Create a Policy

Application Security Policies

Policies must include one or more of the following types of requirements to which an application must adhere: rules, evaluation timeframes, scan requirements, and remediation grace periods. You define the requirements while creating a new policy.

You must have the Policy Administrator role to create policies.

You can also create a policy with the Policy API.

To create a new policy:

  1. Go to Policies > Policies at the top of the Veracode Platform.
  2. Click Add New Policy.
  3. Enter the name of the new policy. This policy name appears in the following locations:
    • Applications list
    • Application profile
    • Reports
    • Results from the Results and Archer APIs
  4. Enter a detailed description of the policy. This policy description appears in the application scan results report.
  5. Click the Use as Vendor Policy switch if you want to use this policy to calculate scan results that vendors share with you.
  6. Click Next.
  7. Add the rules, evaluation timeframe, grace periods, and custom severities that you want to include in the policy.
  8. Click Next.
  9. Select the scan requirement frequency for either all scan types or specific scan types.
  10. Click Finish.
    After you successfully create the policy, the Veracode Platform displays a confirmation message.
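The same policy can be created programmatically, as the note above about the Policy API says. The following is an added example (it is not Veracode's own code or part of this documentation) that mirrors the ten steps: it assembles a policy body with a name, description, vendor flag, finding rules, scan frequency rules and grace periods, checks the rule stated at the top of this page that a policy must carry at least one requirement type, and only submits when API credentials are present. The endpoint path, the JSON field names (`vendor_policy`, `finding_rules`, `scan_frequency_rules`, `grace_periods`), the rule and frequency values, and the use of the `veracode-api-signing` HMAC plugin are assumptions from memory of the Policy API and must be checked against the current API reference before use.

```python
"""Added example: build, validate and (optionally) submit a Veracode policy.

Not Veracode's code. Field names, enum values and the endpoint are assumptions
based on the Policy API schema; verify them against the current API reference.
"""
import os

# Assumed Policy API endpoint (verify against the API reference).
POLICY_API_URL = "https://api.veracode.com/appsec/v1/policies"


def build_policy(name, description, vendor_policy=False, finding_rules=None,
                 scan_frequency_rules=None, grace_periods=None):
    """Assemble the JSON body for a new policy (steps 3 to 9 of the procedure).

    Every key below is an assumed Policy API field name.
    """
    return {
        "name": name,                                   # step 3
        "description": description,                     # step 4
        "vendor_policy": vendor_policy,                 # step 5
        "finding_rules": finding_rules or [],           # step 7: rules
        "grace_periods": grace_periods or {},           # step 7: remediation grace periods
        "scan_frequency_rules": scan_frequency_rules or [],  # step 9: scan requirements
    }


def validate_policy(policy):
    """Return a list of problems; an empty list means the body satisfies the
    page's stated constraints: a name is required, and at least one of rules,
    scan requirements or grace periods must be present."""
    problems = []
    if not policy.get("name", "").strip():
        problems.append("policy name is required")
    has_requirement = any([
        policy.get("finding_rules"),
        policy.get("scan_frequency_rules"),
        policy.get("grace_periods"),
    ])
    if not has_requirement:
        problems.append(
            "policy must include at least one rule, scan requirement or grace period")
    return problems


def submit_policy(policy):
    """POST the policy with HMAC auth when credentials are configured; otherwise
    return a dry-run result so the body can be inspected offline."""
    problems = validate_policy(policy)
    if problems:
        raise ValueError("; ".join(problems))
    if not (os.environ.get("VERACODE_API_KEY_ID")
            and os.environ.get("VERACODE_API_KEY_SECRET")):
        return {"dry_run": True, "payload": policy}
    # Imported lazily so the offline path needs no third-party packages.
    import requests
    from veracode_api_signing.plugin_requests import RequestsAuthPluginVeracodeHMAC
    # The plugin reads the API ID and secret from the environment (assumption).
    resp = requests.post(POLICY_API_URL, json=policy,
                         auth=RequestsAuthPluginVeracodeHMAC())
    resp.raise_for_status()
    return resp.json()


def example_policy():
    """Constructed sample: fail on any finding of severity High or above in
    static and dynamic scans, require a monthly static scan, and give 30 days
    to fix Very High findings. Rule types and values are assumptions."""
    return build_policy(
        name="Example Web App Policy",
        description="Constructed sample policy for illustration only.",
        vendor_policy=False,
        finding_rules=[
            {"type": "MAX_SEVERITY", "scan_type": ["STATIC", "DYNAMIC"], "value": "3"},
        ],
        scan_frequency_rules=[
            {"scan_type": "STATIC", "frequency": "MONTHLY"},
        ],
        grace_periods={"sev5": 30},
    )


if __name__ == "__main__":
    print(submit_policy(example_policy()))
```

Run it without credentials to see the assembled body as a dry run; set `VERACODE_API_KEY_ID` and `VERACODE_API_KEY_SECRET` (and install `requests` and `veracode-api-signing`) to submit it. Keeping validation separate from submission lets a CI job reject a malformed policy before any network call is made.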