Manage security policies

Assign security policies to application profiles or SCA agent workspaces to assess the application's compliance with your policy. To configure policies with specific security requirements, create custom policies.

Optionally, set default policies to assign automatically to all newly created applications or SCA agent workspaces. When you select a business criticality for an application, the Veracode Platform automatically assigns the default policy configured for that business criticality to the application.

note

You can't change the built-in policies, but you can copy them to create custom policies, and then configure the copies.

You can also manage policies using the Policy API.

Prerequisites

To assign policies or manage custom policies, you must have the Policy Administrator role.

Assign a policy to an application

Assign a built-in policy or a custom policy to an application profile. If you are using SCA Agent-based Scan, assign a policy to a workspace.

Assigning multiple policies to the same application profile is not supported.

note

Changing the policy for an application applies to all future scans and updates the policy assessment of the most recent scan for the application.

To complete this task:

  1. Sign in to the Veracode Platform.
  2. On the Applications page, select the application name to open the application overview.
  3. In the left navigation menu, select Edit Profile.
  4. In the Policy field, select the policy you want to set for the application from the dropdown menu.
  5. Optionally, to see details about the selected policy, select View Policy Details.
  6. To assign the selected policy, select SUBMIT.

Assign a policy to an SCA workspace

Assign a built-in policy or a custom policy to an SCA agent workspace.

Before you begin:

You must have the Security Lead, Workspace Administrator, or Workspace Editor role.

To complete this task:

  1. In the Veracode Platform, select Scans & Analysis > Software Composition Analysis.
  2. Select Agent-Based Scan.
  3. Select a workspace.
  4. Select Policy Assignment.
  5. Select a policy. The available options include the built-in policies and custom policies that include rules applicable to agent-based scans.
  6. Select Save.

Set a default policy for applications

Set a built-in policy or custom policy as the default policy to automatically assign to newly created applications for a given business criticality.

Using a default policy ensures consistent policy enforcement across all application profiles.

To complete this task:

  1. Select Policies > Policy Settings.
  2. For each business criticality, select the policy to be assigned to an application by default.
  3. Select Save.
  4. Optionally, on the Notification Settings page, subscribe to or unsubscribe from Veracode Platform notification emails about events that affect your policies.

Set a default policy for SCA workspaces

Set a built-in policy or custom policy as the default policy to automatically assign to newly created SCA agent workspaces.

Using a default policy ensures consistent policy enforcement across all SCA agent workspaces.

Before you begin:

Your organization must have activated the Unified Policy feature, which replaces SCA agent rules.

To complete this task:

  1. Select Policies > Policy Settings.
  2. Select the default policy to assign to a workspace.
  3. To assign all existing workspaces to the selected policy, select Update Existing Workspaces on Save.
  4. Select Save.

Create a custom policy

Policies must include one or more constraints that define the security requirements that scanned applications must meet to pass the policy.

To complete this task:

  1. In the Veracode Platform, select Policies > Policies.

  2. Select Add New Policy.

  3. Enter the name of the new policy. This policy name appears in these locations:

    • Applications list
    • Application profile
    • Reports
    • Results from the Results and Archer APIs

  4. Enter a detailed description of the policy. This policy description appears in the application scan results report.

  5. Optionally, to use this policy to calculate scan results that vendors share with you, select Use as Vendor Policy.

  6. Select Next.

  7. Add the policy constraints that you want to include in the policy.

  8. Select Next.

  9. Select the scan requirement frequency for either all scan types or specific scan types.

  10. Select Finish.

After you successfully create the policy, the Veracode Platform displays a confirmation message.

important

To download a policy in the Rego format, create the policy for Container and IaC scans only. If a policy contains rules for both SCA and Container and IaC scans, you can't download it.

Copy a policy

If you want to create a new policy that is similar to an existing policy, copy that policy and then make the changes you want. Copying a policy is simpler than creating a new policy from scratch.

To complete this task:

  1. In the Veracode Platform, select Policies > Policies.
  2. Find the policy you want to copy from the Policies table.
  3. From the Actions menu, select Copy Policy.
  4. Edit the policy name and description and select Next.
  5. Add, delete, or edit any of the policy constraints and select Next.
  6. Make any necessary changes to the scan requirements and select Finish. The new policy is available in the Veracode Platform.

Edit a custom policy

You can edit a custom policy at any time. If you edit a policy that is assigned to any applications, Veracode automatically re-evaluates the applications against the updated policy.

To complete this task:

  1. In the Veracode Platform, select Policies > Policies.
  2. Find the policy you want to edit from the Policies table.
  3. Select the Actions menu and select Edit Policy.
  4. Make any necessary changes to the policy name or description and select Next.
  5. Add, delete, or edit any of the policy constraints and select Next.
  6. Make any necessary changes to the scan requirements and select Finish.

After you successfully edit the policy, the Veracode Platform displays a confirmation message and sends an email to members of the team associated with any applications to which the policy is assigned.

Delete a custom policy

You can delete any custom policy, but you cannot delete the built-in policies.

To complete this task:

  1. In the Veracode Platform, select Policies > Policies.
  2. Find the policy you want to delete from the Policies table.
  3. Select Actions > Delete Policy.
  4. If the policy is assigned to any applications, select another policy from the Select New Policy dropdown menu to replace it, and select Next.
  5. Select Delete.