kekkai-cli 1.0.4__py3-none-any.whl → 1.1.0__py3-none-any.whl

kekkai/cli.py

@@ -7,10 +7,10 @@ import sys
 from collections.abc import Sequence
 from datetime import UTC, datetime
 from pathlib import Path
-from typing import cast
+from typing import Any, cast
 
 from . import dojo, manifest
-from .config import ConfigOverrides, DojoSettings, PolicySettings, load_config
+from .config import DEFAULT_SCANNERS, ConfigOverrides, DojoSettings, PolicySettings, load_config
 from .dojo_import import DojoConfig, import_results_to_dojo
 from .output import (
     VERSION,
@@ -179,8 +179,8 @@ def main(argv: Sequence[str] | None = None) -> int:
     threatflow_parser.add_argument(
         "--model-mode",
         type=str,
-        choices=["local", "openai", "anthropic", "mock"],
-        help="LLM backend: local (default), openai, anthropic, or mock for testing",
+        choices=["local", "ollama", "openai", "anthropic", "mock"],
+        help="LLM backend: local, ollama (recommended), openai, anthropic, or mock",
     )
     threatflow_parser.add_argument(
         "--model-path", type=str, help="Path to local model file (for local mode)"
@@ -217,6 +217,165 @@ def main(argv: Sequence[str] | None = None) -> int:
         help="Path for .kekkaiignore output (default: .kekkaiignore)",
     )
 
+    # Fix subcommand - AI-powered remediation
+    fix_parser = subparsers.add_parser("fix", help="generate AI-powered code fixes for findings")
+    fix_parser.add_argument(
+        "--input",
+        type=str,
+        help="Path to scan results JSON (Semgrep format)",
+    )
+    fix_parser.add_argument(
+        "--repo",
+        type=str,
+        help="Path to repository (default: current directory)",
+    )
+    fix_parser.add_argument(
+        "--output-dir",
+        type=str,
+        help="Output directory for diffs and audit log",
+    )
+    fix_parser.add_argument(
+        "--dry-run",
+        action="store_true",
+        default=True,
+        help="Preview fixes without applying (default: True)",
+    )
+    fix_parser.add_argument(
+        "--apply",
+        action="store_true",
+        help="Apply fixes to files (requires explicit flag)",
+    )
+    fix_parser.add_argument(
+        "--model-mode",
+        type=str,
+        choices=["local", "ollama", "openai", "anthropic", "mock"],
+        default="local",
+        help="LLM backend: local (default), openai, anthropic, or mock",
+    )
+    fix_parser.add_argument(
+        "--api-key",
+        type=str,
+        help="API key for remote LLM (prefer KEKKAI_FIX_API_KEY env var)",
+    )
+    fix_parser.add_argument(
+        "--model-name",
+        type=str,
+        help="Specific model name to use",
+    )
+    fix_parser.add_argument(
+        "--max-fixes",
+        type=int,
+        default=10,
+        help="Maximum fixes to generate per run (default: 10)",
+    )
+    fix_parser.add_argument(
+        "--timeout",
+        type=int,
+        default=120,
+        help="Timeout in seconds for LLM calls (default: 120)",
+    )
+    fix_parser.add_argument(
+        "--no-backup",
+        action="store_true",
+        help="Disable backup creation when applying fixes",
+    )
+
+    # Report subcommand - Compliance mapping and reporting
+    report_parser = subparsers.add_parser(
+        "report", help="generate compliance reports from scan findings"
+    )
+    report_parser.add_argument(
+        "--input",
+        type=str,
+        required=True,
+        help="Path to scan results JSON file",
+    )
+    report_parser.add_argument(
+        "--output",
+        type=str,
+        help="Output directory for reports (default: current directory)",
+    )
+    report_parser.add_argument(
+        "--format",
+        type=str,
+        default="html",
+        help="Report format: html, pdf, compliance, json, all (default: html)",
+    )
+    report_parser.add_argument(
+        "--frameworks",
+        type=str,
+        help="Comma-separated frameworks: PCI-DSS,SOC2,OWASP,HIPAA (default: all)",
+    )
+    report_parser.add_argument(
+        "--min-severity",
+        type=str,
+        default="info",
+        help="Minimum severity to include: critical,high,medium,low,info (default: info)",
+    )
+    report_parser.add_argument(
+        "--title",
+        type=str,
+        default="Security Scan Report",
+        help="Report title",
+    )
+    report_parser.add_argument(
+        "--organization",
+        type=str,
+        default="",
+        help="Organization name for report header",
+    )
+    report_parser.add_argument(
+        "--project",
+        type=str,
+        default="",
+        help="Project name for report header",
+    )
+    report_parser.add_argument(
+        "--no-executive-summary",
+        action="store_true",
+        help="Exclude executive summary section",
+    )
+    report_parser.add_argument(
+        "--no-timeline",
+        action="store_true",
+        help="Exclude remediation timeline section",
+    )
+
+    # Upload subcommand - upload scan results to DefectDojo
+    upload_parser = subparsers.add_parser("upload", help="upload scan results to DefectDojo")
+    upload_parser.add_argument(
+        "--run-id",
+        type=str,
+        help="Run ID to upload (default: latest run)",
+    )
+    upload_parser.add_argument(
+        "--input",
+        type=str,
+        help="Path to specific results file to upload",
+    )
+    upload_parser.add_argument(
+        "--dojo-url",
+        type=str,
+        help="DefectDojo base URL (default: http://localhost:8080)",
+    )
+    upload_parser.add_argument(
+        "--dojo-api-key",
+        type=str,
+        help="DefectDojo API key (or set KEKKAI_DOJO_API_KEY env var)",
+    )
+    upload_parser.add_argument(
+        "--product",
+        type=str,
+        default="Kekkai Scans",
+        help="DefectDojo product name",
+    )
+    upload_parser.add_argument(
+        "--engagement",
+        type=str,
+        default="Default Engagement",
+        help="DefectDojo engagement name",
+    )
+
     parsed = parser.parse_args(args)
     if parsed.command == "init":
         return _command_init(parsed.config, parsed.force)
@@ -249,6 +408,12 @@ def main(argv: Sequence[str] | None = None) -> int:
         return _command_threatflow(parsed)
     if parsed.command == "triage":
         return _command_triage(parsed)
+    if parsed.command == "fix":
+        return _command_fix(parsed)
+    if parsed.command == "report":
+        return _command_report(parsed)
+    if parsed.command == "upload":
+        return _command_upload(parsed)
 
     parser.print_help()
     return 1
@@ -489,7 +654,7 @@ def _resolve_scanners(override: str | None, config_scanners: list[str] | None) -
         return [s.strip() for s in override.split(",") if s.strip()]
     if config_scanners:
         return config_scanners
-    return []
+    return list(DEFAULT_SCANNERS)
 
 
 def _resolve_policy_config(
@@ -543,7 +708,7 @@ def _print_scan_summary_table(scan_results: list[ScanResult]) -> None:
         )
         for r in scan_results
     ]
-    console.print(print_scan_summary(rows))
+    print_scan_summary(rows)
 
 
 def _print_policy_summary(result: PolicyResult) -> None:
@@ -749,23 +914,44 @@ def _command_dojo(parsed: argparse.Namespace) -> int:
     project_name = _resolve_dojo_project_name(parsed)
 
     if parsed.dojo_command == "up":
-        port = _resolve_dojo_port(parsed)
-        tls_port = _resolve_dojo_tls_port(parsed, port)
+        requested_port = _resolve_dojo_port(parsed)
+        requested_tls_port = _resolve_dojo_tls_port(parsed, requested_port)
         try:
-            env = dojo.compose_up(
+            env, actual_port, actual_tls_port = dojo.compose_up(
                 compose_root=compose_root,
                 project_name=project_name,
-                port=port,
-                tls_port=tls_port,
+                port=requested_port,
+                tls_port=requested_tls_port,
                 wait=bool(parsed.wait),
                 open_browser=bool(parsed.open),
             )
         except RuntimeError as exc:
             print(str(exc))
             return 1
-        print(f"DefectDojo is starting at http://localhost:{port}/")
-        print(f"Admin user: {env.get('DD_ADMIN_USER', 'admin')}")
-        print("Admin password stored in .env")
+
+        # Warn if port was changed due to conflict
+        if actual_port != requested_port:
+            console.print(
+                f"[warning]Port {requested_port} was in use, using {actual_port} instead[/warning]"
+            )
+
+        console.print(
+            f"\n[bold cyan]DefectDojo is ready at[/bold cyan] http://localhost:{actual_port}/"
+        )
+        console.print("\n[bold]Login credentials:[/bold]")
+        console.print(f"  Username: {env.get('DD_ADMIN_USER', 'admin')}")
+        console.print(f"  Password: {env.get('DD_ADMIN_PASSWORD', '(see .env)')}")
+
+        # Show API key if generated (only when --wait was used)
+        api_key = env.get("DD_API_KEY")
+        if api_key:
+            console.print(f"\n[bold]API Key (for uploads):[/bold] {api_key}")
+        else:
+            console.print(
+                "\n[muted]Note: Run with --wait to auto-generate API key for uploads[/muted]"
+            )
+
+        console.print(f"\nCredentials saved to: {compose_root / '.env'}")
         return 0
 
     if parsed.dojo_command == "down":
@@ -938,6 +1124,499 @@ def _command_triage(parsed: argparse.Namespace) -> int:
     return run_triage(input_path=input_path, output_path=output_path)
 
 
+def _command_fix(parsed: argparse.Namespace) -> int:
+    """Run AI-powered code fix generation."""
+    from .fix import FixConfig, FixEngine
+
+    # Resolve input path
+    input_path_str = cast(str | None, getattr(parsed, "input", None))
+    if not input_path_str:
+        console.print("[danger]Error:[/danger] --input is required (path to scan results JSON)")
+        return 1
+
+    input_path = Path(input_path_str).expanduser().resolve()
+    if not input_path.exists():
+        console.print(f"[danger]Error:[/danger] Input file not found: {input_path}")
+        return 1
+
+    # Resolve repository path
+    repo_override = cast(str | None, getattr(parsed, "repo", None))
+    repo_path = Path(repo_override).expanduser().resolve() if repo_override else Path.cwd()
+
+    if not repo_path.exists() or not repo_path.is_dir():
+        console.print(f"[danger]Error:[/danger] Repository path not found: {repo_path}")
+        return 1
+
+    # Resolve output directory
+    output_dir_str = cast(str | None, getattr(parsed, "output_dir", None))
+    output_dir = Path(output_dir_str).expanduser().resolve() if output_dir_str else None
+
+    # Resolve model settings
+    model_mode = getattr(parsed, "model_mode", "local") or "local"
+    api_key = getattr(parsed, "api_key", None) or os.environ.get("KEKKAI_FIX_API_KEY")
+    model_name = getattr(parsed, "model_name", None)
+    max_fixes = getattr(parsed, "max_fixes", 10)
+    timeout = getattr(parsed, "timeout", 120)
+    no_backup = getattr(parsed, "no_backup", False)
+
+    # Determine dry_run: --apply overrides --dry-run
+    apply_fixes = getattr(parsed, "apply", False)
+    dry_run = not apply_fixes
+
+    # Display banner
+    console.print("\n[bold cyan]Kekkai Fix[/bold cyan] - AI-Powered Remediation")
+    console.print("=" * 50)
+    console.print(f"Repository: {repo_path}")
+    console.print(f"Input: {input_path}")
+    console.print(f"Model mode: {model_mode}")
+    console.print(f"Dry run: {dry_run}")
+
+    # Warn about remote mode
+    if model_mode in ("openai", "anthropic"):
+        console.print(
+            "\n[warning]*** WARNING: Using remote API. Code will be sent to external service. ***"
+            "[/warning]\n"
+        )
+        if not api_key:
+            console.print("[danger]Error:[/danger] API key required for remote mode.")
+            console.print("  Set --api-key or KEKKAI_FIX_API_KEY environment variable")
+            return 1
+
+    # Build config
+    config = FixConfig(
+        model_mode=model_mode,
+        api_key=api_key,
+        model_name=model_name,
+        max_fixes=max_fixes,
+        timeout_seconds=timeout,
+        dry_run=dry_run,
+        create_backups=not no_backup,
+    )
+
+    # Run fix engine
+    console.print("\nAnalyzing findings...")
+    engine = FixEngine(config)
+    result = engine.fix_from_scan_results(input_path, repo_path, output_dir)
+
+    if not result.success:
+        console.print(f"[danger]Error:[/danger] {result.error}")
+        return 1
+
+    # Print results
+    console.print("\n[success]Fix generation complete[/success]")
+    console.print(f"  Findings processed: {result.findings_processed}")
+    console.print(f"  Fixes generated: {result.fixes_generated}")
+
+    if not dry_run:
+        console.print(f"  Fixes applied: {result.fixes_applied}")
+
+    if result.warnings:
+        console.print("\n[warning]Warnings:[/warning]")
+        for w in result.warnings[:10]:
+            console.print(f"  - {sanitize_for_terminal(w)}")
+        if len(result.warnings) > 10:
+            console.print(f"  ... and {len(result.warnings) - 10} more")
+
+    # Show fix previews in dry run mode
+    if dry_run and result.suggestions:
+        console.print("\n[bold]Fix Previews:[/bold]")
+        for i, suggestion in enumerate(result.suggestions[:5], 1):
+            if suggestion.success:
+                console.print(
+                    f"\n--- Fix {i}: {suggestion.finding.file_path}:{suggestion.finding.line} ---"
+                )
+                console.print(f"Rule: {suggestion.finding.rule_id}")
+                console.print(suggestion.preview[:1000])
+                if len(suggestion.preview) > 1000:
+                    console.print("... (truncated)")
+        if len(result.suggestions) > 5:
+            console.print(f"\n... and {len(result.suggestions) - 5} more fixes")
+        console.print("\n[info]To apply fixes, run with --apply flag[/info]")
+
+    if result.audit_log_path:
+        console.print(f"\nAudit log: {result.audit_log_path}")
+
+    return 0
+
+
+def _command_report(parsed: argparse.Namespace) -> int:
+    """Generate compliance reports from scan findings."""
+    import json as _json
+
+    from .report import ReportConfig, ReportFormat, generate_report
+
+    # Resolve input path
+    input_path_str = cast(str, parsed.input)
+    input_path = Path(input_path_str).expanduser().resolve()
+
+    if not input_path.exists():
+        console.print(f"[danger]Error:[/danger] Input file not found: {input_path}")
+        return 1
+
+    # Resolve output directory
+    output_str = cast(str | None, getattr(parsed, "output", None))
+    output_dir = Path(output_str).expanduser().resolve() if output_str else Path.cwd()
+
+    # Parse format
+    format_str = getattr(parsed, "format", "html").lower()
+    formats: list[ReportFormat] = []
+    if format_str == "all":
+        formats = [ReportFormat.HTML, ReportFormat.PDF, ReportFormat.COMPLIANCE, ReportFormat.JSON]
+    else:
+        for fmt in format_str.split(","):
+            fmt = fmt.strip()
+            try:
+                formats.append(ReportFormat(fmt))
+            except ValueError:
+                console.print(f"[danger]Error:[/danger] Unknown format: {fmt}")
+                console.print("  Available: html, pdf, compliance, json, all")
+                return 1
+
+    # Parse frameworks
+    frameworks_str = cast(str | None, getattr(parsed, "frameworks", None))
+    if frameworks_str:
+        frameworks = [f.strip() for f in frameworks_str.split(",")]
+    else:
+        frameworks = ["PCI-DSS", "SOC2", "OWASP", "HIPAA"]
+
+    # Build config
+    config = ReportConfig(
+        formats=formats,
+        frameworks=frameworks,
+        min_severity=getattr(parsed, "min_severity", "info"),
+        include_executive_summary=not getattr(parsed, "no_executive_summary", False),
+        include_remediation_timeline=not getattr(parsed, "no_timeline", False),
+        title=getattr(parsed, "title", "Security Scan Report"),
+        organization=getattr(parsed, "organization", ""),
+        project_name=getattr(parsed, "project", ""),
+    )
+
+    # Display banner
+    console.print("\n[bold cyan]Kekkai Report[/bold cyan] - Compliance Mapping & Reporting")
+    console.print("=" * 55)
+    console.print(f"Input: {input_path}")
+    console.print(f"Output: {output_dir}")
+    console.print(f"Formats: {', '.join(f.value for f in formats)}")
+    console.print(f"Frameworks: {', '.join(frameworks)}")
+
+    # Load findings from input file
+    console.print("\nLoading scan results...")
+    try:
+        with input_path.open() as f:
+            data = _json.load(f)
+    except _json.JSONDecodeError as e:
+        console.print(f"[danger]Error:[/danger] Invalid JSON: {e}")
+        return 1
+
+    # Parse findings based on input format
+    findings = _parse_findings_from_json(data)
+
+    if not findings:
+        console.print("[warning]Warning:[/warning] No findings found in input file")
+
+    console.print(f"Found {len(findings)} findings")
+
+    # Generate reports
+    console.print("\nGenerating reports...")
+    result = generate_report(findings, output_dir, config)
+
+    if not result.success:
+        console.print("[danger]Report generation failed:[/danger]")
+        for err in result.errors:
+            console.print(f"  - {sanitize_error(err)}")
+        return 1
+
+    # Print results
+    console.print(f"\n[success]Reports generated in {result.generation_time_ms}ms[/success]")
+    console.print("\nOutput files:")
+    for path in result.output_files:
+        console.print(f"  - {path}")
+
+    if result.warnings:
+        console.print("\n[warning]Warnings:[/warning]")
+        for w in result.warnings[:5]:
+            console.print(f"  - {w}")
+
+    return 0
+
+
+def _command_upload(parsed: argparse.Namespace) -> int:
+    """Upload scan results to DefectDojo."""
+    import json as _json
+
+    # Resolve DefectDojo configuration
+    dojo_url = (
+        getattr(parsed, "dojo_url", None)
+        or os.environ.get("KEKKAI_DOJO_URL")
+        or "http://localhost:8080"
+    )
+    dojo_api_key = getattr(parsed, "dojo_api_key", None) or os.environ.get("KEKKAI_DOJO_API_KEY")
+
+    if not dojo_api_key:
+        # Try to read from local dojo .env file
+        dojo_env_path = app_base_dir() / "dojo" / ".env"
+        if dojo_env_path.exists():
+            env_data = dojo.load_env_file(dojo_env_path)
+            dojo_api_key = env_data.get("DD_API_KEY")
+
+    if not dojo_api_key:
+        console.print("[danger]Error:[/danger] DefectDojo API key required")
+        console.print("  Set --dojo-api-key or KEKKAI_DOJO_API_KEY environment variable")
+        console.print("  Or run 'kekkai dojo up' to start local DefectDojo first")
+        return 1
+
+    product_name = getattr(parsed, "product", "Kekkai Scans")
+    engagement_name = getattr(parsed, "engagement", "Default Engagement")
+
+    # Resolve input - either specific file or find latest run
+    input_path_str = cast(str | None, getattr(parsed, "input", None))
+    run_id_override = cast(str | None, getattr(parsed, "run_id", None))
+
+    if input_path_str:
+        # Use specific input file
+        input_path = Path(input_path_str).expanduser().resolve()
+        if not input_path.exists():
+            console.print(f"[danger]Error:[/danger] Input file not found: {input_path}")
+            return 1
+        run_dir = input_path.parent
+        run_id = run_dir.name
+    else:
+        # Find latest run
+        runs_dir = app_base_dir() / "runs"
+        if not runs_dir.exists():
+            console.print("[danger]Error:[/danger] No scan runs found")
+            console.print("  Run 'kekkai scan' first to generate results")
+            return 1
+
+        if run_id_override:
+            run_dir = runs_dir / run_id_override
+            if not run_dir.exists():
+                console.print(f"[danger]Error:[/danger] Run not found: {run_id_override}")
+                return 1
+            run_id = run_id_override
+        else:
+            # Find most recent run
+            run_dirs = sorted(
+                [d for d in runs_dir.iterdir() if d.is_dir()],
+                key=lambda d: d.stat().st_mtime,
+                reverse=True,
+            )
+            if not run_dirs:
+                console.print("[danger]Error:[/danger] No scan runs found")
+                return 1
+            run_dir = run_dirs[0]
+            run_id = run_dir.name
+
+    console.print("\n[bold cyan]Kekkai Upload[/bold cyan] - DefectDojo Import")
+    console.print("=" * 45)
+    console.print(f"DefectDojo URL: {dojo_url}")
+    console.print(f"Run ID: {run_id}")
+    console.print(f"Product: {product_name}")
+    console.print(f"Engagement: {engagement_name}")
+
+    # Find and load scan results
+    scan_files = list(run_dir.glob("*.json"))
+    scan_files = [f for f in scan_files if f.name not in ("run.json", "policy-result.json")]
+
+    if not scan_files:
+        console.print(f"[danger]Error:[/danger] No scan results found in {run_dir}")
+        return 1
+
+    console.print(f"\nFound {len(scan_files)} result file(s)")
+
+    # Build scan results for import
+    scan_results: list[ScanResult] = []
+    scanners_map: dict[str, Scanner] = {}
+
+    for scan_file in scan_files:
+        scanner_name = scan_file.stem  # e.g., "trivy", "semgrep", "gitleaks"
+        console.print(f"  Loading {scanner_name}...")
+
+        try:
+            with scan_file.open() as f:
+                data = _json.load(f)
+        except _json.JSONDecodeError as e:
+            console.print(f"    [warning]Skipped (invalid JSON): {e}[/warning]")
+            continue
+
+        # Parse findings based on format
+        findings = _parse_findings_from_json(data)
+
+        if findings:
+            scan_results.append(
+                ScanResult(
+                    scanner=scanner_name,
+                    success=True,
+                    findings=findings,
+                    raw_output_path=scan_file,
+                    duration_ms=0,
+                )
+            )
+            # Create scanner instance for import
+            scanner = _create_scanner(scanner_name)
+            if scanner:
+                scanners_map[scanner_name] = scanner
+
+            console.print(f"    {len(findings)} findings")
+
+    if not scan_results:
+        console.print("[danger]Error:[/danger] No valid scan results to upload")
+        return 1
+
+    # Import to DefectDojo
+    console.print("\nUploading to DefectDojo...")
+
+    dojo_cfg = DojoConfig(
+        base_url=dojo_url,
+        api_key=dojo_api_key,
+        product_name=product_name,
+        engagement_name=engagement_name,
+    )
+
+    # Get commit SHA from run manifest if available
+    commit_sha: str | None = None
+    manifest_path = run_dir / "run.json"
+    if manifest_path.exists():
+        try:
+            with manifest_path.open() as f:
+                manifest_data = _json.load(f)
+            commit_sha = manifest_data.get("commit_sha")
+        except (OSError, _json.JSONDecodeError):
+            pass
+
+    import_results = import_results_to_dojo(
+        config=dojo_cfg,
+        results=scan_results,
+        scanners=scanners_map,
+        run_id=run_id,
+        commit_sha=commit_sha,
+    )
+
+    success_count = 0
+    scanner_names_list = list(scanners_map.keys())
+    for idx, ir in enumerate(import_results):
+        scanner_label = (
+            scanner_names_list[idx] if idx < len(scanner_names_list) else f"scanner-{idx}"
+        )
+        if ir.success:
+            success_count += 1
+            console.print(
+                f"  [success]{scanner_label}:[/success] {ir.findings_created} created, "
+                f"{ir.findings_closed} closed"
+            )
+        else:
+            err = sanitize_error(ir.error or "Unknown error")
+            console.print(f"  [danger]{scanner_label} failed:[/danger] {err}")
+
+    if success_count > 0:
+        console.print(f"\n[success]Upload complete![/success] {success_count} scanner(s) imported")
+        console.print(f"View results at: {dojo_url}")
+        return 0
+    else:
+        console.print("\n[danger]Upload failed[/danger]")
+        return 1
+
+
+def _parse_findings_from_json(data: dict[str, Any] | list[Any]) -> list[Finding]:
+    """Parse findings from various JSON formats (Semgrep, Trivy, unified)."""
+    from .scanners.base import Severity
+
+    findings: list[Finding] = []
+
+    # Handle Semgrep format
+    if isinstance(data, dict) and "results" in data:
+        for item in data.get("results", []):
+            severity_str = item.get("extra", {}).get("severity", "INFO")
+            if severity_str == "ERROR":
+                severity = Severity.HIGH
+            elif severity_str == "WARNING":
+                severity = Severity.MEDIUM
+            else:
+                severity = Severity.from_string(severity_str)
+
+            findings.append(
+                Finding(
+                    scanner="semgrep",
+                    title=item.get("check_id", "Unknown"),
+                    severity=severity,
+                    description=item.get("extra", {}).get("message", ""),
+                    file_path=item.get("path"),
+                    line=item.get("start", {}).get("line"),
+                    rule_id=item.get("check_id"),
+                    cwe=_extract_cwe_from_metadata(item.get("extra", {}).get("metadata", {})),
+                )
+            )
+
+    # Handle Trivy format
+    elif isinstance(data, dict) and "Results" in data:
+        for result in data.get("Results", []):
+            for vuln in result.get("Vulnerabilities", []):
+                findings.append(
+                    Finding(
+                        scanner="trivy",
+                        title=vuln.get("Title", vuln.get("VulnerabilityID", "Unknown")),
+                        severity=Severity.from_string(vuln.get("Severity", "UNKNOWN")),
+                        description=vuln.get("Description", ""),
+                        cve=vuln.get("VulnerabilityID"),
+                        package_name=vuln.get("PkgName"),
+                        package_version=vuln.get("InstalledVersion"),
+                        fixed_version=vuln.get("FixedVersion"),
+                    )
+                )
+
+    # Handle unified Kekkai format (array of findings)
+    elif isinstance(data, list):
+        for item in data:
+            findings.append(
+                Finding(
+                    scanner=item.get("scanner", "unknown"),
+                    title=item.get("title", "Unknown"),
+                    severity=Severity.from_string(item.get("severity", "unknown")),
+                    description=item.get("description", ""),
+                    file_path=item.get("file_path"),
+                    line=item.get("line"),
+                    rule_id=item.get("rule_id"),
+                    cwe=item.get("cwe"),
+                    cve=item.get("cve"),
+                    package_name=item.get("package_name"),
+                    package_version=item.get("package_version"),
+                    fixed_version=item.get("fixed_version"),
+                )
+            )
+
+    # Handle Kekkai report JSON format (with findings array)
+    elif isinstance(data, dict) and "findings" in data:
+        for item in data.get("findings", []):
+            findings.append(
+                Finding(
+                    scanner=item.get("scanner", "unknown"),
+                    title=item.get("title", "Unknown"),
+                    severity=Severity.from_string(item.get("severity", "unknown")),
+                    description=item.get("description", ""),
+                    file_path=item.get("file_path"),
+                    line=item.get("line"),
+                    rule_id=item.get("rule_id"),
+                    cwe=item.get("cwe"),
+                    cve=item.get("cve"),
+                    package_name=item.get("package_name"),
+                    package_version=item.get("package_version"),
+                    fixed_version=item.get("fixed_version"),
+                )
+            )
+
+    return findings
+
+
+def _extract_cwe_from_metadata(metadata: dict[str, Any]) -> str | None:
+    """Extract CWE from Semgrep metadata."""
+    cwe_list = metadata.get("cwe", [])
+    if isinstance(cwe_list, list) and cwe_list:
+        return str(cwe_list[0])
+    if isinstance(cwe_list, str):
+        return cwe_list
+    return None
+
+
 def _resolve_dojo_compose_dir(parsed: argparse.Namespace) -> str | None:
     compose_dir = cast(str | None, getattr(parsed, "compose_dir", None))
     if compose_dir: