Skip to main content
Version: Current

Security Reporting

The PrimusSaaS.Security.Reporting package converts ScanResult into a multi-section branded report. The v2.4.9 HTML report matches every section of the SonarQube bitegarden Full Issues Breakdown Report and adds several sections with no SonarQube equivalent.

Quick Start

using Microsoft.Extensions.Logging;
using PrimusSaaS.Security;
using PrimusSaaS.Security.Core;
using PrimusSaaS.Security.Reporting.Formatters;
using PrimusSaaS.Security.Reporting.Services;

// Build scanner (logger, options, loggerFactory — in that order)
var lf = LoggerFactory.Create(b => b.AddConsole());
var options = new PrimusSecurityOptions
{
EnableStaticAnalysis = true,
EnableSecretDetection = true,
EnableDependencyScanning = true,
};
var scanner = new SecurityScanner(lf.CreateLogger<SecurityScanner>(), options, lf);
var result = await scanner.ScanAsync("/path/to/project");

var service = new ReportingService();
var report = await service.GenerateReportAsync(result, "My Project", "/path/to/project");

// HTML — 11-section branded report (returns byte[])
File.WriteAllBytes("security-report.html", HtmlFormatter.Export(report));

// SARIF 2.1.0 — GitHub Advanced Security / Azure DevOps (returns string)
File.WriteAllText("results.sarif", SarifExporter.ToJson(result));

Report Sections (v2.4.9)

#SectionSonarQube EquivalentStatus
CoverProject, branch, LOC, size rating, tech debt, ratings, quality gateSQ Page 1 cover
1Executive Summary — 8 stat cards + 2-column dashboardSQ Page 1
2Top Issues by Frequency — ranked with bar chartSQ Page 3
3Security Hotspots — by-rule breakdown + evidenceSQ Page 5
4.1All Findings — severity-sorted flat tableSQ Pages 6–103
4.2Findings Grouped by Rule — per-rule with description + fixSQ Pages 6–103
5Risk Heat Map by FileNone — Primus only
6Compliance Status — OWASP/PCI-DSS/HIPAA/SOC2/GDPRSQ Enterprise only
7Remediation & Triage — tech debt, patch coverage, suppressionNone
8Quality Gate EvaluationSQ quality gate
9RecommendationsNone
10Scan ConfigurationNone

Cover Page Fields

Every field SonarQube shows on its cover page is now present:

FieldSource
Lines of CodeCounted at scan time (non-blank, non-comment source lines)
Size RatingXS / S / M / L / XL bucket from LOC
BranchAuto-detected from .git/HEAD
Technical DebtCritical×60min + High×30min + Medium×10min + Low×5min
Security / Reliability / Maintainability ratingsA–E from ScanResult.Ratings
Bugs / Hotspots countSeparate counters in stat strip
Duplication %From CodeDuplicationScanner
Quality GatePASSED / FAILED with threshold violations

Per-Finding Detail

Each finding in Sections 4.1 and 4.2 renders:

  • Issue type badge — Vulnerability / Secret / Hotspot / Dependency
  • Rule description (italic) — the "What" explanation from the rule catalog
  • First-line fix guidance — from HowToFix catalog field
  • Inline code snippet — the vulnerable line with left-border highlight
  • CWE tag chip — e.g. CWE-89
  • OWASP category — A01:2021 – A10:2021
  • Taxonomy tags — e.g. injection, sql, database from catalog
  • Relative file pathControllers/UsersController.cs:42 (not absolute)
  • CVSS score — on CVE/dependency findings

Available Exporters

// HTML — full 11-section branded report
HtmlFormatter.Export(report)

// JSON — machine-readable ScanResult
JsonFormatter.Export(report)

// CSV — flat findings spreadsheet
CsvFormatter.Export(report)

// SARIF 2.1.0 — GitHub GHAS / Azure DevOps
SarifExporter.ToJson(scanResult)