# Viewing portfolio security reports

This feature is only available in the [Enterprise plan](https://www.sonarsource.com/plans-and-pricing/#sonarqube-cloud-features).

{% hint style="info" %}
Before you can view the Enterprise-level reports, your organization must be added to an enterprise. For more information, see [managing-enterprise](https://docs.sonarsource.com/sonarqube-cloud/administering-sonarcloud/managing-enterprise "mention").
{% endhint %}

## Overview <a href="#overview" id="overview"></a>

Portfolio security reports provide an aggregated view of your organization’s security across multiple projects. They are aimed at enterprise security teams, compliance and audit teams, and IT administrators who manage multiple projects and need an in-depth view of their enterprise security status. Reports are available for the following security standards:

* [OWASP Top 10](https://owasp.org/Top10/) (2025, 2021, 2017)

<details>

<summary>OWASP Top 10 security standards covered by Sonar for version 2025</summary>

A ✓ marks the languages for which Sonar provides rules in that category.

| Category | Python | JS/TS | Java | C# | C/C++ | PHP | Kotlin | Go |
|---|---|---|---|---|---|---|---|---|
| A01: Broken Access Control | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ |
| A02: Security Misconfiguration | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ |
| A03: Software Supply Chain Failures | ✓ | ✓ | ✓ | ✓ |  |  | ✓ | ✓ |
| A04: Cryptographic Failures | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ |
| A05: Injection | ✓ | ✓ | ✓ | ✓ |  | ✓ | ✓ | ✓ |
| A06: Insecure Design | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ |
| A07: Authentication Failures | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ |
| A08: Software and Data Integrity Failures | ✓ | ✓ | ✓ | ✓ |  | ✓ |  | ✓ |
| A09: Logging and Alerting Failures | ✓ | ✓ | ✓ | ✓ |  | ✓ |  |  |
| A10: Mishandling of Exceptional Conditions | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ |

</details>

* [OWASP Mobile Top 10 2024](https://owasp.org/www-project-mobile-top-10/)

<details>

<summary>OWASP Mobile Top 10 security standards covered by Sonar for version 2024</summary>

A ✓ marks the languages for which Sonar provides rules in that category.

| Standard | Java | Kotlin | Dart | Swift |
|---|---|---|---|---|
| M1: Improper Credential Usage | ✓ | ✓ | ✓ | ✓ |
| M2: Inadequate Supply Chain Security | ✓ | ✓ | ✓ | ✓ |
| M3: Insecure Authentication/Authorization | ✓ | ✓ | ✓ | ✓ |
| M4: Insufficient Input/Output Validation | ✓ | ✓ | ✓ | ✓ |
| M5: Insecure Communication | ✓ | ✓ | ✓ | ✓ |
| M6: Inadequate Privacy Controls | ✓ | ✓ | ✓ | ✓ |
| M7: Insufficient Binary Protections |  | ✓ |  |  |
| M8: Security Misconfiguration | ✓ | ✓ | ✓ | ✓ |
| M9: Insecure Data Storage | ✓ | ✓ | ✓ |  |
| M10: Insufficient Cryptography | ✓ | ✓ | ✓ | ✓ |

</details>

* [CWE Top 25](https://cwe.mitre.org/top25/archive/2024/2024_cwe_top25.html) (2024, 2023, 2022, and 2021)

<details>

<summary>CWE Top 25 security standards covered by Sonar for version 2024</summary>

A ✓ marks the languages for which Sonar provides rules for that weakness.

| Category | Python | JS/TS | Java | C# | C/C++ | PHP | Kotlin |
|---|---|---|---|---|---|---|---|
| CWE-79 Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’) | ✓ | ✓ | ✓ | ✓ |  | ✓ | ✓ |
| CWE-787 Out-of-bounds Write |  |  |  |  | ✓ |  |  |
| CWE-89 Improper Neutralization of Special Elements used in an SQL Command (‘SQL Injection’) | ✓ | ✓ | ✓ | ✓ |  | ✓ | ✓ |
| CWE-352 Cross-Site Request Forgery (CSRF) | ✓ | ✓ | ✓ | ✓ |  | ✓ |  |
| CWE-22 Improper Limitation of a Pathname to a Restricted Directory (‘Path Traversal’) | ✓ | ✓ | ✓ | ✓ |  | ✓ | ✓ |
| CWE-125 Out-of-bounds Read |  |  |  |  | ✓ |  |  |
| CWE-78 Improper Neutralization of Special Elements used in an OS Command (‘OS Command Injection’) | ✓ | ✓ | ✓ | ✓ |  | ✓ | ✓ |
| CWE-416 Use After Free |  |  |  |  | ✓ |  |  |
| CWE-862 Missing Authorization |  |  |  |  |  |  |  |
| CWE-434 Unrestricted Upload of File with Dangerous Type |  | ✓ |  |  |  |  |  |
| CWE-94 Improper Control of Generation of Code (‘Code Injection’) | ✓ | ✓ | ✓ | ✓ |  | ✓ | ✓ |
| CWE-20 Improper Input Validation | ✓ | ✓ | ✓ | ✓ |  | ✓ | ✓ |
| CWE-77 Improper Neutralization of Special Elements used in a Command (‘Command Injection’) | ✓ | ✓ | ✓ | ✓ |  | ✓ |  |
| CWE-287 Improper Authentication |  |  | ✓ |  |  |  | ✓ |
| CWE-269 Improper Privilege Management | ✓ | ✓ |  |  |  |  |  |
| CWE-502 Deserialization of Untrusted Data | ✓ |  | ✓ | ✓ |  | ✓ | ✓ |
| CWE-200 Exposure of Sensitive Information to an Unauthorized Actor | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ |
| CWE-863 Incorrect Authorization |  |  |  |  |  |  |  |
| CWE-918 Server-Side Request Forgery (SSRF) | ✓ | ✓ | ✓ | ✓ |  | ✓ | ✓ |
| CWE-119 Improper Restriction of Operations within the Bounds of a Memory Buffer |  |  |  |  | ✓ |  |  |
| CWE-476 NULL Pointer Dereference | ✓ | ✓ | ✓ | ✓ | ✓ |  |  |
| CWE-798 Use of Hard-coded Credentials | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ |
| CWE-190 Integer Overflow or Wraparound |  |  | ✓ | ✓ | ✓ |  |  |
| CWE-400 Uncontrolled Resource Consumption | ✓ | ✓ | ✓ | ✓ |  | ✓ | ✓ |
| CWE-306 Missing Authentication for Critical Function |  |  |  |  |  |  |  |

</details>

* [CASA](https://appdefensealliance.dev/casa)
* [OWASP ASVS](https://owasp.org/www-project-application-security-verification-standard/) (5.0 and 4.0, levels 1, 2, 3)
* [OWASP MASVS](https://mas.owasp.org/MASVS/)
* [OWASP Top 10 for LLM Applications](https://owasp.org/www-project-top-10-for-large-language-model-applications/) (2025)
* [PCI DSS](https://www.pcisecuritystandards.org/) (4.0 and 3.2)
* [STIG ASD](https://www.cyber.mil/stigs/) (6 and 5)

If you have access to [SonarQube Advanced Security](https://github.com/SonarSource/sonarqube-documentation/blob/main/content-output/cloud/default/advanced-security/introduction/README.md), risks from your third-party dependencies are also included in the relevant security reports.

{% hint style="info" %}
To ensure reliable security reports, the relevant security rules must be activated in your portfolio’s project quality profiles. For instance, if no rule corresponding to a given OWASP category is activated in your quality profile, you won’t get Security issues or Security Hotspots linked to that specific category in the OWASP report. See [#checking-security-rules](https://docs.sonarsource.com/sonarqube-cloud/getting-started-with-enterprise/project-security-reports#checking-security-rules "mention") for more information.
{% endhint %}
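The hint above has a practical consequence: an OWASP category that shows zero issues in a portfolio report may simply have no active rule behind it. The following script is an added example, not part of the SonarQube Cloud documentation or product. It assumes the Web API endpoint `GET /api/rules/search` accepts the parameters `organization`, `qprofile`, `activation=true` and `facets=owaspTop10-2021`, and returns a `facets` array with one `{"val", "count"}` entry per category; the base URL, organization key, quality profile key and bearer-token header are placeholders. The sample response is constructed so the check runs offline; `fetch_rule_search` is only needed against a live instance.

```python
"""Find OWASP Top 10 (2021) categories with no active rule in a quality profile.

Added example; assumes the /api/rules/search parameters and facet shape named
in the lead-in. Check them against your instance's Web API reference.
"""
import json
import urllib.parse
import urllib.request

# Facet keys used by the API for the 2021 OWASP Top 10 (assumption: a1..a10).
OWASP_2021 = {
    "a1": "A01: Broken Access Control",
    "a2": "A02: Cryptographic Failures",
    "a3": "A03: Injection",
    "a4": "A04: Insecure Design",
    "a5": "A05: Security Misconfiguration",
    "a6": "A06: Vulnerable and Outdated Components",
    "a7": "A07: Identification and Authentication Failures",
    "a8": "A08: Software and Data Integrity Failures",
    "a9": "A09: Security Logging and Monitoring Failures",
    "a10": "A10: Server-Side Request Forgery (SSRF)",
}


def uncovered_categories(search_response: dict, facet_name: str = "owaspTop10-2021") -> list[str]:
    """Return the OWASP categories for which no active rule was counted.

    A category that the facet omits entirely is treated as zero, since a
    response may simply leave out values with no matching rules.
    """
    counts: dict[str, int] = {}
    for facet in search_response.get("facets", []):
        if facet.get("property") == facet_name:
            for value in facet.get("values", []):
                counts[value["val"]] = int(value["count"])
    return [name for key, name in OWASP_2021.items() if counts.get(key, 0) == 0]


def fetch_rule_search(base_url: str, organization: str, qprofile_key: str, token: str) -> dict:
    """Query the rules search endpoint for active rules in one quality profile.

    Not called by the offline run below; placeholders for URL, keys and token.
    The Authorization header format is an assumption.
    """
    params = urllib.parse.urlencode({
        "organization": organization,
        "qprofile": qprofile_key,
        "activation": "true",
        "facets": "owaspTop10-2021",
        "ps": "1",  # only the facet counts are needed, not the rule list
    })
    req = urllib.request.Request(f"{base_url}/api/rules/search?{params}")
    req.add_header("Authorization", f"Bearer {token}")
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)


# Constructed sample response: A09 is present with a count of 0 and A10 is
# absent from the facet, so both must be reported as uncovered.
SAMPLE_RESPONSE = {
    "total": 120,
    "facets": [{
        "property": "owaspTop10-2021",
        "values": [
            {"val": "a1", "count": 18}, {"val": "a2", "count": 9},
            {"val": "a3", "count": 40}, {"val": "a4", "count": 7},
            {"val": "a5", "count": 22}, {"val": "a6", "count": 3},
            {"val": "a7", "count": 11}, {"val": "a8", "count": 6},
            {"val": "a9", "count": 0},
        ],
    }],
}

if __name__ == "__main__":
    for category in uncovered_categories(SAMPLE_RESPONSE):
        print(f"no active rule for {category}: the report will show 0 issues here")
```

Running the check per quality profile used by the portfolio's projects turns an empty report row from "nothing found" into "nothing could be found", which is the distinction the hint is warning about.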

## Retrieving portfolio security reports <a href="#retrieving-security-report" id="retrieving-security-report"></a>

1. Retrieve your portfolio. See [viewing-portfolios](https://docs.sonarsource.com/sonarqube-cloud/getting-started-with-enterprise/viewing-enterprise-reports/viewing-portfolios "mention") for more information.
2. Go to **Security Reports** to open the report.

The portfolio report page is made up of the following elements (numbered in the figure below):

1. A security standard selector, used to filter the results.
2. Your **Security reports overview** at the top of the page, which includes your **Portfolio overall Security rating** and **Portfolio overall Security Review** rating for the selected standard.
3. The total number of **Security** issues and **Security Hotspots** that need to be addressed for the selected security standard. The report results are generated from the relevant active security rules of the projects in your portfolio.
4. A list of categories, each containing the Security issues and Security Hotspots that fit it, sorted by rating. Select a **Category** row in the table to open a category-specific report. Note that a single Security issue or Security Hotspot may appear in more than one category.

<figure><img src="https://2223713658-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FB4UT2GNiZKjtxFtcFAL7%2Fuploads%2FNkT6jUYoMWE9HgmcXtVK%2Fportfolio-security-reports.png?alt=media&#x26;token=d46977e3-2e29-4a0f-96a8-683d8ffcea08" alt="Breakdown of the portfolio security reports page"><figcaption></figcaption></figure>

## Related pages <a href="#related-pages" id="related-pages"></a>

* [introduction](https://docs.sonarsource.com/sonarqube-cloud/getting-started-with-enterprise/viewing-enterprise-reports/introduction "mention") to viewing the enterprise reports
* [viewing-portfolios](https://docs.sonarsource.com/sonarqube-cloud/getting-started-with-enterprise/viewing-enterprise-reports/viewing-portfolios "mention")
* [administering-portfolios](https://docs.sonarsource.com/sonarqube-cloud/getting-started-with-enterprise/administering-portfolios "mention")
* [viewing-portfolio-pdf-reports](https://docs.sonarsource.com/sonarqube-cloud/getting-started-with-enterprise/viewing-enterprise-reports/viewing-portfolio-pdf-reports "mention")
