You can restrict an application from using vulnerable third-party components by adding Veracode Software Composition Analysis requirements to your policy. You can also enforce that the application must not exceed maximum CVSS scores or license risk and must meet grace period requirements to pass policy.
- You must have the Policy Administrator role to edit policies.
- To include agent-based scan findings in your policy, you must link your project to an application.
-
In the Rules section, add one or more of these rules that apply to SCA:
- Component Blocklist Enforcement
- Automatically prevent an application from passing policy if a scan detects blocklisted components. Click View Blocklist to see which components are blocklisted.
- Component Licenses
- Automatically prevent an application from passing policy if a scan detects any license that does meet the defined requirements.
- Vulnerability CVSS Score
- Automatically prevent an application from passing policy if a scan detects any vulnerability with the specified CVSS score or higher.
If you add an SCA policy rule to a policy already assigned to applications, Veracode
recalculates the policy compliance status of the applications. This change can cause
applications that Veracode did not rescan to change from a passing status to a failing
status.