I have a case where our NXIQ is broken into multiple Orgs under the Root. These orgs have different requirements and therefore policy levels, so we have slightly different policies on each org. We have new applications spring up with some regularity and so have configured the “Auto-create application” option in the server.
Unfortunately, this means that we need to upload all new applications to a common org as a “dumping ground” with a lowest-common-denominator policy before manually transferring them to the correct org (and the correct policy). This means that the initial upload goes to the wrong org with potentially the wrong policy.
My ask is to allow the maven plugin to be configured to have an Org or OrgID passed in, and the plugin will create the application in the correct org (if it doesn’t exist) and then scan against the correct org’s policy. Without this, we can’t put our apps into a blocking mode, as the first scan is always non-blocking but subsequent ones may be, and we have to frequently check in with NXIQ to see new applications.
I will lay odds that this change may also require that an API user that is set up for scanning apps in a CI/CD pipeline would need the Create Apps permission, or you would need to move the “Auto-create” switch into a role, rather than a global configuration.