Include SCA Findings in Policy

Veracode Software Composition Analysis

You can restrict an application from using vulnerable third-party components by adding Veracode Software Composition Analysis requirements to your policy. You can also enforce that the application must not exceed maximum CVSS scores or license risk and must meet grace period requirements to pass policy.

  1. To add SCA findings in your policy, create a new policy or edit an existing policy.
  2. In the Rules section, add one or more of these rules that apply to SCA:
    Component Blocklist Enforcement
    Automatically prevent an application from passing policy if a scan detects blocklisted components. Click View Blocklist to see which components are blocklisted.
    Component Licenses
    Automatically prevent an application from passing policy if a scan detects any component license that does not meet the defined requirements.
    Vulnerability CVSS Score
    Automatically prevent an application from passing policy if a scan detects any vulnerability with the specified CVSS score or higher.


  3. Set the grace periods you want to apply to the SCA rules.
  4. Finish creating or editing the policy.
If you add an SCA policy rule to a policy already assigned to applications, Veracode recalculates the policy compliance status of the applications. This change can cause applications that Veracode did not rescan to change from a passing status to a failing status.
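To make the evaluation concrete, the following added example models the three SCA rules above (component blocklist, component licenses, CVSS threshold) with per-rule grace periods, and shows the recalculation effect just described: adding a rule to an existing policy can turn a passing application into a failing one without any new scan. This is illustrative code, not Veracode's own implementation or API; the data layout (the `Finding` and `ScaPolicy` classes), the field names and the sample findings are constructed assumptions.

```python
"""Illustrative model of SCA policy evaluation (added example, not Veracode code).

Assumptions: a finding is one flagged third-party component with its highest
CVSS score, its license and the date a scan first reported it; a grace period
is counted per rule from that first-found date.
"""
from __future__ import annotations

from dataclasses import dataclass, field
from datetime import date, timedelta


@dataclass(frozen=True)
class Finding:
    component: str      # component name and version (constructed sample values below)
    cvss: float         # highest CVSS score reported for the component
    license: str        # SPDX-style license identifier
    first_found: date   # date a scan first reported this finding


@dataclass
class ScaPolicy:
    blocklist: frozenset = frozenset()                 # Component Blocklist Enforcement
    allowed_licenses: frozenset | None = None          # Component Licenses (None = rule not added)
    max_cvss: float | None = None                      # Vulnerability CVSS Score (None = rule not added)
    grace_days: dict = field(default_factory=dict)     # grace period per rule name, default 0


def violations(policy: ScaPolicy, findings: list[Finding]) -> list[tuple[str, Finding]]:
    """Return (rule, finding) pairs for every finding that breaks an SCA rule."""
    out = []
    for f in findings:
        if f.component in policy.blocklist:
            out.append(("blocklist", f))
        if policy.allowed_licenses is not None and f.license not in policy.allowed_licenses:
            out.append(("license", f))
        # "the specified CVSS score or higher" fails the rule
        if policy.max_cvss is not None and f.cvss >= policy.max_cvss:
            out.append(("cvss", f))
    return out


def passes_policy(policy: ScaPolicy, findings: list[Finding], today: date) -> bool:
    """Pass only if every violation is still inside its rule's grace period."""
    for rule, f in violations(policy, findings):
        grace = timedelta(days=policy.grace_days.get(rule, 0))
        if today - f.first_found >= grace:
            return False
    return True


def recalculate(old: ScaPolicy, new: ScaPolicy, findings: list[Finding], today: date) -> tuple[bool, bool]:
    """Compliance status before and after a rule change, using the same (unrescanned) findings."""
    return passes_policy(old, findings, today), passes_policy(new, findings, today)


# Constructed sample data: fictional component names, scores and dates.
TODAY = date(2024, 6, 1)
FINDINGS = [
    Finding("example-utils@1.2.3", 7.4, "MIT", date(2024, 3, 1)),
    Finding("example-logger@2.0.0", 10.0, "Apache-2.0", date(2024, 5, 20)),
    Finding("example-copyleft@1.0", 0.0, "GPL-3.0-only", date(2024, 1, 10)),
]

# Original policy: blocklist rule only, with a 30-day grace period.
POLICY_BEFORE = ScaPolicy(blocklist=frozenset({"example-logger@2.0.0"}),
                          grace_days={"blocklist": 30})

# Same policy after adding a CVSS rule (score 7.0 or higher fails, no grace period).
POLICY_AFTER = ScaPolicy(blocklist=frozenset({"example-logger@2.0.0"}),
                         max_cvss=7.0,
                         grace_days={"blocklist": 30})

if __name__ == "__main__":
    before, after = recalculate(POLICY_BEFORE, POLICY_AFTER, FINDINGS, TODAY)
    print(f"passes before rule change: {before}")   # blocklisted finding still in grace
    print(f"passes after rule change:  {after}")    # CVSS 7.4 finding is 92 days old, no grace
    for rule, f in violations(POLICY_AFTER, FINDINGS):
        print(f"  {rule:<9} {f.component}")
```

The blocklisted component was first reported 12 days before `TODAY`, so under the 30-day grace period the application passes the original policy; once the CVSS rule is added with no grace period, a 92-day-old CVSS 7.4 finding fails it immediately, which is the status change the recalculation note warns about.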