Viewing security reports

Security reports are available starting in Enterprise Edition.

What do security reports show?

Security reports quickly give you the big picture of your application's security. They allow you to know where you stand compared to the most common security mistakes made in the past:

• PCI DSS (versions 4.0 and 3.2.1)
• OWASP Top 10 (versions 2021 and 2017)
• CWE Top 25 (versions 2023, 2022, and 2021)
• CASA
• STIG

They represent the bare minimum compliance for anyone putting in place a secure development lifecycle.

The SANS Top 25 report is based on outdated statistics and should no longer be used. Instead, we recommend using the CWE Top 25 reports.

Depending on the configuration of your SonarQube Server instance, security reports are generated with metrics either from Standard Experience or MQR Mode.

Security reports rely on the rules activated in your quality profile to raise security issues. If there are no rules corresponding to a given OWASP category activated in your quality profile, you won't get issues linked to that specific category and the rating displayed will be A. That doesn't mean you are safe for that category, it implies that you need to activate more rules (assuming some exist) in your quality profile.

What are the differences among the security issues?

Security Hotspots and Security Vulnerabilities (in Standard Experience) or Security issues (in MQR Mode) differ in that:

• Security Hotspot is a security-sensitive piece of code that is highlighted but doesn't necessarily impact the overall application security. It's up to the developer to review the code and determine whether or not a fix is needed to secure it.
• Security Vulnerability (in Standard Experience) or Security (in MQR Mode) is a problem that impacts the application's security and needs to be fixed immediately.

For more details, see the Security hotspots page.

Why don't I see any security issues?

You might not see any Security Vulnerabilities (in Standard Experience), Security issues (in MQR Mode), or Security Hotspots for the following reasons:

• Your code has been written without using any security-sensitive API.
• Security Vulnerability (in Standard Experience), Security (in MQR Mode), or Security Hotspot rules are available but not activated in your quality profile, so no security issues are being raised.
• SonarQube Server might not currently have many rules for your programming language, so it won't raise any issues or only a few security issues are being recognized.

Downloading a PDF copy

You can download a PDF copy of your security reports by clicking Download as PDF in the upper-right corner of the Security reports page.

The PDF contains:

• the number of open Security Vulnerabilities (in Standard Experience) or Security issues (in MQR Mode) and the security rating on both overall code and new code.
• the number of Security Hotspots, the percentage of reviewed Security Hotspots, and the security review rating on both overall and new code.
• your SonarSource, OWASP Top 10, and CWE Top 25 2020 reports.

Related pages

• Viewing PDF reports
• Viewing regulatory reports
• Viewing portfolios