Policy API Rules Properties

Veracode APIs

You use JSON properties to configure and apply policy rules with the Veracode Policy API.

This table describes the JSON properties you use when creating and updating policy rules using the Policy API.
You specify rules inside the finding_rules property. Each rule must contain the type, scan_type, and value properties, as shown in this example:
    "finding_rules": [
        {
            "type": "MAX_SEVERITY",
            "scan_type": [
                "DYNAMIC",
                "MANUAL",
                "STATIC"
            ],
            "value": "3"
        }
    ]
FAIL_ALL
  Enter a comma-separated list of one or more of these scan types:
    • Static Analysis
    • Dynamic Analysis
    • Manual Penetration Testing
  To pass policy, applications must not contain any findings from the specified scan types.

CWE
  Enter a comma-separated list of CWE IDs.
  To pass policy, applications must not contain findings with the specified CWE IDs.

CATEGORY
  Enter a comma-separated list of CWE categories.
  To pass policy, applications must not contain CWEs in the specified categories.

MAX_SEVERITY
  Enter a value from 0 to 5 to specify the finding-severity rating.
  To pass policy, applications must not contain any findings that meet or exceed the specified severity rating for the specified scan types.

CVSS
  Enter a CVSS score.
  To pass policy, applications must not contain any findings that meet or exceed the specified CVSS score.
  This rule only applies to findings from Veracode SCA upload scans.

CVE
  Enter a comma-separated list of CVE IDs.
  To pass policy, applications must not contain findings with the specified CVE IDs.

BLACKLIST
  To pass policy, applications must not contain any findings from your organization blocklist.

MIN_SCORE
  Enter a value between 1 and 100.
  To pass policy, applications must meet or exceed the specified score value.

SECURITY_STANDARD
  Enter a comma-separated list of one or more of these security standards:
    • cert is the CERT Coding Standard
    • cwe_veracode is the Auto-Update CWE Top 25
    • OWASP is the OWASP Top Ten 2017
    • owasp_mobile is the OWASP Mobile Top 10
    • pci is the PCI Security Standard
    • cwe_2019 is the CWE Top 25 2019
    • owasp_13 is the OWASP Top 10 2013
    • sans is the CWE/SANS Top 25 2011
  CWE Top 25 2019, OWASP Top 10 2013, and CWE/SANS Top 25 2011 are legacy standards. For new policies, Veracode recommends that you use the standards for Latest CWE Top 25 and OWASP Top 10 2017.
  To pass policy, applications must not contain any findings defined in the specified standards.
  If you enter cwe_veracode, Veracode automatically reassesses the application when it implements a new version of the CWE Top 25 standard.
  Appendix: CWEs That Violate Security Standards provides the full list of CWEs that can prevent an application from passing security standard rules in policies.

LICENSE_RISK
  Enter a comma-separated list of one or more of these license risk ratings:
    • Low
    • Medium
    • High
    • Non-OSS
    • Unrecognized
  To pass policy, applications must not contain any findings with the specified license risk ratings.
  This rule only applies to findings from Veracode SCA upload scans.
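As an added example (not Veracode's code), the following Python evaluator applies finding_rules of the kinds described above to a constructed list of findings, so the meet-or-exceed and comma-separated-list semantics of each rule can be checked locally before a policy is uploaded. The finding fields it reads (id, scan_type, severity, cwe, cvss, license_risk) and the scoping of every rule to its scan_type list are assumptions of this example, not the Veracode findings schema.

```python
# Added example, not Veracode code: evaluate finding_rules against findings whose
# shape ({"id", "scan_type", "severity", "cwe", ...}) is assumed, not Veracode's schema.
REQUIRED_KEYS = {"type", "scan_type", "value"}

def _listed(rule):
    """Split a comma-separated rule value into a set of trimmed strings."""
    return {v.strip() for v in str(rule["value"]).split(",") if v.strip()}

def rule_violations(rule, findings):
    """Return the findings that violate one rule, following the property table."""
    if not REQUIRED_KEYS.issubset(rule):
        raise ValueError(f"rule is missing {REQUIRED_KEYS - set(rule)}")
    # Every rule is scoped to its scan_type list (assumption of this example).
    scoped = [f for f in findings if f["scan_type"] in rule["scan_type"]]
    kind = rule["type"]
    if kind == "MAX_SEVERITY":      # severity 0-5; meeting or exceeding it fails
        limit = int(rule["value"])
        if not 0 <= limit <= 5:
            raise ValueError("MAX_SEVERITY value must be between 0 and 5")
        return [f for f in scoped if f["severity"] >= limit]
    if kind == "CWE":               # any of the listed CWE IDs fails
        return [f for f in scoped if str(f.get("cwe")) in _listed(rule)]
    if kind == "CVSS":              # SCA findings only; meeting or exceeding fails
        floor = float(rule["value"])
        return [f for f in scoped if f.get("cvss") is not None and f["cvss"] >= floor]
    if kind == "LICENSE_RISK":      # SCA findings only; any listed rating fails
        return [f for f in scoped if f.get("license_risk") in _listed(rule)]
    raise ValueError(f"rule type {kind} is not handled by this example")

def evaluate_policy(finding_rules, findings):
    """Map each violated rule type to its findings; an empty dict means pass."""
    report = {}
    for rule in finding_rules:
        hits = rule_violations(rule, findings)
        if hits:
            report[rule["type"]] = hits
    return report

# Constructed sample data for a local run (not real scan results).
SAMPLE_FINDINGS = [
    {"id": 1, "scan_type": "STATIC", "severity": 4, "cwe": "89"},
    {"id": 2, "scan_type": "STATIC", "severity": 2, "cwe": "79"},
    {"id": 3, "scan_type": "DYNAMIC", "severity": 3, "cwe": "200"},
    {"id": 4, "scan_type": "MANUAL", "severity": 1, "cwe": "79"},
]
SAMPLE_RULES = [
    {"type": "MAX_SEVERITY", "scan_type": ["DYNAMIC", "MANUAL", "STATIC"], "value": "3"},
    {"type": "CWE", "scan_type": ["STATIC"], "value": "79, 89"},
]
```

Calling evaluate_policy(SAMPLE_RULES, SAMPLE_FINDINGS) reports findings 1 and 3 under MAX_SEVERITY (severity 3 meets the limit) and findings 1 and 2 under CWE; finding 4 carries CWE 79 but is a MANUAL finding, so the STATIC-scoped CWE rule ignores it.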