
Include SCA findings in policy

You can prevent an application from passing policy when it uses vulnerable third-party components by adding SCA requirements to the policy. You can also require that no component exceed a maximum CVSS score or license risk, and that any SCA finding that violates a rule is resolved within its grace period for the application to pass policy.

If you add an SCA rule to a policy that is already assigned to applications, Veracode recalculates their policy compliance status against their existing scan results. An application that Veracode hasn't rescanned can therefore change from a passing status to a failing status as soon as the rule is saved, because components already found in its last scan now violate the new rule.

Before you begin:

To complete this task:

  1. To include SCA findings in your policy, create a custom policy or edit an existing custom policy.

  2. In the Rules section, add one or more of these rules that apply to SCA:

    • Component Blocklist Enforcement: automatically prevent an application from passing policy if a scan detects blocklisted components. To see which components are blocklisted, select View Blocklist.
    • Component Licenses: automatically prevent an application from passing policy if a scan detects any license that doesn't meet the defined requirements.
    • Vulnerability CVSS Score: automatically prevent an application from passing policy if a scan detects any vulnerability with the specified CVSS score or higher.
  3. Set the grace periods you want to apply to the SCA rules.

  4. Finish creating or editing the policy.
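The following is an added example, not Veracode's code or API, that models how the three SCA rules above combine with per-rule grace periods to decide whether an application passes policy. The data classes, field names, the low/medium/high license-risk ordering, the identification of blocklisted components by name and version, and the rule that a violation fails policy once the grace period measured from the date the finding was first found has elapsed are all assumptions made for illustration. The constructed sample data also shows the recalculation effect described earlier: the same unchanged scan results pass an empty policy and fail once a CVSS rule is added.

```python
"""Illustrative model of SCA policy rule evaluation (added example, not Veracode code)."""
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import Dict, List, Optional, Set, Tuple

# Assumed license-risk ordering for the example (higher number = riskier).
LICENSE_RISK = {"low": 1, "medium": 2, "high": 3}


@dataclass(frozen=True)
class ComponentFinding:
    """One third-party component reported by an SCA scan (assumed field names)."""
    name: str
    version: str
    first_found: date          # date the scan first reported this component
    max_cvss: float = 0.0      # highest CVSS score among its known vulnerabilities
    license_risk: str = "low"  # low / medium / high


@dataclass
class ScaPolicy:
    """The three SCA rules; None means the rule is not enabled."""
    blocklist: Set[Tuple[str, str]] = field(default_factory=set)  # (name, version)
    max_license_risk: Optional[str] = None  # highest license risk still allowed
    cvss_threshold: Optional[float] = None  # fail at this CVSS score or higher
    grace_days: Dict[str, int] = field(default_factory=dict)  # per rule name


@dataclass(frozen=True)
class Violation:
    rule: str        # "blocklist", "license" or "cvss"
    component: str   # "name@version"
    deadline: date   # first_found + grace; fails policy from this date on


def find_violations(policy: ScaPolicy, findings: List[ComponentFinding]) -> List[Violation]:
    """Apply each enabled rule to each finding and attach the rule's grace deadline."""
    out: List[Violation] = []
    for f in findings:
        hits = []
        if (f.name, f.version) in policy.blocklist:
            hits.append("blocklist")
        if (policy.max_license_risk is not None
                and LICENSE_RISK[f.license_risk] > LICENSE_RISK[policy.max_license_risk]):
            hits.append("license")
        if policy.cvss_threshold is not None and f.max_cvss >= policy.cvss_threshold:
            hits.append("cvss")
        for rule in hits:
            grace = timedelta(days=policy.grace_days.get(rule, 0))
            out.append(Violation(rule, f"{f.name}@{f.version}", f.first_found + grace))
    return out


def evaluate(policy: ScaPolicy, findings: List[ComponentFinding], today: date):
    """Return (passes, failing_violations, violations_still_in_grace) as of `today`.

    A violation counts against policy once today >= deadline; with a grace
    period of 0 days it fails on the day it is first found.
    """
    violations = find_violations(policy, findings)
    failing = [v for v in violations if today >= v.deadline]
    in_grace = [v for v in violations if today < v.deadline]
    return (not failing, failing, in_grace)


# Constructed sample scan results and policy (not real scan data).
AS_OF = date(2024, 2, 1)
SAMPLE_FINDINGS = [
    ComponentFinding("log4j-core", "2.14.1", date(2024, 1, 10), max_cvss=10.0),
    ComponentFinding("gpl-widget", "3.2.0", date(2024, 1, 25), license_risk="high"),
    ComponentFinding("safe-lib", "1.0.0", date(2024, 1, 1), max_cvss=3.1),
]
SAMPLE_POLICY = ScaPolicy(
    blocklist={("log4j-core", "2.14.1")},
    max_license_risk="medium",
    cvss_threshold=7.0,
    grace_days={"blocklist": 0, "license": 30, "cvss": 14},
)

if __name__ == "__main__":
    passes, failing, in_grace = evaluate(SAMPLE_POLICY, SAMPLE_FINDINGS, AS_OF)
    print("passes:", passes)
    for v in failing:
        print(f"FAIL  {v.rule:9} {v.component} (grace ended {v.deadline})")
    for v in in_grace:
        print(f"GRACE {v.rule:9} {v.component} (must fix by {v.deadline})")
    # Same unrescanned results: an empty policy passes, adding a CVSS rule fails.
    print("empty policy passes:", evaluate(ScaPolicy(), SAMPLE_FINDINGS, AS_OF)[0])
    print("after adding CVSS >= 7.0 rule:",
          evaluate(ScaPolicy(cvss_threshold=7.0), SAMPLE_FINDINGS, AS_OF)[0])
```

Running the block reports log4j-core failing under both the blocklist and CVSS rules (its grace periods have elapsed), the high-risk-license component still inside its 30-day grace period, and the flip from passing to failing when a CVSS rule is added to a policy without any rescan of the application.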