About Veracode built-in policies
Veracode provides built-in policies to help organizations begin evaluating their applications against security standards. There are two sets of built-in policies for Static Analysis and Dynamic Analysis scans, and one built-in policy for SCA agent-based scans.
You can set a built-in policy as the default policy in your policy settings, or you can create custom policies.
Veracode transitional policies
Transitional policies run an initial scan to establish a baseline Security Quality Score for the application. As your teams address findings, the score improves. We recommend using these policies when first adopting Veracode for application security testing.
Transitional policies don't support grace periods. Without a grace period, the Security Quality Score is effective as soon as the scan results are published.
The following table lists the transitional policies.
| Policy name | Target VL | Minimum score | Scan requirement | Grace period |
|---|---|---|---|---|
| Veracode Transitional Very High | VL1 | 90 | Any (Once) | 0 |
| Veracode Transitional High | VL1 | 80 | Any (Once) | 0 |
| Veracode Transitional Medium | VL1 | 70 | Any (Once) | 0 |
| Veracode Transitional Low | VL1 | 60 | Any (Once) | 0 |
| Veracode Transitional Very Low | VL1 | 50 | Any (Once) | 0 |
Veracode recommended policies
Recommended policies assess your applications based on the Veracode Levels. After your teams become familiar with the transitional policies, consider switching to the recommended policies or creating your own custom policies. Veracode applies these recommended policies by default to new application profiles based on the business criticality of the application.
The following table lists the recommended policies.
| Policy name | Target VL | Flaw severities | Minimum score | Scan requirement | Grace period |
|---|---|---|---|---|---|
| Veracode Recommended Very High | VL5 | No Medium or above | 90 | Static (quarterly) Manual (annually) | 0 |
| Veracode Recommended High | VL4 | No Medium or above | 80 | Static (quarterly) | 0 |
| Veracode Recommended Medium | VL3 | No High or above | 70 | Static (quarterly) | 0 |
| Veracode Recommended Low | VL2 | No Very High or above | 60 | Any (semi-annually) | 0 |
| Veracode Recommended Very Low | VL1 | Any (once) | 0 | ||
| Veracode Recommended Mobile Policy | Static (quarterly) | 0 |
Built-in policy for SCA agent-based scans
By default, Veracode applies the Veracode Recommended SCA Very High policy to SCA agent-based workspaces.
The following table lists the rules in this policy:
| Rule type | Requirement | Advanced options |
|---|---|---|
| Findings by Severity | Low and above are not allowed | Not applicable. This rule does not apply to agent-based scans. |
| Vulnerability Severity | Very High are not allowed | Vulnerable Methods: Any Dependency: Any Build Action: Warning Override Severity: No |
| Vulnerability Severity | High are not allowed | Vulnerable Methods: Any Dependency: Any Build Action: Warning Override Severity: No |
| Vulnerability Severity | Medium are not allowed | Vulnerable Methods: Any Dependency: Any Build Action: Warning Override Severity: No |
| Vulnerability Severity | Low are not allowed | Vulnerable Methods: Any Dependency: Any Build Action: Warning Override Severity: No |
| Component License | High | Dependency: Direct Build Action: Warning Override Severity: No Non-OSS Licenses Unrecognized Licenses: Allowed Component with Multiple Licenses: All licenses must meet requirements |
| Component Version | Outdated | Dependency: Direct Build Action: Warning Override Severity: No |