Reports

Generate reports for issues discovered in an application, and send them to developers, internal auditors, penetration testers, managers, and the CISO. Security information can be extensive, so it can be filtered according to your requirements.

Application and scan reports

From the Application and Scan pages you can generate a variety of reports on the current status of the application.

To generate an application or scan execution report:
  1. For an application, on the Application page, select Manage > Report.
    For a scan:
    • On the Scans and sessions page, select the ellipsis (...) at the far right of the desired scan in the list and select Download report, or
    • On the Scan summary page, select Manage scan > Download report.
    The report dialog box opens.
  2. Select the report Type:
    • Security report: A configurable report on all issues found in the application.
    • Industry standard report: Select a report from the list in the next step.
    • Regulatory compliance report: Select a report from the list in the next step.
    • Open source report (SAST and SCA only): A report listing all the open source libraries (and their licenses) found in your code, with their associated open source risk level.
    • Software Bill of Materials (SBOM) (SCA only): Industry standard list of open source libraries in your applications.
  3. Give your report a name (or leave the default name), and select file type (HTML, PDF, and in some cases also CSV and XML).
  4. Add a note that will be added at the top of the report. Optional.
  5. Click Next to continue.

    See below for additional information about security reports, industry standard and regulatory compliance reports, SBOM reports, and scan export formats.

Security reports

Security reports can be generated for:
  • A whole application
  • A specific scan (if the scan has been run more than once you need to specify which execution is used)
  • A filtered list of issues
  • A fix group
To generate a security report:
  1. Do one of the following:
    • On the Application page, select Manage > Report > Security report.
    • On the Scan page, select Manage scan > Download report > Security report.
    • On the Issues or Fix group page, apply filters to show only the issues you want included in the report, then click Security report.
    ASoC opens the report dialog box. The title of the dialog box depends on where you launched the report.
  2. Give your report a name (or leave the default name), and select the file type (HTML, PDF, and in some cases also CSV and XML).
  3. Add a note that will be added at the top of the report. Optional.
  4. Indicate report scope, if requested.
    1. Non-compliant issues: Active issues (issues with statuses: "Open", "In progress", "Reopened", and "New" (deprecated)) that are also non-compliant with one or more policies.
    2. All issues: All issues in the application, regardless of status, severity, or compliance, subject to the scope set on the Settings page. When that scope is "Based on status", every issue is included; when it is "Based on status and policies", all issues that are non-compliant with one or more policies are included. The active issues filter does not apply here, and all issues are included.
  5. Select the check boxes for the sections you want in the report, and clear those you do not want.
  6. Click Generate report.
    The report is generated and saved to your machine.
    Note: For filtered lists the security report is generated when you click the button. Therefore, unlike the general security report that reflects the data at the time the scan completed, the filtered report reflects the latest status of issues found. For example, an issue changed from New to Fixed is shown as Fixed in this report.
    Note: In the case of very large reports, PDF generation may fail. In such cases an HTML report is generated instead. If this happens and PDF format is needed, use filters to create smaller chunks of issues and generate two or more reports.

Industry standard and regulatory compliance reports

Choose from the following reports for an application:
Industry standard reports:
  • CWE Top 25 Most Dangerous Software Weaknesses 2021
  • International Standard - ISO 27001
  • International Standard - ISO 27002
  • NIST Special Publication 800-53
  • OWASP API Security Top 10 2019
  • OWASP Top 10 2017
  • OWASP Top 10 2021
  • OWASP Top 10 Mobile 2016
  • WASC Threat Classification 2.0
Regulatory compliance reports:
  • CANADA Freedom of Information and Protection of Privacy Act (FIPPA)
  • EU General Data Protection Regulation (GDPR)
  • Payment Application Data Security Standard
  • PCI Compliance
  • South Africa Protection of Personal Information Act (PoPIA)
  • US California Consumer Privacy Act (CCPA) - AB-375
  • US DISA's Application Security and Development STIG. V5R2
  • US Electronics Funds and Transfer Act (EFTA)
  • US Federal Information Security Modernization Act (FISMA)
  • US Federal Risk and Authorization Management Program (FedRAMP)
  • US Health Insurance Portability and Accountability Act (HIPAA)
  • US Sarbanes-Oxley Act (SOX)

To generate a report for a subsection of the results, such as High and Critical only, or only issues found after a certain date, you can apply a filter to the results before generating the report.

Software Bill of Materials (SBOM) reports

A Software Bill of Materials (SBOM) report is a nested inventory of the components that make up a software artifact. SBOM reports are available for SCA scans only, and a valid SCA license is required.

To generate an SBOM report:
  1. Either:
    • From the Scans and sessions page, select the ellipsis (...) at the far right of the desired scan in the list and select Download report, or
    • From the Scan summary page, select Manage scan > Download report.
  2. Select Software Bill of Materials (SBOM) as the report type, and specify a file name and format.
  3. Click Next.
  4. Specify the following required fields that will appear in the final report:
    • Document name: The title of the SBOM report.
    • Organization name: The organization for which the report is being generated.
    • Creator name: The email of the person creating the report.
  5. Click Generate report.

Export scan data as CSV, JSON, or SARIF

You can export data from the Issues list of an application or scan as a CSV, JSON, or SARIF file.
Note:
  • Only administrators have the ability to export.
  • The SARIF option applies only to SAST issues; SCA (open source) issues are not included. It is not available with free subscriptions.
To export data:
  1. Filter the issues list as needed, until only the issues you want to export are shown.
  2. Using the Columns drop-down on the right above the table, select the columns to include.
  3. At the top of the table, click Export.

    The Export data dialog opens.

  4. Type in the name for the file, select CSV, JSON, or SARIF.
  5. Click Export.

    The data is exported to file.
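As an added example, not part of this documentation or the product: a small Python script that reads a SARIF 2.1.0 file such as the one produced by the export step above and summarizes the issues by level and rule, so a filtered export can be fed into triage or a dashboard. The embedded document, its rule ids, paths and messages are constructed placeholders, not ASoC output.

```python
import json
from collections import Counter

# Constructed SARIF 2.1.0 document standing in for a real exported file;
# rule ids, file paths and messages are placeholders, not scanner output.
SAMPLE_SARIF = json.dumps({"version": "2.1.0", "runs": [{
    "tool": {"driver": {"name": "ExampleAnalyzer", "rules": [
        {"id": "EX.SQLi", "shortDescription": {"text": "SQL Injection"}},
        {"id": "EX.XSS", "shortDescription": {"text": "Cross-Site Scripting"}}]}},
    "results": [
        {"ruleId": "EX.SQLi", "level": "error",
         "message": {"text": "Tainted data reaches a SQL query"},
         "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/db/UserRepo.java"},
                                             "region": {"startLine": 42}}}]},
        {"ruleId": "EX.XSS", "level": "warning",
         "message": {"text": "Unescaped output written to HTML"},
         "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/web/Profile.java"},
                                             "region": {"startLine": 17}}}]},
        # Same rule with no location: whole-file or configuration findings look like this.
        {"ruleId": "EX.XSS", "level": "warning",
         "message": {"text": "Unescaped output written to HTML"}}]}]})

def summarize_sarif(sarif_text):
    """Return (count by level, count by rule name, [(level, rule, location, message)])."""
    doc = json.loads(sarif_text)
    if doc.get("version") != "2.1.0":
        raise ValueError("unsupported SARIF version: %r" % doc.get("version"))
    by_level, by_rule, findings = Counter(), Counter(), []
    for run in doc.get("runs", []):
        # Map rule ids to the human-readable names declared by the tool driver.
        names = {r["id"]: r.get("shortDescription", {}).get("text", r["id"])
                 for r in run["tool"]["driver"].get("rules", [])}
        for res in run.get("results", []):
            level = res.get("level", "warning")  # SARIF's default when level is omitted
            rule = names.get(res.get("ruleId"), res.get("ruleId", "<no rule>"))
            loc = "<no location>"
            for site in res.get("locations", []):  # keep only the first location
                phys = site.get("physicalLocation", {})
                uri = phys.get("artifactLocation", {}).get("uri", "?")
                line = phys.get("region", {}).get("startLine")
                loc = f"{uri}:{line}" if line else uri
                break
            by_level[level] += 1
            by_rule[rule] += 1
            findings.append((level, rule, loc, res.get("message", {}).get("text", "")))
    return by_level, by_rule, findings

if __name__ == "__main__":
    levels, rules, rows = summarize_sarif(SAMPLE_SARIF)
    print(dict(levels), dict(rules), *sorted(rows), sep="\n")
```

To run it on a real export, replace SAMPLE_SARIF with the contents of the downloaded file.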