Security reports
On this page
Security reports are available in Enterprise plan.
What do security reports show?
Security reports quickly give you the big picture of your application's security. They allow you to know where you stand compared to the most common security mistakes made in the past:
- PCI DSS (versions 4.0 and 3.2.1)
- OWASP Top 10 (versions 2021 and 2017)
- CWE Top 25 (versions 2023, 2022, and 2021)
- CASA
- STIG
They represent the bare minimum to comply with for anyone putting in place a secure development lifecycle.
The SANS Top 25 report is based on outdated statistics and should no longer be used. Instead, we recommend using the CWE Top 25 reports.
Security reports rely on the rules activated in your quality profile to raise security issues. If there are no rules corresponding to a given OWASP category activated in your quality profile, you won't get issues linked to that specific category and the rating displayed will be A. That doesn't mean you are safe for that category, it implies that you need to activate more rules (assuming some exist) in your quality profile.
Was this page helpful?
© 2008-2024 SonarSource SA. All rights reserved. SONAR, SONARSOURCE, SONARLINT, SONARQUBE, SONARCLOUD, and CLEAN AS YOU CODE are trademarks of SonarSource SA.
