
Reviewing the Veracode default policies

Veracode provides default policies to make it easier for organizations to begin measuring their applications against policies. There are two sets of default policies:

  • Veracode Transitional Policies: the default policies for all organizations, designed to set a minimum level for those initially adopting Veracode for their application security programs.

  • Veracode Recommended Policies: the best-practice recommendation, based on Veracode Levels.

Veracode Transitional Policies

Veracode Transitional Policies are assigned to all of your applications by default and are the default policies for newly created applications. The policies emphasize performing an initial scan to establish the baseline quality of an application, and use the Veracode score (numeric score 1-100) as a progressive quality gate.

Note: The transitional policies do not take advantage of the remediation grace period feature. With no grace period, a transitional policy functions like the existing Veracode rating system, where the score takes effect as soon as the application is published.

Policy name                      Target VL  Minimum score  Scan requirement  Grace period
Veracode Transitional Very High  VL1        90             Any (once)        0
Veracode Transitional High       VL1        80             Any (once)        0
Veracode Transitional Medium     VL1        70             Any (once)        0
Veracode Transitional Low        VL1        60             Any (once)        0
Veracode Transitional Very Low   VL1        50             Any (once)        0

Veracode Recommended Policies

Veracode Recommended Policies are based on the Veracode Level definitions. They are an option when you are ready to move beyond the initial requirements set by the Veracode Transitional Policies.

Policy name                         Target VL  Flaw severities        Minimum score  Scan requirement                       Grace period
Veracode Recommended Very High      VL5        No Medium or above     90             Static (quarterly), Manual (annually)  0
Veracode Recommended High           VL4        No Medium or above     80             Static (quarterly)                     0
Veracode Recommended Medium         VL3        No High or above       70             Static (quarterly)                     0
Veracode Recommended Low            VL2        No Very High or above  60             Any (semi-annually)                    0
Veracode Recommended Very Low       VL1                                              Any (once)                             0
Veracode Recommended Mobile Policy                                                   Static (quarterly)                     0
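The two tables above define each policy as a minimum score, an optional flaw-severity ceiling and a scan-frequency requirement. The following Python is an added example, not Veracode's own code or API, showing how those three rule types combine when a single scan summary is evaluated against several default policies. It transcribes a few table rows into data and assumes its own approximations for "quarterly" (90 days), "semi-annually" (180 days) and "annually" (365 days); the `ScanSummary` input is constructed for the example.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional

# Veracode severity names, ordered from lowest to highest.
SEVERITIES = ("Informational", "Very Low", "Low", "Medium", "High", "Very High")


@dataclass(frozen=True)
class Policy:
    name: str
    target_vl: Optional[str]
    min_score: Optional[int]                     # None where the table leaves the cell blank
    banned_from: Optional[str]                   # "Medium" encodes "No Medium or above"; None = no severity rule
    scan_requirements: Dict[str, Optional[int]]  # scan type -> maximum age in days; None = "once"


# Rows transcribed from the tables above. The day counts for "quarterly",
# "semi-annually" and "annually" are this example's assumption, not Veracode's.
TRANSITIONAL_HIGH = Policy("Veracode Transitional High", "VL1", 80, None, {"Any": None})
RECOMMENDED_VERY_HIGH = Policy("Veracode Recommended Very High", "VL5", 90, "Medium",
                               {"Static": 90, "Manual": 365})
RECOMMENDED_HIGH = Policy("Veracode Recommended High", "VL4", 80, "Medium", {"Static": 90})
RECOMMENDED_LOW = Policy("Veracode Recommended Low", "VL2", 60, "Very High", {"Any": 180})


@dataclass
class ScanSummary:
    score: int                     # Veracode score, 1-100
    finding_severities: List[str]  # severity of each open finding
    last_scan: Dict[str, date]     # most recent completed scan per scan type


def evaluate(policy: Policy, summary: ScanSummary, today: date) -> List[str]:
    """Return every rule the application violates; an empty list means it passes.

    All default policies carry a grace period of 0, so a violation counts
    immediately rather than after a remediation window.
    """
    violations: List[str] = []

    if policy.min_score is not None and summary.score < policy.min_score:
        violations.append(f"score {summary.score} is below the minimum of {policy.min_score}")

    if policy.banned_from is not None:
        threshold = SEVERITIES.index(policy.banned_from)
        blocked = [s for s in summary.finding_severities if SEVERITIES.index(s) >= threshold]
        if blocked:
            violations.append(f"{len(blocked)} finding(s) rated {policy.banned_from} or above")

    for scan_type, max_age_days in policy.scan_requirements.items():
        # "Any" accepts whichever scan type ran most recently.
        if scan_type == "Any":
            dates = list(summary.last_scan.values())
        else:
            dates = [d for t, d in summary.last_scan.items() if t == scan_type]
        if not dates:
            violations.append(f"no {scan_type} scan on record")
            continue
        age = (today - max(dates)).days
        if max_age_days is not None and age > max_age_days:
            violations.append(f"latest {scan_type} scan is {age} days old (limit {max_age_days})")

    return violations


def demo() -> Dict[str, List[str]]:
    """Evaluate one constructed scan summary against several default policies."""
    today = date(2024, 6, 1)
    app = ScanSummary(
        score=82,
        finding_severities=["Low", "Medium"],
        last_scan={"Static": today - timedelta(days=120)},  # constructed: one static scan, 120 days old
    )
    policies = (TRANSITIONAL_HIGH, RECOMMENDED_VERY_HIGH, RECOMMENDED_HIGH, RECOMMENDED_LOW)
    return {p.name: evaluate(p, app, today) for p in policies}


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {'PASS' if not result else '; '.join(result)}")
```

The same application passes Transitional High (score 82 clears the 80 gate and "Any (once)" is satisfied by the old static scan) and Recommended Low, but fails Recommended High on its one Medium finding and on the stale static scan, and fails Recommended Very High on those plus the lower score and the missing manual scan. Transitional policies gate only on score, so an application can hold a high score while still carrying findings that a recommended policy would reject.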

Default policy for SCA agent-based scans

By default, the Veracode Recommended SCA Very High policy is assigned to workspaces used for SCA agent-based scanning. You can change the default policy in your policy settings. The following table lists the rules included in this policy:

Rule type               Requirement                Advanced options
Component Blocklist     Enforced                   n/a. This rule does not apply to agent-based scans.
Findings by Severity    Low and above not allowed  n/a. This rule does not apply to agent-based scans.
Vulnerability Severity  Very High not allowed      Vulnerable Methods: Any; Dependency: Any; Build Action: Warning; Override Severity: No
Vulnerability Severity  High not allowed           Vulnerable Methods: Any; Dependency: Any; Build Action: Warning; Override Severity: No
Vulnerability Severity  Medium not allowed         Vulnerable Methods: Any; Dependency: Any; Build Action: Warning; Override Severity: No
Vulnerability Severity  Low not allowed            Vulnerable Methods: Any; Dependency: Any; Build Action: Warning; Override Severity: No
Component License       High                       Dependency: Direct; Build Action: Warning; Override Severity: No; Non-OSS Licenses; Unrecognized Licenses: Allowed; Component with Multiple Licenses: All licenses must meet requirements
Component Version       Outdated                   Dependency: Direct; Build Action: Warning; Override Severity: No
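The practical difference between the rules above is their scope: the vulnerability-severity rules use Dependency: Any, so they reach transitive components, while the license and version rules use Dependency: Direct and ignore anything that is not a direct dependency. The following Python is an added example, not Veracode's agent or API, that evaluates a constructed component list against the rules in the table. It assumes that each "X not allowed" severity rule matches vulnerabilities of exactly that severity (one rule exists per level), that "Unrecognized Licenses: Allowed" means a license with no recognised risk level never triggers the rule, and that "All licenses must meet requirements" means a multi-licensed component is checked once per license; the Component Blocklist and Findings by Severity rows are left out because the table says they do not apply to agent-based scans.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Ordered from lowest to highest; used for both vulnerability severity and license risk.
LEVELS = ("Low", "Medium", "High", "Very High")


@dataclass
class Component:
    name: str
    direct: bool                        # True = direct dependency, False = transitive
    vuln_severities: List[str]          # severity of each known vulnerability in this version
    license_risks: List[Optional[str]]  # one entry per license; None = unrecognized license
    outdated: bool = False


@dataclass(frozen=True)
class SeverityRule:
    severity: str                       # e.g. "High" for "High not allowed"
    dependency: str = "Any"             # "Any" or "Direct"
    build_action: str = "Warning"


@dataclass(frozen=True)
class LicenseRule:
    risk: str = "High"                  # license risk level that is not allowed
    dependency: str = "Direct"
    unrecognized_allowed: bool = True   # "Unrecognized Licenses: Allowed"
    build_action: str = "Warning"


@dataclass(frozen=True)
class VersionRule:
    dependency: str = "Direct"
    build_action: str = "Warning"


# The Veracode Recommended SCA Very High rules as listed in the table above.
SEVERITY_RULES = [SeverityRule(s) for s in ("Very High", "High", "Medium", "Low")]
LICENSE_RULE = LicenseRule()
VERSION_RULE = VersionRule()

Hit = Tuple[str, str, str]  # (build action, component name, reason)


def in_scope(dependency: str, component: Component) -> bool:
    """Dependency: Any covers every component; Dependency: Direct only direct ones."""
    return dependency == "Any" or component.direct


def evaluate_components(components: List[Component]) -> List[Hit]:
    """Apply every rule to every component and collect the resulting build actions."""
    hits: List[Hit] = []
    for c in components:
        for rule in SEVERITY_RULES:
            if in_scope(rule.dependency, c) and rule.severity in c.vuln_severities:
                hits.append((rule.build_action, c.name, f"{rule.severity} vulnerability not allowed"))
        if in_scope(LICENSE_RULE.dependency, c):
            # "All licenses must meet requirements": each license is checked on its own.
            for risk in c.license_risks:
                if risk is None:
                    if not LICENSE_RULE.unrecognized_allowed:
                        hits.append((LICENSE_RULE.build_action, c.name, "unrecognized license"))
                elif LEVELS.index(risk) >= LEVELS.index(LICENSE_RULE.risk):
                    hits.append((LICENSE_RULE.build_action, c.name, f"{risk}-risk license"))
        if in_scope(VERSION_RULE.dependency, c) and c.outdated:
            hits.append((VERSION_RULE.build_action, c.name, "outdated version"))
    return hits


def demo() -> List[Hit]:
    """Constructed component list: names and findings are invented for the example."""
    components = [
        Component("lib-a", direct=True, vuln_severities=["High"], license_risks=["Low"], outdated=True),
        Component("lib-b", direct=False, vuln_severities=["Medium"], license_risks=["High"]),
        Component("lib-c", direct=True, vuln_severities=[], license_risks=[None, "Low"]),
    ]
    return evaluate_components(components)


if __name__ == "__main__":
    for action, name, reason in demo():
        print(f"{action}: {name}: {reason}")
```

In this run the transitive component lib-b is flagged for its Medium vulnerability but not for its High-risk license, because only the severity rules have Dependency: Any; lib-c is not flagged at all, since its unrecognized license is allowed. Every rule in the default policy carries Build Action: Warning, so none of these hits would fail a build on its own; an organization that wants a hard gate has to change that setting in its own policy.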