Built-in security policies
To help organizations begin evaluating their applications against security standards, we provide pre-configured built-in policies that you can assign to your applications or to your SCA agent workspaces.
Built-in policies are available for Static Analysis, Dynamic Analysis, and SCA Agent-based Scan.
You can set a built-in policy as the default policy for newly created applications or workspaces.
The constraints in a built-in policy are pre-defined and cannot be changed. To use different constraints, copy the built-in policy to create a custom policy and configure the constraints in the copy.
Veracode recommended policies
Recommended policies assess your applications based on their business criticality. Once your teams are familiar with these policies, consider creating your own custom policies.
The following table lists the recommended policies. To learn about the Target VL (Veracode Levels), see About Veracode Levels.
The recommended policies are named after Veracode's business criticality ratings, not finding severity ratings.
| Policy name | Target VL | Flaw severities | Minimum score | Scan requirement | Grace period |
|---|---|---|---|---|---|
| Veracode Recommended Very High | VL5 | No Medium or above | 90 | Static (quarterly); Manual (annually) | 0 |
| Veracode Recommended High | VL4 | No Medium or above | 80 | Static (quarterly) | 0 |
| Veracode Recommended Medium | VL3 | No High or above | 70 | Static (quarterly) | 0 |
| Veracode Recommended Low | VL2 | No Very High or above | 60 | Any (semi-annually) | 0 |
| Veracode Recommended Very Low | VL1 | | | Any (once) | 0 |
| Veracode Recommended Very High + SCA | VL5+SCA | No Medium or above | 90 | Static (quarterly); Manual (annually) | 0 |
| Veracode Recommended High + SCA | VL4+SCA | No Medium or above | 80 | Static (quarterly) | 0 |
| Veracode Recommended Medium + SCA | VL3+SCA | No High or above | 70 | Static (quarterly) | 0 |
| Veracode Recommended Mobile Policy | | | | Static (quarterly) | 0 |
| PCI 3.2.1 | | No High or above; OWASP Top 10; CWE Top 25; CERT | | Any (once) | 0 |
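As an added example, not Veracode's own evaluation logic, the following Python models how the table's constraint columns (flaw severities, minimum score, scan requirement, grace period) might combine into a pass/fail decision for one application. The severity ordering, the day counts behind "quarterly", "semi-annually" and "annually", and the grace-period handling are assumptions made for this illustration.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional

# Ordering behind rule text such as "No Medium or above" (constructed for this example).
SEVERITY_RANK = {"Very Low": 1, "Low": 2, "Medium": 3, "High": 4, "Very High": 5}

# Assumed day counts for the table's scan frequencies; None means "once" (no expiry).
QUARTERLY, SEMI_ANNUALLY, ANNUALLY, ONCE = 91, 182, 365, None

@dataclass(frozen=True)
class Policy:
    name: str
    forbid_at_or_above: Optional[str]   # "Medium" encodes "No Medium or above"; None = no rule
    min_score: Optional[int]            # minimum Security Quality Score; None = no rule
    scan_requirements: tuple            # ((scan type or "Any", max days since last scan), ...)
    grace_days: int = 0                 # days a violating flaw may be open before it fails the policy

RECOMMENDED_VERY_HIGH = Policy("Veracode Recommended Very High", "Medium", 90,
                               (("Static", QUARTERLY), ("Manual", ANNUALLY)))
RECOMMENDED_LOW = Policy("Veracode Recommended Low", "Very High", 60, (("Any", SEMI_ANNUALLY),))
RECOMMENDED_VERY_LOW = Policy("Veracode Recommended Very Low", None, None, (("Any", ONCE),))

@dataclass(frozen=True)
class Finding:
    severity: str
    first_found: date

def evaluate(policy: Policy, score: int, findings: list, last_scans: dict, today: date) -> list:
    """Return the list of violations; an empty list means the application passes the policy."""
    violations = []
    if policy.forbid_at_or_above is not None:
        limit = SEVERITY_RANK[policy.forbid_at_or_above]
        for f in findings:
            # A forbidden-severity flaw counts only once it has outlived the grace period.
            if SEVERITY_RANK[f.severity] >= limit and (today - f.first_found).days > policy.grace_days:
                violations.append(f"{f.severity} flaw open since {f.first_found}")
    if policy.min_score is not None and score < policy.min_score:
        violations.append(f"score {score} below minimum {policy.min_score}")
    for scan_type, max_age in policy.scan_requirements:
        dates = list(last_scans.values()) if scan_type == "Any" else [last_scans.get(scan_type)]
        dates = [d for d in dates if d is not None]
        if not dates:
            violations.append(f"no {scan_type} scan on record")
        elif max_age is not None and (today - max(dates)).days > max_age:
            violations.append(f"{scan_type} scan older than {max_age} days")
    return violations
```

Running `evaluate` with the same findings against `RECOMMENDED_VERY_HIGH` and `RECOMMENDED_LOW` shows why one application can fail a high-criticality policy and pass a lower one, and a copied policy with a non-zero `grace_days` shows how a grace period delays the failure.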
Veracode transitional policies
Transitional policies are no longer recommended. They were originally created to establish a baseline Security Quality Score for applications without policies.
Transitional policies don't support grace periods. Without a grace period, the Security Quality Score is effective as soon as the scan results are published.
The following table lists the transitional policies. To learn about the Target VL (Veracode Levels), see About Veracode Levels.
| Policy name | Target VL | Minimum score | Scan requirement | Grace period |
|---|---|---|---|---|
| Veracode Transitional Very High | VL1 | 90 | Any (once) | 0 |
| Veracode Transitional High | VL1 | 80 | Any (once) | 0 |
| Veracode Transitional Medium | VL1 | 70 | Any (once) | 0 |
| Veracode Transitional Low | VL1 | 60 | Any (once) | 0 |
| Veracode Transitional Very Low | VL1 | 50 | Any (once) | 0 |
Built-in policy for SCA Agent-based Scan
By default, the Veracode Platform applies the Veracode Recommended SCA Very High policy to SCA agent workspaces.
The following table lists the rules in this policy.
| Rule type | Requirement | Advanced options |
|---|---|---|
| Findings by Severity | Low and above are not allowed | Not applicable. This rule does not apply to SCA agent-based scans. |
| Vulnerability Severity | Very High are not allowed | Vulnerable Methods: Any; Dependency: Any; Fix Available: Any; Build Action: Warning; Override Severity: No |
| Vulnerability Severity | High are not allowed | Vulnerable Methods: Any; Dependency: Any; Fix Available: Any; Build Action: Warning; Override Severity: No |
| Vulnerability Severity | Medium are not allowed | Vulnerable Methods: Any; Dependency: Any; Fix Available: Any; Build Action: Warning; Override Severity: No |
| Vulnerability Severity | Low are not allowed | Vulnerable Methods: Any; Dependency: Any; Fix Available: Any; Build Action: Warning; Override Severity: No |
| Component License | High | Dependency: Direct; Non-OSS Licenses; Unrecognized Licenses: Allowed; Component with Multiple Licenses: All licenses must meet requirements; Build Action: Warning; Override Severity: No |
| Component Version | Outdated | Dependency: Direct; Build Action: Warning; Override Severity: No |