Applying Rules to a Policy

When creating a policy, you can add several rules that applications must follow to pass the policy.

You can also apply rules with the Policy API.

| Rule | Description | Applies to Static Analysis, Dynamic Analysis, and Manual Penetration Testing scans | Applies to Software Composition Analysis (SCA) scans |
| --- | --- | --- | --- |
| Minimum Scan Score | Enter a value between 1 and 100. To pass policy, applications must meet or exceed the specified score value. | X | |
| Security Standard | Select one or more of these security standards: PCI, OWASP, OWASP Mobile, CWE Top 25, or CERT. To pass policy, applications must not contain any findings defined in the selected standards. If you select the Auto-Update OWASP, Auto-Update CWE Top 25, or Auto-Update CERT requirement, Veracode automatically reassesses the application when it implements a new version of that specific standard. If you select the Auto-Update PCI requirement, Veracode automatically reassesses the application when it implements a new version of the OWASP, CWE Top 25, or CERT standards. CWEs That Violate Security Standards provides the full list of CWEs that can prevent an application from passing security standard rules in policies. | X | |
| Findings with CWE ID | Search in the CWEs table and select one or more CWE IDs. To pass policy, applications must not contain the specified CWE IDs. | X | |
| Findings in CWE Category | Select one or more CWE categories. To pass policy, applications must not contain CWEs in the specified categories. | X | |
| Findings within Scan Type | Select one or more of these scan types: Static Analysis, Dynamic Analysis, or Manual Penetration Testing. To pass policy, applications must not contain findings from one or more of the specified scan types. | X | |
| Findings by Severity | Select the scan type options and select a severity rating. To determine the allowable severity for Veracode SCA vulnerabilities, Veracode recommends you use a Vulnerability CVSS Score rule, which has more configuration options and separate grace periods. To pass policy, applications must not contain any findings that meet or exceed the specified severity rating for the specified scan types. | X | X |
| Component Blocklist Enforcement | To pass policy, applications must not contain any findings from your organization blocklist. The list of blocklisted components appears after you add this rule. This rule only applies to findings from Veracode SCA upload scans. | | X |
| Vulnerability CVSS Score | Select a CVSS score. To pass policy, applications must not contain any findings that meet or exceed the specified CVSS score. This rule only applies to findings from Veracode SCA upload scans. To avoid having conflicting requirements, do not include a Findings by Severity rule for Veracode SCA findings in your policy. | | X |
| Component Licenses | Select the license risk ratings to disallow. In the Advanced Options section, you can apply these additional configurations: disallow non-OSS licenses; for components with multiple licenses, require one or all of the licenses to meet the rule requirements; allow specific licenses that do not meet the other rule requirements; disallow specific licenses that do meet the other rule requirements. This rule only applies to findings from Veracode SCA upload scans. | | X |
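The pass/fail semantics in the table ("meet or exceed", rules that apply only to SCA findings, the CVSS/severity conflict) are easy to get wrong when building a local pre-check before a policy scan. The following is an added example, not Veracode's code and not the Policy API: it models a policy and a set of findings with hypothetical data classes, assumes a 0 (informational) to 5 (very high) severity scale, and evaluates the rules the way the table describes them.

```python
from dataclasses import dataclass, field
from typing import Optional
@dataclass
class Finding:                      # hypothetical model of one scan finding
    scan_type: str                  # "STATIC", "DYNAMIC", "MANUAL" or "SCA"
    severity: int                   # assumed scale: 0 (informational) .. 5 (very high)
    cwe_id: Optional[int] = None
    cvss: Optional[float] = None    # only meaningful for SCA findings
    component: Optional[str] = None # only meaningful for SCA findings

@dataclass
class Policy:                       # one field per rule from the table above
    min_score: Optional[int] = None                       # Minimum Scan Score (1-100)
    blocked_cwes: set = field(default_factory=set)        # Findings with CWE ID
    severity_by_scan: dict = field(default_factory=dict)  # Findings by Severity: scan type -> rating
    max_cvss: Optional[float] = None                      # Vulnerability CVSS Score (SCA only)
    blocklist: set = field(default_factory=set)           # Component Blocklist Enforcement (SCA only)

def conflicting_sca_rules(policy: Policy) -> bool:
    """True when a CVSS rule and an SCA Findings by Severity rule coexist (the page advises against this)."""
    return policy.max_cvss is not None and "SCA" in policy.severity_by_scan

def evaluate(policy: Policy, score: int, findings: list) -> list:
    """Return the rule violations; an empty list means the application passes policy."""
    violations = []
    if policy.min_score is not None and score < policy.min_score:
        violations.append(f"score {score} is below the minimum of {policy.min_score}")
    for f in findings:
        if f.cwe_id in policy.blocked_cwes:
            violations.append(f"CWE-{f.cwe_id} finding from {f.scan_type}")
        # "meet or exceed": a rating equal to the configured one already violates the rule
        rating = policy.severity_by_scan.get(f.scan_type)
        if rating is not None and f.severity >= rating:
            violations.append(f"{f.scan_type} severity {f.severity} >= {rating}")
        if f.scan_type == "SCA":    # the remaining rules apply only to SCA findings
            if policy.max_cvss is not None and f.cvss is not None and f.cvss >= policy.max_cvss:
                violations.append(f"{f.component} CVSS {f.cvss} >= {policy.max_cvss}")
            if f.component in policy.blocklist:
                violations.append(f"blocklisted component {f.component}")
    return violations

# Constructed sample input, not real scan data.
SAMPLE_POLICY = Policy(min_score=80, blocked_cwes={89}, severity_by_scan={"STATIC": 4},
                       max_cvss=7.0, blocklist={"example-legacy-lib"})
SAMPLE_FINDINGS = [
    Finding("STATIC", 5, cwe_id=89),                              # CWE rule and severity rule
    Finding("STATIC", 3, cwe_id=79),                              # below the rating: passes
    Finding("SCA", 4, cvss=7.0, component="example-lib"),         # meets the CVSS threshold
    Finding("SCA", 2, cvss=3.1, component="example-legacy-lib"),  # blocklisted component
]
```

Running `evaluate(SAMPLE_POLICY, 85, SAMPLE_FINDINGS)` reports four violations; the SCA finding with severity 4 is caught by the CVSS rule, not by the severity rule, because the sample policy deliberately has no Findings by Severity rule for SCA.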