Skip to main content

Understanding policies

The Veracode Platform enables an organization to define and enforce a uniform application security policy across all applications in its portfolio. An application security policy includes these elements:

  • The target Veracode Level for the application.

  • Types of findings that should not be in the application. You can restrict findings by severity, CWE category, CWE ID, license risk, CVSS score, or a common standard, including OWASP, OWASP Mobile, CWE Top 25, or PCI.

  • Minimum Veracode security score.

  • Component blocklist for Veracode SCA findings.

  • Required scan types and frequencies.

  • Time period in which findings can impact policy compliance.

  • Grace period within which you must fix any policy-relevant findings.

Policy constraints

You can apply three main constraints to policies: rules, required scans, and remediation grace periods.

Evaluating applications against a policy

When an application is evaluated against a policy, it can receive one of the following four assessments:

Not assessed

The application has not yet had a scan published.


The application has passed all the aspects of the policy, including rules, required scans, and grace period.

Did not pass

The application has not completed all required scans, has not achieved the target Veracode Level, or has one or more policy-relevant findings that have exceeded the grace period to fix.

Conditional pass

The application has one or more flaws related to a policy and these flaws have not yet exceeded the grace period to fix. All sandbox scans also have this status.