Customizing Severities

Application Security Policies

Veracode assigns a severity level to each CWE that a scan discovers. You can customize these severity levels within a policy, assigning a CWE a higher or lower severity than the Veracode standard. Custom severities take effect immediately: they change the results of the latest scan for every application assigned this policy.

Users with the Policy Administrator role can change the standard Veracode severity levels on the Policies page. To add custom severities to a policy:
  1. Click Policies > Policies at the top of the Veracode Platform.
  2. Select the policy you want to change.
  3. In the Custom Severities section at the bottom of the Edit Policies page, select Use Custom Severities.
  4. Click Add Custom Severity.
  5. Select the CWE whose severity level you want to change.
  6. From the Custom Severity dropdown menu, select the new severity level.
  7. Click Save.
Note: Existing applications assigned to this policy automatically have the custom severities applied to their latest static and dynamic scan results. Because a flaw may move above or below a severity threshold in the policy rules, this change may alter the policy compliance status of the affected applications.

The severities you have customized now appear in the table.

To deselect Use Custom Severities, you must first delete every severity in this table by clicking the X icon to the left of the CWE. Only users with the Policy Administrator role can see the custom severities. Custom severities do not apply to flaws discovered during manual penetration testing.
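The following is an added example, not Veracode's code, that models the behaviour described on this page: a policy overrides the standard severity of selected CWEs, the override is applied to the latest static and dynamic findings, manual penetration test findings keep their original severity, and compliance is then re-evaluated against a severity threshold. The finding records, the severity values assigned to them, the single-threshold policy rule and the function names are all assumptions made for illustration.

```python
"""Model of how custom CWE severities change policy compliance.

Added example; this is not Veracode's code. The findings, their severity
values and the policy rule are constructed for illustration only.
"""
from dataclasses import dataclass, replace

# Veracode severity scale: numeric value -> label.
SEVERITY_LABELS = {
    0: "Informational",
    1: "Very Low",
    2: "Low",
    3: "Medium",
    4: "High",
    5: "Very High",
}


@dataclass(frozen=True)
class Finding:
    cwe: int
    severity: int    # severity on the 0..5 scale above
    scan_type: str   # "static", "dynamic" or "manual"


def apply_custom_severities(findings, custom_severities):
    """Return a new list of findings with the policy's custom severities applied.

    custom_severities maps CWE id -> new severity (0..5). Overrides apply only
    to static and dynamic scan results; manual penetration test findings are
    returned unchanged, as the page states.
    """
    for cwe, sev in custom_severities.items():
        if sev not in SEVERITY_LABELS:
            raise ValueError(f"CWE-{cwe}: invalid severity {sev}")
    adjusted = []
    for f in findings:
        if f.scan_type in ("static", "dynamic") and f.cwe in custom_severities:
            adjusted.append(replace(f, severity=custom_severities[f.cwe]))
        else:
            adjusted.append(f)
    return adjusted


def is_compliant(findings, min_blocking_severity):
    """Assumed policy rule: non-compliant if any finding is at or above the threshold."""
    return all(f.severity < min_blocking_severity for f in findings)


def compliance_change(findings, custom_severities, min_blocking_severity):
    """Return (compliant before override, compliant after override)."""
    before = is_compliant(findings, min_blocking_severity)
    after = is_compliant(apply_custom_severities(findings, custom_severities),
                         min_blocking_severity)
    return before, after


# Constructed sample: the latest scan results for one application. The
# severities are made up for the example and are not Veracode's standard values.
SAMPLE_FINDINGS = [
    Finding(cwe=79, severity=3, scan_type="static"),   # cross-site scripting
    Finding(cwe=89, severity=3, scan_type="dynamic"),  # SQL injection
    Finding(cwe=117, severity=2, scan_type="static"),  # log injection
    Finding(cwe=79, severity=3, scan_type="manual"),   # same CWE, from a manual pentest
]

if __name__ == "__main__":
    # Policy blocks on High (4) and above; raising CWE-79 to High flips compliance,
    # but only through the static finding. The manual finding is untouched.
    before, after = compliance_change(SAMPLE_FINDINGS, {79: 4}, 4)
    print(f"compliant before override: {before}, after: {after}")
    for f in apply_custom_severities(SAMPLE_FINDINGS, {79: 4}):
        print(f"CWE-{f.cwe:<4} {f.scan_type:<8} {SEVERITY_LABELS[f.severity]}")
```

Run directly, the script shows the application compliant under a "block on High and above" rule until CWE-79 is raised to High, at which point the static finding makes it non-compliant while the manual finding of the same CWE stays at Medium. A downgrade works the other way: lowering an already-blocking CWE below the threshold returns the application to compliance without a rescan, which is why the Note above warns that existing applications can change status the moment the policy is saved.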