Applying Rules to a Policy

Application Security Policies

When creating a policy, you can add several rules that applications must follow to pass the policy.

You can also apply rules with the Policy API.

The following rules apply either to Static Analysis, Dynamic Analysis, and Manual Penetration Testing scans, or to Veracode Software Composition Analysis (SCA) scans; each rule description notes when it applies only to SCA findings.

Minimum Scan Score

Enter a value between 1 and 100. To pass policy, applications must meet or exceed the specified score value.

Security Standard

Select one or more of these security standards: PCI, OWASP, OWASP Mobile, CWE Top 25, or CERT. To pass policy, applications must not contain any findings defined in the selected standards.

If you select the Auto-Update OWASP, Auto-Update CWE Top 25, or Auto-Update CERT requirement, Veracode automatically reassesses the application when it implements a new version of that specific standard. If you select the Auto-Update PCI requirement, Veracode automatically reassesses the application when it implements a new version of the OWASP, CWE Top 25, or CERT standards.

Appendix: CWEs That Violate Security Standards provides the full list of CWEs that can prevent an application from passing security standard rules in policies.

Findings with CWE ID

Search in the CWEs table and select one or more CWE IDs. To pass policy, applications must not contain the specified CWE IDs.

Findings in CWE Category

Select one or more CWE categories. To pass policy, applications must not contain CWEs in the specified categories.

Findings within Scan Type

Select one or more of these scan types: Static Analysis, Dynamic Analysis, or Manual Penetration Testing. To pass policy, applications must not contain any findings from the specified scan types.

Findings by Severity

Select the scan type options and select a severity rating. To determine the allowable severity for Veracode SCA vulnerabilities, Veracode recommends you use a Vulnerability CVSS Score rule, which has more configuration options and separate grace periods.

To pass policy, applications must not contain any findings that meet or exceed the specified severity rating for the specified scan types.

Component Blocklist Enforcement

To pass policy, applications must not contain any findings from your organization's blocklist. The list of blocklisted components appears after you add this rule. This rule only applies to findings from Veracode SCA upload scans.

Vulnerability CVSS Score

Select a CVSS score. To pass policy, applications must not contain any findings that meet or exceed the specified CVSS score. This rule only applies to findings from Veracode SCA upload scans. To avoid conflicting requirements, do not include a Findings by Severity rule for Veracode SCA findings in your policy.
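As an added illustration (not Veracode's implementation and not its Policy API), the following Python models how the Findings with CWE ID, Findings by Severity, and Vulnerability CVSS Score rules combine against a set of findings, and why a severity rule applied to SCA findings alongside a CVSS rule produces conflicting requirements. The Finding and Policy classes, the 0 to 5 severity scale, and the sample findings are constructed assumptions.

```python
from dataclasses import dataclass, field
from typing import Optional

@dataclass
class Finding:
    scan_type: str                  # "STATIC", "DYNAMIC", "MANUAL" or "SCA"
    severity: int                   # assumed scale: 0 (informational) .. 5 (very high)
    cwe_id: Optional[int] = None    # CWE for Static/Dynamic/Manual findings
    cvss: Optional[float] = None    # CVSS score, SCA findings only

@dataclass
class Policy:
    max_severity: dict = field(default_factory=dict)  # Findings by Severity, per scan type
    blocked_cwes: set = field(default_factory=set)    # Findings with CWE ID
    max_cvss: Optional[float] = None                   # Vulnerability CVSS Score (SCA only)

def evaluate(policy: Policy, findings: list) -> tuple:
    """Return (passed, reasons); a finding that trips any rule fails the policy."""
    reasons = []
    for f in findings:
        if f.cwe_id in policy.blocked_cwes:
            reasons.append(f"{f.scan_type}: CWE-{f.cwe_id} is blocked")
        limit = policy.max_severity.get(f.scan_type)
        if limit is not None and f.severity >= limit:          # "meet or exceed"
            reasons.append(f"{f.scan_type}: severity {f.severity} >= {limit}")
        if f.scan_type == "SCA" and policy.max_cvss is not None \
                and f.cvss is not None and f.cvss >= policy.max_cvss:
            reasons.append(f"SCA: CVSS {f.cvss} >= {policy.max_cvss}")
    return (not reasons, reasons)

# Constructed sample findings, not real scan output.
SAMPLE = [
    Finding("STATIC", severity=4, cwe_id=89),    # SQL injection rated High
    Finding("DYNAMIC", severity=3, cwe_id=79),   # XSS rated Medium
    Finding("SCA", severity=3, cvss=6.5),        # third-party vulnerability rated Medium
]

def recommended_policy() -> Policy:
    # Severity rule for Static/Dynamic/Manual, CVSS rule for SCA, CWE-79 blocked outright.
    return Policy(max_severity={"STATIC": 4, "DYNAMIC": 4, "MANUAL": 4},
                  blocked_cwes={79}, max_cvss=7.0)

def conflicting_policy() -> Policy:
    # Same policy, plus a severity rule on SCA findings: the SCA finding now fails
    # the severity rule while passing the CVSS rule, so the two rules disagree.
    p = recommended_policy()
    p.max_severity["SCA"] = 3
    return p
```

Calling `evaluate(recommended_policy(), SAMPLE)` fails only on the Static and Dynamic findings, while `evaluate(conflicting_policy(), SAMPLE)` additionally fails on the SCA finding even though its CVSS score is below the configured threshold.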

Component Licenses

Select the license risk ratings to disallow. In the Advanced Options section, you can apply these additional configurations:
  • Disallow non-OSS licenses.
  • For components with multiple licenses, require one or all of the licenses to meet the rule requirements.
  • Allow specific licenses that do not meet the other rule requirements.
  • Disallow specific licenses that do meet the other rule requirements.

This rule only applies to findings from Veracode SCA upload scans.