Manage workspace rules

Important

If your organization has activated the Unified Policy feature, which replaces agent rules, you can create a custom policy that uses agent-based scan rules, and assign it to a workspace or set it as the default policy for all workspaces. For example, you can copy the Veracode Recommended SCA Very High policy and edit it into a custom SCA policy.

Workspace rules help you manage your software delivery workflow. Rules are sets of controls to which your codebase must adhere. Default rules are hard-coded and applied to all workspaces.

When projects violate a control, you can choose to create an issue to track a problem, break the build, or both. Set your own severity for different kinds of control violations. SCA agents use this severity for issues and as the exit code when a build breaks.

To configure the controls, create custom rules.

At scan time, the scanner identifies open-source libraries in your code and any transitive library dependencies, generates a dependency graph and a call graph, and then sends the results of the scan to the Veracode Platform. Veracode checks the scan results against each control in the rule. If a control fails, the specified action for that control is triggered, and the highest severity among the violated controls is returned as the exit code.
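To make that evaluation concrete, the following is an added illustrative model, not Veracode's agent code, of how controls, their actions (create an issue, break the build, or both) and their severities combine into issues and an exit code. The Finding and Control types, the action names, which default controls break the build, and the license severity of 5.0 are assumptions; the CVSS-based vulnerability severity and the 3.0 for outdated direct libraries come from the page.

```python
from dataclasses import dataclass
ISSUE, BREAK = "issue", "break"   # the two actions a control can trigger

@dataclass(frozen=True)
class Finding:                    # one scanner result for a library
    library: str
    kind: str                     # "vulnerability", "outdated" or "license"
    direct: bool                  # True for direct, False for transitive
    cvss: float = 0.0             # vulnerability score = its issue severity
    high_risk_license: bool = False

@dataclass(frozen=True)
class Control:                    # one control inside a rule
    kind: str
    scope: str                    # "direct", "transitive" or "any"
    actions: frozenset
    severity: "float | None" = None   # None: use the finding's CVSS score

def applies(c: Control, f: Finding) -> bool:
    """A control fires only for findings of its kind inside its scope."""
    if c.kind != f.kind or (c.scope == "direct" and not f.direct) \
            or (c.scope == "transitive" and f.direct):
        return False
    return f.high_risk_license if c.kind == "license" else True

def evaluate(findings, controls):
    """Return (issues, exit_code): issues are (library, kind, severity); the
    exit code is the highest severity of violated build-breaking controls."""
    issues, exit_code = [], 0.0
    for f in findings:
        for c in (c for c in controls if applies(c, f)):
            sev = c.severity if c.severity is not None else f.cvss
            if ISSUE in c.actions:
                issues.append((f.library, f.kind, sev))
            if BREAK in c.actions:
                exit_code = max(exit_code, sev)
    return issues, exit_code
# Constructed rule mirroring the page's defaults (vulnerabilities anywhere at
# CVSS severity, outdated direct libraries at 3.0, high-risk direct licenses);
# which controls break the build and the license severity 5.0 are assumed.
DEFAULT_RULE = [
    Control("vulnerability", "any", frozenset({ISSUE, BREAK})),
    Control("outdated", "direct", frozenset({ISSUE}), severity=3.0),
    Control("license", "direct", frozenset({ISSUE}), severity=5.0),
]
# Constructed scan result: a transitive vulnerability, a stale direct
# library and a direct library under a high-risk license.
SCAN = [Finding("lib-a", "vulnerability", False, cvss=9.8),
        Finding("lib-b", "outdated", True),
        Finding("lib-c", "license", True, high_risk_license=True)]
```

Running `evaluate(SCAN, DEFAULT_RULE)` creates three issues but only the vulnerability control breaks the build, so the exit code is its CVSS score; a custom rule that also breaks on outdated direct libraries would instead surface the 3.0 when no vulnerability is present.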

Organization rules

Important

If your organization has activated the Unified Policy feature, which replaces agent rules, set the default policy for workspaces.

Organization rules allow you to apply the same set of controls to all of your workspaces. If your organization enforces organization rules, you cannot set custom rules at the workspace level. If your organization has configured organization rules but does not enforce them, you can select the organization rules when configuring the rules for a workspace.

Default rules

Important

If your organization has activated the Unified Policy feature, which replaces agent rules, the default policy for workspaces is the Veracode Recommended SCA Very High policy. You can change the default policy in your policy settings.

If you do not customize the workspace rules, Veracode SCA applies the default rules.

Using the Veracode default rules, issues get created when:

  • A vulnerability exists in either direct or transitive libraries.
  • A direct library is out of date.
  • A direct library contains a high-risk license.

Additional controls that you can use with custom rules include:

  • A library has multiple licenses.
  • A library has no license.

The issue severities are set as follows:

  • Vulnerability issues, direct or transitive: the CVSS score of the vulnerability
  • Outdated library issues, direct: 3.0