My company uses multiple tools for vulnerability scanning. We have Nessus Pro for network scanning, WhiteSource Bolt and GitHub Dependabot for dependencies, SonarQube for source code, and Burp Suite Pro for web applications. This makes things very complicated for us when clients, my executives, or internal auditors ask us to provide evidence of how efficiently we conduct vulnerability scanning. The evidence of efficiency is not only about providing the Policy & Procedure as paperwork. Initially, we expect to have the vulnerability reports stored on Google Drive by their respective period, with folders organized by year-month. For example, network vulnerability reports monthly, and application vulnerability reports per release. I assume all vulnerabilities were remediated through a defined set of Policy & Procedure, with a remediation verification report.
So the question is: how do I manage my vulnerability scan reports efficiently? We are not a business that just says yes or no when asked about security.