Security Reporting
The PrimusSaaS.Security.Reporting package converts ScanResult into a multi-section branded report.
The v2.4.9 HTML report matches every section of the SonarQube bitegarden Full Issues Breakdown Report
and adds several sections with no SonarQube equivalent.
Quick Start
using Microsoft.Extensions.Logging;
using PrimusSaaS.Security;
using PrimusSaaS.Security.Core;
using PrimusSaaS.Security.Reporting.Formatters;
using PrimusSaaS.Security.Reporting.Services;
// Build scanner (logger, options, loggerFactory — in that order)
var lf = LoggerFactory.Create(b => b.AddConsole());
var options = new PrimusSecurityOptions
{
EnableStaticAnalysis = true,
EnableSecretDetection = true,
EnableDependencyScanning = true,
};
var scanner = new SecurityScanner(lf.CreateLogger<SecurityScanner>(), options, lf);
var result = await scanner.ScanAsync("/path/to/project");
var service = new ReportingService();
var report = await service.GenerateReportAsync(result, "My Project", "/path/to/project");
// HTML — 11-section branded report (returns byte[])
File.WriteAllBytes("security-report.html", HtmlFormatter.Export(report));
// SARIF 2.1.0 — GitHub Advanced Security / Azure DevOps (returns string)
File.WriteAllText("results.sarif", SarifExporter.ToJson(result));
Report Sections (v2.4.9)
| # | Section | SonarQube Equivalent | Status |
|---|---|---|---|
| Cover | Project, branch, LOC, size rating, tech debt, ratings, quality gate | SQ Page 1 cover | ✅ |
| 1 | Executive Summary — 8 stat cards + 2-column dashboard | SQ Page 1 | ✅ |
| 2 | Top Issues by Frequency — ranked with bar chart | SQ Page 3 | ✅ |
| 3 | Security Hotspots — by-rule breakdown + evidence | SQ Page 5 | ✅ |
| 4.1 | All Findings — severity-sorted flat table | SQ Pages 6–103 | ✅ |
| 4.2 | Findings Grouped by Rule — per-rule with description + fix | SQ Pages 6–103 | ✅ |
| 5 | Risk Heat Map by File | None — Primus only | ✅ |
| 6 | Compliance Status — OWASP/PCI-DSS/HIPAA/SOC2/GDPR | SQ Enterprise only | ✅ |
| 7 | Remediation & Triage — tech debt, patch coverage, suppression | None | ✅ |
| 8 | Quality Gate Evaluation | SQ quality gate | ✅ |
| 9 | Recommendations | None | ✅ |
| 10 | Scan Configuration | None | ✅ |
Cover Page Fields
Every field SonarQube shows on its cover page is now present:
| Field | Source |
|---|---|
| Lines of Code | Counted at scan time (non-blank, non-comment source lines) |
| Size Rating | XS / S / M / L / XL bucket from LOC |
| Branch | Auto-detected from .git/HEAD |
| Technical Debt | Critical×60min + High×30min + Medium×10min + Low×5min |
| Security / Reliability / Maintainability ratings | A–E from ScanResult.Ratings |
| Bugs / Hotspots count | Separate counters in stat strip |
| Duplication % | From CodeDuplicationScanner |
| Quality Gate | PASSED / FAILED with threshold violations |
Per-Finding Detail
Each finding in Sections 4.1 and 4.2 renders:
- Issue type badge — Vulnerability / Secret / Hotspot / Dependency
- Rule description (italic) — the "What" explanation from the rule catalog
- First-line fix guidance — from
HowToFixcatalog field - Inline code snippet — the vulnerable line with left-border highlight
- CWE tag chip — e.g.
CWE-89 - OWASP category — A01:2021 – A10:2021
- Taxonomy tags — e.g.
injection,sql,databasefrom catalog - Relative file path —
Controllers/UsersController.cs:42(not absolute) - CVSS score — on CVE/dependency findings
Available Exporters
// HTML — full 11-section branded report
HtmlFormatter.Export(report)
// JSON — machine-readable ScanResult
JsonFormatter.Export(report)
// CSV — flat findings spreadsheet
CsvFormatter.Export(report)
// SARIF 2.1.0 — GitHub GHAS / Azure DevOps
SarifExporter.ToJson(scanResult)