Applying rules to a policy
When creating a policy, you can add several rules; an application must satisfy every rule to pass the policy.
You can also apply rules with the Policy API.
Rule | Description | Applies to Static Analysis, Dynamic Analysis, and Manual Penetration Testing scans | Applies to Software Composition Analysis (SCA) scans |
---|---|---|---|
Minimum Scan Score | Enter a value between 1 and 100. To pass policy, applications must meet or exceed the specified score. | X | |
Security Standard | Select one or more of these security standards: PCI, OWASP, OWASP Mobile, CWE Top 25, or CERT. To pass policy, applications must not contain any findings defined in the selected standards. If you select the Auto-Update OWASP, Auto-Update CWE Top 25, or Auto-Update CERT requirement, Veracode automatically reassesses the application when it implements a new version of that specific standard. If you select the Auto-Update PCI requirement, Veracode automatically reassesses the application when it implements a new version of the OWASP, CWE Top 25, or CERT standards. CWEs That Violate Security Standards provides the full list of CWEs that can prevent an application from passing security standard rules in policies. | X | |
Findings with CWE ID | Search the CWEs table and select one or more CWE IDs. To pass policy, applications must not contain findings with the specified CWE IDs. | X | |
Findings in CWE Category | Select one or more CWE categories. To pass policy, applications must not contain findings with CWEs in the specified categories. | X | |
Findings within Scan Type | Select one or more of these scan types: Static Analysis, Dynamic Analysis, or Manual Penetration Testing. To pass policy, applications must not contain any findings from the selected scan types. | X | |
Findings by Severity | Select one or more scan types and a severity rating. To pass policy, applications must not contain any findings that meet or exceed the specified severity rating for the selected scan types. | X | SCA upload scans only |
Component Blocklist Enforcement | To pass policy, applications must not contain any components on your organization blocklist. The list of blocklisted components appears after you add this rule. | | SCA upload scans only |
Vulnerability CVSS Score | Select a CVSS score. To pass policy, applications must not contain any SCA findings that meet or exceed the specified CVSS score. To avoid conflicting requirements, do not also include a Findings by Severity rule for Veracode SCA findings in the same policy. | | SCA upload scans only |
Vulnerability Severity¹ | Select the severity rating to disallow. The Advanced Options section provides additional configurations. Note: You must create a separate Vulnerability Severity rule for each set of unique inputs. The inputs are Severity, Vulnerable Method, and Component Dependency. The outputs are Build Action, Create Issue (automatic and not configurable), and Override Severity of the created issue. | | SCA agent-based scans only |
Component Licenses | Select the license risk ratings to disallow. The Advanced Options section provides additional configurations. | | Both SCA upload scans and agent-based scans |
Component Versions¹ | Create issues whenever an SCA agent-based scan finds an outdated library. The Advanced Options section provides additional configurations. | | SCA agent-based scans only |

¹ This rule and its advanced options are available only after you activate the Unified Policy feature.
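The following script is an added example, not Veracode code and not the Policy API payload format. It models the pass/fail semantics of the rules in the table above as a local pre-check that a team can run over exported findings before relying on the platform's verdict: every rule must pass, severity and CVSS rules trigger on "meet or exceed", the SCA-only rules ignore non-SCA findings, and a helper flags the Vulnerability CVSS Score / Findings by Severity combination the table says to avoid. The rule dict shapes, the 0-5 severity scale, and the sample policy and findings are assumptions constructed for this example; the Security Standard rule is not modelled because it depends on the platform-maintained CWE list.

```python
"""Local pre-check: evaluate scan findings against policy rules (added illustration,
not Veracode code or the Policy API schema). Rule semantics follow the table above;
dict shapes, the 0-5 severity scale and all sample data are constructed assumptions."""
from dataclasses import dataclass
from typing import Optional

# Scan types covered by the non-SCA rules (third column of the table).
SAST_DAST_MPT = {"STATIC", "DYNAMIC", "MANUAL"}


@dataclass
class Finding:
    scan_type: str                  # STATIC, DYNAMIC, MANUAL or SCA
    severity: int                   # assumed scale: 0 informational .. 5 very high
    cwe: Optional[int] = None       # CWE ID (SAST/DAST/MPT findings)
    category: str = ""              # CWE category name (SAST/DAST/MPT findings)
    cvss: Optional[float] = None    # CVSS score (SCA findings)
    component: str = ""             # library name (SCA findings)


@dataclass
class Policy:
    rules: list                       # rule dicts, see SAMPLE_POLICY below
    scan_score: Optional[int] = None  # application score 1..100 reported by the platform


def rule_violations(policy: Policy, findings: list) -> list:
    """Return one message per failed rule; an empty list means the policy passes."""
    problems = []
    for rule in policy.rules:
        kind = rule["type"]
        if kind == "MIN_SCORE":           # Minimum Scan Score: meet or exceed the value
            if policy.scan_score is None or policy.scan_score < rule["value"]:
                problems.append(f"MIN_SCORE: score {policy.scan_score} is below {rule['value']}")
        elif kind == "CWE":               # Findings with CWE ID
            hits = sorted({f.cwe for f in findings
                           if f.scan_type in SAST_DAST_MPT and f.cwe in rule["cwes"]})
            if hits:
                problems.append(f"CWE: disallowed CWE IDs present {hits}")
        elif kind == "CATEGORY":          # Findings in CWE Category
            hits = sorted({f.category for f in findings
                           if f.scan_type in SAST_DAST_MPT and f.category in rule["categories"]})
            if hits:
                problems.append(f"CATEGORY: disallowed categories present {hits}")
        elif kind == "SCAN_TYPE":         # Findings within Scan Type: no findings from these scans
            hits = sorted({f.scan_type for f in findings if f.scan_type in rule["scan_types"]})
            if hits:
                problems.append(f"SCAN_TYPE: findings present from {hits}")
        elif kind == "MAX_SEVERITY":      # Findings by Severity: nothing at or above the rating
            hits = [f for f in findings
                    if f.scan_type in rule["scan_types"] and f.severity >= rule["value"]]
            if hits:
                problems.append(f"MAX_SEVERITY: {len(hits)} finding(s) at severity >= {rule['value']}")
        elif kind == "BLOCKLIST":         # Component Blocklist Enforcement (SCA only)
            hits = sorted({f.component for f in findings
                           if f.scan_type == "SCA" and f.component in rule["components"]})
            if hits:
                problems.append(f"BLOCKLIST: blocklisted components present {hits}")
        elif kind == "CVSS":              # Vulnerability CVSS Score (SCA only): nothing at or above
            hits = [f for f in findings
                    if f.scan_type == "SCA" and f.cvss is not None and f.cvss >= rule["value"]]
            if hits:
                problems.append(f"CVSS: {len(hits)} SCA finding(s) with CVSS >= {rule['value']}")
        else:
            raise ValueError(f"unsupported rule type: {kind}")
    return problems


def conflicting_sca_rules(policy: Policy) -> bool:
    """True when a CVSS rule is paired with a Findings by Severity rule for SCA findings,
    the combination the table says to avoid because the two thresholds can disagree."""
    has_cvss = any(r["type"] == "CVSS" for r in policy.rules)
    has_sca_severity = any(r["type"] == "MAX_SEVERITY" and "SCA" in r["scan_types"]
                           for r in policy.rules)
    return has_cvss and has_sca_severity


# Constructed sample policy: score >= 80, no High/Very High SAST/DAST/MPT findings,
# no OS command or SQL injection CWEs, no SCA vulnerability with CVSS >= 7.0,
# and no blocklisted component.
SAMPLE_POLICY = Policy(
    rules=[
        {"type": "MIN_SCORE", "value": 80},
        {"type": "MAX_SEVERITY", "scan_types": SAST_DAST_MPT, "value": 4},
        {"type": "CWE", "cwes": {78, 89}},
        {"type": "CVSS", "value": 7.0},
        {"type": "BLOCKLIST", "components": {"log4j-core"}},
    ],
    scan_score=85,
)

# Constructed sample findings (not real scan output).
SAMPLE_FINDINGS = [
    Finding("STATIC", 3, cwe=79, category="Cross-Site Scripting (XSS)"),
    Finding("STATIC", 4, cwe=89, category="SQL Injection"),
    Finding("SCA", 5, cvss=9.8, component="commons-text"),
    Finding("SCA", 2, cvss=4.3, component="log4j-core"),
]

if __name__ == "__main__":
    if conflicting_sca_rules(SAMPLE_POLICY):
        print("warning: CVSS rule and SCA severity rule both present")
    violations = rule_violations(SAMPLE_POLICY, SAMPLE_FINDINGS)
    print("PASS" if not violations else "FAIL")
    for line in violations:
        print(" -", line)
```

Against the sample data the policy fails on four rules (the severity-4 SQL injection finding trips both Findings by Severity and Findings with CWE ID, the CVSS 9.8 component trips the CVSS rule, and log4j-core trips the blocklist), while the first finding alone passes. Rules are evaluated independently, so a single finding can appear under several rules; that is also why the table recommends choosing either the CVSS rule or an SCA severity rule rather than both.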