Security Report for SonarCloud™

Provides information about security standards (OWASP Top 10, CWE SANS Top 25, OWASP ASVS), including risk factors, security vulnerabilities and security hotspots, in a PDF report generated from SonarCloud™.


Security Assessment for SonarCloud™

Based on the OWASP Top 10, OWASP ASVS and CWE SANS Top 25 security standards, Security Report for SonarCloud™ gathers the list of vulnerabilities detected among your issues in SonarCloud™, so that the PDF reports tell you the security level and compliance of the whole project.

This plugin (a command line application) is bundled with predefined PDF reports that provide clear information about the security level of your project.

Generate OWASP TOP 10 PDF report from SonarCloud™

The OWASP Top 10 provides a list of the ten most critical security risks that web application developers and organizations should be aware of and protect against. It is compiled and maintained by the Open Web Application Security Project (OWASP), an organization dedicated to improving web application security.

bitegarden Security Report for SonarCloud™ supports PDF generation for OWASP Top 10 2021 and OWASP Top 10 2017.

Generate CWE Top 25 PDF from SonarCloud™

The CWE Top 25 is intended to provide a common language and understanding of the most critical software security weaknesses, so that developers and organizations can prioritize their efforts to prevent and mitigate these risks.

It is compiled and maintained by the MITRE Corporation's Common Weakness Enumeration (CWE) project, which is a community-driven effort to identify and classify software security weaknesses.

bitegarden Security Report for SonarCloud™ supports PDF generation for CWE Top 25 2022, CWE Top 25 2021, CWE Top 25 2020 and CWE Top 25 2019.

Generate OWASP ASVS PDF report from SonarCloud™

The OWASP Application Security Verification Standard is a list of application security requirements or tests that can be used by architects, developers, testers, security professionals, tool vendors, and consumers to define, build, test and verify secure applications.

bitegarden Security Report for SonarCloud™ supports PDF generation for OWASP ASVS.

Generate ISO 5055 PDF report from SonarCloud™

ISO/IEC 5055:2021 is an ISO standard for measuring the internal structure of a software product on four business-critical factors: Security, Reliability, Performance Efficiency, and Maintainability. These are the factors that determine how trustworthy, dependable, and resilient a software system will be.

bitegarden Security Report for SonarCloud™ supports PDF generation for ISO/IEC 5055:2021.


Are you looking for security report generation for SonarQube™ on-premise edition? Check out bitegarden Security Plugin for SonarQube™.


owasp 2021 sample page


iso 5055 sample page


Main features include:

- Java Command Line Tool that can be used standalone or integrated into your CI/CD tool as a step to automatically generate the report.

- SonarCloud™ OWASP Top 10 in PDF to verify your code against the standard, including all the security metrics and detected vulnerabilities.

- SonarCloud™ CWE Top 25 in PDF to verify your code against the CWE Top 25 Most Dangerous Software Weaknesses.

Additional options

PDF generation includes additional customizations:

- Support for branches: generate PDF reports for any of your project branches.
- Support for all SonarCloud™ languages and technologies.
- Support for custom footer logo to add your organization logo.
- Support for English and Spanish reports.



Getting Started

bitegarden Security Report for SonarCloud™ requires Java 8 or later.

How to generate PDF security reports for projects in SonarCloud™

Here you have a quick usage guide to generate PDF security reports from SonarCloud™.

Once you have downloaded the product you will have an executable "jar" file.

Put it anywhere in your filesystem and run the jar with the --help option to see all the available options:

java -jar bitegarden-sonarcloud-security.jar --help

You will get something like this:

Mandatory properties:

                      sonar.token = your user security token to authenticate against SonarCloud.
                                    It is recommended to generate a new token for this app.
                 sonar.projectKey = the project key from SonarCloud. You can find it in SonarCloud project information
            sonar.organizationKey = the SonarCloud organization the project belongs to

          Optional properties:

                      report.type = owasp-top-10-2021 (default value)

                     sonar.branch = the branch where we will get the information for the report (default is main branch)
                       footer.url = URL of the image to display centered in footer (PNG or JPG format are supported)
                      user.locale = Locale to use for generated PDF file. Options are English (user.locale=en) or Spanish (user.locale=es)
                           output = File name for the generated report
            report.optional.label = Extra optional label (To display optional label, its required optional value too, else, it won't be rendered)
            report.optional.value = Description for the optional value
disable.iso5055.not.supported.cwe = If you want to show Not Supported CWE, change that option to false (default is true)


All the properties are passed to the command line app either as Java system properties ("-D" arguments) or through a custom properties file.

If you use a custom properties file you should run the application with the "config.file" parameter set to the path of the properties file (PATH_TO_PROPERTIES_FILE below is a placeholder for that path):

java -Dconfig.file=PATH_TO_PROPERTIES_FILE -jar bitegarden-sonarcloud-security.jar

If you just want to pass the required parameters through system properties, use "-D" arguments when running the report:

java -Dsonar.token=mytoken -Dsonar.projectKey=myprojectkey -Dsonar.organizationKey=myorg -Dreport.type=cwe-top-25-2021 -jar bitegarden-sonarcloud-security.jar

If a property is defined in both locations (file and command line args), the command line property overrides the property in the file. This way you can keep a generic configuration file with the common properties (sonar.token, sonar.organizationKey, report.type, ...) and use command line args for project-specific properties like sonar.projectKey or sonar.branch.
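A CI wrapper that applies this split, written here as an added example and not part of the bitegarden product: the non-secret common properties go in a committed properties file, the per-project values are passed as "-D" overrides, and sonar.token is taken from the SONAR_TOKEN environment variable (assumed to come from the CI secret store) so it is never written to the file or printed in the pipeline log. The properties file name, the output naming scheme and the function names are this script's own choices.

```shell
#!/bin/sh
# Added example (not bitegarden's script). Property names (config.file, sonar.*,
# report.type, user.locale, output) are the ones documented by the tool's --help.
JAR="${JAR:-bitegarden-sonarcloud-security.jar}"
CONFIG_FILE="${CONFIG_FILE:-security-report.properties}"

# Write the shared configuration. sonar.token is deliberately absent so the
# file can live in the repository next to the pipeline definition.
write_shared_config() {
    org="$1"; report_type="${2:-owasp-top-10-2021}"
    printf 'sonar.organizationKey=%s\nreport.type=%s\nuser.locale=en\n' \
        "$org" "$report_type" > "$CONFIG_FILE"
}

# Output file name derived from project key and branch, e.g. myproj-main.pdf;
# slashes in branch names such as release/1.2 are flattened to keep one file name.
report_output_name() {
    printf '%s-%s.pdf' "$1" "$(printf '%s' "${2:-main}" | tr '/' '_')"
}

# Per-run argument list: only project-specific values are given on the command
# line; organization, report type and locale come from CONFIG_FILE. The token is
# NOT part of this string, so the list can be logged safely.
report_args() {
    printf '%s' "-Dconfig.file=$CONFIG_FILE -Dsonar.projectKey=$1 -Dsonar.branch=${2:-main} -Doutput=$(report_output_name "$1" "$2") -jar $JAR"
}

# Run the generator and fail the pipeline step if no PDF was produced.
# Word splitting of report_args is intended: keys and branch names have no spaces.
generate_report() {
    [ -n "$SONAR_TOKEN" ] || { echo "SONAR_TOKEN is not set" >&2; return 1; }
    echo "running: java $(report_args "$1" "$2")"
    java -Dsonar.token="$SONAR_TOKEN" $(report_args "$1" "$2") || return 1
    [ -f "$(report_output_name "$1" "$2")" ] || { echo "report not generated" >&2; return 1; }
}
```

Usage from a pipeline step: `write_shared_config myorg cwe-top-25-2021` once, then `generate_report myproj release/1.2` per project and branch.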

Running the report with a license key

By default, when you download the product you will be able to use it for 14 days. Once your evaluation period is over, you will need to purchase the product and obtain a valid license key.

The license key is provided as a text file. To use it, set the property "license.file" in your configuration file (or through command line args) to the path of your license file.

This is a sample run of a licensed product using a command line argument (PATH_TO_LICENSE_FILE is a placeholder for the path of your license file):

java -Dlicense.file=PATH_TO_LICENSE_FILE -jar bitegarden-sonarcloud-security.jar

You can either include the "license.file" property in your configuration file or pass it as a command line argument with "-D".

Troubleshooting and Support

When you run the reports, the product prints all the information about both the license and the configuration on the standard output. If you have any problem, please open a support request in our customer portal and we will be happy to help you find a solution.

Request Support

Get your SonarCloud™ OWASP Top 10 and CWE Top 25 reports right now!

Free Trial

Evaluation license

  • 14 days evaluation license
  • After submitting the form your download will start, including an embedded trial key