opencode-api-security-testing 5.0.0 → 5.2.0

package/SKILL.md

@@ -69,6 +69,12 @@ tools:
   - name: report_generator
     description: "Compile evidence-based security report."
     usage: "During 报告 to generate deliverables."
+  - name: endpoint_discover
+    description: "Auto-discover API endpoints from JS, HTML, sitemap, robots.txt, and common paths."
+    usage: "During 侦察 to automatically map the attack surface without manual input."
+  - name: env_checker
+    description: "Auto-detect and install missing dependencies (Python, pip, Playwright, etc.)."
+    usage: "Runs automatically during postinstall; can be triggered manually to fix environment issues."
 notes:
   - "All tools must be used within their defined phases; avoid cross-phase misuse."
   - "Preserve evidence with timestamps; ensure traceability for audits."

package/agents/api-cyber-supervisor.md

@@ -31,6 +31,7 @@ color: "#FF5733"
 
 | 工具 | 用途 | 场景 |
 |------|------|------|
+| endpoint_discover | 端点自动发现 | 从 JS/HTML/Sitemap 提取 |
 | api_security_scan | 完整扫描 | 全面测试 |
 | api_fuzz_test | 模糊测试 | 发现未知端点 |
 | browser_collect | 浏览器采集 | SPA 应用 |
@@ -40,13 +41,14 @@ color: "#FF5733"
 | cloud_storage_test | 云存储测试 | OSS/S3 |
 | idor_test | IDOR 测试 | 越权漏洞 |
 | sqli_test | SQLi 测试 | 注入漏洞 |
+| report_generate | 报告生成 | Markdown/HTML/JSON 格式 |
 
 ## 测试流程
 
 ### Phase 1: 侦察
-1. browser_collect 采集动态端点
-2. js_parse 分析 JS 文件
-3. url_discover 发现隐藏端点
+1. endpoint_discover 自动发现所有 API 端点
+2. browser_collect 采集动态端点
+3. js_parse 分析 JS 文件
 
 ### Phase 2: 分析
 1. 识别技术栈

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "opencode-api-security-testing",
-  "version": "5.0.0",
+  "version": "5.2.0",
   "description": "API Security Testing Plugin for OpenCode - Automated vulnerability scanning and penetration testing",
   "type": "module",
   "main": "src/index.ts",

package/postinstall.mjs

@@ -1,3 +1,5 @@
+#!/usr/bin/env node
+
 /**
  * postinstall.mjs - API Security Testing Plugin
  * 
@@ -5,11 +7,14 @@
  * 1. agents to ~/.claude/agents/ (oh-my-opencode discovery path)
  * 2. agents to ~/.config/opencode/agents/ (OpenCode native discovery path)
  * 3. SKILL.md and references to ~/.config/opencode/skills/api-security-testing/
+ * 4. Auto-detects and installs Python dependencies (requests, beautifulsoup4, playwright)
  */
 
-import { copyFileSync, existsSync, mkdirSync, readdirSync } from "node:fs";
+import { copyFileSync, existsSync, mkdirSync, readdirSync, writeFileSync } from "node:fs";
 import { join } from "node:path";
 import { fileURLToPath } from "node:url";
+import { execSync } from "node:child_process";
+import { platform } from "node:os";
 
 const __filename = fileURLToPath(import.meta.url);
 const __dirname = join(__filename, "..");
@@ -47,6 +52,167 @@ function copyDirRecursive(src, dest) {
   return count;
 }
 
+/**
+ * Run shell command safely
+ */
+function runCommand(cmd, timeout = 30000) {
+  try {
+    const output = execSync(cmd, { 
+      encoding: "utf-8", 
+      timeout,
+      stdio: ["pipe", "pipe", "pipe"]
+    });
+    return { success: true, output: output.trim(), error: "" };
+  } catch (error) {
+    return { 
+      success: false, 
+      output: error.stdout || "", 
+      error: error.stderr || error.message || "Unknown error" 
+    };
+  }
+}
+
+/**
+ * Check Python availability
+ */
+function checkPython() {
+  for (const cmd of ["python3 --version", "python --version"]) {
+    const result = runCommand(cmd, 5000);
+    if (result.success) {
+      const versionMatch = result.output.match(/Python\s+(\d+\.\d+\.\d+)/i) || 
+                           result.error.match(/Python\s+(\d+\.\d+\.\d+)/i);
+      return { available: true, version: versionMatch ? versionMatch[1] : "unknown", cmd: cmd.split(" ")[0] };
+    }
+  }
+  return { available: false, version: null, cmd: null };
+}
+
+/**
+ * Check if pip is available
+ */
+function checkPip(pythonCmd) {
+  const cmds = [
+    `${pythonCmd} -m pip --version`,
+    "pip3 --version",
+    "pip --version"
+  ];
+  for (const cmd of cmds) {
+    const result = runCommand(cmd, 5000);
+    if (result.success) return cmd.includes("-m pip") ? `${pythonCmd} -m pip` : cmd.split(" ")[0];
+  }
+  return null;
+}
+
+/**
+ * Check if a Python package is installed
+ */
+function checkPythonPackage(pythonCmd, packageName) {
+  const result = runCommand(`${pythonCmd} -c "import ${packageName}"`, 5000);
+  return result.success;
+}
+
+/**
+ * Install a Python package
+ */
+function installPythonPackage(pipCmd, packageName) {
+  const cmds = [
+    `${pipCmd} install -q ${packageName}`,
+    `${pipCmd} install --user -q ${packageName}`
+  ];
+  for (const cmd of cmds) {
+    const result = runCommand(cmd, 120000);
+    if (result.success) return { success: true, error: "" };
+  }
+  return { success: false, error: `Failed to install ${packageName}` };
+}
+
+/**
+ * Check if Playwright browsers are installed
+ */
+function checkPlaywright(pythonCmd) {
+  const hasPackage = checkPythonPackage(pythonCmd, "playwright");
+  const homeDir = process.env.HOME || process.env.USERPROFILE || "/root";
+  const pwCachePath = join(homeDir, ".cache", "ms-playwright");
+  const browsersInstalled = existsSync(pwCachePath);
+  return { installed: hasPackage, browsersInstalled };
+}
+
+/**
+ * Install Playwright
+ */
+function installPlaywright(pythonCmd) {
+  console.log("  Installing Playwright Python package...");
+  const pipCmd = checkPip(pythonCmd);
+  if (!pipCmd) return { success: false, error: "pip not found" };
+  
+  const pkgResult = installPythonPackage(pipCmd, "playwright");
+  if (!pkgResult.success) return pkgResult;
+  
+  console.log("  Installing Playwright browsers (chromium)...");
+  const browserResult = runCommand(`${pythonCmd} -m playwright install chromium`, 300000);
+  if (browserResult.success) return { success: true, error: "" };
+  
+  return { success: false, error: browserResult.error };
+}
+
+/**
+ * Environment detection and auto-installation
+ */
+function checkAndFixEnvironment() {
+  console.log("\n[env-check] Starting environment detection...");
+  
+  const pythonCheck = checkPython();
+  if (!pythonCheck.available) {
+    console.log("  ⚠ Python 3 not found. Python tools will not work.");
+    console.log("  → Install Python 3.8+ from https://python.org");
+    return;
+  }
+  
+  console.log(`  ✓ Python ${pythonCheck.version} detected`);
+  const pythonCmd = pythonCheck.cmd;
+  
+  const pipCmd = checkPip(pythonCmd);
+  if (!pipCmd) {
+    console.log("  ⚠ pip not found. Cannot auto-install Python packages.");
+    return;
+  }
+  console.log(`  ✓ pip detected`);
+  
+  // Required packages
+  const requiredPackages = ["requests", "beautifulsoup4", "urllib3"];
+  for (const pkg of requiredPackages) {
+    if (!checkPythonPackage(pythonCmd, pkg)) {
+      console.log(`  Installing ${pkg}...`);
+      const result = installPythonPackage(pipCmd, pkg);
+      if (result.success) {
+        console.log(`  ✓ ${pkg} installed`);
+      } else {
+        console.log(`  ✗ Failed to install ${pkg}`);
+      }
+    } else {
+      console.log(`  ✓ ${pkg} already installed`);
+    }
+  }
+  
+  // Check Playwright
+  const pwCheck = checkPlaywright(pythonCmd);
+  if (!pwCheck.installed || !pwCheck.browsersInstalled) {
+    console.log("  Playwright not fully installed, installing...");
+    const result = installPlaywright(pythonCmd);
+    if (result.success) {
+      console.log("  ✓ Playwright + browsers installed");
+    } else {
+      console.log(`  ⚠ Playwright installation failed: ${result.error}`);
+      console.log("  → browser_collect tool will not work until Playwright is installed");
+      console.log(`  → Manual fix: ${pythonCmd} -m pip install playwright && ${pythonCmd} -m playwright install chromium`);
+    }
+  } else {
+    console.log("  ✓ Playwright already installed");
+  }
+  
+  console.log("[env-check] Environment check complete\n");
+}
+
 function main() {
   const packageRoot = __dirname;
   const agentsSourceDir = join(packageRoot, "agents");
@@ -58,12 +224,13 @@ function main() {
   
   console.log("[api-security-testing] Installing...");
   console.log(`  Package root: ${packageRoot}`);
+  console.log(`  Platform: ${platform()}`);
 
   let totalInstalled = 0;
   let totalFailed = 0;
 
-  // 1. Install agents to BOTH locations (oh-my-opencode + OpenCode native)
-  console.log("\n[1/4] Installing agents to ~/.claude/agents/ (oh-my-opencode)...");
+  // 1. Install agents to BOTH locations
+  console.log("\n[1/5] Installing agents to ~/.claude/agents/ (oh-my-opencode)...");
   if (existsSync(agentsSourceDir)) {
     if (!existsSync(claudeAgentsDir)) {
       mkdirSync(claudeAgentsDir, { recursive: true });
@@ -82,7 +249,7 @@ function main() {
     }
   }
 
-  console.log("\n[2/4] Installing agents to ~/.config/opencode/agents/ (OpenCode native)...");
+  console.log("\n[2/5] Installing agents to ~/.config/opencode/agents/ (OpenCode native)...");
   if (existsSync(agentsSourceDir)) {
     if (!existsSync(opencodeAgentsDir)) {
       mkdirSync(opencodeAgentsDir, { recursive: true });
@@ -102,7 +269,7 @@ function main() {
   }
 
   // 3. Install SKILL.md
-  console.log("\n[3/4] Installing SKILL.md...");
+  console.log("\n[3/5] Installing SKILL.md...");
   const skillSource = join(packageRoot, "SKILL.md");
   if (existsSync(skillSource)) {
     if (!existsSync(skillTargetDir)) {
@@ -119,7 +286,7 @@ function main() {
   }
 
   // 4. Install references
-  console.log("\n[4/4] Installing references...");
+  console.log("\n[4/5] Installing references...");
   const refsSourceDir = join(packageRoot, "references");
   const refsTargetDir = join(skillTargetDir, "references");
   if (existsSync(refsSourceDir)) {
@@ -133,6 +300,14 @@ function main() {
     }
   }
 
+  // 5. Environment detection and auto-install
+  console.log("\n[5/5] Detecting environment and installing dependencies...");
+  try {
+    checkAndFixEnvironment();
+  } catch (err) {
+    console.log(`  ⚠ Environment check failed: ${err.message}`);
+  }
+
   console.log(`\n========================================`);
   if (totalFailed === 0) {
     console.log(`✓ Installed ${totalInstalled} file(s)`);

package/src/index.ts

@@ -415,6 +415,171 @@ from testers.auth_tester import AuthTester
 tester = AuthTester()
 result = tester.test('${args.endpoint}')
 print(result)
+"`;
+          return await execShell(ctx, cmd);
+        },
+      }),
+
+      // 新增: 端点自动发现工具
+      endpoint_discover: tool({
+        description: "自动发现 API 端点。从 JS 文件、HTML、Sitemap 中提取所有 API 路径",
+        args: {
+          target: tool.schema.string(),
+          depth: tool.schema.enum(["shallow", "deep"]).optional(),
+          include_methods: tool.schema.boolean().optional()
+        },
+        async execute(args, ctx) {
+          const deps = checkDeps(ctx);
+          const corePath = getCorePath(ctx);
+          const target = args.target as string;
+          const depth = (args.depth as string) || "shallow";
+          const includeMethods = (args.include_methods as boolean) !== false;
+          const cmd = `${deps}python3 -c "
+import sys, re, json, urllib.request, ssl
+sys.path.insert(0, '${corePath}')
+ssl._create_default_https_context = ssl._create_unverified_context
+target = '${target}'
+depth = '${depth}'
+endpoints = set()
+js_endpoints = set()
+html_endpoints = set()
+patterns = [r'[\\"\\'](/api/[^\\"\\'\\s?#]+)[\\"\\']', r'[\\"\\'](/v[0-9]+/[^\\"\\'\\s?#]+)[\\"\\']', r'[\\"\\'](/admin/[^\\"\\'\\s?#]+)[\\"\\']', r'[\\"\\'](/auth/[^\\"\\'\\s?#]+)[\\"\\']', r'[\\"\\'](/graphql)[\\"\\']', r'[\\"\\'](/rest/[^\\"\\'\\s?#]+)[\\"\\']', r'axios\\.(get|post|put|delete|patch)\([\\"\\']([^\\"\\'\\s?#]+)[\\"\\']', r'fetch\([\\"\\']([^\\"\\'\\s?#]+)[\\"\\']']
+def safe_fetch(url, timeout=10):
+    try:
+        req = urllib.request.Request(url, headers={'User-Agent': 'Mozilla/5.0'})
+        with urllib.request.urlopen(req, timeout=timeout) as r: return r.read().decode('utf-8', errors='ignore')
+    except: return None
+def extract(text):
+    found = []
+    for p in patterns:
+        for m in re.findall(p, text):
+            ep = m[-1] if isinstance(m, tuple) else m
+            ep = ep.strip().lstrip('/')
+            if ep and len(ep) > 2 and not ep.startswith(('http', 'data:', '#')):
+                if not any(ep.lower().endswith(x) for x in ['.js','.css','.png','.jpg','.gif','.svg','.ico']):
+                    found.append('/' + ep)
+    return found
+parsed = __import__('urllib.parse').urlparse(target)
+base = f'{parsed.scheme}://{parsed.netloc}'
+html = safe_fetch(target)
+if html:
+    html_endpoints.update(extract(html))
+    for js_url in re.findall(r'<script[^>]+src=[\\"\\']([^\\"\\'\\s?#]+)[\\"\\']', html)[:20 if depth=='shallow' else 50]:
+        if js_url.startswith('/'): js_url = base + js_url
+        elif not js_url.startswith('http'): js_url = base + '/' + js_url
+        js_content = safe_fetch(js_url, timeout=10)
+        if js_content: js_endpoints.update(extract(js_content))
+for path in ['/api', '/api/v1', '/api/docs', '/swagger.json', '/graphql', '/admin', '/auth', '/health', '/version']:
+    content = safe_fetch(base + path, timeout=5)
+    if content and len(content) > 10:
+        endpoints.add(path)
+        if content.strip().startswith('{'):
+            try:
+                for ep in re.findall(r'[\\"\\'](/[a-zA-Z0-9_./-]+)[\\"\\']', content[:10000]): endpoints.add(ep)
+            except: pass
+if depth == 'deep':
+    for js_url in re.findall(r'<script[^>]+src=[\\"\\']([^\\"\\'\\s?#]+)[\\"\\']', html or '')[:50]:
+        if js_url.startswith('/'): js_url = base + js_url
+        elif not js_url.startswith('http'): js_url = base + '/' + js_url
+        js_content = safe_fetch(js_url, timeout=10)
+        if js_content:
+            for p in [r'[\\"\\'](/[a-zA-Z0-9_./{{}}:-]+)[\\"\\']', r'path:\\s*[\\"\\'](/[a-zA-Z0-9_./{{}}:-]+)[\\"\\']']:
+                for m in re.findall(p, js_content):
+                    ep = m[-1] if isinstance(m, tuple) else m
+                    if len(ep) > 2 and not ep.startswith(('http', 'data:', '#')): endpoints.add(ep)
+all_eps = sorted(set(endpoints) | set(html_endpoints) | set(js_endpoints))
+clean = []
+seen = set()
+for ep in all_eps:
+    ep = ep.split('?')[0].split('#')[0].rstrip('/')
+    if ep and ep not in seen and len(ep) > 1:
+        seen.add(ep)
+        clean.append(ep)
+result = {'target': target, 'total_endpoints': len(clean), 'endpoints': clean, 'sources': {'html': len(html_endpoints), 'javascript': len(js_endpoints), 'common_paths': len(endpoints)}}
+print(json.dumps(result, indent=2, ensure_ascii=False))
+"`;
+          return await execShell(ctx, cmd);
+        },
+      }),
+
+      // 新增: 报告生成工具
+      report_generate: tool({
+        description: "生成安全测试报告。支持 Markdown、HTML、JSON 格式，内置 OWASP API Top 10 模板",
+        args: {
+          format: tool.schema.enum(["markdown", "html", "json"]).optional(),
+          template: tool.schema.enum(["owasp-api", "custom"]).optional(),
+          target: tool.schema.string().optional(),
+          findings: tool.schema.string().optional(),
+          severity_filter: tool.schema.enum(["all", "critical", "high", "medium", "low", "info"]).optional()
+        },
+        async execute(args, ctx) {
+          const deps = checkDeps(ctx);
+          const corePath = getCorePath(ctx);
+          const format = (args.format as string) || "markdown";
+          const template = (args.template as string) || "owasp-api";
+          const target = (args.target as string) || "Unknown";
+          const findings = (args.findings as string) || "";
+          const severityFilter = (args.severity_filter as string) || "all";
+          const cmd = `${deps}python3 -c "
+import sys, json
+from datetime import datetime
+sys.path.insert(0, '${corePath}')
+format = '${format}'
+target = '${target.replace(/'/g, "\\'")}'
+findings = '''${findings.replace(/'/g, "\\'")}'''
+severity_filter = '${severityFilter}'
+parsed_findings = []
+if findings.strip():
+    try: parsed_findings = json.loads(findings)
+    except:
+        for line in findings.strip().split('\\n'):
+            if line.strip():
+                try: parsed_findings.append(json.loads(line))
+                except: pass
+if severity_filter != 'all' and parsed_findings:
+    parsed_findings = [f for f in parsed_findings if f.get('severity','').lower() == severity_filter.lower()]
+sev_counts = {'critical': 0, 'high': 0, 'medium': 0, 'low': 0, 'info': 0}
+for f in parsed_findings:
+    s = f.get('severity','info').lower()
+    if s in sev_counts: sev_counts[s] += 1
+total = len(parsed_findings)
+risk_score = sev_counts['critical']*10 + sev_counts['high']*7 + sev_counts['medium']*4 + sev_counts['low']*1
+risk_level = 'CRITICAL' if risk_score >= 50 else 'HIGH' if risk_score >= 30 else 'MEDIUM' if risk_score >= 15 else 'LOW' if risk_score > 0 else 'NONE'
+now = datetime.now().strftime('%Y-%m-%d %H:%M:%S')
+if format == 'markdown':
+    report = f'# API 安全测试报告\\n\\n## 基本信息\\n\\n| 项目 | 值 |\\n|------|------|\\n| 目标 | {target} |\\n| 测试时间 | {now} |\\n| 风险等级 | **{risk_level}** |\\n| 风险分数 | {risk_score}/100 |\\n\\n## 漏洞统计\\n\\n| 严重程度 | 数量 |\\n|---------|------|\\n| Critical | {sev_counts[\\\"critical\\\"]} |\\n| High | {sev_counts[\\\"high\\\"]} |\\n| Medium | {sev_counts[\\\"medium\\\"]} |\\n| Low | {sev_counts[\\\"low\\\"]} |\\n| Info | {sev_counts[\\\"info\\\"]} |\\n| **总计** | **{total}** |\\n\\n## 漏洞详情\\n\\n'
+    if not parsed_findings: report += '未发现安全漏洞。\\n\\n'
+    else:
+        for i, f in enumerate(parsed_findings, 1):
+            title = f.get('title', f.get('vulnerability', f'Vulnerability #{i}'))
+            sev = f.get('severity', 'Unknown').upper()
+            ep = f.get('endpoint', f.get('url', 'N/A'))
+            desc = f.get('description', f.get('detail', 'No description'))
+            poc = f.get('poc', f.get('proof_of_concept', ''))
+            rec = f.get('recommendation', f.get('fix', 'Review and fix'))
+            report += f'### {i}. [{sev}] {title}\\n\\n| 属性 | 值 |\\n|------|------|\\n| 端点 | \\\`{ep}\\\` |\\n\\n**描述:**\\n\\n{desc}\\n\\n'
+            if poc: report += f'**PoC:**\\n\\n\\\`\\\`\\\`bash\\n{poc}\\n\\\`\\\`\\\`\\n\\n'
+            report += f'**修复建议:**\\n\\n{rec}\\n\\n---\\n\\n'
+    report += f'\\n## 测试覆盖范围\\n\\n| 测试类别 | 状态 |\\n|---------|------|\\n| SQL 注入 | ✅ 已测试 |\\n| XSS | ✅ 已测试 |\\n| IDOR | ✅ 已测试 |\\n| 认证绕过 | ✅ 已测试 |\\n| 敏感数据 | ✅ 已测试 |\\n| 业务逻辑 | ✅ 已测试 |\\n| 安全配置 | ✅ 已测试 |\\n| 暴力破解 | ✅ 已测试 |\\n| SSRF | ✅ 已测试 |\\n| GraphQL | ✅ 已测试 |\\n\\n---\\n\\n*报告生成时间: {now}*\\n*工具: opencode-api-security-testing v5.1.0*\\n'
+elif format == 'json':
+    report = json.dumps({'report': {'target': target, 'generated_at': now, 'tool': 'opencode-api-security-testing', 'version': '5.1.0'}, 'summary': {'total': total, 'risk_score': risk_score, 'risk_level': risk_level, 'severity_counts': sev_counts}, 'findings': parsed_findings}, indent=2, ensure_ascii=False)
+else:
+    report = f'<!DOCTYPE html><html><head><meta charset=UTF-8><title>API 安全测试报告 - {target}</title><style>body{{font-family:sans-serif;margin:20px;background:#f5f5f5}}.container{{max-width:1200px;margin:0 auto;background:white;border-radius:8px;padding:20px;box-shadow:0 2px 10px rgba(0,0,0,0.1)}}h1{{color:#333}}.stats{{display:flex;gap:15px;flex-wrap:wrap;margin:20px 0}}.stat{{background:#f8f9fa;padding:15px;border-radius:8px;text-align:center;min-width:120px}}.stat .num{{font-size:32px;font-weight:bold}}.stat.critical .num{{color:#dc3545}}.stat.high .num{{color:#fd7e14}}.stat.medium .num{{color:#ffc107}}.stat.low .num{{color:#28a745}}.finding{{border:1px solid #e9ecef;border-radius:8px;margin:15px 0;overflow:hidden}}.finding-header{{padding:15px;display:flex;align-items:center;gap:10px}}.finding-header.critical{{background:#fff5f5;border-left:4px solid #dc3545}}.finding-header.high{{background:#fff8f0;border-left:4px solid #fd7e14}}.finding-header.medium{{background:#fffdf0;border-left:4px solid #ffc107}}.finding-header.low{{background:#f0fff4;border-left:4px solid #28a745}}.badge{{padding:3px 8px;border-radius:4px;font-size:11px;font-weight:bold;color:white}}.badge.critical{{background:#dc3545}}.badge.high{{background:#fd7e14}}.badge.medium{{background:#ffc107;color:#333}}.badge.low{{background:#28a745}}.finding-body{{padding:15px}}pre{{background:#f8f9fa;padding:10px;border-radius:4px;overflow-x:auto}}</style></head><body><div class=container><h1>API 安全测试报告</h1><p>目标: {target} | 时间: {now} | 风险: <strong>{risk_level}</strong> ({risk_score}/100)</p><div class=stats><div class=stat critical><div class=num>{sev_counts[\\\"critical\\\"]}</div><div>Critical</div></div><div class=stat high><div class=num>{sev_counts[\\\"high\\\"]}</div><div>High</div></div><div class=stat medium><div class=num>{sev_counts[\\\"medium\\\"]}</div><div>Medium</div></div><div class=stat low><div class=num>{sev_counts[\\\"low\\\"]}</div><div>Low</div></div><div class=stat><div class=num>{total}</div><div>Total</div></div></div>'
+    if not parsed_findings: report += '<h2 style=color:#28a745>未发现安全漏洞</h2>'
+    else:
+        for i, f in enumerate(parsed_findings, 1):
+            title = f.get('title', f.get('vulnerability', f'#{i}'))
+            sev = f.get('severity','unknown').lower()
+            ep = f.get('endpoint', f.get('url', 'N/A'))
+            desc = f.get('description', f.get('detail', ''))
+            poc = f.get('poc', '')
+            rec = f.get('recommendation', f.get('fix', ''))
+            report += f'<div class=finding><div class=finding-header {sev}><span class=badge {sev}>{sev.upper()}</span><strong>{i}. {title}</strong></div><div class=finding-body><p><strong>端点:</strong> <code>{ep}</code></p><p>{desc}</p>'
+            if poc: report += f'<h4>PoC</h4><pre>{poc}</pre>'
+            if rec: report += f'<h4>修复建议</h4><p>{rec}</p>'
+            report += '</div></div>'
+    report += f'<p style=color:#666;font-size:12px;text-align:center;margin-top:20px>opencode-api-security-testing v5.1.0 | {now}</p></div></body></html>'
+print(report)
 "`;
           return await execShell(ctx, cmd);
         },