# Viewing project security reports This feature is only available in the [Enterprise plan](https://www.sonarsource.com/plans-and-pricing/#sonarqube-cloud-features). {% hint style="info" %} Before you can view the Enterprise-level reports, your organization must be added to an enterprise. For more information, see [Managing your enterprise](/sonarqube-cloud/administering-sonarcloud/managing-enterprise.md). {% endhint %} Security reports help you understand where you may have issues related to the following security standards: * [OWASP Top 10](https://owasp.org/Top10/) (2025, 2021, 2017)

OWASP Top 10 security standards covered by Sonar for version 2025

Category	Python	JS/TS	Java	C#	C/C++	PHP	Kotlin	Go
A01:Broken Access Control
A02: Security Misconfiguration
A03: Software Supply Chain Failures
A04: Cryptographic Failures
A05: Injection
A06: Insecure design
A07: Authentication Failures
A08: Software and Data Integrity Failures
A09: Logging and Alerting Failures
A10: Mishandling of Exceptional Conditions

* [OWASP Mobile Top 10 2024](https://owasp.org/www-project-mobile-top-10/)

OWASP Mobile Top 10 security standards covered by Sonar for version 2024

Standard	Java	Kotlin	Dart	Swift
M1: Improper Credential Usage
M2: Inadequate Supply Chain Security
M3: Insecure Authentication/Authorization
M4: Insufficient Input/Output Validation
M5: Insecure Communication
M6: Inadequate Privacy Controls
M7: Insufficient Binary Protections
M8: Security Misconfiguration
M9: Insecure Data Storage
M10: Insufficient Cryptography

* [CWE Top 25](https://cwe.mitre.org/top25/archive/2024/2024_cwe_top25.html) (2024, 2023, 2022, and 2021)

CWE Top 25 security standards covered by Sonar for version 2024

Category	Python	JS/TS	Java	C#	C/C++	PHP	Kotlin
CWE-79 Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’)
CWE-787 Out-of-bounds Write
CWE-89 Improper Neutralization of Special Elements used in an SQL Command (‘SQL Injection’)
CWE-352 Cross-Site Request Forgery (CSRF)
CWE-22 Improper Limitation of a Pathname to a Restricted Directory (‘Path Traversal’)
CWE-125 Out-of-bounds Read
CWE-78 Improper Neutralization of Special Elements used in an OS Command (‘OS Command Injection’)
CWE-416 Use After Free
CWE-862 Missing Authorization
CWE-434 Unrestricted Upload of File with Dangerous Type
CWE-94 Improper Control of Generation of Code (‘Code Injection’)
CWE-20 Improper Input Validation
CWE-77 Improper Neutralization of Special Elements used in a Command (‘Command Injection’)
CWE-287 Improper Authentication
CWE-269 Improper Privilege Management
CWE-502 Deserialization of Untrusted Data
CWE-200 Exposure of Sensitive Information to an Unauthorized Actor
CWE-863 Incorrect Authorization
CWE-918 Server-Side Request Forgery (SSRF)
CWE-119 Improper Restriction of Operations within the Bounds of a Memory Buffer
CWE-476 NULL Pointer Dereference
CWE-798 Use of Hard-coded Credentials
CWE-190 Integer Overflow or Wraparound
CWE-400 Uncontrolled Resource Consumption
CWE-306 Missing Authentication for Critical Function

* [CASA](https://appdefensealliance.dev/casa) * [OWASP ASVS](https://owasp.org/www-project-application-security-verification-standard/) (5.0 and 4.0, levels 1, 2, 3) * [OWASP MASVS](https://mas.owasp.org/MASVS/) * [OWASP Top 10 for LLM Applications](https://owasp.org/www-project-top-10-for-large-language-model-applications/) (2025) * [PCI DSS](https://www.pcisecuritystandards.org/) (4.0 and 3.2) * [STIG ASD](https://www.cyber.mil/stigs/) (6 and 5) If you have access to [SonarQube Advanced Security](https://github.com/SonarSource/sonarqube-documentation/blob/main/content-output/cloud/default/advanced-security/introduction/README.md), risks from your third-party dependencies will also be included in relevant security reports. If you have access to [SonarQube Advanced Security](https://github.com/SonarSource/sonarqube-documentation/blob/main/content-output/cloud/default/advanced-security/introduction/README.md), risks from your third-party dependencies will also be included in revelant security reports. ## Viewing the security reports of a project branch

A number of details are available on the Security reports overview page.

1. Retrieve your project. See [Retrieving projects](/sonarqube-cloud/managing-your-projects/retrieving-projects.md) for more details. 2. Go to **Security reports.** 3. Select the **main** branch or other long-lived branch. 4. Select the security standards you want to review. The grid displays the number of raised issues and hotspots by security category. 5. View **Project overall Security rating** and **Project overall Security Review rating** in the **Security reports overview** section. 6. Select the number displayed in the **Security** or **Security Hotspots** columns to review the issues. 7. Select **Download Security report (PDF)** for a PDF version of the report. ## Checking the security rules included in a project’s quality profile

1. Retrieve your project. See [Retrieving projects](/sonarqube-cloud/managing-your-projects/retrieving-projects.md) for more details. 2. Go to **Project information**. 3. Under **Quality profiles used**, select a quality profile to open it. 4. Once on the **Quality Profiles** page, select the active **Security** rules from the **Software qualities** table’s **Active** column. The **Rules** page will open. 5. In the left-side panel of the **Rules** page, scroll to the **Security Category** and filter the results by specific standards to view the security categories covered by code review and analysis.

## Downloading a project security PDF report for a branch As a member of a security or compliance team, you can generate and download project security reports in a PDF format for any given branch. 1. Retrieve your project. See [Retrieving projects](/sonarqube-cloud/managing-your-projects/retrieving-projects.md) for more details. 2. Go to **Security Reports** and select the **main** branch or another long-lived branch. 3. In the top right corner of the page click **Download Security report (PDF)**. ### Download options The following download options are available: * **Default**: Includes Sonar, OWASP top 10 2021 and CWE TOP 25 2024 security standards. * **Custom**: Choose from a list of all security standards used by SonarQube. ### Contents of the PDF Report A Security Overview page that includes: * Project and branch information * The number of open **Security** issues, **Security Hotspots**, and **Accepted Security issues** on new code and overall code. * Overall code security ratings for **Security** issues and **Security Hotspots**, including the percentage of reviewed **Security Hotspots** A report for a given standard that includes: * A list of categories for **Security** issues and **Security Hotspots** * Number of issues to address and their relevant rating per category * Breakdown by severity (Blocker, High, Medium, Low, Info) * Hotspots that need review ## Related pages * [Viewing project PDF reports](/sonarqube-cloud/getting-started-with-enterprise/viewing-enterprise-reports/project-pdf-reports.md) * [Viewing portfolio security reports](/sonarqube-cloud/getting-started-with-enterprise/viewing-enterprise-reports/portfolio-security-reports.md) * [Viewing project regulatory reports](/sonarqube-cloud/getting-started-with-enterprise/viewing-enterprise-reports/viewing-project-regulatory-reports.md) --- # Agent Instructions: Querying This Documentation If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question. Perform an HTTP GET request on the current page URL with the `ask` query parameter: ``` GET https://docs.sonarsource.com/sonarqube-cloud/getting-started-with-enterprise/viewing-enterprise-reports/project-security-reports.md?ask= ``` The question should be specific, self-contained, and written in natural language. The response will contain a direct answer to the question and relevant excerpts and sources from the documentation. Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.