Understanding Policy Notifications

Application Security Policies

The Veracode Platform can send notifications automatically when certain policy-related events occur. Whether these policy notifications are sent depends on the notification settings for the organization.

Note: The Veracode Platform does not send notifications that contain sensitive information about your application, including the policy status, Veracode Level, or any other information about the application that could be used to identify a weakness in your application or your organization.

Policy-related notifications are sent automatically to the team assigned to the application, to any users with the Security Lead role, and to the Business Owner email address identified on the application profile.

The following notifications can be sent from the Veracode Platform:

Policy Change

This notification is sent when the policy for an application has changed, either because a new policy has been applied to the application, or because a policy already assigned to the application has been updated. The notification is sent immediately when the new policy is assigned or when the existing policy is updated.

Upcoming Scan Required

This notification is sent when a required scan is due in approximately 30 days, based on the schedule defined in the policy for the application. The Veracode Platform checks once a day during the night to send any Upcoming Scan Required notifications.

Grace Period Expiring Soon

This notification is sent when a flaw is about to go out of the grace period set in the policy. The notification is sent a certain number of days ahead of the actual expiration date, on a sliding scale ranging from a day ahead to 30 days ahead based on the length of the grace period. The Veracode Platform checks once a day during the night to send any Upcoming Scan Required notifications.