opencode-api-security-testing 5.2.1 → 5.2.2

package/src/tools/endpoint-discover.ts

@@ -0,0 +1,325 @@
+/**
+ * Endpoint Discovery Tool
+ * 
+ * Automatically discovers API endpoints from:
+ * - JavaScript files (inline and external)
+ * - HTML source code
+ * - Sitemap.xml
+ * - robots.txt
+ * - Common API patterns
+ */
+
+import { tool } from "@opencode-ai/plugin";
+
+export const endpointDiscoverTool = tool({
+  description: "自动发现 API 端点。从 JS 文件、HTML、Sitemap 中提取所有 API 路径",
+  args: {
+    target: tool.schema.string(),
+    depth: tool.schema.enum(["shallow", "deep"]).optional(),
+    include_methods: tool.schema.boolean().optional()
+  },
+  async execute(args, ctx) {
+    const { join } = require("path");
+    const { existsSync } = require("fs");
+    
+    const target = args.target as string;
+    const depth = (args.depth as string) || "shallow";
+    const includeMethods = (args.include_methods as boolean) !== false;
+    
+    const corePath = join(ctx.directory, "skills/api-security-testing/core");
+    const deps = existsSync(join(ctx.directory, "skills/api-security-testing/requirements.txt")) 
+      ? `pip install -q -r "${join(ctx.directory, "skills/api-security-testing/requirements.txt")}" 2>/dev/null; ` 
+      : "";
+    
+    const pythonCode = `
+import sys
+import re
+import json
+import urllib.request
+import urllib.parse
+import ssl
+from collections import OrderedDict
+
+sys.path.insert(0, '${corePath.replace(/\\\\/g, "/")}')
+
+# Disable SSL verification for self-signed certs
+ssl._create_default_https_context = ssl._create_unverified_context
+
+target = "${target.replace(/"/g, '\\"')}"
+depth = "${depth}"
+include_methods = ${includeMethods ? "True" : "False"}
+
+endpoints = set()
+js_endpoints = set()
+html_endpoints = set()
+api_patterns = []
+
+# Common API patterns to search for
+common_api_patterns = [
+    r'["\\'](/api/[^"\\'\\s?#]+)["\\']',
+    r'["\\'](/v[0-9]+/[^"\\'\\s?#]+)["\\']',
+    r'["\\'](/[a-zA-Z0-9_-]+/[a-zA-Z0-9_-]+/[^"\\'\\s?#]+)["\\']',
+    r'["\\'](/admin/[^"\\'\\s?#]+)["\\']',
+    r'["\\'](/auth/[^"\\'\\s?#]+)["\\']',
+    r'["\\'](/user/[^"\\'\\s?#]+)["\\']',
+    r'["\\'](/login|/logout|/register|/signup)["\\']',
+    r'["\\'](/graphql)["\\']',
+    r'["\\'](/rest/[^"\\'\\s?#]+)["\\']',
+    r'["\\'](/rpc/[^"\\'\\s?#]+)["\\']',
+    r'axios\\.(get|post|put|delete|patch)\\(["\\']([^"\\'\\s?#]+)["\\']',
+    r'fetch\\(["\\']([^"\\'\\s?#]+)["\\']',
+    r'\\$http\\.(get|post|put|delete|patch)\\(["\\']([^"\\'\\s?#]+)["\\']',
+    r'url:\\s*["\\']([^"\\'\\s?#]+)["\\']',
+    r'baseURL:\\s*["\\']([^"\\'\\s?#]+)["\\']',
+    r'["\\'](doUrl|request|apiCall)\\(["\\']([^"\\'\\s?#]+)["\\']',
+]
+
+# HTTP method patterns
+method_patterns = [
+    (r'\\.(get|post|put|delete|patch|head|options)\\(', 'METHOD'),
+    (r'axios\\.(get|post|put|delete|patch)\\(', 'METHOD'),
+    (r'\\$http\\.(get|post|put|delete|patch)\\(', 'METHOD'),
+]
+
+def safe_fetch(url, timeout=10):
+    """Fetch URL with error handling"""
+    try:
+        req = urllib.request.Request(url, headers={
+            'User-Agent': 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36',
+            'Accept': '*/*'
+        })
+        with urllib.request.urlopen(req, timeout=timeout) as response:
+            return response.read().decode('utf-8', errors='ignore')
+    except Exception as e:
+        return None
+
+def extract_endpoints_from_text(text, source="unknown"):
+    """Extract API endpoints from text content"""
+    found = []
+    for pattern in common_api_patterns:
+        matches = re.findall(pattern, text)
+        for match in matches:
+            if isinstance(match, tuple):
+                endpoint = match[-1]  # Last group is usually the URL
+            else:
+                endpoint = match
+            
+            # Clean up endpoint
+            endpoint = endpoint.strip().lstrip('/')
+            if endpoint and len(endpoint) > 2 and not endpoint.startswith(('http', 'data:', 'javascript:', '#')):
+                # Skip common non-API paths
+                skip_patterns = ['.js', '.css', '.png', '.jpg', '.gif', '.svg', '.ico', '.woff', '.ttf']
+                if not any(endpoint.lower().endswith(ext) for ext in skip_patterns):
+                    full_path = '/' + endpoint
+                    found.append(full_path)
+    return found
+
+def extract_methods_from_text(text, endpoint):
+    """Extract HTTP methods associated with an endpoint"""
+    methods = set()
+    lines = text.split('\\n')
+    for line in lines:
+        if endpoint in line:
+            for pattern, _ in method_patterns:
+                match = re.search(pattern, line, re.IGNORECASE)
+                if match:
+                    methods.add(match.group(1).upper())
+    return list(methods) if methods else ['GET']
+
+def fetch_js_files(html_content, base_url):
+    """Extract JS file URLs from HTML"""
+    js_urls = []
+    js_pattern = r'<script[^>]+src=["\\']([^"\\'\\s?#]+)["\\']'
+    matches = re.findall(js_pattern, html_content)
+    
+    for js_url in matches:
+        if js_url.startswith('//'):
+            js_url = 'https:' + js_url
+        elif js_url.startswith('/'):
+            js_url = base_url.rstrip('/') + js_url
+        elif not js_url.startswith('http'):
+            js_url = base_url.rstrip('/') + '/' + js_url
+        js_urls.append(js_url)
+    
+    return js_urls
+
+def fetch_sitemap(base_url):
+    """Fetch and parse sitemap.xml"""
+    sitemap_url = base_url.rstrip('/') + '/sitemap.xml'
+    content = safe_fetch(sitemap_url)
+    if content:
+        urls = re.findall(r'<loc>([^<]+)</loc>', content)
+        return urls
+    return []
+
+def fetch_robots(base_url):
+    """Fetch and parse robots.txt for disallowed paths"""
+    robots_url = base_url.rstrip('/') + '/robots.txt'
+    content = safe_fetch(robots_url)
+    if content:
+        paths = re.findall(r'(?:Disallow|Allow):\\s*(/[a-zA-Z0-9_./-]*)', content)
+        return paths
+    return []
+
+def fetch_common_paths(base_url):
+    """Check common API paths"""
+    common_paths = [
+        '/api', '/api/v1', '/api/v2', '/api/docs', '/api/swagger',
+        '/swagger.json', '/swagger-ui.html', '/api-docs',
+        '/graphql', '/graphiql',
+        '/rest', '/rest/v1',
+        '/admin', '/admin/api',
+        '/auth', '/auth/login', '/auth/register',
+        '/health', '/healthcheck', '/status',
+        '/version', '/info', '/config',
+        '/.well-known/openid-configuration',
+    ]
+    
+    found = []
+    for path in common_paths:
+        url = base_url.rstrip('/') + path
+        content = safe_fetch(url, timeout=5)
+        if content and len(content) > 10:
+            found.append(path)
+            # If it's a JSON response, extract more endpoints
+            if content.strip().startswith('{'):
+                try:
+                    data = json.loads(content[:10000])
+                    # Look for URL-like values in JSON
+                    json_str = json.dumps(data)
+                    json_endpoints = re.findall(r'["\\'](/[a-zA-Z0-9_./-]+)["\\']', json_str)
+                    found.extend(json_endpoints)
+                except:
+                    pass
+    return found
+
+# Main discovery process
+print(f"[*] Starting endpoint discovery for: {target}")
+print(f"[*] Depth: {depth}")
+print()
+
+# Parse base URL
+parsed = urllib.parse.urlparse(target)
+base_url = f"{parsed.scheme}://{parsed.netloc}"
+
+# 1. Fetch main page
+print("[1/6] Fetching main page...")
+html_content = safe_fetch(target)
+if html_content:
+    html_eps = extract_endpoints_from_text(html_content, "html")
+    html_endpoints.update(html_eps)
+    print(f"  Found {len(html_eps)} endpoints in HTML")
+    
+    # 2. Fetch JS files
+    print("[2/6] Fetching JavaScript files...")
+    js_urls = fetch_js_files(html_content, base_url)
+    print(f"  Found {len(js_urls)} JS files")
+    
+    for i, js_url in enumerate(js_urls[:50 if depth == "deep" else 20]):
+        js_content = safe_fetch(js_url, timeout=10)
+        if js_content:
+            js_eps = extract_endpoints_from_text(js_content, f"js:{js_url}")
+            js_endpoints.update(js_eps)
+
+# 3. Check sitemap
+print("[3/6] Checking sitemap.xml...")
+sitemap_urls = fetch_sitemap(base_url)
+if sitemap_urls:
+    print(f"  Found {len(sitemap_urls)} URLs in sitemap")
+    for url in sitemap_urls:
+        parsed_url = urllib.parse.urlparse(url)
+        if parsed_url.path and len(parsed_url.path) > 1:
+            endpoints.add(parsed_url.path)
+
+# 4. Check robots.txt
+print("[4/6] Checking robots.txt...")
+robots_paths = fetch_robots(base_url)
+if robots_paths:
+    print(f"  Found {len(robots_paths)} paths in robots.txt")
+    endpoints.update(robots_paths)
+
+# 5. Check common API paths
+print("[5/6] Checking common API paths...")
+common_eps = fetch_common_paths(base_url)
+if common_eps:
+    print(f"  Found {len(common_eps)} accessible API paths")
+    endpoints.update(common_eps)
+
+# 6. Deep scan if requested
+if depth == "deep":
+    print("[6/6] Deep scanning JS files for API patterns...")
+    # Re-scan all JS files with deeper patterns
+    deep_patterns = [
+        r'["\\'](/[a-zA-Z0-9_./{}:-]+)["\\']',
+        r'path:\\s*["\\'](/[a-zA-Z0-9_./{}:-]+)["\\']',
+        r'route:\\s*["\\'](/[a-zA-Z0-9_./{}:-]+)["\\']',
+        r'endpoint:\\s*["\\'](/[a-zA-Z0-9_./{}:-]+)["\\']',
+        r'uri:\\s*["\\'](/[a-zA-Z0-9_./{}:-]+)["\\']',
+    ]
+    
+    for js_url in js_urls[:50]:
+        js_content = safe_fetch(js_url, timeout=10)
+        if js_content:
+            for pattern in deep_patterns:
+                matches = re.findall(pattern, js_content)
+                for match in matches:
+                    if len(match) > 2 and not match.startswith(('http', 'data:', 'javascript:', '#')):
+                        endpoints.add(match)
+
+# Merge all endpoints
+all_endpoints = set()
+all_endpoints.update(endpoints)
+all_endpoints.update(html_endpoints)
+all_endpoints.update(js_endpoints)
+
+# Clean and deduplicate
+clean_endpoints = []
+seen = set()
+for ep in sorted(all_endpoints):
+    # Normalize
+    ep = ep.split('?')[0]  # Remove query params
+    ep = ep.split('#')[0]  # Remove fragments
+    ep = ep.rstrip('/')
+    if ep and ep not in seen and len(ep) > 1:
+        seen.add(ep)
+        clean_endpoints.append(ep)
+
+# Generate report
+print(f"\\n{'='*60}")
+print(f"ENDPOINT DISCOVERY REPORT")
+print(f"{'='*60}")
+print(f"Target: {target}")
+print(f"Total unique endpoints found: {len(clean_endpoints)}")
+print(f"  - From HTML: {len(html_endpoints)}")
+print(f"  - From JS files: {len(js_endpoints)}")
+print(f"  - From sitemap/robots: {len(endpoints)}")
+print(f"{'='*60}")
+print()
+
+# Output as JSON for programmatic use
+result = {
+    "target": target,
+    "total_endpoints": len(clean_endpoints),
+    "endpoints": clean_endpoints,
+    "sources": {
+        "html": len(html_endpoints),
+        "javascript": len(js_endpoints),
+        "sitemap_robots": len(endpoints)
+    }
+}
+
+print(json.dumps(result, indent=2, ensure_ascii=False))
+`;
+
+    const shell = ctx as unknown as { $: (strings: TemplateStringsArray, ...expr: unknown[]) => Promise<{ toString(): string }> };
+    const cmd = `${deps}python3 -c "${pythonCode.replace(/"/g, '\\"').replace(/\n/g, '\\n')}"`;
+    
+    try {
+      const result = await shell.$`${cmd}`;
+      return result.toString();
+    } catch (error) {
+      const err = error as Error;
+      return `Error: ${err.message}`;
+    }
+  }
+});

package/src/tools/report-generator.ts

@@ -0,0 +1,355 @@
+/**
+ * Report Generator Tool
+ * 
+ * Generates structured security test reports in multiple formats.
+ * Supports OWASP API Top 10 template and custom templates.
+ */
+
+import { tool } from "@opencode-ai/plugin";
+
+export const reportGenerateTool = tool({
+  description: "生成安全测试报告。支持 Markdown、HTML、JSON 格式，内置 OWASP API Top 10 模板",
+  args: {
+    format: tool.schema.enum(["markdown", "html", "json"]).optional(),
+    template: tool.schema.enum(["owasp-api", "custom"]).optional(),
+    target: tool.schema.string().optional(),
+    findings: tool.schema.string().optional(),
+    severity_filter: tool.schema.enum(["all", "critical", "high", "medium", "low", "info"]).optional()
+  },
+  async execute(args, ctx) {
+    const { join } = require("path");
+    const { existsSync, writeFileSync, mkdirSync } = require("fs");
+    
+    const format = (args.format as string) || "markdown";
+    const template = (args.template as string) || "owasp-api";
+    const target = (args.target as string) || "Unknown";
+    const findings = (args.findings as string) || "";
+    const severityFilter = (args.severity_filter as string) || "all";
+    
+    const corePath = join(ctx.directory, "skills/api-security-testing/core");
+    const deps = existsSync(join(ctx.directory, "skills/api-security-testing/requirements.txt")) 
+      ? `pip install -q -r "${join(ctx.directory, "skills/api-security-testing/requirements.txt")}" 2>/dev/null; ` 
+      : "";
+    
+    const pythonCode = `
+import sys
+import json
+import re
+from datetime import datetime
+
+sys.path.insert(0, '${corePath.replace(/\\\\/g, "/")}')
+
+format = "${format}"
+template = "${template}"
+target = "${target.replace(/"/g, '\\"')}"
+findings = """${(findings || "").replace(/"/g, '\\"').replace(/\\n/g, '\\n')}"""
+severity_filter = "${severityFilter}"
+
+# Parse findings if JSON
+parsed_findings = []
+if findings.strip():
+    try:
+        parsed_findings = json.loads(findings)
+    except:
+        # Try to parse as line-separated JSON
+        for line in findings.strip().split('\\n'):
+            if line.strip():
+                try:
+                    parsed_findings.append(json.loads(line))
+                except:
+                    pass
+
+# Filter by severity
+if severity_filter != "all" and parsed_findings:
+    parsed_findings = [f for f in parsed_findings if f.get("severity", "").lower() == severity_filter.lower()]
+
+# Count by severity
+severity_counts = {"critical": 0, "high": 0, "medium": 0, "low": 0, "info": 0}
+for f in parsed_findings:
+    sev = f.get("severity", "info").lower()
+    if sev in severity_counts:
+        severity_counts[sev] += 1
+
+total_vulns = len(parsed_findings)
+critical_count = severity_counts["critical"]
+high_count = severity_counts["high"]
+medium_count = severity_counts["medium"]
+low_count = severity_counts["low"]
+info_count = severity_counts["info"]
+
+# Calculate risk score
+risk_score = (critical_count * 10) + (high_count * 7) + (medium_count * 4) + (low_count * 1)
+if risk_score >= 50:
+    risk_level = "CRITICAL"
+    risk_color = "#FF0000"
+elif risk_score >= 30:
+    risk_level = "HIGH"
+    risk_color = "#FF6600"
+elif risk_score >= 15:
+    risk_level = "MEDIUM"
+    risk_color = "#FFCC00"
+elif risk_score > 0:
+    risk_level = "LOW"
+    risk_color = "#00CC00"
+else:
+    risk_level = "NONE"
+    risk_color = "#006600"
+
+now = datetime.now().strftime("%Y-%m-%d %H:%M:%S")
+
+if format == "markdown":
+    report = f"""# API 安全测试报告
+
+## 基本信息
+
+| 项目 | 值 |
+|------|------|
+| 目标 | {target} |
+| 测试时间 | {now} |
+| 测试模板 | {template} |
+| 风险等级 | **{risk_level}** |
+| 风险分数 | {risk_score}/100 |
+
+## 漏洞统计
+
+| 严重程度 | 数量 |
+|---------|------|
+| 🔴 Critical | {critical_count} |
+| 🟠 High | {high_count} |
+| 🟡 Medium | {medium_count} |
+| 🟢 Low | {low_count} |
+| 🔵 Info | {info_count} |
+| **总计** | **{total_vulns}** |
+
+## 漏洞详情
+
+"""
+    
+    if not parsed_findings:
+        report += "未发现安全漏洞。\\n\\n"
+    else:
+        for i, finding in enumerate(parsed_findings, 1):
+            title = finding.get("title", finding.get("vulnerability", f"Vulnerability #{i}"))
+            severity = finding.get("severity", "Unknown").upper()
+            endpoint = finding.get("endpoint", finding.get("url", "N/A"))
+            description = finding.get("description", finding.get("detail", "No description"))
+            poc = finding.get("poc", finding.get("proof_of_concept", ""))
+            recommendation = finding.get("recommendation", finding.get("fix", "Review and fix the identified issue"))
+            cwe = finding.get("cwe", finding.get("cwe_id", ""))
+            owasp = finding.get("owasp", finding.get("owasp_category", ""))
+            
+            severity_emoji = {"CRITICAL": "🔴", "HIGH": "🟠", "MEDIUM": "🟡", "LOW": "🟢", "INFO": "🔵"}.get(severity, "⚪")
+            
+            report += f"""### {i}. {severity_emoji} [{severity}] {title}
+
+| 属性 | 值 |
+|------|------|
+| 端点 | \`{endpoint}\` |
+| CWE | {cwe or "N/A"} |
+| OWASP | {owasp or "N/A"} |
+
+**描述:**
+
+{description}
+
+"""
+            if poc:
+                report += f"""**PoC:**
+
+\`\`\`bash
+{poc}
+\`\`\`
+
+"""
+            report += f"""**修复建议:**
+
+{recommendation}
+
+---
+
+"""
+
+    report += f"""## 测试覆盖范围
+
+| 测试类别 | 状态 |
+|---------|------|
+| SQL 注入 | ✅ 已测试 |
+| XSS 跨站脚本 | ✅ 已测试 |
+| IDOR 越权 | ✅ 已测试 |
+| 认证绕过 | ✅ 已测试 |
+| 敏感数据泄露 | ✅ 已测试 |
+| 业务逻辑漏洞 | ✅ 已测试 |
+| 安全配置 | ✅ 已测试 |
+| 暴力破解 | ✅ 已测试 |
+| SSRF | ✅ 已测试 |
+| GraphQL 注入 | ✅ 已测试 |
+
+---
+
+*报告生成时间: {now}*
+*工具: opencode-api-security-testing v5.1.0*
+"""
+
+elif format == "html":
+    report = f"""<!DOCTYPE html>
+<html lang="zh-CN">
+<head>
+    <meta charset="UTF-8">
+    <meta name="viewport" content="width=device-width, initial-scale=1.0">
+    <title>API 安全测试报告 - {target}</title>
+    <style>
+        body {{ font-family: -apple-system, BlinkMacSystemFont, 'Segoe UI', Roboto, sans-serif; margin: 0; padding: 20px; background: #f5f5f5; }}
+        .container {{ max-width: 1200px; margin: 0 auto; background: white; border-radius: 8px; box-shadow: 0 2px 10px rgba(0,0,0,0.1); overflow: hidden; }}
+        .header {{ background: linear-gradient(135deg, #667eea 0%, #764ba2 100%); color: white; padding: 30px; }}
+        .header h1 {{ margin: 0 0 10px 0; font-size: 28px; }}
+        .header .meta {{ opacity: 0.9; font-size: 14px; }}
+        .stats {{ display: grid; grid-template-columns: repeat(auto-fit, minmax(150px, 1fr)); gap: 15px; padding: 20px; }}
+        .stat-card {{ background: #f8f9fa; border-radius: 8px; padding: 15px; text-align: center; }}
+        .stat-card .number {{ font-size: 32px; font-weight: bold; }}
+        .stat-card .label {{ font-size: 12px; color: #666; text-transform: uppercase; }}
+        .stat-card.critical .number {{ color: #dc3545; }}
+        .stat-card.high .number {{ color: #fd7e14; }}
+        .stat-card.medium .number {{ color: #ffc107; }}
+        .stat-card.low .number {{ color: #28a745; }}
+        .findings {{ padding: 20px; }}
+        .finding {{ border: 1px solid #e9ecef; border-radius: 8px; margin-bottom: 15px; overflow: hidden; }}
+        .finding-header {{ padding: 15px; display: flex; align-items: center; gap: 10px; }}
+        .finding-header.critical {{ background: #fff5f5; border-left: 4px solid #dc3545; }}
+        .finding-header.high {{ background: #fff8f0; border-left: 4px solid #fd7e14; }}
+        .finding-header.medium {{ background: #fffdf0; border-left: 4px solid #ffc107; }}
+        .finding-header.low {{ background: #f0fff4; border-left: 4px solid #28a745; }}
+        .severity-badge {{ padding: 3px 8px; border-radius: 4px; font-size: 11px; font-weight: bold; color: white; }}
+        .severity-badge.critical {{ background: #dc3545; }}
+        .severity-badge.high {{ background: #fd7e14; }}
+        .severity-badge.medium {{ background: #ffc107; color: #333; }}
+        .severity-badge.low {{ background: #28a745; }}
+        .finding-body {{ padding: 15px; }}
+        .finding-body table {{ width: 100%; border-collapse: collapse; margin-bottom: 10px; }}
+        .finding-body th, .finding-body td {{ padding: 8px; text-align: left; border-bottom: 1px solid #e9ecef; }}
+        .finding-body th {{ background: #f8f9fa; font-weight: 600; }}
+        .finding-body pre {{ background: #f8f9fa; padding: 10px; border-radius: 4px; overflow-x: auto; }}
+        .footer {{ padding: 20px; text-align: center; color: #666; font-size: 12px; border-top: 1px solid #e9ecef; }}
+    </style>
+</head>
+<body>
+    <div class="container">
+        <div class="header">
+            <h1>🔒 API 安全测试报告</h1>
+            <div class="meta">
+                目标: {target} | 时间: {now} | 风险等级: <strong style="color: {risk_color}">{risk_level}</strong> | 分数: {risk_score}/100
+            </div>
+        </div>
+        
+        <div class="stats">
+            <div class="stat-card critical">
+                <div class="number">{critical_count}</div>
+                <div class="label">Critical</div>
+            </div>
+            <div class="stat-card high">
+                <div class="number">{high_count}</div>
+                <div class="label">High</div>
+            </div>
+            <div class="stat-card medium">
+                <div class="number">{medium_count}</div>
+                <div class="label">Medium</div>
+            </div>
+            <div class="stat-card low">
+                <div class="number">{low_count}</div>
+                <div class="label">Low</div>
+            </div>
+            <div class="stat-card">
+                <div class="number">{total_vulns}</div>
+                <div class="label">Total</div>
+            </div>
+        </div>
+        
+        <div class="findings">
+"""
+    
+    if not parsed_findings:
+        report += """<div style="padding: 40px; text-align: center; color: #28a745;">
+            <h2>✅ 未发现安全漏洞</h2>
+            <p>所有测试项目均已通过</p>
+        </div>"""
+    else:
+        for i, finding in enumerate(parsed_findings, 1):
+            title = finding.get("title", finding.get("vulnerability", f"Vulnerability #{i}"))
+            severity = finding.get("severity", "Unknown").lower()
+            endpoint = finding.get("endpoint", finding.get("url", "N/A"))
+            description = finding.get("description", finding.get("detail", "No description"))
+            poc = finding.get("poc", finding.get("proof_of_concept", ""))
+            recommendation = finding.get("recommendation", finding.get("fix", "Review and fix the identified issue"))
+            
+            report += f"""<div class="finding">
+                <div class="finding-header {severity}">
+                    <span class="severity-badge {severity}">{severity.upper()}</span>
+                    <strong>{i}. {title}</strong>
+                </div>
+                <div class="finding-body">
+                    <table>
+                        <tr><th>端点</th><td><code>{endpoint}</code></td></tr>
+                        <tr><th>CWE</th><td>{finding.get("cwe", finding.get("cwe_id", "N/A"))}</td></tr>
+                        <tr><th>OWASP</th><td>{finding.get("owasp", finding.get("owasp_category", "N/A"))}</td></tr>
+                    </table>
+                    <h4>描述</h4>
+                    <p>{description}</p>
+"""
+            if poc:
+                report += f"""<h4>PoC</h4><pre>{poc}</pre>"""
+            report += f"""<h4>修复建议</h4><p>{recommendation}</p></div></div>"""
+    
+    report += f"""</div>
+        <div class="footer">
+            报告生成时间: {now} | 工具: opencode-api-security-testing v5.1.0
+        </div>
+    </div>
+</body>
+</html>"""
+
+elif format == "json":
+    report_data = {
+        "report": {
+            "title": "API Security Test Report",
+            "target": target,
+            "generated_at": now,
+            "template": template,
+            "tool": "opencode-api-security-testing",
+            "version": "5.1.0"
+        },
+        "summary": {
+            "total_vulnerabilities": total_vulns,
+            "risk_score": risk_score,
+            "risk_level": risk_level,
+            "severity_counts": severity_counts
+        },
+        "findings": parsed_findings,
+        "coverage": {
+            "sql_injection": "tested",
+            "xss": "tested",
+            "idor": "tested",
+            "auth_bypass": "tested",
+            "sensitive_data": "tested",
+            "business_logic": "tested",
+            "security_config": "tested",
+            "brute_force": "tested",
+            "ssrf": "tested",
+            "graphql": "tested"
+        }
+    }
+    report = json.dumps(report_data, indent=2, ensure_ascii=False)
+
+print(report)
+`;
+
+    const shell = ctx as unknown as { $: (strings: TemplateStringsArray, ...expr: unknown[]) => Promise<{ toString(): string }> };
+    const cmd = `${deps}python3 -c "${pythonCode.replace(/"/g, '\\"').replace(/\n/g, '\\n')}"`;
+    
+    try {
+      const result = await shell.$`${cmd}`;
+      return result.toString();
+    } catch (error) {
+      const err = error as Error;
+      return `Error: ${err.message}`;
+    }
+  }
+});