You can define and enforce a uniform application security policy across all applications in your organization's portfolio. A policy can specify:
- The target Veracode Level for the application.
- Types of findings that the application must not contain. You can restrict findings by severity, CWE category, CWE ID, license risk, CVSS score, or a common standard, including OWASP, OWASP Mobile, CWE Top 25, or PCI.
- Minimum Veracode security score.
- Component blocklist for Veracode SCA findings.
- Required scan types and frequencies.
- The time period during which findings affect policy compliance.
- Grace period within which you must fix any policy-relevant findings.
You can also manage policies with the Policy API.
These settings fall into four main constraint types: rules, required scans, evaluation timeframes, and remediation grace periods.
Evaluating Applications Against a Policy
Each application is assigned one of the following policy statuses:
- Not Assessed: The application has not yet had a scan published.
- Pass: The application has passed all aspects of the policy, including rules, required scans, and grace period.
- Did Not Pass: The application has not completed all required scans, has not achieved the target Veracode Level, or has one or more policy-relevant flaws that have exceeded the grace period to fix.
- Conditional Pass: The application has one or more policy-relevant flaws that have not yet exceeded the grace period to fix.
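The status rules above combine three inputs: whether anything has been published, whether every required scan is present and current, and how long each policy-relevant flaw has been open relative to the grace period. The following Python model walks one constructed application through each outcome. It is an added example, not Veracode's implementation: the `Finding`, `Policy` and `Application` classes, the severity constants, the dates, and the decision that an overdue required scan counts as "not completed" are all assumptions made for illustration, and the grace period is counted from the date a flaw was first found.

```python
from dataclasses import dataclass, field
from datetime import date, timedelta

# Simplified model of policy evaluation (added example, not Veracode's own
# implementation). Severities, scan types and dates are constructed inputs.

VERY_HIGH, HIGH, MEDIUM, LOW, VERY_LOW = 5, 4, 3, 2, 1


@dataclass
class Finding:
    flaw_id: str
    severity: int       # 5 = Very High ... 1 = Very Low
    first_found: date   # date the flaw first appeared in a published scan
    fixed: bool = False


@dataclass
class Policy:
    blocked_severities: set[int]      # rule: severities the app must not contain
    required_scans: dict[str, int]    # scan type -> max days between scans
    grace_days: int                   # days allowed to fix a policy-relevant flaw


@dataclass
class Application:
    last_published: dict[str, date] = field(default_factory=dict)  # scan type -> last published
    findings: list[Finding] = field(default_factory=list)


def policy_relevant(finding: Finding, policy: Policy) -> bool:
    """An open finding whose severity the policy rules forbid."""
    return not finding.fixed and finding.severity in policy.blocked_severities


def evaluate(app: Application, policy: Policy, today: date) -> str:
    # Nothing published yet: the policy cannot be evaluated at all.
    if not app.last_published:
        return "Not Assessed"

    # Required scans: each type must have a published scan inside its
    # frequency window (assumption: an overdue scan counts as not completed).
    for scan_type, max_age_days in policy.required_scans.items():
        last = app.last_published.get(scan_type)
        if last is None or (today - last).days > max_age_days:
            return "Did Not Pass"

    relevant = [f for f in app.findings if policy_relevant(f, policy)]
    # Grace period is counted from the date the flaw was first found.
    overdue = [f for f in relevant if (today - f.first_found).days > policy.grace_days]
    if overdue:
        return "Did Not Pass"
    if relevant:
        return "Conditional Pass"
    return "Pass"


def demo_statuses() -> dict[str, str]:
    """Run constructed applications through every status outcome."""
    today = date(2024, 6, 1)
    policy = Policy(
        blocked_severities={VERY_HIGH, HIGH},
        required_scans={"STATIC": 30, "SCA": 30},
        grace_days=14,
    )
    recent = {"STATIC": today - timedelta(days=2), "SCA": today - timedelta(days=5)}

    return {
        "no scans": evaluate(Application(), policy, today),
        "missing SCA scan": evaluate(
            Application(last_published={"STATIC": today}), policy, today),
        "stale STATIC scan": evaluate(
            Application(last_published={"STATIC": today - timedelta(days=45),
                                        "SCA": today}), policy, today),
        "high flaw inside grace": evaluate(
            Application(last_published=dict(recent), findings=[
                Finding("F-1", HIGH, today - timedelta(days=3))]), policy, today),
        "high flaw past grace": evaluate(
            Application(last_published=dict(recent), findings=[
                Finding("F-2", VERY_HIGH, today - timedelta(days=20))]), policy, today),
        "only medium or fixed flaws": evaluate(
            Application(last_published=dict(recent), findings=[
                Finding("F-3", MEDIUM, today - timedelta(days=40)),
                Finding("F-4", HIGH, today - timedelta(days=40), fixed=True)]),
            policy, today),
    }


if __name__ == "__main__":
    for scenario, status in demo_statuses().items():
        print(f"{scenario:28} -> {status}")
```

Note the ordering in `evaluate`: a missing or stale required scan is checked before any finding, so an application with no open flaws still fails if a required scan is overdue, and a flaw inside its grace period only yields Conditional Pass once every scan requirement is satisfied.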