You can make an application's policy compliance depend on its third-party components by adding Veracode Software Composition Analysis (SCA) requirements to the policy. SCA rules can require that no component finding exceeds a maximum CVSS score or license risk level, and that violating findings are remediated within the policy's grace period; an application that breaks any of these rules does not pass the policy.
- You must have the Policy Administrator role to edit policies.
- To include findings from agent-based SCA scans in policy evaluation, you must link the agent-based scan project to an application.
If you add an SCA policy rule to a policy that is already assigned to applications, Veracode recalculates the policy compliance status of every application that uses that policy. The recalculation uses the existing scan results, so applications that Veracode has not rescanned can change from a passing status to a failing status as soon as the rule is saved.
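The recalculation behaviour described above, as an added illustrative model (this is example code written for this page, not Veracode's implementation, API or data schema; the field names, the status strings PASSED, CONDITIONAL_PASS and DID_NOT_PASS, the license-risk ordering and the sample findings are all assumptions for the example). It evaluates stored findings against a policy with and without an SCA rule, so you can see which applications flip from passing to failing without any rescan, and which only enter a grace period:

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional, Tuple

# Illustrative model of an SCA policy rule. Field names, status strings and the
# evaluation order are assumptions made for this example, not Veracode's model.

LICENSE_RISK_ORDER = {"low": 0, "medium": 1, "high": 2}


@dataclass(frozen=True)
class Finding:
    component: str
    cvss: float
    license_risk: str   # one of LICENSE_RISK_ORDER
    first_seen: date    # date a scan first reported this component


@dataclass(frozen=True)
class ScaRule:
    max_cvss: Optional[float] = None         # findings above this score violate the rule
    max_license_risk: Optional[str] = None   # findings above this risk level violate the rule
    grace_days: int = 0                      # days allowed to fix a violation before failing


@dataclass
class Policy:
    name: str
    sca_rule: Optional[ScaRule] = None


def violates(finding: Finding, rule: ScaRule) -> bool:
    """True if the finding breaks the CVSS limit or the license-risk limit."""
    over_cvss = rule.max_cvss is not None and finding.cvss > rule.max_cvss
    over_license = (
        rule.max_license_risk is not None
        and LICENSE_RISK_ORDER[finding.license_risk]
        > LICENSE_RISK_ORDER[rule.max_license_risk]
    )
    return over_cvss or over_license


def evaluate(policy: Policy, findings: List[Finding], today: date) -> Tuple[str, List[str]]:
    """Evaluate already-stored findings against the policy; nothing is rescanned.

    Returns (status, reasons). Status is PASSED, CONDITIONAL_PASS (violations
    still inside their grace period) or DID_NOT_PASS (grace period expired).
    """
    if policy.sca_rule is None:
        return "PASSED", []
    rule = policy.sca_rule
    failing: List[str] = []
    in_grace: List[str] = []
    for f in findings:
        if not violates(f, rule):
            continue
        deadline = f.first_seen + timedelta(days=rule.grace_days)
        bucket = in_grace if today <= deadline else failing
        bucket.append(f"{f.component} (CVSS {f.cvss}, license risk {f.license_risk}, fix by {deadline})")
    if failing:
        return "DID_NOT_PASS", failing
    if in_grace:
        return "CONDITIONAL_PASS", in_grace
    return "PASSED", []


def recalculate(policy: Policy, apps: Dict[str, List[Finding]], today: date) -> Dict[str, str]:
    """Recompute compliance for every application assigned to the policy."""
    return {name: evaluate(policy, findings, today)[0] for name, findings in apps.items()}


def demo() -> Dict[str, Dict[str, str]]:
    # Constructed sample data, not real scan output.
    today = date(2024, 6, 1)
    apps = {
        "billing": [Finding("lib-a", 9.8, "low", date(2024, 3, 1))],    # old critical finding
        "portal": [Finding("lib-b", 8.1, "low", date(2024, 5, 20))],    # recent high finding
        "docs": [Finding("lib-c", 4.3, "medium", date(2024, 1, 15))],   # within limits
    }
    policy = Policy("corp-default")
    before = recalculate(policy, apps, today)          # no SCA rule yet: everything passes
    policy.sca_rule = ScaRule(max_cvss=7.0, max_license_risk="medium", grace_days=30)
    after = recalculate(policy, apps, today)           # same stored findings, rule added
    return {"before": before, "after": after}


if __name__ == "__main__":
    for phase, statuses in demo().items():
        print(phase, statuses)
```

Running `demo()` shows the practical consequence: `billing` goes from PASSED to DID_NOT_PASS with no new scan, because its critical finding was first seen long before the 30-day grace period the new rule allows, while `portal` only moves to CONDITIONAL_PASS until its deadline. Before adding an SCA rule to a shared policy, run the same kind of dry run over the applications assigned to it so the status changes are expected rather than discovered.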