Compliance Reports

Generate timestamped PDF reports of security issues that Contrast has identified while monitoring your application. Each report includes a summary of the application's security status as well as details on each vulnerability and remediation guidance.

Generate a Report

To create a report, go to the Applications page and select an application. Click the Generate Security Standards Report icon located at the top of the application's Overview page.

In the dialog that appears, choose the Report Type, Vulnerability Status/Severity and Vulnerability Tag that you want to include in the report, and click Generate. Once generated, the report will download automatically.

Report Content

The report is comprised of information on each vulnerability that's been discovered in your application, including technical details, risk of an issue, remediation guidance and industry references. You can also find a breakdown of the application's known vulnerable libraries, architecture and security scorecard.

DISA STIG Compliance Reports

DISA's Security Technical Implementation Guide (STIG) is the basis for evaluation of the security of all government applications. The STIG is intended to be used throughout the life cycles of these applications in order to provide security assurance for these applications. Contrast’s compliance reporting can provide a listing of the vulnerabilities found in your application that violate guidelines of multiple STIGs.

Before You Get Started

Before DISA STIG reports can be generated, an administrator must Enable DISA STIG Checklist reporting for the organization. With administrator access, navigate to Organizations and click an organization to find this option.

An application must have an Assess license to generate a DISA STIG report.

Generate a STIG Viewer Checklist

STIG Viewer creates custom checklists with multiple STIGs for compliance reporting. You must import your application's checklist to get the DISA STIG report on those vulnerabilities from Contrast.

To generate a STIG Viewer checklist, navigate to an application. In the application’s Overview page, click the reporting icon and select Generate STIG Viewer Checklist.

In the dialog, import a STIG Viewer checklist (.ckl) file. This file must be a checklist exported from the STIG Viewer application. Click Generate to download an updated STIG Viewer checklist (.ckl) file.

Generate a DISA STIG Report

To generate a DISA STIG report type, go to the Applications page and select an application. Click the reporting icon on an application’s Overview page and select Generate Security Standards Report.

In the dialog, select DISA ASD STIG for Report Type. Select the Vulnerability Status/Severity and Vulnerability Tag that you want to include in the report, and click Generate. Once generated, the report will download automatically.

Attestation Reports

Attestation reports provide evidence of vulnerability remediation based on the most current application information. Meet compliance and auditing requirements with each PDF report, which includes details about the application's open and closed vulnerabilities, open source security status, and route coverage information.

Report Content

Attestation reports include the following content:

  • Itemized list of the specific filter settings used to generate the report
  • Summary of the security posture for the application
  • Vulnerabilities assessment for both custom code and open source libraries
  • Route coverage, as a security assessment metric
  • Optionally, a compliance policy assessment, and detailed information about open vulnerabilities for the application
  • Appendix that describes methodologies and terminologies

Generate a Report

Generate an asynchronous PDF report to see the status of an application.

To create a report, go to the Applications grid and select an application. Click the Reports icon located at the top of the application's page. In the dropdown list, select Generate Attestation Report.

In the dialog that appears, define the Vulnerabilities, Environments, and additional Security Standards that you want to include in the report.

Filter options

Each report defaults to all vulnerabilities and environments, but you can filter them by clicking in the fields. Choose an option from Security Standards to include an additional Security Standards section in the generated report. Optionally, you can choose to include detailed information about open vulnerabilities.

The following table outlines the categories that you can use to create a custom report.

Field Default Filter Options
Vulnerabilities All Status (Reported, Suspicious, Confirmed, Not a Problem, Remediated, Fixed, Remediated - Auto-Verified)
Severity (Note, Low, Medium, High Critical)
Assess Rules
Vulnerability details None Include vulnerability details
Environments All Development
Security Standards None DISA ASD STIG
OWASP 2017 Top 10
OWASP 2013 Top 10
PCI DSS - 2.0
PCI DSS - 3.0

Click Generate. Attestation reports generate asynchronously, and once generated, a download link appears in the Notifications panel.

Click the report link to download the PDF.

EOP Installation and Storage Configuration

A system administrator can configure reporting storage options by adding the following properties to the file:

  • Value options are DB and FILE_SYS (recommended)
  • Required when storage mode is set to FILE_SYS

The recommended setting for is FILE_SYS. When DB is configured, files are stored in the database, adding unnecessary contention on the database.

With the FILE_SYS option, you must set up a file-sharing service where all Contrast nodes are able to access the file path. Provide this path as the value for

Note: The path should be an absolute path, such as /Users/user1/reporting.

With the default configuration, 1250 vulnerabilities can be exported from an attestation report. In some cases, a user may want to generate a larger report containing more than 1250 vulnerabilities, or depending on the size of the instance, Contrast may run into heap space issues.

To decrease or increase the limit, set the reporting.generation.limit property in the file, and then restart Contrast.


Placeholder article (NEEDS TO BE WRITTEN)

Vulnerability Trend

Vulnerability management is a vital responsibility of any security team. Use the Vulnerability Trend reports to recognize the vulnerabilities your applications face and how well they're being managed so that you have a better understanding of your security posture.

Access Data

Select Reports in the User menu to go the Vulnerability Trend dashboard. Click the View link to see the graphs in more detail.

Select New to see a graph of new vulnerabilities. Select Total to see a graph of all reported vulnerabilities compared to all remediated vulnerabilities. Each black data point represents the total number of Suspicious, Confirmed and Reported vulnerabilities for that date. Each green data point represents the total number of vulnerabilities marked as Not A Problem, Remediated or Fixed. Hovering over each data point generates a tooltip with status breakdowns.

Filter vulnerabilities

Each report defaults to all applications, servers and rules, but you can filter vulnerabilities by clicking in the fields above the graph. The following table outlines the categories that you can use to create a custom report.

Field Default Filter Options
Date Last 7 Days Last 30 days
Last 12 weeks
Last 12 months
Applications All Importance (Critical, High, Medium, Low, Unimportant)
Application Tags
Licensed (List of all applications)
Servers All Environment (Development, QA, Production)
Server Tags
Servers (List of all servers)
Rules All Severity (Critical, High, Medium, Low, Note)
Vulnerability Tags
Vulnerability Rules (List of all rules)

Save Reports

You can save filter criteria to recall any customized report at a later time. Saved reports are at the User level, so each of you have your own defined list of saved vulnerability trend reports. You can edit or delete these reports at any time.

To save a report view, click the star icon at the top right of the report page. This generates a popup with a field to name the report. Once saved, the named report appears next to the Vulnerability Trend heading with a dropdown menu. Each time you come to the Vulnerability Trend page, the menu shows all of your saved reports as well as an option to Start a new report.

Rename reports

When viewing a saved report, hover over the star icon to generate a Manage Report tooltip. Click the icon to produce a popup with a field to rename the report and buttons to Cancel, Remove or Save.

Edit and remove reports

If you change filter options while viewing a saved report, the star icon changes to an unsaved state and Edited appears next to the report name. Click the icon to generate a popup menu to Save Existing or Save As New. Choose Save Existing to update the saved report name with the current filters and remove the Edited status. Choose Save As New to save the report view with the current filters as a new report under a different name.

Click Remove to permanently delete the saved report that you're currently viewing. Contrast automatically takes you to the default Vulnerability Trend page view and removes the report name from the dropdown menu.

Start new reports

To clear unsaved edits to an existing report and start over with the report defaults, choose the Start a new report option in the dropdown menu. The report name changes to New Report.

Manage reports

When you've created more than five saved reports, a Manage link appears within the Saved Reports dropdown. Click the link to go to the Manage Saved Reports dialog. Select the checkbox next to each report that you want to remove or use the Select All checkbox. To rename a report in the dialog, click the report name and edit it inline. You can also use the search field to find reports.

Export Reports

Create a timestamped PDF report of the Vulnerability Trend to capture a snapshot of your vulnerability management by clicking the Export icon in the upper right hand corner of the page. Contrast immediately generates the report and prompts you to download when it’s ready. Each PDF report includes a summary of the variables included in your customized view, the trend graphic, and a table of the metrics and breakdowns of each data point.

Organization Statistics

Gain robust and comprehensive visibility into your organization data with Organization Statistics.

Go to the Reports page via the User Menu to find widgets with information about licensing utilization and expirations, breakdowns across various data points for onboarded applications, and deployed servers and how they’re being utilized. Use the filters in the dropdown menus to choose which data to compare at a glance.

In the Licenses chart, view the number of overall licenses for Assess and Protect, as well as the number of unlicensed applications and servers that exist in your organization. Click the application count to navigate to the Unlicensed quick view in the Applications page.

In the next chart, get a glimpse of active applications. The inner ring designates the breakdown by language; choose the categories you want to compare in the outer ring by selecting Technology or Grade in the dropdown menu.

Finally, view your deployed servers. Select Container or Environment in the dropdown menu to choose how the numbers are analyzed.

To take a closer look at this information, select the View link under each heading.


The Licenses tab features an activity trend chart of data on license consumption over the past year. Hover over a data point on the Assess or Protect trend lines to see how many licenses were used each month. The thermometer chart below shows the total number of licenses purchased compared to the number being used. The timeline shows how many licenses are about to expire on given dates. For a different view of the data, the circular charts show breakdowns by fraction and percentage for Assess and Protect.

Note: If your organization doesn't own any Protect or Assess licenses, Contrast alerts you to the count of unlicensed assets in that mode.

Protect usage

Take a closer look at your Protect license usage by clicking beneath the Protect trend line in the chart. This switches you to the Protect Usage mode, which shows data for the current month in a trend chart as well as a quick view of Usage Statistics.

Hover over data points in the trend chart to see the number of Protect servers used and the number of available licenses that remained for each day. The y-axis marker (dotted line) shows the number of licenses that you had purchased. Use the dropdown menu above the chart to view data from a previous month within the past year.

Click on the vertical bars in the chart to view your hourly usage of Protect licenses for each day. Peak hourly usage is represented by bright green shading at the top of the bars.

To return to your view of license activity data for Assess and Protect servers, click the link above the graph to go Back to License Activity.


In the Applications tab, the Status thermometer chart shows the total number of applications broken down by the number that are licensed, unlicensed and archived. Click on the total number of onboarded applications to go to the Applications page for more details on each one. Contrast also reminds you of how many licenses are available in your organization.

The circular Language Breakdown chart shows the number of applications by language in the inner band, and by Technology or Grade in the outer band. Click the number of active applications to go directly to the Applications page. High Risk and Expirations snapshots show the number of applications with critical open vulnerabilities and expiring licenses, respectively. The Protection Coverage snapshot shows the number of applications on Production servers that have incomplete Protection coverage. Click the link to see a breakdown of Protection coverage by application.

Applications that were added within the last week and applications that reside on an offline server are listed separately in the sidebar.


Switch to the Servers tab to view a thermometer chart that shows the breakdown of all deployed servers by environment. Click on the total number of servers to go to Servers page for more information on each one.

The circular Container Breakdown chart displays the number of deployed servers for each language in a given environment. Select a different environment in the dropdown menu to update the ring and total number of servers. Click on the server count to go to the Servers page with the relevant environment filter applied. Snapshots show servers being Assessed and Protected as well as all servers online compared to the total number of servers in the given environment. The right sidebar includes a list of newly onboarded, offline and deleted servers.

User Statistics

Placeholder article (NEEDS TO BE WRITTEN)