Reports

The Reports page produces the two PDF artefacts an external auditor will most often ask for: an organization-wide Training Report, and a per-assignment Compliance Report. Both are generated on demand and downloaded directly from the admin UI; there is no scheduled-export flow today.

Where this lives

In the sidebar, open Reports under the Overview section. The page lives at /organization/reports and is gated by the org_admin role.

Training Report

The Training Report is a single PDF summarising your organization's secure-coding training posture at the moment of generation. It is the document you would attach to a compliance ticket for PCI DSS 6.2.2, ISO/IEC 27001 Annex A.8.28, SOC 2 CC1.4, or an enterprise vendor risk questionnaire that asks for "evidence that secure-coding training is in place".

Click Generate Training Report at the top of the Reports page. The backend assembles the document — header, organization metadata, aggregate completion counts, per-team breakdown, and an appendix of the top topics by completion and by gap — and returns the PDF as a download. The file is generated fresh on every request so the timestamp on the cover page matches the moment you pulled it.

Assignment Compliance Report

The Assignment Compliance Report scopes evidence down to a single assignment. It is the right artefact when an auditor asks for proof of a specific training cycle — for example, "show that every backend engineer completed the SQL Injection refresher you triggered after the Q3 pen test."

Pick the assignment from the dropdown on the Reports page, then click Generate Assignment Report. The PDF lists the assignment metadata (target, deadline, mandatory flag, assignee scope), every assignee with their current completion state and timestamp, and a per-user score summary where applicable. Overdue assignees are flagged in the table so the document doubles as a follow-up checklist.

Other evidence surfaces

Reports is not the only place evidence comes from. Two other admin pages also produce auditor-friendly exports:

  • Compliance generates per-framework evidence PDFs (PCI DSS, ISO 27001, SOC 2) backed by your actual coverage data.
  • Audit Log exports every administrator and API-key mutation in your organization as a CSV.

For machine-readable equivalents of the same data, every metric on these PDFs is also reachable from the public API — see API → Compliance and API → Audit Log.

Retaining reports

Reports captures the state at the moment of generation. If you regenerate the same report a month later you will see different numbers, because training activity in the intervening month will have shifted both the completion percentages and the per-team breakdown. For evidence packs you want to keep, download the PDF, hash it, and store it alongside the rest of your audit artefacts — the document does not change after download, so the hash is a deterministic record of what you sent to the auditor.
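
One way to do the hash-and-store step, as an added example that is not part of the product or its API: it records a downloaded PDF in an append-only manifest and later checks a copy against it. SHA-256, the JSON-lines manifest format, and the file names are assumptions; the page only says to hash the file.

```python
import hashlib
import json
import os
import tempfile
from datetime import datetime, timezone


def sha256_file(path, chunk_size=65536):
    """Stream the file so large PDFs are not loaded into memory at once."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def record_report(pdf_path, manifest_path):
    """Append one JSON line describing the downloaded PDF to the manifest."""
    entry = {
        "file": os.path.basename(pdf_path),
        "sha256": sha256_file(pdf_path),
        "size_bytes": os.path.getsize(pdf_path),
        "recorded_at": datetime.now(timezone.utc).isoformat(),
    }
    with open(manifest_path, "a", encoding="utf-8") as fh:
        fh.write(json.dumps(entry, sort_keys=True) + "\n")
    return entry


def verify_report(pdf_path, manifest_path):
    """Return True only if the file's current hash matches a recorded entry."""
    actual, name = sha256_file(pdf_path), os.path.basename(pdf_path)
    with open(manifest_path, encoding="utf-8") as fh:
        entries = [json.loads(line) for line in fh if line.strip()]
    return any(e["file"] == name and e["sha256"] == actual for e in entries)


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        pdf = os.path.join(tmp, "training-report.pdf")  # hypothetical name
        manifest = os.path.join(tmp, "evidence-manifest.jsonl")  # hypothetical
        with open(pdf, "wb") as fh:  # constructed stand-in, not a real report
            fh.write(b"%PDF-1.7\nconstructed sample\n")
        print(record_report(pdf, manifest))
        print("matches manifest:", verify_report(pdf, manifest))
        with open(pdf, "ab") as fh:  # simulate a regenerated or altered copy
            fh.write(b"changed")
        print("after change:", verify_report(pdf, manifest))
```

A regenerated report will not verify against an earlier entry, so record each PDF you actually send rather than relying on regenerating it later.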