Security Analyzer in VS Code extension

Last update:

May 18, 2026

Find and fix common security flaws in ColdFusion code while you write it, using vulnerability detection inside Visual Studio Code.

Security Analyzer is a built-in feature of Adobe ColdFusion 2025.0.08 that scans your application for known vulnerability patterns. It reports findings with severity levels and suggested fixes, and it integrates with the ColdFusion Builder extension for Visual Studio Code for real-time feedback during development.

The 2025.0.08 release adds new vulnerability detection rules, improves analysis accuracy, works to reduce false positives, and provides a more responsive experience in the extension. Some findings still require human review.

What Security Analyzer detects

Web applications face a wide range of security risks. Security Analyzer flags the following categories during a scan:

Injection attacks, including SQL, NoSQL, LDAP, XPath, command, and template injection.
Cross-site scripting from unescaped user input rendered in HTML.
Cryptographic weaknesses, such as weak algorithms, hardcoded keys, or plaintext storage.
File and path vulnerabilities, including traversal and unsafe file inclusion.
Authentication and session-handling issues, such as trusting client-supplied state.

Manual review for these issues is slow and error-prone. Security Analyzer automates the detection so you can focus on fixing the code.

Audiences and use cases

The following table shows who uses Security Analyzer and how:

Security Analyzer supports four primary audiences, with DevOps teams using the RDS endpoint until a dedicated CLI ships.
Audience	Use case
Development teams	Get real-time security feedback while coding in Visual Studio Code.
DevOps teams	Run scripted scans against the RDS endpoint that the extension uses. Requires the Developer profile, valid RDS credentials, and network access to the server.
Security auditors	Run a full security analysis before a production deployment.
Compliance teams	Generate security assessment reports in HTML, JSON, CSV, or PDF for audits.

Requirements

Confirm each item before you run a scan:

ColdFusion version: ColdFusion 2025.0.08 or later.
License: All editions, including Developer, Standard, and Enterprise.
Server profile: Developer profile only. Production and Production Secure are not supported.
Integrated development environment: ColdFusion Builder extension for Visual Studio Code. ColdFusion Builder standalone reached end of life on October 1, 2024.

Note: Security Analyzer does not work with the default local server. Configure your project to use a ColdFusion server with the Developer profile.

Set up the extension

Install and configure the extension once before you run any scan:

Install the ColdFusion Builder extension from the Visual Studio Code marketplace.
Open or create a ColdFusion project.
Right-click the project and choose Properties to confirm the project points to a ColdFusion server with the Developer profile.

Run a scan on a project or file

In the activity bar, select the ColdFusion icon to open your projects.
Right-click the project folder, or right-click a single .cfm or .cfc file in the Project Manager.
Choose Security AnalyzerRun Security Analyzer.
Wait for the scan to finish. A dialog appears when the scan completes.
Select OK to open the results in the Security Analyzer view.

Security Analyzer menu options

The following table summarizes the actions available from the Security Analyzer submenu:

Use Clean Run Security Analyzer to re-evaluate findings you previously chose to ignore.
Option	Description
Run Security Analyzer	Analyzes the selected code and displays vulnerabilities.
Clean Run Security Analyzer	Resets the ignored state of all previously ignored findings, then runs a fresh scan.
Cancel Run Security Analyzer	Stops the current scan.
Clear Security Markers	Removes all security markers and warnings from the editor.

Review and resolve findings

After a scan completes, work through each finding:

Open the Security Issues view to see the list.
Filter by File name, Attack name, Severity, or Type.
Double-click a finding to jump to the file and line in the editor.
Read the problem statement and suggested fix in the inline detail panel.
Update the code to apply the fix.
Right-click the finding and choose Mark as Fixed or Mark as Ignored.

Note: If you choose Mark as Fixed but do not change the code, the server reports the finding again on the next scan. Choose Mark as Ignored only when you intentionally accept the risk.

Re-evaluate ignored findings

Run a clean scan when you want previously ignored findings to surface again:

Right-click the project folder.
Choose Security AnalyzerClean Run Security Analyzer.
Review each finding that returns and decide whether to fix it or keep it ignored.

Export a report

Export results to share with auditors or to attach to a build pipeline:

Run a scan and review the results.
Select Export in the Security Analyzer toolbar.
Choose a format. Security Analyzer supports HTML, JSON, CSV, PDF, or Excel format. Use JSON or CSV to integrate with vulnerability tracking systems and continuous integration pipelines. Use HTML or PDF to share reports with auditors or stakeholders.
Open the report. The report contains a summary, charts, a findings list, and an appendix.

The Security Analyzer view

The Security Analyzer view in the extension uses a top-to-bottom layout, with a header bar, summary cards, charts, a filter bar, and an issues table.

The header bar appears at the top of the view. It shows the project name, the scan timestamp, and the Export action.

A row of summary cards shows scan totals at a glance. Select any card to apply it as a filter on the issues table:

Selecting a severity card narrows the issues table without resetting other filters.
Card	Behavior
All issues	Shows the total number of findings and clears any active card filter.
High severity	Filters the issues table to High severity findings only.
Medium severity	Filters the issues table to Medium severity findings only.
Low severity	Filters the issues table to Low severity findings only.

Donut charts summarize the issue mix by Status, Issue type, Severity level, and Attack type. Each chart segment is selectable and applies the matching filter to the issues table.

The filter bar narrows the issues table by File name, Attack name, Severity, and Type. Filters combine, and Clear filters resets them.

The issues table lists every finding the scan returned. Each row shows the file, line, attack name, severity, and status. Selecting a row opens the inline detail panel with the problem statement and the suggested fix. Selecting the row again opens the file in the editor at the offending line.

Severity levels

Security Analyzer assigns each finding one of three severity levels:

Treat severity as a fix-order signal, not a permission to defer high-severity findings.
Severity	Description
High	Critical vulnerability that you should fix immediately.
Medium	Significant risk that you should fix before production.
Low	Minor or contextual risk to review and fix when possible.

Issue types

Errors are confirmed rule violations, while warnings need context to confirm.
Type	Description
Error	Direct vulnerability that violates security rules.
Warning	Potential issue that requires context to confirm.

Encoding functions for safe output

Use these built-in functions to sanitize user input for the matching output context:

Always encode for the destination context, not the source context.
Function	Use for
`encodeForHTML()`	HTML content.
`encodeForHTMLAttribute()`	HTML attribute values.
`encodeForJavaScript()`	JavaScript strings.
`encodeForCSS()`	CSS values.
`encodeForURL()`	URL parameters.
`encodeForLDAP()`	LDAP search filters.
`encodeForXPath()`	XPath expressions.
`encodeForXML()`	XML content.

Vulnerability categories

The complete, authoritative rule inventory lives in codeanalyzerrules.json on the server. The lists below group those rules by category for orientation.

These rules ship in every supported ColdFusion 2025.x release.
Vulnerability	Description
SQL Injection	Unvalidated user input in SQL queries.
XSS Attack	Cross-site scripting from unescaped output.
PDF XSS Attack	Cross-site scripting in PDF generation.
CSRF Attack	Cross-site request forgery.
CFLocation Validation	Unsafe redirects with `cflocation`.
Cookies Validation	Insecure cookie handling.
Passwords	Weak password handling or storage.
File Upload Validation	Unsafe file upload handling.
Get vs Post	Sensitive data sent over a GET request.
File Injection	Path traversal or unsafe file inclusion.
Unnamed Application	Application scope without a name attribute.
XML Security	Unsafe XML parsing, including external entity expansion.
Cryptography	Weak algorithms, hardcoded keys, or plaintext storage.

The 2025.0.08 release adds eight new vulnerability detection categories.
Vulnerability	Description
NoSQL Injection	User input in MongoDB operations without validation.
Command Injection	User input in `cfexecute` or in calls through `Runtime.exec()` and `ProcessBuilder`.
LDAP Injection	User input in LDAP queries without encoding.
XPath Injection	User input in XPath queries without validation.
Template Injection	User input in `evaluate()`, `de()`, `cfinclude`, `cfmodule`, or Java `ScriptEngine.eval()`.
JavaScript Injection	DOM-based cross-site scripting, `eval()` use, and unsafe event handlers.
Advanced File Security	Path traversal, zip extraction, or unsafe file operations.
Authentication and Session Handling	Unsafe session lifecycle, weak credential checks, or trust of client state.
XML security	XML External Entity (XXE) injection is an attack where malicious XML input tricks the parser into exposing sensitive server files or making unauthorized network requests by abusing the XML external entity feature.
Cryptography	Flags the use of weak or outdated encryption algorithms in your code and recommends stronger alternatives to protect sensitive data.
Unscoped variables	Unscoped variables in ColdFusion Security Analyzer flags variables that are used without an explicit scope prefix (such as `variables.`, `form.`, or `url.`).

Note: API security rules and business logic rules are on the Security Analyzer roadmap. They are not implemented in ColdFusion 2025.0.08.

Rule reference

The following table lists every rule that ships in ColdFusion 2025.0.08, with the rule name as it appears in codeanalyzerrules.json and its default severity. To enable or disable a rule, set "enabled": true or "enabled": false on the matching entry in the rules file.

Each row maps a rule name in the rules file to the vulnerability category and default severity.
Rule name	Title	Default severity
`sqlinjection`	SQL Injection	High
`xss`	XSS Attack	High
`pdfxss`	PDF XSS Attack	High
`csrf`	CSRF Attack	High
`cflocation`	CFLocation Validation	Medium
`cookies`	Cookies Validation	Medium
`passwords`	Passwords	High
`fileupload`	File Upload Validation	High
`getvspost`	Get vs Post	Medium
`fileinjection`	File Injection	High
`unnamedapp`	Unnamed Application	Low
`xmlsecurity`	XML Security	High
`cryptography`	Cryptography	High
`nosqlinjection`	NoSQL Injection	High
`commandinjection`	Command Injection	High
`ldapinjection`	LDAP Injection	High
`xpathinjection`	XPath Injection	High
`templateinjection`	Template Injection	High
`javascriptinjection`	JavaScript Injection	High
`advancedfilesecurity`	Advanced File Security	High
`authsession`	Authentication and Session Handling	High
`unscopedvariable`	Unscoped Variables	Medium

Fix a NoSQL injection

The vulnerable pattern passes user input directly into a MongoDB query:

<cfscript>

  // Mongo service obtained via createObject and the Mongo Java driver

  results = mongoService.find(

    collection = "users",

    query      = { "username": form.searchTerm }

  );

</cfscript>

The safe pattern validates the input and passes it as a typed string:

<cfscript>

  if (isValid("regex", form.searchTerm, "^[a-zA-Z0-9\s\-_]+$")) {

    results = mongoService.find(

      collection = "users",

      query      = { "username": toString(form.searchTerm) }

    );

  } else {

    throw(type = "InvalidInput", message = "Invalid search term");

  }

</cfscript>

Fix a command injection

The vulnerable pattern passes user input to cfexecute:

<cfexecute name="#form.command#" arguments="#form.args#" variable="output">

The safe pattern resolves the command from a server-side allowlist, validates any arguments against a strict regular expression, and runs the command with a timeout:

<cfscript>

  allowedCommands = ["ls", "pwd", "whoami"];

  cmdIndex        = arrayFindNoCase(allowedCommands, form.command);

  if (cmdIndex GT 0

      AND isValid("regex", form.args, "^[a-zA-Z0-9\-_/\.]*$")) {

    safeCommand = allowedCommands[cmdIndex];

    safeArgs    = form.args;

  } else {

    throw(type = "InvalidCommand", message = "Command or arguments not allowed");

  }

</cfscript>

<cfexecute name="#safeCommand#"

           arguments="#safeArgs#"

           variable="output"

           timeout="10" />

Fix an LDAP injection

The vulnerable pattern flows user input directly into an LDAP filter:

<cfscript>

  users = ldapSearch(

    attributes = "cn,mail",

    filter     = "(&(objectClass=person)(cn=*#form.username#*))"

  );

</cfscript>

The safe pattern encodes the input with encodeForLDAP():

<cfscript>

  users = ldapSearch(

    attributes = "cn,mail",

    filter     = "(&(objectClass=person)(cn=*#encodeForLDAP(form.username)#*))"

  );

</cfscript>

Fix an XPath injection

The vulnerable pattern concatenates user input into an XPath expression:

<cfscript>

  results = xmlSearch(xmlDoc, "//user[@id='#form.userId#']");

</cfscript>

The safe pattern encodes the input with encodeForXPath():

<cfscript>

  results = xmlSearch(xmlDoc, "//user[@id='#encodeForXPath(form.userId)#']");

</cfscript>

Fix a template injection

The vulnerable pattern lets user input drive dynamic code execution or a cfinclude path:

<cfscript>

  result = evaluate("#form.expression#");

  include "#form.templatePath#";

</cfscript>

The safe pattern validates against an allowlist and uses fixed paths. Replace evaluate() with a switch over expected values whenever possible. The same allowlist rule applies to Java-side script evaluation through ScriptEngine.eval():

<cfscript>

  allowedExpressions = ["math.pi", "now()", "dateFormat(now())"];

  if (arrayFind(allowedExpressions, form.expression)) {

    result = evaluate("#form.expression#");

  }

  include "includes/safe_template.cfm";

</cfscript>

Fix cryptography and data protection issues

The vulnerable pattern uses weak algorithms to hash sensitive data:

<cfscript>

  passwordHash = hash(form.password, "MD5");

  dataHash     = hash(form.data, "SHA-1");

</cfscript>

The safe pattern uses SHA-256 for general integrity hashing, and a slow, salted, work-factored key derivation function for passwords. The variable passwordHash holds the PBKDF2 output and is the value stored in the database:

<cfscript>

  // SHA-256 is appropriate for non-password integrity hashing.

  dataHash = hash(form.data, "SHA-256");

  // For passwords, use bcrypt, scrypt, Argon2, or PBKDF2 with a per-user salt

  // and a high iteration count. Never use raw SHA-256 for passwords.

  salt         = generateSecretKey("AES");

  iterations   = 100000;

  passwordHash = generatePBKDFKey("PBKDF2WithHmacSHA512",

                                  form.password, salt, iterations, 256);

</cfscript>

The vulnerable pattern below uses a hardcoded key to encrypt data and stores a plaintext password in the database:

<cfquery name="storeData" datasource="#dsn#">

  INSERT INTO users (password, creditcard)

  VALUES ('#form.password#', '#form.creditCard#')

</cfquery>

The safe pattern reads the encryption key from the environment, hashes the password with PBKDF2 (stored in passwordHash), and uses parameterized queries:

<cfscript>

  // Read the encryption key from the OS environment, not from source.

  systemObj     = createObject("java", "java.lang.System");

  encryptionKey = systemObj.getenv("ENCRYPTION_KEY");

  // Derive a storable password hash using PBKDF2.

  salt         = generateSecretKey("AES");

  iterations   = 100000;

  passwordHash = generatePBKDFKey("PBKDF2WithHmacSHA512",

                                  form.password, salt, iterations, 256);

  encryptedCreditCard = encrypt(form.creditCard, encryptionKey, "AES", "Base64");

</cfscript>

<cfquery name="storeEncryptedData" datasource="#dsn#">

  INSERT INTO users (password_hash, encrypted_creditcard)

  VALUES (

    <cfqueryparam value="#passwordHash#"        cfsqltype="cf_sql_varchar">,

    <cfqueryparam value="#encryptedCreditCard#" cfsqltype="cf_sql_varchar">

  )

</cfquery>

Note: Always use cfqueryparam for user input in SQL queries to prevent SQL injection.

Fix JavaScript and DOM-based cross-site scripting

The vulnerable pattern places user input in event handlers or in script content:

<div onclick="#form.action#">Click me</div>

<script>#form.scriptCode#</script>

<a href="#form.url#">Link</a>

The safe pattern avoids user input in event handlers and encodes for the correct context elsewhere:

<div onclick="safeFunction()">Click me</div>

<script>

  var userInput = "#encodeForJavaScript(form.input)#";

</script>

<a href="#encodeForHTMLAttribute(form.url)#">Link</a>

Fix advanced file security issues

The vulnerable pattern lets user input drive file paths, directory listings, or cfinclude:

<cffile action="read" file="#form.filePath#">

<cfdirectory action="list" directory="#url.directoryPath#">

<cfinclude template="#form.templatePath#">

The safe pattern resolves the canonical path before any comparison. A naive startsWith check on the raw input does not stop traversal, because the path /var/www/uploads/../../etc/passwd still starts with /var/www/uploads/. Verify the canonical path falls inside the canonical base directory and apply a filename allowlist:

<cfscript>

  safeBasePath  = "/var/www/uploads/";

  baseFile      = createObject("java", "java.io.File").init(safeBasePath);

  canonicalBase = baseFile.getCanonicalPath() & "/";

  requestedFile      = createObject("java", "java.io.File").init(safeBasePath, form.filePath);

  canonicalRequested = requestedFile.getCanonicalPath();

  if (canonicalRequested.startsWith(canonicalBase)

      AND reFind("^[a-zA-Z0-9_\-\.]+$", requestedFile.getName())) {

    fileContent = fileRead(canonicalRequested);

  } else {

    throw(type = "InvalidPath", message = "File path is outside the allowed directory");

  }

</cfscript>

<cfinclude template="includes/safe_template.cfm">

Fix authentication and session handling issues

The vulnerable pattern illustrates two anti-patterns to avoid. In the first, the role is read from a form field, so the caller can claim any role. In the second, a session identifier is taken from the URL parameter, which is a session-fixation vector. Note that sessionInvalidate() does not accept a session identifier argument; calling it this way reflects an incorrect assumption about the API signature:

<cfscript>

  // ANTI-PATTERN: Role taken from a form field — caller can claim any role.

  if (form.userRole EQ "admin") {

    showAdminPanel();

  }

  // ANTI-PATTERN: Session id supplied by the URL — a session-fixation vector.

  // Note: sessionInvalidate() does not accept a parameter; this pattern is

  // shown to illustrate the mistake, not as a callable example.

  sessionInvalidate(url.sessionId);

</cfscript>

The safe pattern uses cflogin and cfloginuser to authenticate the user, stores roles in server-side session state, and rotates or invalidates sessions through the official ColdFusion APIs. Replace the placeholder calls with your application's credential-verification query and role-lookup query:

<cflogin>

  <cfif IsDefined("cflogin")>

    <!--- Implement login: query your users table and verify the password hash. --->

    <cfquery name="qUser" datasource="#dsn#">

      SELECT password_hash, roles

      FROM   users

      WHERE  username = <cfqueryparam value="#cflogin.name#" cfsqltype="cf_sql_varchar">

    </cfquery>

    <cfif qUser.recordCount EQ 1

          AND verifyPasswordHash(cflogin.password, qUser.password_hash)>

      <!--- Store roles from the database, not from the request. --->

      <cfloginuser name="#cflogin.name#"

                   password="#cflogin.password#"

                   roles="#qUser.roles#">

      <cfset sessionRotate()>

    </cfif>

  </cfif>

</cflogin>

<cfscript>

  if (session.authenticated AND listFindNoCase(session.userRoles, "admin")) {

    showAdminPanel();

  }

  function logout() {

    sessionInvalidate();

  }

</cfscript>

Note: verifyPasswordHash() in the example above represents your application's password-verification logic (for example, a bcrypt or PBKDF2 comparison). It is not a ColdFusion built-in function.

Fix unscoped variable references

In the vulnerable pattern, a function-local intent declared with var is referenced unscoped. The reference resolves to whichever scope holds a matching name first, which may be form, url, or another caller-controlled scope:

<cfscript>

  function checkAccess() {

    var isAdmin = session.userRole EQ "admin";

    // The unscoped reference may pick up form.isAdmin from the request.

    if (isAdmin) {

      doSensitiveOperation();

    }

  }

</cfscript>

The safe pattern uses the local scope on both the declaration and the reference, so the lookup cannot fall through to a caller-controlled scope:

<cfscript>

  function checkAccess() {

    local.isAdmin = session.userRole EQ "admin";

    if (local.isAdmin) {

      doSensitiveOperation();

    }

  }

</cfscript>

Adjust the RDS timeout

For large projects, Security Analyzer needs more time. Increase the RDS timeout that the extension uses to reach the analyzer:

In Visual Studio Code, open the Command Palette with Ctrl+Shift+P on Windows, or Cmd+Shift+P on macOS.
Run the ColdFusion: Open RDS Configuration command.
Select the server you scan against.
Set Security Analyzer timeout to a value that covers a full-project scan of your largest project. The default is 30 seconds.
Save and run the scan again.

Locate the rules file

Security Analyzer rules and per-rule enablement live in codeanalyzerrules.json under your ColdFusion install directory:

The rules file lives at the same relative path on all three operating systems.
Operating system	Path
Windows	C:\ColdFusion2025\cfusion\lib\securityanalyzer\codeanalyzerrules.json
Linux	/opt/coldfusion2025/cfusion/lib/securityanalyzer/codeanalyzerrules.json
macOS	/Applications/ColdFusion2025/cfusion/lib/securityanalyzer/codeanalyzerrules.json

Enable or disable a rule

Edit the rules file when you want to turn an individual rule on or off:

Open codeanalyzerrules.json in a text editor.
Find the rule entry by its name field.
Set "enabled": true to enable the rule, or "enabled": false to disable it.
Save the file. The change takes effect on the next scan.

A rule entry looks like this:

{

  "name": "sqlinjection",

  "enabled": true,

  "severity": "high"

}

Caution: Prefer excluding directories such as vendor/ or non-CFML extensions. Excluding .cfc files hides component-level CFML, which is a large part of most ColdFusion applications.

Allow extension access to the server

If the extension cannot reach the server, complete the following checks:

Internet Information Services: Configure a virtual directory for /CFIDE and confirm that uriworkermap.properties does not block /CFIDE/*. Apply this only on development servers. Do not expose /CFIDE on production servers.
Firewall: Allow access to port 8500 or your custom ColdFusion port on the developer network if the firewall blocks it.

How Security Analyzer works

The scan flows through the following stages:

Security Analyzer runs as a service on the ColdFusion server. The Visual Studio Code extension reaches the service over the RDS channel. RDS is the transport, and the analyzer is the service behind it.
The extension sends the selected files or project to the server for analysis.
The server parses the CFML, applies the security rules, and returns findings.
The extension shows results in the Security Issues view with severity, type, and the suggested fix.
You mark each finding as Fixed or Ignored, and you export results to HTML, JSON, CSV, or PDF.

Best practices

Adopt these habits to get the most value from Security Analyzer:

Run Security Analyzer regularly during development, not only before a release.
Fix High severity findings first.
Run Clean Run Security Analyzer on a regular cadence to re-evaluate ignored findings.
Export reports for audit trails and compliance documentation.
Use cfqueryparam for all user input in SQL queries.
Use the encoding functions for the matching output context.
Avoid weak algorithms such as MD5, SHA-1, and DES for sensitive data.
Use bcrypt, scrypt, Argon2, or PBKDF2 with a salt and a high iteration count for passwords.
Validate and sanitize all user input before it reaches a query, command, or template.
Always scope variables explicitly with local, variables, or session in both the declaration and the reference.

Troubleshoot common scan problems

The following table lists common scan problems and the action that resolves each one:

Sub-folder scans resolve most slow-scan reports on projects of 30,000 files or more.
Issue	Action
Security Analyzer does not start	Confirm the project points to a ColdFusion server with the Developer profile.
Scan times out	Increase the RDS timeout in the extension settings.
No findings appear	Confirm that the project contains CFML files and is not empty.
Scan is slow on large projects	Run Security Analyzer on logical sub-folders or modules first, then widen the scope. As a secondary step, increase the JVM max heap if the server log shows skipped files because of memory limits.
Findings look incorrect	Review the context of each finding. Some findings remain false positives despite the accuracy improvements in this release. Choose Mark as Ignored when appropriate.

Standalone command-line tool

A standalone command-line Security Analyzer tool is on the roadmap for a future release. The planned tool supports continuous integration pipelines, scanning without an integrated development environment, multiple output formats including SARIF, and configurable rules and severity thresholds.

The following examples show planned command-line use:

# Basic use

cf-security-analyzer /path/to/coldfusion/app

# With a configuration file

cf-security-analyzer --config security-config.json --output html --severity high

# Pipeline integration

cf-security-analyzer --fail-on-issues --output sarif --format html

The following table shows planned configuration options:

The planned options match the inputs that the in-product configuration already supports.
Option	Description
`ignorePaths`	Paths to exclude, for example vendor/ or node_modules/.
`ignoreExtensions`	File extensions to skip, for example min.js or min.css.
`ignoreScanners`	Specific rules to disable.
`minSeverity`	Minimum severity to report.
`includeScanners`	Rules to run when you restrict the scope.
`outputFormats`	Output formats, including HTML, JSON, PDF, and SARIF.
`failOnIssues`	Exit with an error code when the scan finds issues.

Until the command-line tool ships, run scripted scans against the RDS endpoint that the extension uses. The scripted approach requires the Developer profile, valid RDS credentials, and network access to the server.

Exported report layout

The exported HTML or PDF report is a multi-section document with the following parts:

Summary: Total findings and a breakdown by severity and status.
Charts: A pie chart by severity and a bar chart by attack type. The exported report renders these as pie and bar charts. The view inside the extension renders the same data as donut charts.
Findings list: A static list of every finding, with file, line, attack name, severity, and status. The interactive issues table inside the extension covers the same data.
Appendix: An encoding-function reference and remediation guidance.

JSON and CSV exports contain the findings list data only, suitable for downstream tools.

Was this page helpful?

We're glad. Tell us how this page helped.

Found the answer to my problem Understood the instructions Liked the feature

Other suggestions

We're sorry. Can you tell us what didn't work for you?

Didn't find the answer to my problem Couldn't understand the instructions Didn't like the feature