Skip to main content

Veracode SCA best practices for reviewing compliance for periodic releases

Veracode recommends that you follow these best practices to effectively use Veracode Software Composition Analysis to review the security policy compliance of your code before releasing it to production.

Perform a Veracode SCA upload scan as part of a Static Analysis

Veracode analyzes your own code and third-party code in a single static scan. See About Veracode SCA Upload Scans for more information.

You can link the projects you create for Veracode SCA agent-based scans to your Veracode application profiles to enable a unified view of your results for all Veracode scans. You must perform an upload scan to allow Veracode to evaluate the policy status of third-party libraries included in an application profile through a linked project.

Use the Findings REST API to view scan results

To access details about your Veracode SCA findings without logging in to the Veracode Platform, use the Findings REST API.

Include SCA rules in your application security policies

You can add Veracode SCA requirements in your policies to restrict the usage of vulnerable third-party components. You can also enforce that the application must meet minimum Veracode Levels, CVSS scores, and grace period requirements to pass policy.

Search the Veracode Vulnerability database before using a library

The Veracode Vulnerability Database provides extensive details of the security impact of including open-source libraries in your code.