About policy rules

When creating a policy, you can add several rules that applications must follow to pass the policy.

You can also apply rules with the Policy API.

Rule	Description	Applies to Static Analysis, Dynamic Analysis, and Manual Penetration Testing scans	Applies to Software Composition Analysis (SCA) scans
Minimum Scan Score	Enter a value between 1 and 100. To pass policy, applications must meet or exceed the specified score value.	X
Security Standard	Select one or more of these security standards: PCI, OWASP, OWASP Mobile, CWE Top 25, or CERT. To pass policy, applications must not contain any findings defined in the selected standards. If you select the Auto-Update OWASP, Auto-Update CWE Top 25, or Auto-Update CERT requirement, Veracode automatically reassesses the application when it implements a new version of that specific standard. If you select the Auto-Update PCI requirement, Veracode automatically reassesses the application when it implements a new version of the OWASP, CWE Top 25, or CERT standards. CWEs That Violate Security Standards provides the full list of CWEs that can prevent an application from passing security standard rules in policies.	X
Findings with CWE ID	Search in the CWEs table and select one or more CWE IDs. To pass policy, applications must not contain the specified CWE IDs.	X
Findings in CWE Category	Select one or more CWE categories. To pass policy, applications must not contain CWEs in the specified categories.	X
Findings within Scan Type	Select one or more of these scan types: Static Analysis, Dynamic Analysis, or Manual Penetration Testing. To pass policy, applications must not contain findings from one or more of the specified scan types.	X
Findings by Severity	Select the scan type options and select a severity rating. To pass policy, applications must not contain any findings that meet or exceed the specified severity rating for the specified scan types.	X	SCA upload scans only
Component Blocklist Enforcement	To pass policy, applications must not contain any findings from your organization blocklist. The list of blocklisted components appears after you add this rule.		SCA upload scans only
Vulnerability CVSS Score	Select a CVSS score. To pass policy, applications must not contain any findings that meet or exceed the specified CVSS score. To avoid having conflicting requirements, do not include a Findings by Severity rule for Veracode SCA findings in your policy.		SCA upload scans only
Vulnerability Severity1	Select the severity rating to disallow. In the Advanced Options section, you can apply these additional configurations: Component Dependency. Build Action. Override Severity. Note: You must create a separate Vulnerability Severity rule for each set of unique inputs. The inputs are Severity, Vulnerable Method, and Component Dependency. The outputs are Build Action, Create Issue, which is automatic and not configurable, and Override Severity of the created issue.		SCA agent-based scans only
Component Licenses	Select the license risk ratings to disallow. In the Advanced Options section, you can apply these additional configurations: Specify the type of component dependency.1 Specify the build action.1 Override severity ratings.1 Disallow non-OSS licenses. Disallow Unrecognized licenses. For components with multiple licenses, require one or all of the licenses to meet the rule requirements. Allow specific licenses that do not meet the other rule requirements. (This configuration only applies to findings from Veracode SCA upload scans.) Disallow specific licenses that do meet the other rule requirements.		Both SCA upload scans and agent-based scans
Component Versions1	Create issues whenever an SCA agent-based scan finds an outdated library. In the Advanced Options section, you can apply these additional configurations: Vulnerable methods Component dependency Build action Override severity		SCA agent-based scans only

¹ Rules and advanced options are available after activating the Unified Policy feature.