Reviewing policy adherence
After an application is scanned, the report you receive includes a summary of how well the application adhered to the policies assigned to it. The Policy Control tab on the View Report page lists the names and descriptions of the assigned policies and details how the application met each policy's requirements for the:
- Veracode Level rule and any custom rules, including any blocklist rules
- Scan requirements
- Remediation levels
From the application overview, select View Report to see the policy controls. You can switch between two reports: the Veracode Report and the PCI Report. The Veracode Report contains details about the flaws identified in the application, the policy requirements, findings and recommendations on how to fix the flaws, and any mitigations.
The PCI Report additionally lists the security standards that the application did not meet. For each standard specified in the policy (CERT, OWASP, and CWE Top 25), a table on the Policy Control tab shows the number of findings that did not pass each category of the standards the application failed.