Skip to main content

Application security policies

You can define and enforce a uniform application security policy across all applications in a portfolio for your organization.

The elements of an application security policy include:

  • The target Veracode Level for the application.
  • Types of findings that should not be in the application. You can restrict findings by severity, CWE category, CWE ID, license risk, CVSS score, or a common standard, including OWASP, OWASP Mobile, CWE Top 25, or PCI.
  • Minimum Veracode security score.
  • Component blocklist for Veracode SCA findings.
  • Required scan types and frequencies.
  • Time period in which findings can impact policy compliance.
  • Grace period within which you must fix any policy-relevant findings.

You can create, edit, or delete a policy. You must have the Policy Administrator role to perform policy maintenance activities.

You can also manage policies with the Policy API.


You are not required to create custom policies because the Veracode Platform includes two sets of default policies that you can choose from when implementing your security policy.

Policy constraints

You can apply these main policy constraints: rules, required scans, evaluation timeframes, and remediation grace periods.

Evaluating applications against a policy

When an application is evaluated against a policy, it can receive one of these four assessments:

Not Assessed

The application has not yet had a scan published.


The application has passed all the aspects of the policy, including rules, required scans, and grace period.

Did Not Pass

The application has not completed all required scans; has not achieved the target Veracode Level; or has one or more policy relevant flaws that have exceeded the grace period to fix.

Conditional Pass

The application has one or more flaws related to a policy and these flaws have not yet exceeded the grace period to fix. All sandbox scans also have this status.