Start FreeLog in
SonarQube Cloud | Getting started with Enterprise | Viewing the enterprise reports | Viewing project security reports

Viewing a project security report

On this page

This feature is only available in the Enterprise plan.

Security reports help you understand where you may have issues related to the following security standards:

OWASP Top 10 security standards covered by Sonar for version 2021
CategoryPythonJS/TSJavaC#C/C++PHP
A01:Broken Access Control
Checkmark icon
Checkmark icon
Checkmark icon
Checkmark icon
Checkmark icon
Checkmark icon
A02: Cryptographic Failures 
Checkmark icon
Checkmark icon
Checkmark icon
Checkmark icon
Checkmark icon
Checkmark icon
A03: Injection
Checkmark icon
Checkmark icon
Checkmark icon
Checkmark icon

Checkmark icon
A04: Insecure Design
Checkmark icon
Checkmark icon
Checkmark icon
Checkmark icon
Checkmark icon
Checkmark icon
A05: Security Misconfiguration
Checkmark icon
Checkmark icon
Checkmark icon
Checkmark icon
Checkmark icon
Checkmark icon
A06: Vulnerable and Outdated Components

Checkmark icon
Checkmark icon
Checkmark icon
Checkmark icon
A07: Identification and Authentication Failures
Checkmark icon
Checkmark icon
Checkmark icon
Checkmark icon
Checkmark icon
Checkmark icon
A08: Software and Data Integrity Failures
Checkmark icon
Checkmark icon
Checkmark icon
Checkmark icon

Checkmark icon
A09: Security Logging and Monitoring Failures
Checkmark icon
Checkmark icon
Checkmark icon
Checkmark icon

Checkmark icon
A10: Server-Side Request Forgery
Checkmark icon
Checkmark icon
Checkmark icon
Checkmark icon

Checkmark icon
CWE Top 25 security standards covered by Sonar for version 2023
CategoryPythonJS/TSJavaC#C/C++PHP
CWE-787: Out-of-bounds Write



Checkmark icon

CWE-79:  Improper Neutralization of Input During
Web Page Generation ('Cross-site Scripting')
Checkmark icon
Checkmark icon
Checkmark icon
Checkmark icon

Checkmark icon
CWE-89: Improper Neutralization of Special
Elements used in an SQL Command ('SQL Injection')
Checkmark icon
Checkmark icon
Checkmark icon
Checkmark icon

Checkmark icon
CWE-416: Use After Free



Checkmark icon

CWE-78: Improper Neutralization of Special
Elements used in an OS Command
('OS Command Injection')
Checkmark icon
Checkmark icon
Checkmark icon
Checkmark icon

Checkmark icon
CWE-20: Improper Input Validation
Checkmark icon
Checkmark icon
Checkmark icon
Checkmark icon

Checkmark icon
CWE-125: Out-of-bounds Read



Checkmark icon

CWE-22: Improper Limitation of a Pathname
to a Restricted Directory ('Path Traversal')
Checkmark icon
Checkmark icon
Checkmark icon
Checkmark icon

Checkmark icon
CWE-352: Cross-Site Request Forgery (CSRF)
Checkmark icon
Checkmark icon
Checkmark icon
Checkmark icon

Checkmark icon
CWE-434: Unrestricted Upload of File with
Dangerous Type

Checkmark icon




CWE-862: Missing Authorization





CWE-476: NULL Pointer Dereference
Checkmark icon
Checkmark icon
Checkmark icon
Checkmark icon
Checkmark icon

CWE-287: Improper Authentication

Checkmark icon



CWE-190: Integer Overflow or Wraparound

Checkmark icon
Checkmark icon
Checkmark icon

CWE-502: Deserialization of Untrusted Data
Checkmark icon

Checkmark icon
Checkmark icon

Checkmark icon
CWE-77: Improper Neutralization of Special
Elements used in a Command ('Command Injection')
Checkmark icon
Checkmark icon
Checkmark icon
Checkmark icon

Checkmark icon
CWE-119: Improper Restriction of Operations
within the Bounds of a Memory Buffer




Checkmark icon

CWE-798: Use of Hard-coded Credentials
Checkmark icon
Checkmark icon
Checkmark icon
Checkmark icon
Checkmark icon
Checkmark icon
CWE-918: Server-Side Request Forgery (SSRF)
Checkmark icon
Checkmark icon
Checkmark icon
Checkmark icon

Checkmark icon
CWE-306: Missing Authentication for Critical Function





CWE-362: Concurrent Execution using Shared
Resource with Improper Synchronization
('Race Condition')






CWE-269: Improper Privilege Management
Checkmark icon
Checkmark icon




CWE-94: Improper Control of Generation of
Code ('Code Injection')
Checkmark icon
Checkmark icon
Checkmark icon
Checkmark icon

Checkmark icon
CWE-863: Incorrect Authorization





CWE-276: Incorrect Default Permissions





You can view the security report of any branch (main, long-lived, or short-lived) of your project. For a given standard, it displays the number of raised security issues and hotspots by security category. Only the security rules activated in the project’s quality profiles are taken into account.

Viewing the security reports of a project branch

  1. Retrieve the project.
  2. Select the project branch you want to view:
    • For the main branch: In the left-side panel, select Main Branch.
    • For another branch: In the left-side panel, select Branches, and, on the Branches page, select the long-lived or short-lived branch.
  3. Go to Security Reports.
  4. Select the security standard. The grid displays the number of raised issues and hotspots by security category.
  5. Select a number in the grid to view the corresponding raised security issues or hotspots.

Checking the security rules included in a project’s quality profile

1. Retrieve the project and go to Information.

2. In About This Project > Quality profiles used, select a quality profile. The quality profile page opens.

3. In the quality profile, select the active security rules. 

4. In the left-side panel, navigate to the Security Category filter criteria and select a standard to view the categories covered by SonarQube Cloud analysis.


Was this page helpful?

© 2008-2025 SonarSource SA. All rights reserved. SONAR, SONARSOURCE, SONARQUBE, and CLEAN AS YOU CODE are trademarks of SonarSource SA.

Creative Commons License