Create a report

Overview

Use the Reporting page to generate detailed, customizable reports that summarize SAST, SCA, and DAST issues captured in tests. Report types range from developer-focused summaries to executive overviews and compliance reports, and offer insights into vulnerabilities, test trends, and the risk posture of applications in your portfolio. Note the following:

  • Reports are auto-deleted after 30 days.
  • Only the user who creates a report can download it. Share reports in PDF/JSON format.
  • It can take up to 60 minutes for data from a test to be available to create a report.
  • Dismissed issues and excluded components (via issue and component triage) are not included in reports. It can take up to 60 minutes for triage actions to affect reports.
  • Reporting events are tracked in the audit logs.
  • Issues you import from third-party tools are not included in reports.

Available reports

You can generate the following reports:

Table 1. Available reports

Developer Detail SCA: An overview of the issues in the selected application scope. Provides issue details organized by component and includes the severity, vulnerability ID, issue type, CWE, and first detected date of each issue.

Developer Detail Static: An overview of the issues in the selected application scope. Provides issue details organized by issue type and includes severity, location, file name, line number, and first detected date.

Executive Summary Report: Provides an overview of your portfolio and modules that details the overall risk posture. It includes issue summaries at the portfolio and application levels, detected and absent issue charts, issue trend charts, top issue types, and top issues with policy violations.

Issue Overview: A high-level overview of your applications and projects. The report provides the total issue counts at the application level, and the new, recurrent, and total issue counts at the project level. This shows the risk posture across the entire portfolio.

Issue Summary: Includes a summary of the report's scope and issue summaries by severity, per application, per project, and by issue type, including the top 10 vulnerable applications, and more.

Security Audit: Identifies vulnerable areas in the different components of your application that may be exploited by malicious users, and estimates the application's protection from common attacks. This report also assesses the overall security risk for your application across all threat areas.

Software bill of materials (SBOM): Creates an SPDX- or CycloneDX-compatible SBOM report (JSON).

Standard Compliance: Provides issue counts for each application as they relate to a selected standard, as well as a view of the total issues found per standard.

Standard Compliance Detail: Along with the information in the Standard Compliance report, this includes the issue counts for each project. It also provides issue details organized by test type and standard for each issue.

Test Summary Report: For applications and/or projects (depending on the selected scope), shows the first and last test, the number of tests in a time period, test trends, the assessment types scanned, and a list of applications and/or projects not tested in the time period.

Allow reporting notifications

In order to receive email notifications that your report is ready, check that your personal notification settings are set correctly.

  1. Select your profile name, then select Account.
  2. Go to Notifications.
  3. If necessary, enable Reports.
    Note: If you can't make changes, it means an Org Admin has turned off notifications for the organization. You won't be able to change settings and won't receive notifications until this is resolved.

Save report configurations

If you find you generate the same report on a routine basis, consider saving the report's settings as a report configuration. Doing so allows you to quickly generate the same report without having to configure the report's settings each time.

See Create and manage report configurations for more information.

Create a report

(For all reports except SBOM.) Create customized PDF reports of your test results.

  1. Navigate to Reporting (via the icon in the left-hand navigation).
  2. Select + Create Report.
  3. Select a Report Type from the dropdown menu. (See report types above for more information.)
  4. Select an application or project using the Scope dropdown menu.
    Note: SAST/SCA issue data and test quantities are only retrieved from default branches in SAST and SCA projects; SAST/SCA issue data and test quantities from non-default branches are ignored.
    The following steps vary according to the type of report selected.
  5. Use the Tools checkboxes to select the types of issues (DAST, SAST, and/or SCA, depending on the report) to include in the report.
    Note: By default, reports that include SCA issues include issues captured in both types of SCA tests (Package Manager and Signature Analysis).
  6. Use the Severity Levels checkboxes to select the severity of issues to include in the report.
    For a Security Audit, Issue Overview or Executive Summary Report, all severity levels are automatically selected.
  7. Select one option under Standard:
    • Required for the Standard Compliance Reports.
    • You can only select one standard per report (if available).
    • If optional and no standard is selected, all issues are retrieved from the other selected criteria (severity level, etc.). Some issues do not belong to any standards.
  8. Select Time Period (for Security Audit and Test Summary Reports only) or Trend Chart Time Period (Executive Summary Report).
  9. Select Run > Run.
    Tip: You can create a report configuration when you run the report. Doing so allows you to quickly regenerate the report later on using the same settings. To do so, select Run > Run and Save Configuration. You can also create a report configuration without running the report (Save > Run).

    See Create and manage report configurations for more information.

    Polaris sends you an email when your report is ready. Return to the Reporting page and select the Download icon to download the report (PDF).

Create a software bill of materials report

Create a JSON software bill of materials (SBOM) report of a project.
Note: The SBOM report is a JSON file compatible with SPDX v. 2.3 or CycloneDX v. 1.4.

To customize what is included in the report, see Ways to triage components in Polaris. If a component is triaged as Excluded, it will not be in the report.

  1. Navigate to Reporting (via the icon in the left-hand navigation).
  2. Select + Create Report.
  3. Select SBOM using the Report Type dropdown menu.
  4. Select a project using the Scope dropdown menu.
    Note: The SBOM report only captures data from default branches. Data from non-default branches is ignored.
  5. Select SPDX v. 2.3 (JSON) or CycloneDX v. 1.4 (JSON) as Export Format.
  6. Use the Tools checkboxes to include or exclude components detected in different SCA tests.
    Note: By default, the SBOM report includes components detected in both types of SCA tests (Package Manager and Signature Analysis).
  7. Select Run > Run.
    Tip: You can create a report configuration when you run the report. Doing so allows you to quickly regenerate the report later on using the same settings. To do so, select Run > Run and Save Configuration. You can also create a report configuration without running the report (Save > Run).

    See Create and manage report configurations for more information.

    Polaris sends you an email when your report is ready. Return to the Reporting page and select the Download icon to download the report (JSON).
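Once the SBOM report is downloaded, the next practical step is usually to load it into another tool. The following is an added example (not Polaris code) that reads either export format the Reporting page offers, SPDX v2.3 JSON or CycloneDX v1.4 JSON, and flattens it into a component inventory; the two sample documents embedded below are constructed, not real report output, and the SPDX purl extraction relies on the standard `externalRefs` convention rather than anything Polaris-specific.

```python
"""Flatten a downloaded SBOM report (SPDX v2.3 JSON or CycloneDX v1.4 JSON)
into a list of (name, version, purl) tuples. Added example, not Polaris code."""
import json

# Constructed minimal samples in the two export formats the Reporting page offers.
CYCLONEDX_SAMPLE = json.dumps({
    "bomFormat": "CycloneDX", "specVersion": "1.4",
    "components": [
        {"type": "library", "name": "lodash", "version": "4.17.21",
         "purl": "pkg:npm/lodash@4.17.21"},
        {"type": "library", "name": "log4j-core", "version": "2.17.1",
         "purl": "pkg:maven/org.apache.logging.log4j/log4j-core@2.17.1"},
    ],
})
SPDX_SAMPLE = json.dumps({
    "spdxVersion": "SPDX-2.3", "SPDXID": "SPDXRef-DOCUMENT",
    "packages": [
        {"SPDXID": "SPDXRef-Package-lodash", "name": "lodash",
         "versionInfo": "4.17.21",
         # SPDX carries the purl as an external reference of type "purl".
         "externalRefs": [{"referenceCategory": "PACKAGE-MANAGER",
                           "referenceType": "purl",
                           "referenceLocator": "pkg:npm/lodash@4.17.21"}]},
    ],
})


def detect_format(doc):
    """Return 'cyclonedx' or 'spdx' from the document's self-identifying fields."""
    if doc.get("bomFormat") == "CycloneDX":
        return "cyclonedx"
    if str(doc.get("spdxVersion", "")).startswith("SPDX-"):
        return "spdx"
    raise ValueError("not a recognised SBOM document")


def inventory(text):
    """Parse SBOM JSON text and return [(name, version, purl), ...]."""
    doc = json.loads(text)
    items = []
    if detect_format(doc) == "cyclonedx":
        for c in doc.get("components", []):
            items.append((c.get("name"), c.get("version"), c.get("purl")))
    else:
        for p in doc.get("packages", []):
            purl = next((r.get("referenceLocator") for r in p.get("externalRefs", [])
                         if r.get("referenceType") == "purl"), None)
            items.append((p.get("name"), p.get("versionInfo"), purl))
    return items
```

Replace the constructed samples with the contents of the downloaded JSON file to produce the same inventory from a real report.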