Policy REST API rules properties

You use JSON properties to configure and apply policy rules with the Policy REST API.

Specify rules with the finding_rules and value keys. Each rule must contain the type, scan_type, and value key-value pairs, as shown in this example:

 "finding_rules": [
{
   "type":"MAX_SEVERITY",
   "scan_type":[
      "DYNAMIC",
      "MANUAL",
      "STATIC"
   ],
   "value":"3"
}
]

This table describes the JSON properties you use when creating and updating policy rules.

Name	Description
`FAIL_ALL`	Enter a comma-separated list of one or more of these scan types: `Static Analysis`, `Dynamic Analysis`, `Manual Penetration Testing`. To pass policy, applications must not contain findings from one or more of the specified scan types.
`CWE`	Enter a comma-separated list of CWE IDs.To pass policy, applications must not contain the specified CWE IDs.
`CATEGORY`	Enter a comma-separated list of CWE categories.To pass policy, applications must not contain CWEs in the specified categories.
`MAX_SEVERITY`	Enter a value from `0` to `5` to specify the finding-severity rating.To pass policy, applications must not contain any findings that meet or exceed the specified severity rating for the specified scan types.
`CVSS`	Enter a CVSS score. To pass policy, applications must not contain any findings that meet or exceed the specified CVSS score. This rule only applies to findings from Veracode SCA upload scans.
`CVE`	Enter a comma-separated list of CVE IDs.To pass policy, applications must not contain findings with the specified CVE IDs.
`BLACKLIST`	To pass policy, applications must not contain any findings from your organization blocklist.
`MIN_SCORE`	Enter a value between `1` and `100`.To pass policy, applications must meet or exceed the specified score value.
`SECURITY_STANDARD`	Enter a comma-separated list of one or more of these security standards: `cert` is the CERT Coding Standard `cwe_veracode` is the Auto-Update CWE Top 25 `OWASP` is the OWASP Top Ten 2017 `owasp_mobile` is the OWASP Mobile Top 10 `pci` is the PCI Security Standard `cwe_2019` is the CWE Top 25 2019 `owasp_13` is the OWASP Top 10 2013 `sans` is the CWE/SANS Top 25 2011 CWE Top 25 2019, OWASP Top 10 2013, and CWE/SANS Top 25 2011 are legacy standards. For new policies, Veracode recommends that you use the standards for Latest CWE Top 25 and OWASP Top 10 2017. To pass policy, applications must not contain any findings defined in the specified standards. If you enter `cwe_veracode`, Veracode automatically reassesses the application when it implements a new version of the CWE Top 25 standard. Appendix: CWEs That Violate Security Standards provides the full list of CWEs that can prevent an application from passing security standard rules in policies.
`LICENSE_RISK`	Enter a comma-separated list of one or more of these license risk ratings: `Low`, `Medium`, `High`, `Non-OSS`, `Unrecognized` To pass policy, applications must not contain any findings with the specified license risk ratings. This rule only applies to findings from Veracode SCA upload scans.

Did you find this helpful?