Reports

The StackHawk Platform offers the following report types:

  • Scan Reports: If you want detailed information about a specific scan for a particular application in an environment, you can print a scan report.
  • Summary Scan Reports: If you want a high-level overview of the most recent scans for each application and environment in an organization, you can print a summary scan report.

Scan Reports

Scan reports present detailed information about a single scan run on a specific application in a particular environment.

A scan report includes the following details and information:

  • Organization: The organization the application belongs to.
  • Application: The application that was scanned.
  • Environment: The environment of the application that was scanned.
  • Scan Date: The month, day, year, and time (EDT) the scan was run.
  • Paths Scanned: The total number of HTTP paths that were scanned.
  • Scan Duration: The amount of time the scan took to run.
  • Table showing total number of HTTP paths for each criticality and status.

The scan report includes a Findings table with the following information about each finding type:

  • Criticality: The severity of the finding; can be high, medium, or low.
    • High: Findings with significant impact and likelihood of exploit.
    • Medium: Findings with moderate impact or ease of exploit.
    • Low: Findings that are informational and low-impact discoveries, as well as security suggestions.
  • Finding: The type of vulnerability that was found. For example, SQL Injection, Cross Site Scripting (Reflected), and Proxy Disclosure.

The Findings table also shows the number of findings in each of the following statuses in the StackHawk Platform:

  • New: The default status; findings that have not yet been processed are marked as New.
  • Assigned: Findings with this status have been assigned for review and/or fix in whatever issue tracking tool your team uses.
  • Risk Accepted: Findings with this status are technically potential security bugs or risks, but for one reason or another, you elected to not fix them.
  • False Positive: Scan results may include findings that are actually false positives, and thus do not require a fix. These can be marked as false positives to quiet future noise.

The scan report includes a Findings Details section for every finding type included in the scan with the following details:

  • Criticality: The severity of the finding; can be high, medium, or low.
  • Category: The broad group of vulnerabilities this type of vulnerability belongs to. For example, HTTP Header Protection, Information Leakage, Input Sanitation, or HTTP Data Stream Protection.
  • Description: A description of the vulnerability including in some instances remediation steps.
  • Cheatsheet: A link or several links to more in-depth explanation of the vulnerability and remediation steps either in OWASP’s CheatSheetSeries repo on GitHub or on StackHawk’s blog.
  • Paths, method, and status: A table listing the HTTP paths with issues, the HTTP method, and the status in the StackHawk Platform - New, Assigned, Risk Accepted, or False Positive.

To print a Scan Report:

  1. Log in to the StackHawk Platform.
  2. Select the environment card for the application.
  3. Click the actions menu icon for the scan and select Print Scan Report.
  4. Use your browser’s print options to print the page(s).

OR

  1. Log in to the StackHawk Platform.
  2. Select the environment card for the application.
  3. Select the scan from the Scans page.
  4. Click Print Scan Report on the Scan Details page.
  5. Use your browser’s print options to print the page(s).

    NOTE: You can also download the scan report as a JSON file by clicking the download button on the Scan Details page.
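As an added example that is not part of the StackHawk documentation, the following Python script rebuilds the two tables the scan report describes (HTTP paths per criticality and status, and per finding type status counts) from a list of path-level findings, and pulls out the High-criticality paths still in the default New status as the first triage queue. The findings list is constructed for illustration and the field names are assumptions, not StackHawk's actual JSON export schema.

```python
# Criticality levels and finding statuses as the scan report defines them.
CRITICALITIES = ("High", "Medium", "Low")
STATUSES = ("New", "Assigned", "Risk Accepted", "False Positive")

# Constructed sample of path-level findings. The keys are an assumed layout
# mirroring the report columns, not StackHawk's real JSON schema.
SAMPLE_FINDINGS = [
    {"criticality": "High", "finding": "SQL Injection",
     "path": "/api/users", "method": "GET", "status": "New"},
    {"criticality": "High", "finding": "SQL Injection",
     "path": "/api/orders", "method": "POST", "status": "Assigned"},
    {"criticality": "Medium", "finding": "Cross Site Scripting (Reflected)",
     "path": "/search", "method": "GET", "status": "New"},
    {"criticality": "Low", "finding": "Proxy Disclosure",
     "path": "/", "method": "GET", "status": "Risk Accepted"},
    {"criticality": "Low", "finding": "Proxy Disclosure",
     "path": "/health", "method": "GET", "status": "False Positive"},
]


def _check(finding):
    """Reject records whose criticality or status is not one the report defines."""
    if finding["criticality"] not in CRITICALITIES:
        raise ValueError(f"unknown criticality: {finding['criticality']!r}")
    if finding["status"] not in STATUSES:
        raise ValueError(f"unknown status: {finding['status']!r}")


def paths_by_criticality_and_status(findings):
    """Return {criticality: {status: path_count}}, zero-filled so every cell exists."""
    table = {c: {s: 0 for s in STATUSES} for c in CRITICALITIES}
    for f in findings:
        _check(f)
        table[f["criticality"]][f["status"]] += 1
    return table


def finding_type_status_counts(findings):
    """One row per finding type: its criticality plus the path count in each status."""
    rows = {}
    for f in findings:
        _check(f)
        row = rows.setdefault(f["finding"],
                              {"criticality": f["criticality"], **{s: 0 for s in STATUSES}})
        row[f["status"]] += 1
    return rows


def untriaged_high(findings):
    """High-criticality paths nobody has processed yet (status still New)."""
    return [(f["method"], f["path"], f["finding"]) for f in findings
            if f["criticality"] == "High" and f["status"] == "New"]


if __name__ == "__main__":
    for crit, counts in paths_by_criticality_and_status(SAMPLE_FINDINGS).items():
        print(crit, counts)
    print("needs triage:", untriaged_high(SAMPLE_FINDINGS))
```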

Summary Scan Reports

Summary scan reports present a high-level overview of the most recent scans for each application and environment in an organization.

A Summary scan report includes the following details and information:

  • Organization: The organization the application belongs to.
  • Report Pulled on: The month, day, year and time (EDT) the Summary Scan Report was generated.
  • Latest Scans of: A list of the applications with the environments included in the Summary Scan Report.
  • Vulnerabilities by Applications and Environments: A table that lists each application with the environment and the total number of findings by criticality and status on the StackHawk Platform.

The Summary Scan Report includes the following details for the most recent scans for all applications/environments in the organization:

  • Application: The application that was scanned.
  • Environment: The environment of the application that was scanned.
  • Scan Date: The month, day, year, and time (EDT) the most recent scan was run.
  • Number of paths scanned: The total number of HTTP paths that were scanned.
  • Scan Duration: The amount of time the scan took to run.
  • Table showing total number of HTTP paths for each criticality and status.

  • Findings table with the following information for one application in an environment:
    • Criticality: The severity of the finding; can be high, medium, or low.
      • High: Findings with significant impact and likelihood of exploit.
      • Medium: Findings with moderate impact or ease of exploit.
      • Low: Findings that are informational and low-impact discoveries, as well as security suggestions.
    • Finding: The type of vulnerability that was found. For example, SQL Injection, Cross Site Scripting (Reflected), and Proxy Disclosure.

The Findings table also shows the number of findings in each of the following statuses in the StackHawk Platform:

  • New: The default status; findings that have not yet been processed are marked as New.
  • Assigned: Findings with this status have been assigned for review and/or fix in whatever issue tracking tool your team uses.
  • Risk Accepted: Findings with this status are technically potential security bugs or risks, but for one reason or another, you elected to not fix them.
  • False Positive: Scan results may include findings that are actually false positives, and thus do not require a fix. These can be marked as false positives to quiet future noise.

To print a Summary Scan Report:

  1. Log in to the StackHawk Platform.
  2. Click the Summary Scan Report button on the Applications page.