Attestation reports

Attestation reports provide evidence of vulnerability remediation based on the most current application information. Meet compliance and auditing requirements with these PDF reports.


This report expires seven days after you create it. Contrast then deletes the report after this time.

Attestation reports include:

  • An itemized list of the specific filter settings used to run the report

  • A summary of the security posture for the application

  • Vulnerabilities assessment for both custom code and open-source libraries. Note that critical severities will not be displayed in this section if CVSS 3.1 has not been turned on for existing organizations. To enable this, contact Contrast Support.

  • Route coverage as a security assessment metric

  • An optional compliance policy assessment and detailed information about open vulnerabilities for the application

  • An appendix that describes methodologies and terminologies

To run an attestation report:

  1. Select Applications in the header.

  2. Select an application in the Applications grid.

  3. Click the Reports icon icon-reports.svglocated at the top-right of the application's page.

  4. Select Generate Attestation Report from the list.

  5. In the window that appears, define the VulnerabilitiesEnvironments, and additional Security Standards that you want to include in the report.

    The default is to show all vulnerabilities and environments, but you can filter them by clicking the fields. Choose an option from Security Standards to include an additional Security Standards section in the generated report. Optionally, you can choose to include detailed information about open vulnerabilities.

    The following table outlines the categories that you can use to create a custom report.



    Filter options



    • Status (Reported, Suspicious, Confirmed, Not a Problem, Remediated, Fixed, Remediated - Auto-Verified)

    • Severity (Note, Low, Medium, High Critical)

    • Assess Rules

    Vulnerability details


    Include vulnerability details



    • Development

    • Test

    • Production

    Security Standards



    • IPA-7.0

    • OWASP 2013 Top 10

    • OWASP 2017 Top 10

    • OWASP 2021 Top 10

    • OWASP Top 10 API Vulnerabilities 2019

    • PCI DSS - 2.0

    • PCI DSS - 3.0

    • PCI DSS - 3.2.1

  6. Select Generate.

    Once generated a download link appears in the Notifications panel.

    If an application has more than 16,000 vulnerabilities, Contrast does not generate the report. Contrast displays an error message indicating that the application exceeds the 16,000 vulnerability limit.

  7. Click the report link to download the PDF.