Viewing a project security report
This feature is only available in the Enterprise plan.
Security reports help you understand where you may have issues related to the following security standards:
- OWASP Top 10 (versions 2021 and 2017)
OWASP Top 10 security standards covered by Sonar for version 2021
| Category | Python | JS/TS | Java | C# | C/C++ | PHP |
| A01:Broken Access Control |  | | | | | |
| A02: Cryptographic Failures | | | | | | |
| A03: Injection | | | | | | |
| A04: Insecure Design | | | | | | |
| A05: Security Misconfiguration | | | | | | |
| A06: Vulnerable and Outdated Components | | | | | ||
| A07: Identification and Authentication Failures | | | | | | |
| A08: Software and Data Integrity Failures | | | | | | |
| A09: Security Logging and Monitoring Failures | | | | | | |
| A10: Server-Side Request Forgery | | | | | |
- CWE Top 25 (versions 2023, 2022, and 2021)
CWE Top 25 security standards covered by Sonar for version 2023
| Category | Python | JS/TS | Java | C# | C/C++ | PHP |
| CWE-787: Out-of-bounds Write | | |||||
| CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') | | | | | | |
| CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') | | | | | | |
| CWE-416: Use After Free | | |||||
| CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') | | | | | | |
| CWE-20: Improper Input Validation | | | | | | |
| CWE-125: Out-of-bounds Read | | |||||
| CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') | | | | | | |
| CWE-352: Cross-Site Request Forgery (CSRF) | | | | | | |
| CWE-434: Unrestricted Upload of File with Dangerous Type | | |||||
| CWE-862: Missing Authorization | ||||||
| CWE-476: NULL Pointer Dereference | | | | | | |
| CWE-287: Improper Authentication | | |||||
| CWE-190: Integer Overflow or Wraparound | | | | |||
| CWE-502: Deserialization of Untrusted Data | | | | | ||
| CWE-77: Improper Neutralization of Special Elements used in a Command ('Command Injection') | | | | | | |
| CWE-119: Improper Restriction of Operations within the Bounds of a Memory Buffer | | |||||
| CWE-798: Use of Hard-coded Credentials | | | | | | |
| CWE-918: Server-Side Request Forgery (SSRF) | | | | | | |
| CWE-306: Missing Authentication for Critical Function | ||||||
| CWE-362: Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition') | ||||||
| CWE-269: Improper Privilege Management | | | ||||
| CWE-94: Improper Control of Generation of Code ('Code Injection') | | | | | | |
| CWE-863: Incorrect Authorization | ||||||
| CWE-276: Incorrect Default Permissions |
Before you can view the Enterprise-level reports, your organization must be added to an enterprise. For more information, see the Managing your enterprise page.
You can view the security report of any branch (main, long-lived, or short-lived) of your project. For a given standard, it displays the number of raised security issues and hotspots by security category. Only the security rules activated in the project’s quality profiles are taken into account.
Make sure the relevant security rules are activated in your quality profiles; otherwise, your security reports will not be reliable (see Checking the security rules included in a project’s quality profile below). For instance, if no rule corresponding to a given OWASP category is activated in your quality profile, you won't get issues or hotspots linked to that specific category in the OWASP report.
Viewing the security reports of a project branch
- Retrieve the project.
- Select the project branch you want to view:
- For the main branch: In the left-side panel, select Main Branch.
- For another branch: In the left-side panel, select Branches, and, on the Branches page, select the long-lived or short-lived branch.
- Go to Security Reports.
- Select the security standard. The grid displays the number of raised issues and hotspots by security category.
- Select a number in the grid to view the corresponding raised security issues or hotspots.
Checking the security rules included in a project’s quality profile
1. Retrieve the project and go to Information.
2. In About This Project > Quality profiles used, select a quality profile. The quality profile page opens.
3. In the quality profile, select the active security rules.
4. In the left-side panel, navigate to the Security Category filter criteria and select a standard to view the categories covered by SonarQube Cloud analysis.
Was this page helpful?
© 2008-2025 SonarSource SA. All rights reserved. SONAR, SONARSOURCE, SONARQUBE, and CLEAN AS YOU CODE are trademarks of SonarSource SA.
