Viewing project security reports
SonarQube Cloud Security reports show how a project measures up against the most widely used security standards (PCI DSS, OWASP ASVS, OWASP Top 10, CWE Top 25).
This feature is only available in the Enterprise plan.
Before you can view the Enterprise-level reports, your organization must be added to an enterprise. For more information, see Managing your enterprise.
Security reports help you understand where you may have issues related to the following security standards:
OWASP Top 10 (versions 2021 and 2017)
OWASP Top 10 security standards covered by Sonar for version 2021
Languages covered: Python, JS/TS, Java, C#, C/C++, PHP, Kotlin
Category
A01: Broken Access Control
A02: Cryptographic Failures
A03: Injection
A04: Insecure Design
A05: Security Misconfiguration
A06: Vulnerable and Outdated Components
A07: Identification and Authentication Failures
A08: Software and Data Integrity Failures
A09: Security Logging and Monitoring Failures
A10: Server-Side Request Forgery
OWASP Mobile Top 10 security standards covered by Sonar for version 2024
Languages covered: Java, Kotlin, Dart, Swift
Standard
M1: Improper Credential Usage
M2: Inadequate Supply Chain Security
M3: Insecure Authentication/Authorization
M4: Insufficient Input/Output Validation
M5: Insecure Communication
M6: Inadequate Privacy Controls
M7: Insufficient Binary Protections
M8: Security Misconfiguration
M9: Insecure Data Storage
M10: Insufficient Cryptography
CWE Top 25 (versions 2024, 2023, 2022, and 2021)
CWE Top 25 security standards covered by Sonar for version 2024
Languages covered: Python, JS/TS, Java, C#, C/C++, PHP, Kotlin
Category
CWE-79 Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’)
CWE-787 Out-of-bounds Write
CWE-89 Improper Neutralization of Special Elements used in an SQL Command (‘SQL Injection’)
CWE-352 Cross-Site Request Forgery (CSRF)
CWE-22 Improper Limitation of a Pathname to a Restricted Directory (‘Path Traversal’)
CWE-125 Out-of-bounds Read
CWE-78 Improper Neutralization of Special Elements used in an OS Command (‘OS Command Injection’)
CWE-416 Use After Free
CWE-862 Missing Authorization
CWE-434 Unrestricted Upload of File with Dangerous Type
CWE-94 Improper Control of Generation of Code (‘Code Injection’)
CWE-20 Improper Input Validation
CWE-77 Improper Neutralization of Special Elements used in a Command (‘Command Injection’)
CWE-287 Improper Authentication
CWE-269 Improper Privilege Management
CWE-502 Deserialization of Untrusted Data
CWE-200 Exposure of Sensitive Information to an Unauthorized Actor
CWE-863 Incorrect Authorization
CWE-918 Server-Side Request Forgery (SSRF)
CWE-119 Improper Restriction of Operations within the Bounds of a Memory Buffer
CWE-476 NULL Pointer Dereference
CWE-798 Use of Hard-coded Credentials
CWE-190 Integer Overflow or Wraparound
CWE-400 Uncontrolled Resource Consumption
CWE-306 Missing Authentication for Critical Function
PCI DSS (versions 4.0 and 3.2.1)
You can view the security report of any branch of your project (main, long-lived, or short-lived). For a given standard, it displays the number of raised security issues and Security Hotspots by security category. Only the security rules activated in the project's quality profiles are taken into account: a category with no active rule will show zero findings even if the code is affected. See Checking the security rules included in a project's quality profile for more details.
Viewing the security reports of a project branch

Retrieve a project by going to My Projects in the top navigation bar and selecting your project.
From the left-side panel of the project page, select a branch for which you want to view the security report. You can select:
Main Branch
Branches > select your branch
Select the Security Reports tab.
Select the security standards you want to review. The grid displays the number of raised issues and hotspots by security category.
View Project overall Security rating and Project overall Security Review rating in the Security reports overview section.
Select the number in the Security or Security Hotspots columns to open a view listing the corresponding issues in more detail. From there, you can review, manage, and remediate each issue individually.
Select Download Security report (PDF) for a PDF version of the report.
Checking the security rules included in a project’s quality profile

Retrieve a project by going to My Projects in the top navigation bar and selecting your project, and go to the Information page.
In About This Project, select a quality profile to open it.
Once on the Quality Profiles page, select the active Security rules from the Software qualities table’s Active column. The Rules page will open.
In the left-side panel of the Rules page, scroll to the Security Category section and filter the results by specific standards to view the security categories covered by code review and analysis.
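To tie the report grid back to something reproducible (for example as compliance evidence produced from CI), the script below rebuilds the Security column of the OWASP Top 10 2021 grid for one branch and lists which active rules in the quality profile stand behind each category, so a zero can be told apart from "no rule activated". It is an added example, not SonarQube Cloud's own code and not something this page documents: the web API endpoints, parameters, facet values and the securityStandards rule field are assumptions about the public web API, the base URL, project key, profile key and token are placeholders, and the two responses are constructed samples so that the script runs offline.

```python
"""Rebuild the Security column of a branch's OWASP Top 10 2021 grid and
list the active rules behind each category.

Added example, not SonarQube Cloud's own code. Endpoints, parameters and
response fields (api/issues/search facets, api/rules/search with
qprofile/activation, the securityStandards field) are assumptions about
the public web API. Sample responses below are constructed, not captured.
"""
import json
import urllib.parse
import urllib.request

# Assumed facet/filter values ("a1".."a10") mapped to the grid's labels.
OWASP_2021 = {
    "a1": "A01: Broken Access Control",
    "a2": "A02: Cryptographic Failures",
    "a3": "A03: Injection",
    "a4": "A04: Insecure Design",
    "a5": "A05: Security Misconfiguration",
    "a6": "A06: Vulnerable and Outdated Components",
    "a7": "A07: Identification and Authentication Failures",
    "a8": "A08: Software and Data Integrity Failures",
    "a9": "A09: Security Logging and Monitoring Failures",
    "a10": "A10: Server-Side Request Forgery",
}
STANDARD = "owaspTop10-2021"  # assumed facet / parameter name


def issues_search_url(base_url, project_key, branch):
    """Query behind the Security column: open VULNERABILITY issues on one
    branch, faceted by category. ps=1 because only facet counts are needed."""
    params = {"componentKeys": project_key, "branch": branch,
              "types": "VULNERABILITY", "resolved": "false",
              "facets": STANDARD, "ps": "1"}
    return f"{base_url}/api/issues/search?{urllib.parse.urlencode(params)}"


def rules_search_url(base_url, qprofile_key):
    """Query for the active security rules of one quality profile, i.e. the
    rule set the report is actually allowed to count against."""
    params = {"qprofile": qprofile_key, "activation": "true",
              "types": "VULNERABILITY,SECURITY_HOTSPOT",
              "f": "securityStandards", "ps": "500"}
    return f"{base_url}/api/rules/search?{urllib.parse.urlencode(params)}"


def fetch_json(url, token):
    """Fetch with a user token (placeholder); not called in the offline run."""
    req = urllib.request.Request(url, headers={"Authorization": f"Bearer {token}"})
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)


def tally_facet(issues_response):
    """Return {category label: open issue count} for all ten categories,
    zeros included, so the result mirrors the grid. Unknown values are
    ignored rather than raising on a facet value this map does not know."""
    counts = {label: 0 for label in OWASP_2021.values()}
    for facet in issues_response.get("facets", []):
        if facet.get("property") != STANDARD:
            continue
        for entry in facet.get("values", []):
            label = OWASP_2021.get(entry.get("val"))
            if label is not None:
                counts[label] += int(entry.get("count", 0))
    return counts


def active_rules_by_category(rules_response):
    """Group active rule keys by category using their securityStandards
    tags (assumed form "owaspTop10-2021:a3"). An empty list means the
    profile activates no rule for that category."""
    by_cat = {label: [] for label in OWASP_2021.values()}
    for rule in rules_response.get("rules", []):
        for tag in rule.get("securityStandards", []):
            std, _, code = tag.partition(":")
            if std == STANDARD and code in OWASP_2021:
                by_cat[OWASP_2021[code]].append(rule["key"])
    return by_cat


def uncovered_categories(rules_response):
    """Categories whose zero in the grid is not evidence of anything,
    because no active rule can produce an issue for them."""
    return [cat for cat, keys in active_rules_by_category(rules_response).items()
            if not keys]


# Constructed sample responses (shape assumed); rule keys are illustrative.
SAMPLE_ISSUES = {
    "total": 7,
    "facets": [{"property": STANDARD, "values": [
        {"val": "a3", "count": 4}, {"val": "a1", "count": 2},
        {"val": "a10", "count": 1}, {"val": "a5", "count": 0}]}],
}
SAMPLE_RULES = {"rules": [
    {"key": "pythonsecurity:S3649", "securityStandards": ["cwe:89", "owaspTop10-2021:a3"]},
    {"key": "pythonsecurity:S5131", "securityStandards": ["cwe:79", "owaspTop10-2021:a3"]},
    {"key": "pythonsecurity:S5144", "securityStandards": ["cwe:918", "owaspTop10-2021:a10"]},
    {"key": "python:S2068", "securityStandards": ["cwe:798", "owaspTop10-2021:a7"]},
]}

if __name__ == "__main__":
    print(issues_search_url("https://sonarcloud.io", "my-org_my-project", "main"))
    for category, n in tally_facet(SAMPLE_ISSUES).items():
        print(f"{n:3d}  {category}")
    print("no active rule for:", uncovered_categories(SAMPLE_RULES))
```

Replace the two sample responses with the result of fetch_json on the URLs the two builders produce to run this against a real branch; the hotspot column would need the same treatment through the hotspots endpoint, which is left out here. Reporting the uncovered categories next to the counts is the point of the second half: a grid full of zeros for a category that has no active rule in the profile says nothing about the code.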

Downloading a project security PDF report for a branch
As a member of a security or compliance team, you can generate and download project security reports in a PDF format for any given branch.
Retrieve the project by going to My Projects in the top navigation bar and selecting your project.
From the left-side panel of the project page, select a branch for which you want to view the security report. You can select:
Main Branch
Branches > Select your branch
Click on the Security Reports tab.
In the top right corner of the page click Download Security report (PDF).
Download options
The following download options are available:
Default: Includes the Sonar, OWASP Top 10 2021, and CWE Top 25 2024 security standards.
Custom: Choose from a list of all security standards used by SonarQube.
Contents of the PDF Report
A Security Overview page that includes:
Project and branch information
The number of open Security issues, Security Hotspots, and Accepted Security issues on new code and overall code.
Overall code security ratings for Security issues and Security Hotspots, including the percentage of reviewed Security Hotspots
A report for a given standard that includes:
A list of categories for Security issues and Security Hotspots
Number of issues to address and their relevant rating per category
Breakdown by severity (Blocker, High, Medium, Low, Info)
Hotspots that need review