Reports

Generate reports for issues discovered in an application. Send reports to developers, internal auditors, penetration testers, managers, and the CISO. Security information might be extensive, and can be filtered depending on your requirements.

Application and scan reports

From the Application and Scan pages you can generate a variety of reports on the current status of the application.

To generate an application report:
  1. For an application: On the Application page, click the Manage button and select Report.

    For a scan: On the Scan page, click the Download Report button at the top of the Issues by severity chart.

    The Application report dialog box opens.

  2. Give your report a name (or leave the default name), and select the file type (HTML, PDF, and in some cases also CSV and XML).
  3. Add a note that will be added at the top of the report. Optional.
  4. Select the report Type:
    • Security report: A configurable report on all issues found in the application.
    • Industry standard report: In the next step you will be given a list to select from.
    • Regulatory compliance report: In the next step you will be given a list to select from.
    • Open source report (SAST only)
  5. Click Next to continue.

Security reports

Security reports can be generated for:
  • A whole application
  • A specific scan (if the scan has been run more than once you need to specify which execution is used)
  • A filtered list of issues
To generate a security report:
  1. Do one of the following:
    • For an application or scan, perform the steps described above.
    • For an issues list, apply filters to show only the issues you want included in the report, then click Security report.
    The Security reports dialog opens.
  2. Give your report a name (or leave the default name), and select the file type (HTML, PDF, and in some cases also CSV and XML).
  3. Add a note that will be added at the top of the report. Optional.
  4. Select the check boxes for the sections you want in the report, and clear those you do not want.
  5. Click Generate report.
    The report is generated and saved to your machine.
    Note: For filtered lists the security report is generated when you click the button. Therefore, unlike the general security report that reflects the data at the time the scan completed, the filtered report reflects the latest status of issues found. For example, an issue changed from New to Fixed is shown as Fixed in this report.
    Note: In the case of very large reports, PDF generation may fail. In such cases an HTML report is generated instead. If this happens and PDF format is needed, use filters to create smaller chunks of issues and generate two or more reports.

Industry standard and regulatory compliance reports

Choose from the following reports for an application:
Industry Standard:
  • CWE Top 25 Most Dangerous Software Weaknesses 2021
  • International Standard - ISO 27001
  • International Standard - ISO 27002
  • NIST Special Publication 800-53
  • OWASP API Security Top 10 2019
  • OWASP Top 10 2017
  • OWASP Top 10 2021
  • OWASP Top 10 Mobile 2016
  • WASC Threat Classification 2.0

Regulatory Compliance:
  • CANADA Freedom of Information and Protection of Privacy Act (FIPPA)
  • EU General Data Protection Regulation (GDPR)
  • Payment Application Data Security Standard
  • PCI Compliance
  • South Africa Protection of Personal Information Act (PoPIA)
  • US California Consumer Privacy Act (CCPA) - AB-375
  • US DISA's Application Security and Development STIG. V5R2
  • US Electronics Funds and Transfer Act (EFTA)
  • US Federal Information Security Modernization Act (FISMA)
  • US Federal Risk and Authorization Management Program (FedRAMP)
  • US Health Insurance Portability and Accountability Act (HIPAA)
  • US Sarbanes-Oxley Act (SOX)

To generate a report for a subsection of the results, such as High and Critical only, or only issues found after a certain date, you can apply a filter to the results before generating the report.

Export scan data as CSV, JSON, or SARIF

You can export data from the Issues list of an application or scan as a CSV, JSON, or SARIF file.
Note: The SARIF option applies only to SAST issues, not including SCA (open source) issues. It is not available with free subscriptions.
To export data:
  1. Filter the issues list as needed, until only the issues you want to export are shown.
  2. Using the Columns drop-down on the right above the table, select the columns to include.
  3. At the top of the table, click Export.

    The Export data dialog opens.

  4. Type a name for the file, and select CSV, JSON, or SARIF.
  5. Click Export.

    The data is exported to a file.
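
Once a SARIF file has been exported, it can be summarized or used as a build check outside the product. The following is an added example, not code from the product or its documentation: it reads only standard SARIF 2.1.0 fields, the sample data is constructed, and how the product maps its own severities onto SARIF levels is not stated on this page, so the blocking level used here is an assumption.

```python
import json
from collections import Counter

# Constructed SARIF 2.1.0 sample (not real scanner output); rule ids, paths
# and messages are placeholders.
SAMPLE_SARIF = json.dumps({"version": "2.1.0", "runs": [{
    "tool": {"driver": {"name": "example-sast", "rules": [
        {"id": "RULE-SQLI", "defaultConfiguration": {"level": "error"}},
        {"id": "RULE-LOG"}]}},
    "results": [
        {"ruleId": "RULE-SQLI", "message": {"text": "Tainted query"},
         "locations": [{"physicalLocation": {
             "artifactLocation": {"uri": "src/db.py"},
             "region": {"startLine": 42}}}]},
        {"ruleId": "RULE-LOG", "level": "note",
         "message": {"text": "Verbose logging"}, "locations": []},
        {"ruleId": "RULE-UNKNOWN", "message": {"text": "No rule metadata"}}]}]})


def effective_level(result, rules_by_id):
    """Resolve a result's level using the SARIF 2.1.0 defaulting rules.

    Simplification: ruleIndex and per-invocation configuration overrides
    are not consulted, only ruleId and the rule's defaultConfiguration.
    """
    if "level" in result:
        return result["level"]
    if result.get("kind", "fail") != "fail":
        return "none"  # non-failure results carry no severity
    rule = rules_by_id.get(result.get("ruleId"), {})
    return rule.get("defaultConfiguration", {}).get("level", "warning")


def summarize(sarif_text):
    """Return (Counter of levels, list of (level, ruleId, 'uri:line'))."""
    counts, rows = Counter(), []
    for run in json.loads(sarif_text).get("runs", []):
        rules = run.get("tool", {}).get("driver", {}).get("rules", [])
        rules_by_id = {r["id"]: r for r in rules if "id" in r}
        for res in run.get("results") or []:
            level = effective_level(res, rules_by_id)
            loc = (res.get("locations") or [{}])[0].get("physicalLocation", {})
            uri = loc.get("artifactLocation", {}).get("uri", "?")
            line = loc.get("region", {}).get("startLine", "?")
            counts[level] += 1
            rows.append((level, res.get("ruleId", "?"), f"{uri}:{line}"))
    return counts, rows


def gate(sarif_text, blocking=("error",)):
    """True when no result has a blocking level (assumed policy: 'error')."""
    counts, _ = summarize(sarif_text)
    return not any(counts[level] for level in blocking)
```

A result with no explicit level takes its rule's default, and falls back to "warning" when the rule has none, so counting only results that carry a literal "level" field undercounts.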