Key Trends
Security Score Trend
Track overall security health over time
Violation Trends
Monitor violation counts by severity and type
Fix Velocity
Measure how quickly issues are resolved
Regression Analysis
Identify reintroduced vulnerabilities
Security Score Trend
Track your security score over time to measure improvement.

Positive indicators:
- ✅ Steadily increasing score
- ✅ Consistent maintenance at high levels
- ✅ Recovery after incidents

Warning signs:
- ⚠️ Declining score
- ⚠️ Flat score with increasing violations (the score is masking new risk)
- ⚠️ Volatile score (instability in the codebase or scanning configuration)
Violation Trends
By Severity
Track violations over time by severity:
- Critical: Should trend to zero
- High: Downward trend expected
- Medium/Low: Manageable levels
By Type
Monitor the distribution of violations by scan type; each type points at a different weakness:
- SAST: Code-level security weaknesses in first-party code
- SCA: Dependency health (known-vulnerable or outdated libraries)
- Secrets: Process maturity (credentials committed to the repository)
- IaC: Infrastructure security (misconfigured infrastructure definitions)
New vs Fixed
Compare new violations introduced vs violations fixed in the same period:
- Positive: More fixed than introduced
- Neutral: Equal rates
- Negative: More introduced than fixed
Fix Velocity Metrics
Mean Time to Remediation (MTTR)
Average time from violation discovery to fix:
- Critical: Target <24 hours
- High: Target <7 days
- Medium: Target <30 days
- Low: Target <90 days
Fix Rate
Percentage of violations fixed per time period:
- Good: >80% of violations fixed within SLA
- Improving: Fix rate increasing over time
- Concerning: <50% fix rate, or a declining rate
Backlog
Count of open violations by age:
- Current: <30 days old
- Aging: 30-90 days old
- Stale: >90 days old
Regression Analysis
Track reintroduced vulnerabilities:
- Regression rate: Percentage of fixed violations that reappear
- Target: <5% regression rate

Causes of regressions:
- Lack of understanding of the fix
- Copy-paste from vulnerable code
- Framework/library updates
- Incomplete fixes
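The metrics above (new vs fixed, MTTR against the per-severity targets, fix rate within SLA, backlog aging buckets and regression rate) can all be derived from one list of violation records. The following is an added example, not code from the platform itself: the record shape, the `fingerprint` field used to recognise a reappearing finding, and the sample data are assumptions constructed for illustration.

```python
"""Compute violation trend metrics from a list of violation records.

Added example, not the platform's own code. The Violation record layout,
the ``fingerprint`` field (stable identity of a finding, used to detect
regressions) and the SAMPLE data below are assumptions for illustration.
"""
from collections import Counter, defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

# Per-severity remediation targets from the text (MTTR section).
SLA = {
    "critical": timedelta(hours=24),
    "high": timedelta(days=7),
    "medium": timedelta(days=30),
    "low": timedelta(days=90),
}


@dataclass
class Violation:
    fingerprint: str               # assumed: stable id of the finding (rule + location)
    severity: str                  # critical / high / medium / low
    opened_at: datetime            # when the scanner first reported it
    fixed_at: Optional[datetime] = None   # None while still open


def mttr_by_severity(violations):
    """Mean time to remediation in hours, per severity, over fixed violations."""
    totals, counts = defaultdict(timedelta), Counter()
    for v in violations:
        if v.fixed_at is not None:
            totals[v.severity] += v.fixed_at - v.opened_at
            counts[v.severity] += 1
    return {sev: totals[sev].total_seconds() / 3600 / counts[sev] for sev in counts}


def fix_rate_within_sla(violations, now):
    """Share of violations fixed inside their severity's SLA.

    Open violations already past their deadline count as misses; open
    violations still inside the SLA are undecided and are left out.
    """
    hits = misses = 0
    for v in violations:
        deadline = v.opened_at + SLA[v.severity]
        if v.fixed_at is not None:
            if v.fixed_at <= deadline:
                hits += 1
            else:
                misses += 1
        elif now > deadline:
            misses += 1
    decided = hits + misses
    return hits / decided if decided else 1.0


def backlog_aging(violations, now):
    """Bucket open violations by age: current (<30d), aging (30-90d), stale (>90d)."""
    buckets = Counter(current=0, aging=0, stale=0)
    for v in violations:
        if v.fixed_at is None:
            age = (now - v.opened_at).days
            buckets["current" if age < 30 else "aging" if age <= 90 else "stale"] += 1
    return dict(buckets)


def new_vs_fixed(violations, start, end):
    """Violations opened vs. fixed inside the window [start, end)."""
    new = sum(1 for v in violations if start <= v.opened_at < end)
    fixed = sum(1 for v in violations if v.fixed_at and start <= v.fixed_at < end)
    return {"new": new, "fixed": fixed, "net": fixed - new}


def regression_rate(violations):
    """Share of fixed violations whose fingerprint was reported again after the fix."""
    by_fp = defaultdict(list)
    for v in violations:
        by_fp[v.fingerprint].append(v)
    fixed = regressed = 0
    for records in by_fp.values():
        records.sort(key=lambda r: r.opened_at)
        for i, v in enumerate(records):
            if v.fixed_at is None:
                continue
            fixed += 1
            if any(later.opened_at > v.fixed_at for later in records[i + 1:]):
                regressed += 1
    return regressed / fixed if fixed else 0.0


# Constructed sample data (not real scan output).
NOW = datetime(2024, 6, 30)
SAMPLE = [
    Violation("sqli:orders.py:42", "critical", datetime(2024, 6, 1), datetime(2024, 6, 1, 12)),
    Violation("sqli:orders.py:42", "critical", datetime(2024, 6, 20)),        # same finding reappears: regression
    Violation("xss:view.js:10", "high", datetime(2024, 6, 5), datetime(2024, 6, 10)),
    Violation("sca:example-lib", "high", datetime(2024, 5, 1), datetime(2024, 5, 20)),  # 19d: missed the 7d SLA
    Violation("secret:aws_key", "medium", datetime(2024, 3, 1)),               # open 121d: stale
    Violation("iac:s3_public", "low", datetime(2024, 5, 1)),                   # open 60d: aging
]

if __name__ == "__main__":
    print("MTTR (h):", mttr_by_severity(SAMPLE))
    print("Fix rate within SLA:", fix_rate_within_sla(SAMPLE, NOW))
    print("Backlog:", backlog_aging(SAMPLE, NOW))
    print("June new vs fixed:", new_vs_fixed(SAMPLE, datetime(2024, 6, 1), datetime(2024, 7, 1)))
    print("Regression rate:", regression_rate(SAMPLE))
```

Two design choices worth noting: the fix rate treats an open violation that is already past its deadline as a miss rather than ignoring it, otherwise a stalled backlog would inflate the rate; and regression is detected by fingerprint, not by rule name, so a fix in one file and a new hit of the same rule elsewhere is counted as a new violation, not a regression.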
Repository Comparison
Compare security metrics across repositories:
- Best performers: Highlight for recognition
- Needs attention: Focus improvement efforts
- Trend comparison: Which repos are improving or declining
Team Performance
By Team
Track metrics by team:
- Violations assigned
- Fix velocity
- Regression rate
- Security score contribution
By Individual
Individual contributor metrics:
- Violations introduced
- Violations fixed
- Average fix time
- Code security quality
Use individual metrics for coaching and improvement, not punishment. Foster a blameless security culture.
Compliance Metrics
Track compliance-relevant metrics:
- Time to remediation for Critical/High
- Open violations by age
- Audit log completeness
- Access review compliance
Exporting Analytics
Export trend data for external analysis:
1. Reports → Analytics Export
2. Choose metrics and time range
3. Select format (CSV, JSON)
4. Download

Use the exported data for:
- Business intelligence tools
- Custom dashboards
- Executive presentations
- Compliance documentation
Setting Goals
Use trends to set data-driven security goals. Example goals:
- Reduce Critical violations to zero by Q2
- Maintain security score above 85
- Achieve <48h MTTR for Critical issues
- Reduce regression rate below 5%
- Scan 100% of PRs before merge
