Built-in security policies
Veracode provides built-in policies to help organizations begin evaluating their applications against security standards. There are two sets of built-in policies for Static Analysis and Dynamic Analysis scans, and one built-in policy for SCA agent-based scans.
You can set a built-in policy as the default policy in your policy settings, or you can create custom policies.
Veracode recommended policies
Recommended policies assess your applications based on their business criticality. Once your teams are familiar with these policies, consider creating your own custom policies.
The following table lists the recommended policies.
| Policy name | Target VL¹ | Flaw severities and categories | Minimum score | Scan requirement | Grace period |
|---|---|---|---|---|---|
| Veracode Recommended Very High | VL5 | No Medium or above | 90 | Static (quarterly); Manual (annually) | 0 |
| Veracode Recommended High | VL4 | No Medium or above | 80 | Static (quarterly) | 0 |
| Veracode Recommended Medium | VL3 | No High or above | 70 | Static (quarterly) | 0 |
| Veracode Recommended Low | VL2 | No Very High or above | 60 | Any (semi-annually) | 0 |
| Veracode Recommended Very Low | VL1 | | | Any (once) | 0 |
| Veracode Recommended Very High + SCA | VL5 + SCA | No Medium or above | 90 | Static (quarterly); Manual (annually) | 0 |
| Veracode Recommended High + SCA | VL4 + SCA | No Medium or above | 80 | Static (quarterly) | 0 |
| Veracode Recommended Medium + SCA | VL3 + SCA | No High or above | 70 | Static (quarterly) | 0 |
| Veracode Recommended Mobile Policy | | | | Static (quarterly) | 0 |
| PCI 3.2.1 | | No High or above; OWASP Top 10; CWE Top 25; CERT | | Any (once) | 0 |
¹ Refer to Target Veracode Levels for more details.
Veracode transitional policies
Transitional policies are no longer recommended. They were originally created to establish a baseline Security Quality Score for applications without policies.
Transitional policies don't support grace periods. Without a grace period, the Security Quality Score is effective as soon as the scan results are published.
The following table lists the transitional policies.
| Policy name | Target VL | Minimum score | Scan requirement | Grace period |
|---|---|---|---|---|
| Veracode Transitional Very High | VL1 | 90 | Any (once) | 0 |
| Veracode Transitional High | VL1 | 80 | Any (once) | 0 |
| Veracode Transitional Medium | VL1 | 70 | Any (once) | 0 |
| Veracode Transitional Low | VL1 | 60 | Any (once) | 0 |
| Veracode Transitional Very Low | VL1 | 50 | Any (once) | 0 |
Built-in policy for SCA agent-based scans
By default, Veracode applies the Veracode Recommended SCA Very High policy to SCA agent-based workspaces.
The following table lists the rules in this policy:
| Rule type | Requirement | Advanced options |
|---|---|---|
| Findings by Severity | Low and above are not allowed | Not applicable. This rule does not apply to agent-based scans. |
| Vulnerability Severity | Very High are not allowed | Vulnerable Methods: Any; Dependency: Any; Fix Available: Any; Build Action: Warning; Override Severity: No |
| Vulnerability Severity | High are not allowed | Vulnerable Methods: Any; Dependency: Any; Fix Available: Any; Build Action: Warning; Override Severity: No |
| Vulnerability Severity | Medium are not allowed | Vulnerable Methods: Any; Dependency: Any; Fix Available: Any; Build Action: Warning; Override Severity: No |
| Vulnerability Severity | Low are not allowed | Vulnerable Methods: Any; Dependency: Any; Fix Available: Any; Build Action: Warning; Override Severity: No |
| Component License | High | Dependency: Direct; Non-OSS Licenses; Unrecognized Licenses: Allowed; Component with Multiple Licenses: All licenses must meet requirements; Build Action: Warning; Override Severity: No |
| Component Version | Outdated | Dependency: Direct; Build Action: Warning; Override Severity: No |
See Security Policy Constraints for more information about these rules.