# Viewing project security reports This feature is only available in the [Enterprise plan](https://www.sonarsource.com/plans-and-pricing/#sonarqube-cloud-features). {% hint style="info" %} Before you can view the Enterprise-level reports, your organization must be added to an enterprise. For more information, see [managing-enterprise](https://docs.sonarsource.com/sonarqube-cloud/administering-sonarcloud/managing-enterprise "mention"). {% endhint %} Security reports help you understand where you may have issues related to the following security standards: * [OWASP Top 10](https://owasp.org/Top10/) (2025, 2021, 2017)

OWASP Top 10 security standards covered by Sonar for version 2025

Category	Python	JS/TS	Java	C#	C/C++	PHP	Kotlin	Go
A01:Broken Access Control
A02: Security Misconfiguration
A03: Software Supply Chain Failures
A04: Cryptographic Failures
A05: Injection
A06: Insecure design
A07: Authentication Failures
A08: Software and Data Integrity Failures
A09: Logging and Alerting Failures
A10: Mishandling of Exceptional Conditions

* [OWASP Mobile Top 10 2024](https://owasp.org/www-project-mobile-top-10/)

OWASP Mobile Top 10 security standards covered by Sonar for version 2024

Standard	Java	Kotlin	Dart	Swift
M1: Improper Credential Usage
M2: Inadequate Supply Chain Security
M3: Insecure Authentication/Authorization
M4: Insufficient Input/Output Validation
M5: Insecure Communication
M6: Inadequate Privacy Controls
M7: Insufficient Binary Protections
M8: Security Misconfiguration
M9: Insecure Data Storage
M10: Insufficient Cryptography

* [CWE Top 25](https://cwe.mitre.org/top25/archive/2024/2024_cwe_top25.html) (2024, 2023, 2022, and 2021)

CWE Top 25 security standards covered by Sonar for version 2024

Category	Python	JS/TS	Java	C#	C/C++	PHP	Kotlin
CWE-79 Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’)
CWE-787 Out-of-bounds Write
CWE-89 Improper Neutralization of Special Elements used in an SQL Command (‘SQL Injection’)
CWE-352 Cross-Site Request Forgery (CSRF)
CWE-22 Improper Limitation of a Pathname to a Restricted Directory (‘Path Traversal’)
CWE-125 Out-of-bounds Read
CWE-78 Improper Neutralization of Special Elements used in an OS Command (‘OS Command Injection’)
CWE-416 Use After Free
CWE-862 Missing Authorization
CWE-434 Unrestricted Upload of File with Dangerous Type
CWE-94 Improper Control of Generation of Code (‘Code Injection’)
CWE-20 Improper Input Validation
CWE-77 Improper Neutralization of Special Elements used in a Command (‘Command Injection’)
CWE-287 Improper Authentication
CWE-269 Improper Privilege Management
CWE-502 Deserialization of Untrusted Data
CWE-200 Exposure of Sensitive Information to an Unauthorized Actor
CWE-863 Incorrect Authorization
CWE-918 Server-Side Request Forgery (SSRF)
CWE-119 Improper Restriction of Operations within the Bounds of a Memory Buffer
CWE-476 NULL Pointer Dereference
CWE-798 Use of Hard-coded Credentials
CWE-190 Integer Overflow or Wraparound
CWE-400 Uncontrolled Resource Consumption
CWE-306 Missing Authentication for Critical Function

* [CASA](https://appdefensealliance.dev/casa) * [OWASP ASVS](https://owasp.org/www-project-application-security-verification-standard/) (5.0 and 4.0, levels 1, 2, 3) * [OWASP MASVS](https://mas.owasp.org/MASVS/) * [OWASP Top 10 for LLM Applications](https://owasp.org/www-project-top-10-for-large-language-model-applications/) (2025) * [PCI DSS](https://www.pcisecuritystandards.org/) (4.0 and 3.2) * [STIG ASD](https://www.cyber.mil/stigs/) (6 and 5) If you have access to [SonarQube Advanced Security](https://github.com/SonarSource/sonarqube-documentation/blob/main/content-output/cloud/default/advanced-security/introduction/README.md), risks from your third-party dependencies will also be included in relevant security reports. If you have access to [SonarQube Advanced Security](https://github.com/SonarSource/sonarqube-documentation/blob/main/content-output/cloud/default/advanced-security/introduction/README.md), risks from your third-party dependencies will also be included in revelant security reports. ## Viewing the security reports of a project branch

A number of details are available on the Security reports overview page.

1. Retrieve your project. See [retrieving-projects](https://docs.sonarsource.com/sonarqube-cloud/managing-your-projects/retrieving-projects "mention") for more details. 2. Go to **Security reports.** 3. Select the **main** branch or other long-lived branch. 4. Select the security standards you want to review. The grid displays the number of raised issues and hotspots by security category. 5. View **Project overall Security rating** and **Project overall Security Review rating** in the **Security reports overview** section. 6. Select the number displayed in the **Security** or **Security Hotspots** columns to review the issues. 7. Select **Download Security report (PDF)** for a PDF version of the report. ## Checking the security rules included in a project’s quality profile

1. Retrieve your project. See [retrieving-projects](https://docs.sonarsource.com/sonarqube-cloud/managing-your-projects/retrieving-projects "mention") for more details. 2. Go to **Project information**. 3. Under **Quality profiles used**, select a quality profile to open it. 4. Once on the **Quality Profiles** page, select the active **Security** rules from the **Software qualities** table’s **Active** column. The **Rules** page will open. 5. In the left-side panel of the **Rules** page, scroll to the **Security Category** and filter the results by specific standards to view the security categories covered by code review and analysis.

## Downloading a project security PDF report for a branch As a member of a security or compliance team, you can generate and download project security reports in a PDF format for any given branch. 1. Retrieve your project. See [retrieving-projects](https://docs.sonarsource.com/sonarqube-cloud/managing-your-projects/retrieving-projects "mention") for more details. 2. Go to **Security Reports** and select the **main** branch or another long-lived branch. 3. In the top right corner of the page click **Download Security report (PDF)**. ### Download options The following download options are available: * **Default**: Includes Sonar, OWASP top 10 2021 and CWE TOP 25 2024 security standards. * **Custom**: Choose from a list of all security standards used by SonarQube. ### Contents of the PDF Report A Security Overview page that includes: * Project and branch information * The number of open **Security** issues, **Security Hotspots**, and **Accepted Security issues** on new code and overall code. * Overall code security ratings for **Security** issues and **Security Hotspots**, including the percentage of reviewed **Security Hotspots** A report for a given standard that includes: * A list of categories for **Security** issues and **Security Hotspots** * Number of issues to address and their relevant rating per category * Breakdown by severity (Blocker, High, Medium, Low, Info) * Hotspots that need review ## Related pages * [project-pdf-reports](https://docs.sonarsource.com/sonarqube-cloud/getting-started-with-enterprise/viewing-enterprise-reports/project-pdf-reports "mention") * [portfolio-security-reports](https://docs.sonarsource.com/sonarqube-cloud/getting-started-with-enterprise/viewing-enterprise-reports/portfolio-security-reports "mention") * [viewing-project-regulatory-reports](https://docs.sonarsource.com/sonarqube-cloud/getting-started-with-enterprise/viewing-enterprise-reports/viewing-project-regulatory-reports "mention")