Applying grace periods to a policy

When creating policies, you can define remediation grace periods for Minimum Scan Score, Component Blocklist Enforcement, Component Licenses, and Vulnerability CVSS Score rules. You can also specify grace periods by severity that apply to Findings by Severity, Security Standard, Findings by CWE ID, and Findings in CWE Category rules.

A remediation grace period is the amount of time in which you can fix or mitigate findings or raise the score for the application. During the grace period, the application passes policy on the condition that you fix or mitigate the affected findings or the scan meets the minimum score rule. Veracode applies the grace period starting from the first found date or, if re-opened, the last re-opened date. After the grace period expires, if you have not fixed or mitigated the findings, the application no longer passes policy. Veracode monitors grace periods as a date associated with each finding that persists across application scans.

If you set a grace period of 0 for a certain severity or rule, Veracode evaluates applications with findings that violate the rule immediately as not passing the policy.


Grace periods only apply to findings that a custom rule defines as not allowed. For example, unless you have a custom rule that specifies that Informational findings are not allowed, Veracode ignores any grace period value you set for Informational findings.

When a grace period approaches its expiration date, Veracode sends a notification to the team associated with the application. When you apply a new policy to the application, Veracode recalculates the grace period due date for findings.

For more information specific to Veracode SCA rules, see Apply grace periods to Veracode SCA policy rules.

First found date

Veracode uses the first found date for a finding to determine whether the finding is within its grace period. To calculate the first found date, Veracode uses the following information:

Static and Dynamic findings

Date when Veracode first identifies a finding in any sandbox within an application, regardless of whether you have promoted the sandbox or evaluated it against a policy.

SCA findings

The date when one of the following events occurs:

  • A Veracode scan detects a library with a vulnerability.
  • A CVE for a vulnerability within a library is published in any sandbox within an application, regardless of whether you have promoted the sandbox or evaluated it against a policy.

If the vulnerable library is removed then later re-added, the first found date resets to the date the library was re-added.
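The grace-period rules described above can be modeled in a few lines. This is an added example, not Veracode's implementation: the severity-to-days map, the 7-day notification window, the sample findings, and the choice to treat a finding as failing on its due date are all assumptions made for illustration.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

# Constructed policy: grace days per severity that a rule marks as not allowed.
# Severities missing from the map are not restricted, so no grace period applies.
GRACE_DAYS = {"Very High": 0, "High": 30, "Medium": 90}

@dataclass
class Finding:
    severity: str
    first_found: date
    last_reopened: Optional[date] = None
    resolved: bool = False  # fixed or mitigated

def grace_due_date(f, grace_days=GRACE_DAYS):
    """Date the grace period ends, or None when no rule disallows the severity."""
    if f.severity not in grace_days:
        return None
    start = f.last_reopened or f.first_found  # re-opening restarts the clock
    return start + timedelta(days=grace_days[f.severity])

def finding_passes(f, today, grace_days=GRACE_DAYS):
    due = grace_due_date(f, grace_days)
    if due is None or f.resolved:
        return True
    # Assumption: the grace period has expired once the due date is reached,
    # so a grace period of 0 fails on the day the finding is found.
    return today < due

def application_passes(findings, today, grace_days=GRACE_DAYS):
    return all(finding_passes(f, today, grace_days) for f in findings)

def expiring_soon(findings, today, within_days=7, grace_days=GRACE_DAYS):
    """Unresolved findings still in grace whose due date is within `within_days`."""
    pairs = [(f, grace_due_date(f, grace_days)) for f in findings if not f.resolved]
    hits = [(f, d) for f, d in pairs if d and 0 < (d - today).days <= within_days]
    return sorted(hits, key=lambda p: p[1])

# Constructed sample findings, evaluated on a constructed date.
TODAY = date(2024, 6, 1)
SAMPLE = [
    Finding("High", date(2024, 5, 8)),                       # in grace, due soon
    Finding("Medium", date(2024, 1, 1), date(2024, 5, 1)),   # re-opened
    Finding("Informational", date(2023, 1, 1)),              # no rule disallows it
    Finding("Very High", date(2024, 6, 1)),                  # grace period of 0
    Finding("High", date(2024, 1, 1), resolved=True),        # fixed or mitigated
]
```

Running `application_passes(SAMPLE, TODAY)` shows the Very High finding failing the application on the day it is found, while the old Informational finding has no effect because no rule disallows it.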