Compliance reports

The Compliance reports section includes the following reports:

CWE Top 10 KEV report

The CWE Top 10 KEV Weaknesses list identifies the top ten CWEs in the Cybersecurity and Infrastructure Security Agency’s (CISA) Known Exploited Vulnerabilities (KEV) Catalog, a database of security flaws in software applications and weaknesses that have been exposed and leveraged by attackers.

The report is based on the version released in 2023 by Mitre. The supported products are Snyk Open Source, Snyk Container, and Snyk Code.

CWE Top 25 report

The CWE Top 25 Most Dangerous Software Weaknesses is a list that demonstrates the current most common and impactful software weaknesses based on Common Vulnerabilities and Exposures (CVEs) severity and their exploitation potential.

The report is based on the latest version released in 2023 by Mitre. The supported products are Snyk Open Source, Snyk Container, and Snyk Code.

OWASP Top 10 report

The OWASP Top 10 is a standard awareness document for developers and web application security. It represents a broad consensus about the most critical security risks for web applications and is globally recognized by developers as the first step towards more secure coding.

Each control in the list (A1, A2, and so on) is based on a list of Common Weakness Enumerations (CWEs). For example, A01:2025 – Broken Access Control is based on a list of 34 CWEs.

The CWEs are mapped to Snyk-IDs (), which are mapped to issues.

For example, the critical vulnerability SNYK-JAVA-ORGAPACHELOGGINGLOG4J-2314720 is classified as CWE-94, which is part of the OWASP TOP 10 A03:2025 - Injection. All the issues related to this vulnerability will be under the A03 category.

Learn more by using the OWASP TOP 10 Learning path on Snyk Learn.

The report is based on the latest mapping released in 2021. The supported products are Snyk Open Source, Snyk Container, and Snyk Code.

PCI-DSS v4.0.1 report

Release status

The PCI-DSS v4.0.1 report is in Early Access and available only with Enterprise plans.

PCI Security Standards are technical and operational requirements created by the PCI Security Standards Council (PCI SSC) to safeguard cardholder data. These standards apply to all entities that store, process, or transmit this information and include requirements for software developers and manufacturers. The Council manages these standards, while compliance is enforced by founding members: American Express, Discover Financial Services, JCB, MasterCard, and Visa Inc.

Snyk PCI-DSS v4.0.1 Report is designed to help you:

Estimate readiness for meeting the PCI-DSS AppSec requirements for SCA and SAST based on the Snyk scan results.
Provide evidence that the Organization is meeting the PCI-DSS AppSec requirements for SCA and SAST vulnerabilities.
Prioritize issues to improve PCI-DSS compliance readiness.

The report identifies PCI-DSS risks and violations based on the following PCI-DSS v4.0.1 requirements:

Requirement 6.2.4: Engineers use various techniques to prevent or mitigate common software attacks and related vulnerabilities in bespoke and custom software. This includes but is not limited to the following methods:
- Injection attacks, including SQL, LDAP, XPath, or other command, parameter, object, fault, or injection-type flaws.
- Attacks on data and data structures, including attempts to manipulate buffers, pointers, input data, or shared data.
- Attacks on cryptography usage, including attempts to exploit weak, insecure, or inappropriate cryptographic implementations, algorithms, cipher suites, or modes of operation.
- Attacks on business logic, including attempts to abuse or bypass application features and functionalities through the manipulation of APIs, communication protocols and channels, client-side functionality, or other system or application functions and resources. This includes cross-site scripting (XSS) and cross-site request forgery (CSRF).
- Attacks on access control mechanisms, including attempts to bypass or abuse identification, authentication, or authorization mechanisms or attempts to exploit weaknesses in the implementation of such mechanisms.
- Attacks using any “high-risk” vulnerabilities identified in the vulnerability identification process, as defined in Requirement 6.3.1.
Requirement 6.3.3: All system components are protected from known vulnerabilities by installing applicable security patches and updates as follows:
- Patches and updates for critical vulnerabilities, identified according to the risk ranking process at Requirement 6.3.1 are installed within one month of release.

Snyk Violation Analysis based on PCI-DSS attack categories

As the standard does not explicitly define specific CWEs or CVEs, Snyk provides an analysis based on leading CWEs associated with the named attack categories. Below are the CWEs categorized by attack type: