
Reports

Access and download reports of scan results and findings for your applications.

Note: Use and distribution of these reports is governed by the agreement between Veracode and its customer. In particular, these reports and the results in the report cannot be used publicly in connection with Veracode without written permission.

Access reports

You can access reports in the Veracode Platform, using the APIs, and within Veracode integrations.

Using the Veracode Platform

In the Veracode Platform, go to the Results page for a scanned application. You can view the Veracode and PCI Compliance reports to gain insights into your application security program activity and a better understanding of the business risk of vulnerabilities in your application.

To download reports of data from Veracode Analytics, select Analysis > Data Exports. Then, generate and download a report.

Using the APIs

Access reports using the REST or XML APIs.

  • REST APIs
  • XML APIs

Using the integrations

After running a scan using a Veracode integration that accesses the Veracode Platform, such as integrations that support Veracode Upload and Scan or Veracode DAST, you can access the results in the Veracode Platform interface and download reports.

For scan types that don't access the Veracode Platform, such as integrations that use Pipeline Scan for Static Analysis scans, you typically access the scan results and reports within the integration interface, such as a website or application, or using the Veracode APIs.

Download reports

Download the following reports in the Veracode Platform.

Customizable Report

This report summarizes the security flaws identified during the scan and how the application fared against the associated policy controls, and outlines the Veracode recommendations. It contains the same information as the Detailed Report that you can download from the Results page.

You can customize the PDF document of the application security findings in your latest policy scan to include only the contents that you need.

This report is the only Veracode report that includes Veracode Software Composition Analysis (SCA) data.

To complete this task:

  1. In the Veracode Platform, select My Portfolio > Applications.
  2. Find an application with scan results and select Results. The Results page opens.
  3. Select Download > Customizable Report.
  4. Under Report Selections, select which sections you want to include in the report. All sections are selected by default. If you clear a checkbox for a section with subsections, it also clears the checkboxes for the subsections.
  5. Select Download. Your customized report is downloaded to your browser.

The Customizable Report summarizes the security findings identified during the most recent policy scan, the application policy status, and recommendations to fix the findings.

You can download the Customizable Report from the Results page. It includes the following sections.

Executive Summary

The Executive Summary section is a high-level description of your findings and policy status. It provides scan details such as the number of findings, the policy rules, the most frequently found CWEs, and the Security Quality Score. If you include Veracode Software Composition Analysis findings, it also provides a summary of SCA findings and third-party component license risk.

Action Items

The Action Items section of the Veracode scan results report provides guidance on the steps required to bring the application to a state where it passes its assigned security policy. These steps may include fixing or mitigating flaws or performing additional scans. The section also includes best practice recommendations to improve the security quality of the application.

Policy Control

The Policy Control section lists the names and descriptions of the assigned security policy and details how the application complies with the following policy rules:

  • Veracode Level rule and any custom rules, including blocklist rules
  • Scan requirements
  • Remediation levels

Policy Evaluation

The Policy Evaluation is a summary of your policy compliance. It provides the description and status of your policy, as well as the rules, scan requirements, and Security Quality Score for the latest scan.

Static Scan Details

The Static Scan Details section describes the scope of the scan, listing the application modules included in and excluded from the scan.

Changes from Last Scan

The Changes from Last Scan section describes changes in scope from the prior scan, listing all modules that changed since the previous scan.

Findings and Recommendations

The Findings and Recommendations section provides a list of findings by severity, in addition to descriptions and remediation advice for the findings. Each finding is associated with the corresponding CWE ID. You can use the CWE ID to assign relevant Security Labs courses that explain how to resolve these findings. You can also view a list of Software Composition Analysis (SCA) findings by component with license risk details.

Approved, Proposed, and Rejected Mitigations

The Approved Mitigations, Proposed Mitigations, and Rejected Mitigations sections provide the mitigation history for findings in a specific mitigation status. It also provides the exploitability and location of each mitigated finding. For Veracode SCA, the report lists mitigations for vulnerabilities and licenses separately.

Detailed Veracode Report

You can generate a report of your application security findings to share vulnerability statistics of applications and websites with your stakeholders.

Before you begin:

You have the Executive, Reviewer, or Security Lead role.

The Detailed Veracode Report provides insights into your application security program activity and a better understanding of the business risk of vulnerabilities in your application. The Detailed Veracode Report contains the same information available in the Customizable Report, but without the ability to choose which sections to include in the report.

To complete this task:

  1. In the Veracode Platform, select My Portfolio > Applications.
  2. Find an application with scan results and select Results. The Results page opens.
  3. Select Download.
  4. Select Detailed Veracode Report (PDF) and select Download. The report downloads to your computer for you to review and share with your stakeholders.

Summary Veracode Report

You can download a Summary Report to share summary information about the security quality of your application without sharing the details of the discovered findings.

The Summary Report includes the application rating and security quality score. It also provides a summary of the number and types of findings that Veracode discovered during scanning. You can share this information with anyone without exposing the details of potentially exploitable findings.

The Summary Report provides a general summary of the overall security of the application while the Detailed Report provides a detailed list of findings, their location, and remediation guidance.

You can also get a Summary Report with the Summary Report REST API.

To complete this task:

  1. In the Veracode Platform, select My Portfolio > Applications.
  2. Find an application with scan results and select Results. The Results page opens.
  3. Select Download > Summary Report.
  4. To download the report, select Download.

Veracode PCI Report

This report provides guidance on how to fix the discovered flaws to achieve Payment Card Industry (PCI) compliance and how the application fared against the PCI policy.

Some applications may be subject to Payment Card Industry (PCI) criteria such as PCI-DSS and PA-DSS. Veracode provides the ability to evaluate any application against the PCI standards via the PCI report.

Veracode provides guidance for fixing security flaws to achieve compliance with PCI DSS version 4.0, sections 6.2, 6.4.1, and 11.4.1, and compliance with PCI SSF. Veracode implements the guidance provided in these sections in the PCI 4.0 standard, which recommends evaluating applications against the OWASP Top 10, CWE Top 25, CERT Secure Coding, and other standards, and which expressly requires that an application be free of High or Very High-severity flaws. You can view the details of how an application is evaluated against these standards in the Policy section of the PCI Report.

To complete this task:

  1. In the Veracode Platform, select My Portfolio > Applications.
  2. Select View in the Results column of the Applications list. The Results page opens for your application.
  3. Select PCI Compliance Report at the top of the page. The Veracode Platform opens the PCI Report view.
  4. To download a PDF copy of the report, select the download icon at the top-right of the page.
  5. Select Veracode PCI 4.0 Report (PDF) from the Download Report window and, if necessary, select the scan type to include in the report.
  6. Select Download.

Detailed XML Report

Veracode exports, in XML format, detailed information about an application, including some application profile data, information about scans performed, Software Composition Analysis (SCA) data if available, and a list of open and fixed flaws. You can download this information from the Results page. The format for the download is the same as that provided by the Results API.

The XML export contains some data that is provided for automated consumption of flaw results, including remediation status and date first found.

The Detailed Results XML file for an application that contains more than one scan can contain information about both new and fixed flaws. The report states the line where each flaw is located, the number of lines of code (LOC) in a module, and also maps the flaws to the CWE, OWASP, and CERT industry standard lists of vulnerabilities.

Flaws that have been fixed can be filtered out by using the XML attribute remediation_status:

<flaw ... remediation_status="fixed" ... >

Note: Flaws might not show as fixed if there were large changes in the upload or if another scan, which might have run in a development sandbox, already detected a flaw as fixed. If a flaw no longer appears in the scan results, you can consider it closed.

The date_first_occurrence attribute of the flaw contains the date on which the first report referencing this flaw was published. You can use this date to compute statistics about flaw aging.

The cia_impact attribute contains information about the Veracode assessment of the confidentiality, integrity, and availability impact of the flaw if it is exploited. Veracode uses this information, part of the CVSS standard, to compute the severity for the flaw. The value is presented as three letters, where the first letter is the confidentiality, second is integrity, and third is availability. Possible values for each letter are c for Complete, p for Partial, or n for None.

The policy_compliance_status attribute contains information about the Veracode policy evaluation for sandbox scan results. Each finding for a sandbox scan includes the policy impact under the BLANK attribute, which allows you to inspect the sandbox findings that impact policy. A sandbox scan does not take into account the activity-based policy rules, such as scan types and scan frequency. Sandbox scans do not count towards the rule of scan frequency. In a sandbox, only the findings are assessed for policy implications.
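As an added example (not Veracode's own code or tooling), the following Python script consumes a Detailed XML Report export using the attributes described above: it filters out fixed flaws with remediation_status, computes flaw age from date_first_occurrence, decodes the three-letter cia_impact value, and counts open findings by policy_compliance_status. The sample document, the element nesting around the flaw elements, the issueid, cweid and severity attributes, the timestamp layout, and every status value other than "fixed" are constructed assumptions for this example; check them against the XSD that ships in the report ZIP before relying on them.

```python
"""Process a Veracode Detailed XML Report export (added example).

The attribute names remediation_status, date_first_occurrence, cia_impact and
policy_compliance_status are the documented ones. The element nesting, the
issueid/cweid/severity attributes, the timestamp layout and the status values
other than "fixed" are assumptions; the sample document is constructed.
"""
from __future__ import annotations

import xml.etree.ElementTree as ET
from collections import Counter
from datetime import date, datetime

# Constructed sample in the rough shape of the export.
SAMPLE_XML = b"""<?xml version="1.0" encoding="UTF-8"?>
<detailedreport app_name="demo-app">
  <flaw issueid="101" cweid="89" severity="5" remediation_status="new"
        date_first_occurrence="2024-01-15 10:12:00 UTC" cia_impact="ccc"
        policy_compliance_status="Fails"/>
  <flaw issueid="102" cweid="79" severity="3" remediation_status="open"
        date_first_occurrence="2024-05-02 08:00:00 UTC" cia_impact="pnn"
        policy_compliance_status="Passes"/>
  <flaw issueid="103" cweid="22" severity="4" remediation_status="fixed"
        date_first_occurrence="2023-11-20 16:45:00 UTC" cia_impact="pcp"
        policy_compliance_status="Passes"/>
  <flaw issueid="104" cweid="327" severity="4" remediation_status="reopened"
        date_first_occurrence="2024-06-10 12:00:00 UTC" cia_impact="cnn"
        policy_compliance_status="Fails"/>
</detailedreport>
"""

# Constructed reference date used to age the sample flaws.
REPORT_DATE = date(2024, 7, 1)

CIA_LETTERS = {"c": "Complete", "p": "Partial", "n": "None"}


def _local(tag: str) -> str:
    """Strip a namespace prefix ({uri}tag -> tag) so namespaced real exports
    and the plain sample above are handled alike."""
    return tag.rsplit("}", 1)[-1]


def iter_flaws(root: ET.Element):
    """Yield every flaw element anywhere in the document, whatever the nesting."""
    for el in root.iter():
        if _local(el.tag) == "flaw":
            yield el


def open_flaws(root: ET.Element) -> list[ET.Element]:
    """Drop flaws whose remediation_status is fixed (compared case-insensitively)."""
    return [f for f in iter_flaws(root)
            if f.get("remediation_status", "").lower() != "fixed"]


def decode_cia(value: str) -> dict[str, str]:
    """Expand a cia_impact value such as 'pnn' into the named C/I/A impacts."""
    letters = value.lower()
    if len(letters) != 3 or any(ch not in CIA_LETTERS for ch in letters):
        raise ValueError(f"invalid cia_impact value: {value!r}")
    c, i, a = letters
    return {"confidentiality": CIA_LETTERS[c],
            "integrity": CIA_LETTERS[i],
            "availability": CIA_LETTERS[a]}


def first_seen(flaw: ET.Element) -> date:
    """Parse date_first_occurrence. The 'YYYY-MM-DD HH:MM:SS UTC' layout is an
    assumption, so only the leading date part is relied on."""
    raw = flaw.get("date_first_occurrence", "")
    return datetime.strptime(raw[:10], "%Y-%m-%d").date()


def flaw_age_days(flaw: ET.Element, today: date) -> int:
    """Days since the flaw was first reported, the basis for aging statistics."""
    return (today - first_seen(flaw)).days


def aging_summary(root: ET.Element, today: date) -> dict:
    """Bucket open flaws by age and identify the oldest; fixed flaws are
    excluded so they do not inflate the aging figures."""
    buckets: Counter = Counter()
    oldest = None
    for f in open_flaws(root):
        age = flaw_age_days(f, today)
        if age <= 30:
            buckets["0-30"] += 1
        elif age <= 90:
            buckets["31-90"] += 1
        else:
            buckets["90+"] += 1
        if oldest is None or age > oldest[1]:
            oldest = (f.get("issueid"), age)
    return {"open": sum(buckets.values()), "buckets": dict(buckets), "oldest": oldest}


def policy_impact_counts(root: ET.Element) -> dict[str, int]:
    """Count open flaws by policy_compliance_status so sandbox findings that
    affect policy can be picked out without assuming the status vocabulary."""
    return dict(Counter(f.get("policy_compliance_status", "")
                        for f in open_flaws(root)))


def load(xml_bytes: bytes = SAMPLE_XML) -> ET.Element:
    """Parse an export; pass the bytes of the XML file from the report ZIP."""
    return ET.fromstring(xml_bytes)


if __name__ == "__main__":
    root = load()
    for f in open_flaws(root):
        print(f.get("issueid"), f.get("remediation_status"),
              flaw_age_days(f, REPORT_DATE), decode_cia(f.get("cia_impact", "")))
    print(aging_summary(root, REPORT_DATE))
    print(policy_impact_counts(root))
```

Pointing load() at the XML document extracted from the downloaded ZIP, with today's date instead of REPORT_DATE, gives the same aging and policy-impact figures for a real application.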

To complete this task:

  1. In the Veracode Platform, select My Portfolio > Applications.
  2. Find an application with scan results and select Results.
  3. Select Download > Detailed XML Report.
  4. Select Download. The report is downloaded to your browser. Veracode provides the report as a ZIP file that contains the XML document and the associated XSD XML schema for using the XML information in another application.

Assessment Summary Report

For Static Analysis scans, the Assessment Summary Report shows how many modules were included, how many call sites were in the modules, and how many of those call sites are vulnerable.

The summary lists the statistics on the number of call sites scanned for each flaw category. You can use this information to gain confidence in the completeness of the results in high-quality applications where the majority of high and very-high flaws are already remediated. A call site is the area in the code that Veracode scans for dangerous flaws to determine which call sites are vulnerable to various flaw categories. There may be more call sites for each subcategory than there are unique call sites because Veracode analyzes each call site for CWEs in each subcategory.

To complete this task:

  1. In the Veracode Platform, select My Portfolio > Applications.
  2. Find an application with scan results and select Results. The Results page opens.
  3. In the left navigation menu, select View Report.
  4. On the Executive Summary tab, scroll down and select Assessment Summary. The assessment summary opens in a new window.

The statistics are divided by CWE category, indicating what type of vulnerabilities you have.

Analytics reports

Use the data exports to generate and download reports of specific data from Veracode Analytics. The reports provide insight into the posture of your application security program.

The reports on the Data Exports page run asynchronously. When you generate a new report, the Veracode Platform creates it server-side and saves it until you download it. Veracode refreshes account data twice daily, at 6 AM and 6 PM ET. For the most accurate data, wait until after the refresh to generate and download a report.

The data export process might take several minutes to complete. You can download a previously generated version of the report at any time by selecting the download icon, but it might not contain the most recent information until you generate a new version.

Before you begin:

You must have the Security Lead or Administrator role to access data exports.

To complete this task:

  1. In the Veracode Platform, select Analytics > Reports > Data Exports.
  2. To generate a new export, select Generate Data Export. The Last Generated column updates when the new export is ready.
  3. To download the data export, select Download Data Export. The report downloads in CSV format to your browser.

License consumption reports

The Veracode Platform provides four reports with consumption data associated with your Veracode licenses: the License Used Report, the Largest Scan Report, the All Scans Report, and the License Used Tier Model Report. These reports track scan activity that uses your licenses for Veracode Static Analysis and Dynamic Analysis.

Before you begin:

  • You must have the Security Lead or Administrator role.
  • Your organization must use a licensing model that the reports support.

To complete this task:

  1. In the Veracode Platform, select Analytics > Data Exports.
  2. Locate the report you want to generate.
  3. To generate the report, select the generate icon.
  4. When the report is available, select the download icon to download it.

If you do not see the automated consumption data in these reports, you may have a legacy contract term inhibiting automation. In this case, contact your Veracode account manager for assistance with managing usage reporting.

The license consumption reports in the Veracode Platform provide consumption data associated with your Veracode licenses. Each report provides different details about the Static Analysis and Dynamic Analysis scan activity that uses your license.

License Used Report

The License Used Report provides visibility into your overall usage during a specific subscription year. It includes these details:

  • Account Name: Name of your account.
  • Contract: Internal Veracode contract ID.
  • Start Date: Start date of your contract. If you have a multi-year contract, there is a row for each year of your subscription.
  • End Date: End date of the subscription year.
  • Is Active: Indicates if the contract is active. All subscription years of an active multi-year contract are considered active.
  • Licenses Purchased: Number of licenses purchased in the associated contract.
  • MB Purchased: Number of megabytes purchased in the associated contract.
  • Licenses Used: Number of licenses used during the subscription year.
  • MB Used: Number of megabytes used during the subscription year.

Largest Scan Report

The Largest Scan Report represents the largest analysis size for each application scanned during the contract term and shows which applications consumed licenses during a specific contract year. It includes these details:

  • Licensed Account: Veracode Platform account that performed the scan.
  • Application ID: Unique ID for your application.
  • Application Name: The name of your application.
  • License Type: Indicates if the license type is SDLC or third party.
  • Scanning Account: Same as the licensed account unless it has a vendor scanning under the enterprise account.
  • 3rd Party State: Indicates if the scan was deleted or is active. Only populated if a third-party vendor performs the scan.
  • Build ID: Unique ID for a scan.
  • Scan Name: The name of your scan.
  • Sandbox Type: Indicates if a scan is a sandbox or policy scan.
  • Scan State: Indicates if the scan is active or was deleted.
  • Scan Type: Indicates if the scan is a Veracode Static Analysis or Dynamic Analysis scan.
  • Largest Scan Publish Date: The date that the largest scan occurred for the application during the subscription year.
  • Published to Vendor Date: The date the scan results were published to a third-party vendor. This field is only populated if a third-party vendor performs the scan.
  • Published to Enterprise Date: The date the scan results were published to the enterprise account. This field is only populated if a third-party vendor performs the scan.
  • Language: The predominant language in the application.
  • Total Analysis Size: Size of the application analyzed in that scan.
  • Licenses Used: Largest scan of each application during that subscription year divided by the application size definition.
  • MB Used: Sum of the total analysis size, rounded to the nearest whole number.
  • Applied SKU per Scan: The contracted SKU to which the scan applies.
  • Contract: Internal Veracode contract ID.
  • Subscription Start Date: Start date of your contract. If you have a multi-year contract, consumption metrics start at 0 at the beginning of each subscription year.
  • Times App Scanned Within Year: Number of times Veracode scanned the application during the subscription year.

All Scans Report

The All Scans Report shows all scans associated with your account, including sandbox scans and deleted scans, for a specific contract year. The report includes these details:

  • Licensed Account: Veracode Platform account that performed the scan.
  • Application ID: Unique ID for your application.
  • Application Name: The name of your application.
  • License Type: Indicates if the license type is SDLC or third party.
  • Scanning Account: Same as the licensed account unless it has a vendor using the enterprise account to perform scans.
  • 3rd Party State: Indicates if the scan is active or was deleted. This field is only populated if a third-party vendor performs the scan.
  • Build ID: Unique ID for a scan.
  • Scan Name: The name of your scan.
  • Sandbox Type: Indicates if a scan is a sandbox or policy scan.
  • Scan State: Indicates if the scan is active or was deleted.
  • Scan Type: Indicates if the scan is a Veracode Static Analysis or Dynamic Analysis scan.
  • First Publish Date: The date that the largest scan occurred for the application during the subscription year.
  • Published to Vendor Date: The date the scan results were published to a third-party vendor. This field is only populated if a third-party vendor performs the scan.
  • Published to Enterprise Date: The date the scan results were published to the enterprise account. This field is only populated if a third-party vendor performs the scan.
  • Language: The predominant language in the application.
  • Total Analysis Size: Size of the application analyzed in that scan.
  • Potential Licenses Used: Largest scan of each application during that subscription year, divided by the application size definition.
  • Potential MB Used: Sum of the total analysis size, rounded to the nearest whole number.
  • Applied SKU per Scan: The contracted SKU to which the scan applies.
  • Contract: Internal Veracode contract ID.
  • Subscription Start Date: Start date of your contract. If you have a multi-year contract, consumption metrics start at 0 at the beginning of each subscription year.
  • Times App Scanned Within Year: Number of times the application was scanned during the subscription year.

License Used Tier Model Report

The License Used Tier Model report identifies how many licenses you have used from the number you purchased. This license report type is available only if you use the tier licensing model. The report includes these details:

  • account name: Account name of the organization that purchased licenses from Veracode.
  • contract: ID of the contract in use.
  • contract year: For multi-year contracts, the ID for the year of the contract. One contract might have different subscriptions allocated to different years of the contract.
  • subscription (sku): Product subscription code purchased in the contract.
  • start date (of contract year): Start date for the contract year.
  • end date (of contract year): End date for the contract year.
  • quantity licenses purchased: Number of products purchased. For Standard and Small, this value reflects the number of application profiles.
  • quantity licenses used: Number of products used. For Standard and Small, this value reflects the number of application profiles.
  • most recent scan date during contract year: Date of most recent scan for each application profile counted.

Greenlight Daily Scan Usage reports

In the Veracode Platform, you can access two reports for reviewing summaries of Greenlight scan usage. You must have the necessary role to access these reports.

Go to Reports > Export Data. Select the Generate icon to initiate the report, then select the Download icon when it is available, which indicates that the report has finished generating.

Daily Scan Usage Summary Report

This summary logs a row for the scan activity of each user that scanned with Veracode Greenlight on each day. If the user did not scan on a particular day, there is no entry in the report. The fields reported are:

  • Email Address: email of the user who performed the scan.
  • Created Day: date the scan occurred.
  • Successful Active Scans: number of successful scans the users initiated from their IDE.
  • Successful Auto-Scans: number of successful scans automatically initiated when the IDE saved the file.
  • Successful API Scans: number of scans initiated by the Veracode Greenlight API in the build/CI workflow.
  • Total Unsuccessful Scans: number of unsuccessful active, auto-scan, or API scans.
  • Total Successful Scans: number of successful and unsuccessful, active, auto-scan, or API scans.

Technology Usage Summary Report

This summary logs the information about the IDE and plugin used during the Greenlight scan. The fields in the report are:

  • Email Address: email address of the user who performed the scan.
  • IDE: IDE used, either Eclipse, IntelliJ, or Visual Studio.
  • IDE Version: version of the IDE used when the scan was submitted.
  • Plugin Version: Veracode Greenlight plugin version when the scan was submitted.
  • Language: language of the code scanned:
    • net: C#, VB.NET, ASP.NET
    • js: JavaScript
    • java: Java
  • Scan Count: total number of scans submitted plus the information for the IDE, IDE version, plugin version, and language.

If you perform Veracode Greenlight scans using the API, the IDE, IDE version, and plugin version columns are blank in the Veracode Greenlight Technology Usage Summary report.

SCA Agent-based Scan Security Report

You can download a PDF report of your SCA Agent-based Scan workspace findings that provides vulnerability statistics for your application.

Note: Projects that do not have a default branch set in their project settings do not appear in the PDF report.

To complete this task:

  1. In the Veracode Platform, select Scans & Analysis > Software Composition Analysis.
  2. Select Agent-Based Scan.
  3. From the Workspace List page, find the workspace for which you want to download a report.
  4. In the Actions column, select the Download icon. The Agent-Based Scan SCA Security Report downloads to your browser as a PDF.
  5. To navigate directly to different sections of the report, select the titles on the cover page:
    • Executive Summary: a high-level summary of your findings by severity and license risk
    • Project Summary: information on your scan activity and number of findings by project
    • Issues by Project: details on the vulnerabilities in the project
    • Veracode Agent-Based Scan Methodology: information on how Veracode conducts security research and determines vulnerability scoring

Application Activity Report

You can download a report and an activity log from the Veracode Platform that provides detailed activity for an application.

The activity report provides the full history of scan events and policy events for the application. The activity log in the Veracode Platform user interface displays events from only the past 90 days.

To complete this task:

  1. In the Veracode Platform, select Scans & Analysis and select a scan type.
  2. Select an application.
  3. If you want to limit the report to scan activity, select Scans from the left navigation menu.
  4. To display the activity, in the Activity Log section, select the expand arrow.
  5. Select Generate CSV.
  6. After the CSV generates, select Download CSV. The scan activity report downloads to your computer.

Sandbox Activity Report

You can download a report from the Veracode Platform that provides detailed activity for a sandbox.

The Veracode Platform provides an activity report, which you can download, and an activity log, which appears in the Veracode Platform user interface. The activity report provides the full history of activity for the sandbox. The activity log displays events from only the past 90 days.

To complete this task:

  1. In the Veracode Platform, select Scans & Analysis > Static Analysis.
  2. Select an application.
  3. Select a sandbox.
  4. To display the activity, in the Activity Log section, select the arrow to expand the activity log.
  5. Select Generate CSV.
  6. After the CSV generates, select Download CSV. The scan activity report downloads to your computer.

Share reports with vendors

Vendors who want to share scan results can generate reports for enterprise organizations. To enable the sharing of Veracode reports, contact Veracode Technical Support.

As a vendor, as soon as scan results are available, you can send a copy of the results to an organization of your choice.

  1. In the Veracode Platform, from the left navigation menu of the application page, select Results.
  2. To share the results of the latest scans of each scan type, select Share in the top right to open the Share this Report window. If this icon is disabled, contact Veracode Technical Support to establish the relationship between you and the enterprise organization.
  3. Select the enterprise organization with whom you want to share the report. This dropdown list is based on vendor relationships you have with other organizations. To add more organizations to this list, contact Veracode Technical Support.
  4. Select the policy against which you want to calculate the results of the report. The policy details appear, showing you the description, rules, and scan requirement of the policy.
  5. Select Save and Continue.

The generated report is listed in the Shared Reports page, which you access from the left navigation menu. At a glance you can see which reports you generated and when. The color of the shield icon in the Generated For column indicates whether the policy compliance is a pass (green), conditional pass (orange), or fail (red).

When you are ready to send the generated report to the selected organization, select Share Now. You receive a prompt to confirm that you are ready to share.

You share only the Summary Report and, if you have subscribed to the Software Composition Analysis (SCA) feature that Veracode offers for examining the components that comprise a software application, the SCA Report. The Detailed Report is for your information only.

To access shared reports for any application, select the application name on the Applications page or the report name on the Shared Reports page. Only the vendor who owns the application and the security lead, executive, and reviewer members of the enterprise team can access a vendor's shared reports.

To unshare a report you have already shared with an organization, select Undo to revoke the shared action. When prompted to confirm your choice, select Yes.

The report is no longer available to view or download by the enterprise recipient.