The Veracode Platform enables an organization to define and enforce a uniform application security policy across all applications in its portfolio. An application security policy includes these elements:
- The target Veracode Level for the application.
- Types of findings that should not be in the application. You can restrict findings by severity, CWE category, CWE ID, license risk, CVSS score, or a common standard, including OWASP, OWASP Mobile, CWE Top 25, or PCI.
- Minimum Veracode security score.
- Component blocklist for Veracode SCA findings.
- Required scan types and frequencies.
- Time period in which findings can impact policy compliance.
- Grace period within which you must fix any policy-relevant findings.
Policies have three main constraints that can be applied: rules, required scans, and remediation grace periods.
Evaluating applications against a policy
When an application is evaluated against a policy, it can receive one of the following four assessments:
- Not assessed
- The application has not yet had a scan published.
- The application has passed all the aspects of the policy, including rules, required scans, and grace period.
- Did not pass
- The application has not completed all required scans, has not achieved the target Veracode Level, or has one or more policy-relevant findings that have exceeded the grace period to fix.
- Conditional pass
- The application has one or more policy relevant flaws that have not yet exceeded the grace period to fix.