
About Veracode built-in policies

Veracode provides built-in policies to help organizations begin evaluating their applications against security standards. There are two sets of built-in policies for Static Analysis and Dynamic Analysis scans, and one built-in policy for SCA agent-based scans.

You can set a built-in policy as the default policy in your policy settings, or you can create custom policies.

Veracode transitional policies

Transitional policies run an initial scan to establish a baseline Security Quality Score for the application. As your teams address findings, the score improves. We recommend using these policies when first adopting Veracode for application security testing.

Note: Transitional policies don't support grace periods. Without a grace period, the Security Quality Score is effective as soon as the scan results are published.

The following table lists the transitional policies.

| Policy name | Target VL | Minimum score | Scan requirement | Grace period |
| --- | --- | --- | --- | --- |
| Veracode Transitional Very High | VL1 | 90 | Any (Once) | 0 |
| Veracode Transitional High | VL1 | 80 | Any (Once) | 0 |
| Veracode Transitional Medium | VL1 | 70 | Any (Once) | 0 |
| Veracode Transitional Low | VL1 | 60 | Any (Once) | 0 |
| Veracode Transitional Very Low | VL1 | 50 | Any (Once) | 0 |

Recommended policies assess your applications based on the Veracode Levels. After your teams become familiar with the transitional policies, consider switching to the recommended policies or creating your own custom policies. Veracode applies these recommended policies by default to new application profiles based on the business criticality of the application.

The following table lists the recommended policies.

| Policy name | Target VL | Flaw severities | Minimum score | Scan requirement | Grace period |
| --- | --- | --- | --- | --- | --- |
| Veracode Recommended Very High | VL5 | No Medium or above | 90 | Static (quarterly), Manual (annually) | 0 |
| Veracode Recommended High | VL4 | No Medium or above | 80 | Static (quarterly) | 0 |
| Veracode Recommended Medium | VL3 | No High or above | 70 | Static (quarterly) | 0 |
| Veracode Recommended Low | VL2 | No Very High or above | 60 | Any (semi-annually) | 0 |
| Veracode Recommended Very Low | VL1 | | | Any (once) | 0 |
| Veracode Recommended Mobile Policy | | | | Static (quarterly) | 0 |
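As an added illustration (not Veracode's own evaluation logic or code), the following Python model shows how the columns of the two tables above combine: a result must satisfy the scan requirement, the minimum score and the flaw-severity rule together, so the same scan can pass a transitional policy yet fail the recommended policy that shares its minimum score. The severity ranking, the 90-day reading of "quarterly" and the sample scan result are assumptions made for the example.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional

# Severity ranking assumed by this model (Veracode's five-level scale plus Informational).
SEVERITY = {"Informational": 0, "Very Low": 1, "Low": 2, "Medium": 3, "High": 4, "Very High": 5}


@dataclass
class Policy:
    name: str
    min_score: int = 0                     # "Minimum score" column
    blocked_from: Optional[str] = None     # "Medium" models "No Medium or above"
    scan_every_days: Optional[int] = None  # None models "Once": any completed scan satisfies it


@dataclass
class ScanResult:
    score: int                  # published Security Quality Score
    max_flaw_severity: str      # highest severity among open flaws
    last_scan: Optional[date]   # None = the application has never been scanned


def evaluate(policy: Policy, result: ScanResult, today: date) -> list[str]:
    """Return the policy rules the result violates; an empty list means the policy passes."""
    violations = []
    if result.last_scan is None:
        violations.append("scan requirement: no completed scan")
    elif policy.scan_every_days is not None and (today - result.last_scan).days > policy.scan_every_days:
        violations.append("scan requirement: last scan older than required frequency")
    if result.score < policy.min_score:
        violations.append(f"minimum score: {result.score} < {policy.min_score}")
    if policy.blocked_from and SEVERITY[result.max_flaw_severity] >= SEVERITY[policy.blocked_from]:
        violations.append(f"flaw severities: {result.max_flaw_severity} flaw open, no {policy.blocked_from} or above allowed")
    return violations


# Two rows from the tables above; "quarterly" is modelled as 90 days (an assumption of this example).
TRANSITIONAL_HIGH = Policy("Veracode Transitional High", min_score=80)
RECOMMENDED_HIGH = Policy("Veracode Recommended High", min_score=80, blocked_from="Medium", scan_every_days=90)

if __name__ == "__main__":
    # Constructed sample: score 85 with one open Medium flaw, scanned 30 days ago.
    today = date(2024, 6, 1)
    result = ScanResult(score=85, max_flaw_severity="Medium", last_scan=date(2024, 5, 2))
    for policy in (TRANSITIONAL_HIGH, RECOMMENDED_HIGH):
        print(policy.name, "->", evaluate(policy, result, today) or "passes")
```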

Built-in policy for SCA agent-based scans

By default, Veracode applies the Veracode Recommended SCA Very High policy to SCA agent-based workspaces.

The following table lists the rules in this policy:

| Rule type | Requirement | Advanced options |
| --- | --- | --- |
| Findings by Severity | Low and above are not allowed | Not applicable. This rule does not apply to agent-based scans. |
| Vulnerability Severity | Very High are not allowed | Vulnerable Methods: Any; Dependency: Any; Build Action: Warning; Override Severity: No |
| Vulnerability Severity | High are not allowed | Vulnerable Methods: Any; Dependency: Any; Build Action: Warning; Override Severity: No |
| Vulnerability Severity | Medium are not allowed | Vulnerable Methods: Any; Dependency: Any; Build Action: Warning; Override Severity: No |
| Vulnerability Severity | Low are not allowed | Vulnerable Methods: Any; Dependency: Any; Build Action: Warning; Override Severity: No |
| Component License | High | Dependency: Direct; Build Action: Warning; Override Severity: No; Non-OSS Licenses; Unrecognized Licenses: Allowed; Component with Multiple Licenses: All licenses must meet requirements |
| Component Version | Outdated | Dependency: Direct; Build Action: Warning; Override Severity: No |