Policy REST API rules properties

You use JSON properties to configure and apply policy rules with the Policy REST API.

Specify rules with the finding_rules and value keys. Each rule must contain the type, scan_type, and value key-value pairs, as shown in this example:

  "finding_rules": [
    {
      "type": "MAX_SEVERITY",
      "scan_type": [
        "DYNAMIC",
        "MANUAL",
        "STATIC"
      ],
      "value": "3"
    }
  ]

This table describes the JSON properties you use when creating and updating policy rules.

Name: FAIL_ALL
  Description: Enter a comma-separated list of one or more of these scan types: Static Analysis, Dynamic Analysis, Manual Penetration Testing. To pass policy, applications must not contain findings from one or more of the specified scan types.

Name: CWE
  Description: Enter a comma-separated list of CWE IDs. To pass policy, applications must not contain the specified CWE IDs.

Name: CATEGORY
  Description: Enter a comma-separated list of CWE categories. To pass policy, applications must not contain CWEs in the specified categories.

Name: MAX_SEVERITY
  Description: Enter a value from 0 to 5 to specify the finding-severity rating. To pass policy, applications must not contain any findings that meet or exceed the specified severity rating for the specified scan types.

Name: CVSS
  Description: Enter a CVSS score. To pass policy, applications must not contain any findings that meet or exceed the specified CVSS score. This rule only applies to findings from Veracode SCA upload scans.

Name: CVE
  Description: Enter a comma-separated list of CVE IDs. To pass policy, applications must not contain findings with the specified CVE IDs.

Name: BLACKLIST
  Description: To pass policy, applications must not contain any findings from your organization blocklist.

Name: MIN_SCORE
  Description: Enter a value between 1 and 100. To pass policy, applications must meet or exceed the specified score value.

Name: SECURITY_STANDARD
  Description: Enter a comma-separated list of one or more of these security standards:
    • cert is the CERT Coding Standard
    • cwe_veracode is the Auto-Update CWE Top 25
    • OWASP is the OWASP Top Ten 2017
    • owasp_mobile is the OWASP Mobile Top 10
    • pci is the PCI Security Standard
    • cwe_2019 is the CWE Top 25 2019
    • owasp_13 is the OWASP Top 10 2013
    • sans is the CWE/SANS Top 25 2011
  CWE Top 25 2019, OWASP Top 10 2013, and CWE/SANS Top 25 2011 are legacy standards. For new policies, Veracode recommends that you use the standards for Latest CWE Top 25 and OWASP Top 10 2017.
  To pass policy, applications must not contain any findings defined in the specified standards.
  If you enter cwe_veracode, Veracode automatically reassesses the application when it implements a new version of the CWE Top 25 standard.
  Appendix: CWEs That Violate Security Standards provides the full list of CWEs that can prevent an application from passing security standard rules in policies.

Name: LICENSE_RISK
  Description: Enter a comma-separated list of one or more of these license risk ratings: Low, Medium, High, Non-OSS, Unrecognized.
  To pass policy, applications must not contain any findings with the specified license risk ratings.
  This rule only applies to findings from Veracode SCA upload scans.
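As an added example (not Veracode's own code), the following Python checker validates a list of finding rules against the constraints in the table above before the body is sent to the Policy REST API. It assumes rules are supplied as Python dicts shaped like the JSON example earlier on this page; the function names and the specific checks are this example's own.

```python
import json

# Scan-type names come from the page's JSON example; rule types and allowed
# values come from the rule table. Format checks are this example's own.
SCAN_TYPES = {"STATIC", "DYNAMIC", "MANUAL"}
RULE_TYPES = {"FAIL_ALL", "CWE", "CATEGORY", "MAX_SEVERITY", "CVSS", "CVE",
              "BLACKLIST", "MIN_SCORE", "SECURITY_STANDARD", "LICENSE_RISK"}
SECURITY_STANDARDS = {"cert", "cwe_veracode", "OWASP", "owasp_mobile",
                      "pci", "cwe_2019", "owasp_13", "sans"}
LEGACY_STANDARDS = {"cwe_2019", "owasp_13", "sans"}
LICENSE_RISKS = {"Low", "Medium", "High", "Non-OSS", "Unrecognized"}

def _in_range(value, low, high):
    return value.isdigit() and low <= int(value) <= high

def check_rule(rule):
    """Return the problems found in one finding rule (empty list = OK)."""
    problems = [f"missing key {k!r}" for k in ("type", "scan_type", "value")
                if k not in rule]
    if problems:
        return problems
    if not isinstance(rule["scan_type"], list) or not rule["scan_type"]:
        problems.append("scan_type must be a non-empty list")
    elif set(rule["scan_type"]) - SCAN_TYPES:
        problems.append(f"unknown scan_type: {sorted(set(rule['scan_type']) - SCAN_TYPES)}")
    rtype, value = rule["type"], str(rule["value"])
    items = {v.strip() for v in value.split(",") if v.strip()}
    if rtype not in RULE_TYPES:
        problems.append(f"unknown rule type {rtype!r}")
    elif rtype == "MAX_SEVERITY" and not _in_range(value, 0, 5):
        problems.append("MAX_SEVERITY value must be 0-5")
    elif rtype == "MIN_SCORE" and not _in_range(value, 1, 100):
        problems.append("MIN_SCORE value must be 1-100")
    elif rtype == "SECURITY_STANDARD":
        if items - SECURITY_STANDARDS:
            problems.append(f"unknown standards: {sorted(items - SECURITY_STANDARDS)}")
        if items & LEGACY_STANDARDS:  # page: legacy, not recommended for new policies
            problems.append(f"legacy standards: {sorted(items & LEGACY_STANDARDS)}")
    elif rtype == "LICENSE_RISK" and items - LICENSE_RISKS:
        problems.append(f"unknown license risks: {sorted(items - LICENSE_RISKS)}")
    return problems

def policy_fragment(rules):
    """Serialise rules as the finding_rules fragment, refusing invalid ones."""
    bad = {r.get("type"): p for r in rules if (p := check_rule(r))}
    if bad:
        raise ValueError(f"invalid rules: {bad}")
    return json.dumps({"finding_rules": rules}, indent=2)
```

Running check_rule on each rule before a create or update call turns a rejected request into a readable list of which rule and which constraint failed.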