
About Veracode default rules for agent-based scanning


If your organization has activated the Unified Policy feature, which replaces agent rules, the default policy for workspaces is the Veracode Recommended SCA Very High policy. You can change the default policy in your policy settings.

If you do not customize the workspace rules, Veracode SCA applies the default rules.

With the Veracode default rules, Veracode SCA creates an issue when:

  • A vulnerability exists in either direct or transitive libraries.
  • A direct library is out of date.
  • A direct library contains a high-risk license.

Additional controls that you can use with custom rules include:

  • A library has multiple licenses.
  • A library has no license.

The issue severities are set as follows:

  • Vulnerability issues, direct or transitive: the CVSS score of the vulnerability
  • Outdated library issues, direct: 3.0