Attestation reports

Attestation reports provide evidence of vulnerability remediation based on the most current application information. Meet compliance and auditing requirements with these PDF reports.

This report expires seven days after you create it. After this time, Contrast deletes the report.

Attestation reports include:

  • An itemized list of the specific filter settings used to run the report.

  • A summary of the security posture for the application.

  • A vulnerability assessment for both custom code and open-source libraries.

  • Route coverage, as a security assessment metric.

  • An optional compliance policy assessment, and detailed information about open vulnerabilities for the application.

  • An appendix that describes methodologies and terminologies.

To run an attestation report:

  1. Select Applications in the header.

  2. In the Applications grid, select an application.

  3. Click the Reports icon located at the top of the application's page.

  4. In the dropdown, select Generate Attestation Report.

  5. In the window that appears, define the Vulnerabilities, Environments, and additional Security Standards that you want to include in the report.

    The default is to show all vulnerabilities and environments, but you can filter them by clicking in the fields. Choose an option from Security Standards to include an additional Security Standards section in the generated report. Optionally, you can choose to include detailed information about open vulnerabilities.

    The following table outlines the categories that you can use to create a custom report.

    Vulnerabilities

    • Status (Reported, Suspicious, Confirmed, Not a Problem, Remediated, Fixed, Remediated - Auto-Verified)

    • Severity (Note, Low, Medium, High, Critical)

    • Assess Rules

    Vulnerability details

    • Include vulnerability details

    Environments

    • Development

    • Test

    • Production

    Security Standards

    • IPA-7.0

    • OWASP 2017 Top 10

    • OWASP 2013 Top 10

    • PCI DSS - 2.0

    • PCI DSS - 3.0

    • PCI DSS - 3.2.1

  6. Select Generate. Once generated, a download link appears in the Notifications panel.

    If an application has more than 16,000 vulnerabilities, Contrast does not generate the report. Contrast displays an error message indicating that the application exceeds the 16,000 vulnerability limit.

  7. Click the report link to download the PDF.