Create a report from an assessment.


ounceauto GenerateReport
-assessment <assessment path>
-type <report type>
-output <output format>
-file <output location>
[-caller <caller>]
[-includeSrcBefore <n>]
[-includeSrcAfter <n>]
  • -assessment <assessment path>: Path to the assessment file for which you want to generate the report.
  • -type "<report type>": Name of the report type in double quotation marks. Report types consist of Findings reports, AppScan® Source reports, and custom reports.

    AppScan® Source report types include:

    • A Findings report:
      • Findings
      • Findings by Fix Group
      • Findings by Type
      • Findings by Classification
      • Findings by File
      • Findings by API
      • Findings by Bundle
      • Findings by CWE
      • DTS Activity
    • An AppScan® Source report:
      • 2021 CWE Top 25 Most Dangerous Software Weaknesses
      • DISA Application Security and Development STIG V4R10
      • DISA Application Security and Development STIG V5R1
      • OWASP API Security Top 10 2019
      • OWASP Mobile Top 10
      • OWASP Top 10 2017
      • OWASP Top 10 2021
      • PCI Data Security Standard V3.2
      • Software Security Profile
    • A custom report, if available.

    When entering the report type, in double quotation marks, enter the exactly as specified in the above list - for example Findings by Classification or Software Security Profile.

  • -output <output format> : Specify one of these formats for this report,
    • html: Generates the report as HTML and displays it online.
    • zip: Creates a ZIP file that contains all HTML report components
    • For reports in PDF format, you can specify the level of detail:
      • pdf-summary: Contains counts for each custom report group
      • pdf-detailed: Contains counts for each API for each vulnerability property
      • pdf-comprehensive: Contains tables consisting of every finding for every API
      • pdf-annotated: Contains all findings, any notes included with the findings, and designated code snippets
      • output location: The file path to write the report.
  • -file <output location>: Specify the path and file name to which you want to save the report.
  • -caller <caller>: Optional. Assign a caller to the report generation operation. The caller can be the name of an actual user, but this is not required. The caller name is written to the ounceauto log file.
  • -includeHowToFix: Optional. Include advisory information for how to address and correct findings.
  • -includeSrcBefore <n>: Optional. The number of lines of source code to include before each finding.
  • -includeSrcAfter <n>: Optional. The number of lines of source code to include after each finding.
  • -includeTraceDefinitive: Optional. Include trace information in the report for definitive findings (see Classifications to learn about findings classifications).
  • -includeTraceSuspect: Optional. Include trace information in the report for suspect findings.
  • -includeTraceCoverage: Optional. Include trace information in the report for scan coverage findings.

Return Value

The Request ID if successful, or -1 if the request submission was unsuccessful.


  • Generate a Findings by API report as an HTML file. In the report, include trace information for definitive findings:
    ounceauto generatereport -assessment C:\Ounce\Data\Webgoat.ozasmt
    -type "Findings by API" -output html
    -file C:\reports\Webgoat_Findings.html
  • To generate an OWASP Top 10 2013 AppScan® Source report as a PDF:
    ounceauto generatereport -assessment C:\Ounce\Data\Webgoat.ozasmt
    -type "OWASP Top 10 2013" -output pdf-annotated
    -file C:\Reports\Webgoat_OWASP.pdf