kekkai-cli 1.0.5__tar.gz → 1.1.0__tar.gz
- kekkai_cli-1.1.0/PKG-INFO +359 -0
- kekkai_cli-1.1.0/README.md +348 -0
- {kekkai_cli-1.0.5 → kekkai_cli-1.1.0}/pyproject.toml +5 -1
- {kekkai_cli-1.0.5 → kekkai_cli-1.1.0}/src/kekkai/cli.py +693 -14
- kekkai_cli-1.1.0/src/kekkai/compliance/__init__.py +68 -0
- kekkai_cli-1.1.0/src/kekkai/compliance/hipaa.py +235 -0
- kekkai_cli-1.1.0/src/kekkai/compliance/mappings.py +136 -0
- kekkai_cli-1.1.0/src/kekkai/compliance/owasp.py +517 -0
- kekkai_cli-1.1.0/src/kekkai/compliance/owasp_agentic.py +267 -0
- kekkai_cli-1.1.0/src/kekkai/compliance/pci_dss.py +205 -0
- kekkai_cli-1.1.0/src/kekkai/compliance/soc2.py +209 -0
- {kekkai_cli-1.0.5 → kekkai_cli-1.1.0}/src/kekkai/dojo.py +91 -14
- kekkai_cli-1.1.0/src/kekkai/fix/__init__.py +47 -0
- kekkai_cli-1.1.0/src/kekkai/fix/audit.py +278 -0
- kekkai_cli-1.1.0/src/kekkai/fix/differ.py +427 -0
- kekkai_cli-1.1.0/src/kekkai/fix/engine.py +500 -0
- kekkai_cli-1.1.0/src/kekkai/fix/prompts.py +251 -0
- {kekkai_cli-1.0.5 → kekkai_cli-1.1.0}/src/kekkai/output.py +10 -12
- kekkai_cli-1.1.0/src/kekkai/report/__init__.py +41 -0
- kekkai_cli-1.1.0/src/kekkai/report/compliance_matrix.py +98 -0
- kekkai_cli-1.1.0/src/kekkai/report/generator.py +365 -0
- kekkai_cli-1.1.0/src/kekkai/report/html.py +69 -0
- kekkai_cli-1.1.0/src/kekkai/report/pdf.py +63 -0
- {kekkai_cli-1.0.5 → kekkai_cli-1.1.0}/src/kekkai/scanners/container.py +33 -3
- {kekkai_cli-1.0.5 → kekkai_cli-1.1.0}/src/kekkai/scanners/gitleaks.py +3 -1
- {kekkai_cli-1.0.5 → kekkai_cli-1.1.0}/src/kekkai/scanners/semgrep.py +1 -1
- {kekkai_cli-1.0.5 → kekkai_cli-1.1.0}/src/kekkai/scanners/trivy.py +1 -1
- {kekkai_cli-1.0.5 → kekkai_cli-1.1.0}/src/kekkai/threatflow/model_adapter.py +143 -1
- kekkai_cli-1.1.0/src/kekkai_cli.egg-info/PKG-INFO +359 -0
- {kekkai_cli-1.0.5 → kekkai_cli-1.1.0}/src/kekkai_cli.egg-info/SOURCES.txt +21 -0
- {kekkai_cli-1.0.5 → kekkai_cli-1.1.0}/src/portal/enterprise/__init__.py +15 -2
- {kekkai_cli-1.0.5 → kekkai_cli-1.1.0}/src/portal/enterprise/licensing.py +88 -22
- {kekkai_cli-1.0.5 → kekkai_cli-1.1.0}/src/portal/web.py +9 -0
- {kekkai_cli-1.0.5 → kekkai_cli-1.1.0}/tests/test_cli_output.py +55 -10
- kekkai_cli-1.1.0/tests/test_compliance.py +580 -0
- {kekkai_cli-1.0.5 → kekkai_cli-1.1.0}/tests/test_enterprise_licensing.py +87 -34
- kekkai_cli-1.1.0/tests/test_fix_engine.py +416 -0
- {kekkai_cli-1.0.5 → kekkai_cli-1.1.0}/tests/test_kekkai_dojo.py +71 -1
- {kekkai_cli-1.0.5 → kekkai_cli-1.1.0}/tests/test_kekkai_dojo_cli.py +9 -3
- kekkai_cli-1.1.0/tests/test_report.py +393 -0
- {kekkai_cli-1.0.5 → kekkai_cli-1.1.0}/tests/test_scanner_container.py +40 -0
- kekkai_cli-1.1.0/tests/test_scanner_digest_defaults.py +83 -0
- kekkai_cli-1.0.5/PKG-INFO +0 -135
- kekkai_cli-1.0.5/README.md +0 -124
- kekkai_cli-1.0.5/src/kekkai_cli.egg-info/PKG-INFO +0 -135
- {kekkai_cli-1.0.5 → kekkai_cli-1.1.0}/setup.cfg +0 -0
- {kekkai_cli-1.0.5 → kekkai_cli-1.1.0}/src/kekkai/__init__.py +0 -0
- {kekkai_cli-1.0.5 → kekkai_cli-1.1.0}/src/kekkai/config.py +0 -0
- {kekkai_cli-1.0.5 → kekkai_cli-1.1.0}/src/kekkai/dojo_import.py +0 -0
- {kekkai_cli-1.0.5 → kekkai_cli-1.1.0}/src/kekkai/github/__init__.py +0 -0
- {kekkai_cli-1.0.5 → kekkai_cli-1.1.0}/src/kekkai/github/commenter.py +0 -0
- {kekkai_cli-1.0.5 → kekkai_cli-1.1.0}/src/kekkai/github/models.py +0 -0
- {kekkai_cli-1.0.5 → kekkai_cli-1.1.0}/src/kekkai/github/sanitizer.py +0 -0
- {kekkai_cli-1.0.5 → kekkai_cli-1.1.0}/src/kekkai/installer/__init__.py +0 -0
- {kekkai_cli-1.0.5 → kekkai_cli-1.1.0}/src/kekkai/installer/errors.py +0 -0
- {kekkai_cli-1.0.5 → kekkai_cli-1.1.0}/src/kekkai/installer/extract.py +0 -0
- {kekkai_cli-1.0.5 → kekkai_cli-1.1.0}/src/kekkai/installer/manager.py +0 -0
- {kekkai_cli-1.0.5 → kekkai_cli-1.1.0}/src/kekkai/installer/manifest.py +0 -0
- {kekkai_cli-1.0.5 → kekkai_cli-1.1.0}/src/kekkai/installer/verify.py +0 -0
- {kekkai_cli-1.0.5 → kekkai_cli-1.1.0}/src/kekkai/manifest.py +0 -0
- {kekkai_cli-1.0.5 → kekkai_cli-1.1.0}/src/kekkai/paths.py +0 -0
- {kekkai_cli-1.0.5 → kekkai_cli-1.1.0}/src/kekkai/policy.py +0 -0
- {kekkai_cli-1.0.5 → kekkai_cli-1.1.0}/src/kekkai/runner.py +0 -0
- {kekkai_cli-1.0.5 → kekkai_cli-1.1.0}/src/kekkai/scanners/__init__.py +0 -0
- {kekkai_cli-1.0.5 → kekkai_cli-1.1.0}/src/kekkai/scanners/backends/__init__.py +0 -0
- {kekkai_cli-1.0.5 → kekkai_cli-1.1.0}/src/kekkai/scanners/backends/base.py +0 -0
- {kekkai_cli-1.0.5 → kekkai_cli-1.1.0}/src/kekkai/scanners/backends/docker.py +0 -0
- {kekkai_cli-1.0.5 → kekkai_cli-1.1.0}/src/kekkai/scanners/backends/native.py +0 -0
- {kekkai_cli-1.0.5 → kekkai_cli-1.1.0}/src/kekkai/scanners/base.py +0 -0
- {kekkai_cli-1.0.5 → kekkai_cli-1.1.0}/src/kekkai/scanners/falco.py +0 -0
- {kekkai_cli-1.0.5 → kekkai_cli-1.1.0}/src/kekkai/scanners/url_policy.py +0 -0
- {kekkai_cli-1.0.5 → kekkai_cli-1.1.0}/src/kekkai/scanners/zap.py +0 -0
- {kekkai_cli-1.0.5 → kekkai_cli-1.1.0}/src/kekkai/threatflow/__init__.py +0 -0
- {kekkai_cli-1.0.5 → kekkai_cli-1.1.0}/src/kekkai/threatflow/artifacts.py +0 -0
- {kekkai_cli-1.0.5 → kekkai_cli-1.1.0}/src/kekkai/threatflow/chunking.py +0 -0
- {kekkai_cli-1.0.5 → kekkai_cli-1.1.0}/src/kekkai/threatflow/core.py +0 -0
- {kekkai_cli-1.0.5 → kekkai_cli-1.1.0}/src/kekkai/threatflow/mermaid.py +0 -0
- {kekkai_cli-1.0.5 → kekkai_cli-1.1.0}/src/kekkai/threatflow/prompts.py +0 -0
- {kekkai_cli-1.0.5 → kekkai_cli-1.1.0}/src/kekkai/threatflow/redaction.py +0 -0
- {kekkai_cli-1.0.5 → kekkai_cli-1.1.0}/src/kekkai/threatflow/sanitizer.py +0 -0
- {kekkai_cli-1.0.5 → kekkai_cli-1.1.0}/src/kekkai/triage/__init__.py +0 -0
- {kekkai_cli-1.0.5 → kekkai_cli-1.1.0}/src/kekkai/triage/app.py +0 -0
- {kekkai_cli-1.0.5 → kekkai_cli-1.1.0}/src/kekkai/triage/audit.py +0 -0
- {kekkai_cli-1.0.5 → kekkai_cli-1.1.0}/src/kekkai/triage/ignore.py +0 -0
- {kekkai_cli-1.0.5 → kekkai_cli-1.1.0}/src/kekkai/triage/models.py +0 -0
- {kekkai_cli-1.0.5 → kekkai_cli-1.1.0}/src/kekkai/triage/screens.py +0 -0
- {kekkai_cli-1.0.5 → kekkai_cli-1.1.0}/src/kekkai/triage/widgets.py +0 -0
- {kekkai_cli-1.0.5 → kekkai_cli-1.1.0}/src/kekkai_cli.egg-info/dependency_links.txt +0 -0
- {kekkai_cli-1.0.5 → kekkai_cli-1.1.0}/src/kekkai_cli.egg-info/entry_points.txt +0 -0
- {kekkai_cli-1.0.5 → kekkai_cli-1.1.0}/src/kekkai_cli.egg-info/requires.txt +0 -0
- {kekkai_cli-1.0.5 → kekkai_cli-1.1.0}/src/kekkai_cli.egg-info/top_level.txt +0 -0
- {kekkai_cli-1.0.5 → kekkai_cli-1.1.0}/src/kekkai_core/__init__.py +0 -0
- {kekkai_cli-1.0.5 → kekkai_cli-1.1.0}/src/kekkai_core/ci/__init__.py +0 -0
- {kekkai_cli-1.0.5 → kekkai_cli-1.1.0}/src/kekkai_core/ci/benchmarks.py +0 -0
- {kekkai_cli-1.0.5 → kekkai_cli-1.1.0}/src/kekkai_core/ci/metadata.py +0 -0
- {kekkai_cli-1.0.5 → kekkai_cli-1.1.0}/src/kekkai_core/ci/validators.py +0 -0
- {kekkai_cli-1.0.5 → kekkai_cli-1.1.0}/src/kekkai_core/docker/__init__.py +0 -0
- {kekkai_cli-1.0.5 → kekkai_cli-1.1.0}/src/kekkai_core/docker/metadata.py +0 -0
- {kekkai_cli-1.0.5 → kekkai_cli-1.1.0}/src/kekkai_core/docker/sbom.py +0 -0
- {kekkai_cli-1.0.5 → kekkai_cli-1.1.0}/src/kekkai_core/docker/security.py +0 -0
- {kekkai_cli-1.0.5 → kekkai_cli-1.1.0}/src/kekkai_core/docker/signing.py +0 -0
- {kekkai_cli-1.0.5 → kekkai_cli-1.1.0}/src/kekkai_core/redaction.py +0 -0
- {kekkai_cli-1.0.5 → kekkai_cli-1.1.0}/src/kekkai_core/slsa/__init__.py +0 -0
- {kekkai_cli-1.0.5 → kekkai_cli-1.1.0}/src/kekkai_core/slsa/verify.py +0 -0
- {kekkai_cli-1.0.5 → kekkai_cli-1.1.0}/src/kekkai_core/windows/__init__.py +0 -0
- {kekkai_cli-1.0.5 → kekkai_cli-1.1.0}/src/kekkai_core/windows/chocolatey.py +0 -0
- {kekkai_cli-1.0.5 → kekkai_cli-1.1.0}/src/kekkai_core/windows/installer.py +0 -0
- {kekkai_cli-1.0.5 → kekkai_cli-1.1.0}/src/kekkai_core/windows/scoop.py +0 -0
- {kekkai_cli-1.0.5 → kekkai_cli-1.1.0}/src/kekkai_core/windows/validators.py +0 -0
- {kekkai_cli-1.0.5 → kekkai_cli-1.1.0}/src/portal/__init__.py +0 -0
- {kekkai_cli-1.0.5 → kekkai_cli-1.1.0}/src/portal/api.py +0 -0
- {kekkai_cli-1.0.5 → kekkai_cli-1.1.0}/src/portal/auth.py +0 -0
- {kekkai_cli-1.0.5 → kekkai_cli-1.1.0}/src/portal/enterprise/audit.py +0 -0
- {kekkai_cli-1.0.5 → kekkai_cli-1.1.0}/src/portal/enterprise/rbac.py +0 -0
- {kekkai_cli-1.0.5 → kekkai_cli-1.1.0}/src/portal/enterprise/saml.py +0 -0
- {kekkai_cli-1.0.5 → kekkai_cli-1.1.0}/src/portal/ops/__init__.py +0 -0
- {kekkai_cli-1.0.5 → kekkai_cli-1.1.0}/src/portal/ops/backup.py +0 -0
- {kekkai_cli-1.0.5 → kekkai_cli-1.1.0}/src/portal/ops/log_shipper.py +0 -0
- {kekkai_cli-1.0.5 → kekkai_cli-1.1.0}/src/portal/ops/monitoring.py +0 -0
- {kekkai_cli-1.0.5 → kekkai_cli-1.1.0}/src/portal/ops/restore.py +0 -0
- {kekkai_cli-1.0.5 → kekkai_cli-1.1.0}/src/portal/ops/secrets.py +0 -0
- {kekkai_cli-1.0.5 → kekkai_cli-1.1.0}/src/portal/ops/upgrade.py +0 -0
- {kekkai_cli-1.0.5 → kekkai_cli-1.1.0}/src/portal/tenants.py +0 -0
- {kekkai_cli-1.0.5 → kekkai_cli-1.1.0}/src/portal/uploads.py +0 -0
- {kekkai_cli-1.0.5 → kekkai_cli-1.1.0}/tests/test_dojo_import.py +0 -0
- {kekkai_cli-1.0.5 → kekkai_cli-1.1.0}/tests/test_enterprise_audit.py +0 -0
- {kekkai_cli-1.0.5 → kekkai_cli-1.1.0}/tests/test_enterprise_rbac.py +0 -0
- {kekkai_cli-1.0.5 → kekkai_cli-1.1.0}/tests/test_enterprise_saml.py +0 -0
- {kekkai_cli-1.0.5 → kekkai_cli-1.1.0}/tests/test_github_commenter_filter.py +0 -0
- {kekkai_cli-1.0.5 → kekkai_cli-1.1.0}/tests/test_github_commenter_format.py +0 -0
- {kekkai_cli-1.0.5 → kekkai_cli-1.1.0}/tests/test_github_commenter_limit.py +0 -0
- {kekkai_cli-1.0.5 → kekkai_cli-1.1.0}/tests/test_github_commenter_sanitize.py +0 -0
- {kekkai_cli-1.0.5 → kekkai_cli-1.1.0}/tests/test_installer_checksum.py +0 -0
- {kekkai_cli-1.0.5 → kekkai_cli-1.1.0}/tests/test_installer_extract.py +0 -0
- {kekkai_cli-1.0.5 → kekkai_cli-1.1.0}/tests/test_installer_manager.py +0 -0
- {kekkai_cli-1.0.5 → kekkai_cli-1.1.0}/tests/test_installer_manifest.py +0 -0
- {kekkai_cli-1.0.5 → kekkai_cli-1.1.0}/tests/test_installer_platform.py +0 -0
- {kekkai_cli-1.0.5 → kekkai_cli-1.1.0}/tests/test_kekkai_cli.py +0 -0
- {kekkai_cli-1.0.5 → kekkai_cli-1.1.0}/tests/test_kekkai_config.py +0 -0
- {kekkai_cli-1.0.5 → kekkai_cli-1.1.0}/tests/test_kekkai_manifest.py +0 -0
- {kekkai_cli-1.0.5 → kekkai_cli-1.1.0}/tests/test_kekkai_paths.py +0 -0
- {kekkai_cli-1.0.5 → kekkai_cli-1.1.0}/tests/test_kekkai_runner.py +0 -0
- {kekkai_cli-1.0.5 → kekkai_cli-1.1.0}/tests/test_mermaid.py +0 -0
- {kekkai_cli-1.0.5 → kekkai_cli-1.1.0}/tests/test_ops_backup.py +0 -0
- {kekkai_cli-1.0.5 → kekkai_cli-1.1.0}/tests/test_ops_log_shipper.py +0 -0
- {kekkai_cli-1.0.5 → kekkai_cli-1.1.0}/tests/test_ops_monitoring.py +0 -0
- {kekkai_cli-1.0.5 → kekkai_cli-1.1.0}/tests/test_ops_restore.py +0 -0
- {kekkai_cli-1.0.5 → kekkai_cli-1.1.0}/tests/test_ops_secrets.py +0 -0
- {kekkai_cli-1.0.5 → kekkai_cli-1.1.0}/tests/test_ops_upgrade.py +0 -0
- {kekkai_cli-1.0.5 → kekkai_cli-1.1.0}/tests/test_policy.py +0 -0
- {kekkai_cli-1.0.5 → kekkai_cli-1.1.0}/tests/test_portal_api.py +0 -0
- {kekkai_cli-1.0.5 → kekkai_cli-1.1.0}/tests/test_portal_auth.py +0 -0
- {kekkai_cli-1.0.5 → kekkai_cli-1.1.0}/tests/test_portal_tenants.py +0 -0
- {kekkai_cli-1.0.5 → kekkai_cli-1.1.0}/tests/test_portal_uploads.py +0 -0
- {kekkai_cli-1.0.5 → kekkai_cli-1.1.0}/tests/test_portal_web.py +0 -0
- {kekkai_cli-1.0.5 → kekkai_cli-1.1.0}/tests/test_redaction.py +0 -0
- {kekkai_cli-1.0.5 → kekkai_cli-1.1.0}/tests/test_scanner_backends.py +0 -0
- {kekkai_cli-1.0.5 → kekkai_cli-1.1.0}/tests/test_scanner_base.py +0 -0
- {kekkai_cli-1.0.5 → kekkai_cli-1.1.0}/tests/test_scanner_falco.py +0 -0
- {kekkai_cli-1.0.5 → kekkai_cli-1.1.0}/tests/test_scanner_gitleaks.py +0 -0
- {kekkai_cli-1.0.5 → kekkai_cli-1.1.0}/tests/test_scanner_native.py +0 -0
- {kekkai_cli-1.0.5 → kekkai_cli-1.1.0}/tests/test_scanner_semgrep.py +0 -0
- {kekkai_cli-1.0.5 → kekkai_cli-1.1.0}/tests/test_scanner_trivy.py +0 -0
- {kekkai_cli-1.0.5 → kekkai_cli-1.1.0}/tests/test_scanner_zap.py +0 -0
- {kekkai_cli-1.0.5 → kekkai_cli-1.1.0}/tests/test_slsa_provenance.py +0 -0
- {kekkai_cli-1.0.5 → kekkai_cli-1.1.0}/tests/test_threatflow_chunking.py +0 -0
- {kekkai_cli-1.0.5 → kekkai_cli-1.1.0}/tests/test_threatflow_model_adapter.py +0 -0
- {kekkai_cli-1.0.5 → kekkai_cli-1.1.0}/tests/test_threatflow_prompts.py +0 -0
- {kekkai_cli-1.0.5 → kekkai_cli-1.1.0}/tests/test_threatflow_redaction.py +0 -0
- {kekkai_cli-1.0.5 → kekkai_cli-1.1.0}/tests/test_threatflow_sanitizer.py +0 -0
- {kekkai_cli-1.0.5 → kekkai_cli-1.1.0}/tests/test_triage_audit.py +0 -0
- {kekkai_cli-1.0.5 → kekkai_cli-1.1.0}/tests/test_triage_ignore.py +0 -0
- {kekkai_cli-1.0.5 → kekkai_cli-1.1.0}/tests/test_triage_models.py +0 -0
- {kekkai_cli-1.0.5 → kekkai_cli-1.1.0}/tests/test_url_policy.py +0 -0
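--- a/kekkai_cli-1.1.0/PKG-INFO
+++ b/kekkai_cli-1.1.0/PKG-INFO
@@ -0,0 +1,359 @@
+Metadata-Version: 2.4
+Name: kekkai-cli
+Version: 1.1.0
+Summary: Kekkai monorepo (local-first AppSec orchestration + compliance checker)
+Requires-Python: >=3.12
+Description-Content-Type: text/markdown
+Requires-Dist: rich>=13.0.0
+Requires-Dist: jsonschema>=4.20.0
+Requires-Dist: textual>=0.50.0
+Requires-Dist: httpx>=0.24.0
+
+<p align="center">
+<img src="https://raw.githubusercontent.com/kademoslabs/assets/main/logos/kekkai-slim.png" alt="Kekkai CLI Logo" width="250"/>
+</p>
+
+<p align="center"><strong>Security orchestration at developer speed.</strong></p>
+<p align="center"><i>One tool for the entire AppSec lifecycle: Predict, Detect, Triage, Manage.</i></p>
+
+<p align="center">
+<img src="https://img.shields.io/github/actions/workflow/status/kademoslabs/kekkai/docker-publish.yml?logo=github"/>
+<img src="https://img.shields.io/circleci/build/github/kademoslabs/kekkai?logo=circleci"/>
+<img src="https://img.shields.io/pypi/v/kekkai-cli?pypiBaseUrl=https%3A%2F%2Fpypi.org&logo=pypi"/>
+</p>
+
+---
+
+# Kekkai
+
+Stop juggling security tools. **Kekkai orchestrates your entire AppSec lifecycle** — from AI-powered threat modeling to vulnerability management — in a single CLI.
+
+
+
+---
+
+## The Five Pillars
+
+| Pillar | Feature | Command | Description |
+|--------|---------|---------|-------------|
+| 🔮 **Predict** | AI Threat Modeling | `kekkai threatflow` | Generate STRIDE threat models before writing code |
+| 🔍 **Detect** | Unified Scanning | `kekkai scan` | Run Trivy, Semgrep, Gitleaks in isolated containers |
+| ✅ **Triage** | Interactive Review | `kekkai triage` | Review findings in a terminal UI, mark false positives |
+| 🚦 **Gate** | CI/CD Policy | `kekkai scan --ci` | Break builds on severity thresholds |
+| 📊 **Manage** | DefectDojo | `kekkai dojo up` | Spin up vulnerability management in 60 seconds |
+
+---
+
+## Quick Start (60 Seconds)
+
+### 1. Install
+
+```bash
+pipx install kekkai-cli
+```
+
+### 2. Predict (Threat Model)
+
+```bash
+kekkai threatflow --repo . --model-mode local
+# Generates THREATS.md with STRIDE analysis and Data Flow Diagram
+```
+
+### 3. Detect (Scan)
+
+```bash
+kekkai scan
+# Runs Trivy (CVEs), Semgrep (code), Gitleaks (secrets)
+# Outputs unified kekkai-report.json
+```
+
+### 4. Triage (Review)
+
+```bash
+kekkai triage
+# Interactive TUI to accept, reject, or ignore findings
+```
+
+### 5. Manage (DefectDojo)
+
+```bash
+kekkai dojo up --wait
+kekkai upload
+# Full vulnerability management platform + automated import
+```
+
+---
+
+## Why Kekkai?
+
+| Capability | Manual Approach | Kekkai |
+|------------|-----------------|--------|
+| **Tooling** | Install/update 5+ tools individually | One binary, auto-pulls scanner containers |
+| **Output** | Parse 5 different JSON formats | Unified `kekkai-report.json` |
+| **Threat Modeling** | Expensive consultants or whiteboarding | AI-generated `THREATS.md` locally |
+| **DefectDojo** | 200-line docker-compose + debugging | `kekkai dojo up` (one command) |
+| **Triage** | Read JSON files manually | Interactive terminal UI |
+| **CI/CD** | Complex bash scripts | `kekkai scan --ci --fail-on high` |
+| **PR Feedback** | Manual security review comments | Auto-comments on GitHub PRs |
+
+---
+
+## Feature Deep Dives
+
+### 🔮 ThreatFlow — AI-Powered Threat Modeling
+
+Generate STRIDE-aligned threat models and Mermaid.js Data Flow Diagrams from your codebase.
+
+```bash
+# Ollama (recommended - easy setup, privacy-preserving)
+ollama pull mistral
+kekkai threatflow --repo . --model-mode ollama --model-name mistral
+
+# Local GGUF model (requires llama-cpp-python)
+kekkai threatflow --repo . --model-mode local --model-path ./mistral-7b.gguf
+
+# Remote API (faster, requires API key)
+export KEKKAI_THREATFLOW_API_KEY="sk-..."
+kekkai threatflow --repo . --model-mode openai
+```
+
+**Output:** `THREATS.md` containing:
+- Attack surface analysis
+- STRIDE threat classification
+- Mermaid.js architecture diagram
+- Recommended mitigations
+
+[Full ThreatFlow Documentation →](docs/threatflow/README.md)
+
+---
+
+### 🔍 Unified Scanning
+
+Run industry-standard scanners without installing them individually. Each scanner runs in an isolated Docker container with security hardening.
+
+```bash
+kekkai scan # Scan current directory
+kekkai scan --repo /path/to/project # Scan specific path
+kekkai scan --output results.json # Custom output path
+```
+
+**Scanners Included:**
+| Scanner | Finds | Image |
+|---------|-------|-------|
+| Trivy | CVEs in dependencies | `aquasec/trivy:latest` |
+| Semgrep | Code vulnerabilities | `semgrep/semgrep:latest` |
+| Gitleaks | Hardcoded secrets | `zricethezav/gitleaks:latest` |
+
+**Container Security:**
+- Read-only filesystem
+- No network access
+- Memory limited (2GB)
+- No privilege escalation
+
+---
+
+### ✅ Interactive Triage TUI
+
+Stop reading JSON. Review security findings in your terminal.
+
+```bash
+kekkai triage
+```
+
+**Features:**
+- Navigate findings with keyboard
+- Mark as: Accept, Reject, False Positive, Ignore
+- Filter by severity, scanner, or status
+- Persist decisions in `.kekkai-ignore`
+- Export triaged results
+
+<!-- Screenshot placeholder:  -->
+
+[Full Triage Documentation →](docs/triage/README.md)
+
+---
+
+### 🚦 CI/CD Policy Gate
+
+Automate security enforcement in your pipelines.
+
+```bash
+# Fail on any critical or high findings
+kekkai scan --ci --fail-on high
+
+# Fail only on critical
+kekkai scan --ci --fail-on critical
+
+# Custom threshold: fail on 5+ medium findings
+kekkai scan --ci --fail-on medium --max-findings 5
+```
+
+**Exit Codes:**
+| Code | Meaning |
+|------|---------|
+| 0 | No findings above threshold |
+| 1 | Findings exceed threshold |
+| 2 | Scanner error |
+
+**GitHub Actions Example:**
+
+```yaml
+- name: Security Scan
+run: |
+pipx install kekkai-cli
+kekkai scan --ci --fail-on high
+```
+
+[Full CI Documentation →](docs/ci/ci-mode.md)
+
+---
+
+### 📊 DefectDojo Integration
+
+Spin up a complete vulnerability management platform locally.
+
+```bash
+kekkai dojo up --wait # Start DefectDojo (Nginx, Postgres, Redis, Celery)
+kekkai dojo status # Check service health
+kekkai upload # Import scan results
+kekkai dojo down # Stop and clean up (removes volumes)
+```
+
+**What You Get:**
+- DefectDojo web UI at `http://localhost:8080`
+- Automatic credential generation
+- Pre-configured for Kekkai imports
+- Clean teardown (no orphaned volumes)
+
+[Full Dojo Documentation →](docs/dojo/dojo.md)
+
+---
+
+### 🔔 GitHub PR Comments
+
+Get security feedback directly in pull requests.
+
+```bash
+export GITHUB_TOKEN="ghp_..."
+kekkai scan --github-comment
+```
+
+Kekkai will:
+1. Run all scanners
+2. Post findings as PR review comments
+3. Annotate specific lines with inline comments
+
+---
+
+## Installation
+
+### pipx (Recommended)
+
+Isolated environment, no conflicts with system Python.
+
+```bash
+pipx install kekkai-cli
+```
+
+### Homebrew (macOS/Linux)
+
+```bash
+brew install kademoslabs/tap/kekkai
+```
+
+### Scoop (Windows)
+
+```bash
+scoop bucket add kademoslabs https://github.com/kademoslabs/scoop-bucket
+scoop install kekkai
+```
+
+### Docker (No Python Required)
+
+```bash
+docker pull kademoslabs/kekkai:latest
+alias kekkai='docker run --rm -v "$(pwd):/repo" kademoslabs/kekkai:latest'
+```
+
+### pip (Traditional)
+
+```bash
+pip install kekkai-cli
+```
+
+---
+
+## Enterprise Features — Kekkai Portal
+
+For teams that need centralized management, **Kekkai Portal** provides:
+
+| Feature | Description |
+|---------|-------------|
+| **SAML 2.0 SSO** | Integrate with Okta, Azure AD, Google Workspace ([Setup Guide](docs/portal/saml-setup.md)) |
+| **Role-Based Access Control** | Fine-grained permissions per team/project ([RBAC Guide](docs/portal/rbac.md)) |
+| **Multi-Tenant Architecture** | Isolated environments per organization ([Architecture](docs/portal/multi-tenant.md)) |
+| **Aggregated Dashboards** | Centralized view of all CLI scan results |
+| **Audit Logging** | Cryptographically signed compliance trails |
+
+**Upgrade Path:**
+- CLI users can sync results to Portal: `kekkai upload` ([Sync Guide](docs/portal/cli-sync.md))
+- Portal provides dashboards for security managers
+- Self-hosted or Kademos-managed options ([Deployment Guide](docs/portal/deployment.md))
+
+[Contact us for Portal access →](mailto:sales@kademos.org)
+
+---
+
+## Security
+
+Kekkai is designed with security as a core principle:
+
+- **Container Isolation**: Scanners run in hardened Docker containers
+- **No Network Access**: Containers cannot reach external networks
+- **Local-First AI**: ThreatFlow can run entirely on your machine
+- **SLSA Level 3**: Release artifacts include provenance attestations
+- **Signed Images**: Docker images are Cosign-signed
+
+For vulnerability reports, see [SECURITY.md](SECURITY.md).
+
+---
+
+## Documentation
+
+| Guide | Description |
+|-------|-------------|
+| [Installation](docs/README.md#installation-methods) | All installation methods |
+| [ThreatFlow](docs/threatflow/README.md) | AI threat modeling setup |
+| [Dojo Quick Start](docs/dojo/dojo-quickstart.md) | DefectDojo in 5 minutes |
+| [CI Mode](docs/ci/ci-mode.md) | Pipeline integration |
+| [Portal](docs/portal/README.md) | Enterprise features overview |
+| [Portal SSO](docs/portal/saml-setup.md) | SAML 2.0 SSO configuration |
+| [Portal RBAC](docs/portal/rbac.md) | Role-based access control |
+| [Portal Deployment](docs/portal/deployment.md) | Self-hosted deployment |
+| [Security](docs/security/slsa-provenance.md) | SLSA provenance verification |
+
+---
+
+## CI/CD Status
+
+[](https://github.com/kademoslabs/kekkai/actions/workflows/kekkai-pr-scan.yml)
+[](https://github.com/kademoslabs/kekkai/actions/workflows/docker-publish.yml)
+[](https://github.com/kademoslabs/kekkai/actions/workflows/docker-security-scan.yml)
+[](https://github.com/kademoslabs/kekkai/actions/workflows/test-cross-platform.yml)
+[](https://github.com/kademoslabs/kekkai/actions/workflows/release-slsa.yml)
+
+---
+
+## Contributing
+
+We welcome contributions! See [CONTRIBUTING.md](CONTRIBUTING.md) for guidelines.
+
+---
+
+## License
+
+Apache-2.0 — See [LICENSE](LICENSE) for details.
+
+---
+
+<p align="center"><i>Built by <a href="https://kademos.org">Kademos Labs</a></i></p>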
@@ -0,0 +1,348 @@
|
|
|
1
|
+
<p align="center">
|
|
2
|
+
<img src="https://raw.githubusercontent.com/kademoslabs/assets/main/logos/kekkai-slim.png" alt="Kekkai CLI Logo" width="250"/>
|
|
3
|
+
</p>
|
|
4
|
+
|
|
5
|
+
<p align="center"><strong>Security orchestration at developer speed.</strong></p>
|
|
6
|
+
<p align="center"><i>One tool for the entire AppSec lifecycle: Predict, Detect, Triage, Manage.</i></p>
|
|
7
|
+
|
|
8
|
+
<p align="center">
|
|
9
|
+
<img src="https://img.shields.io/github/actions/workflow/status/kademoslabs/kekkai/docker-publish.yml?logo=github"/>
|
|
10
|
+
<img src="https://img.shields.io/circleci/build/github/kademoslabs/kekkai?logo=circleci"/>
|
|
11
|
+
<img src="https://img.shields.io/pypi/v/kekkai-cli?pypiBaseUrl=https%3A%2F%2Fpypi.org&logo=pypi"/>
|
|
12
|
+
</p>
|
|
13
|
+
|
|
14
|
+
---
|
|
15
|
+
|
|
16
|
+
# Kekkai
|
|
17
|
+
|
|
18
|
+
Stop juggling security tools. **Kekkai orchestrates your entire AppSec lifecycle** — from AI-powered threat modeling to vulnerability management — in a single CLI.
|
|
19
|
+
|
|
20
|
+

|
|
21
|
+
|
|
22
|
+
---
|
|
23
|
+
|
|
24
|
+
## The Five Pillars
|
|
25
|
+
|
|
26
|
+
| Pillar | Feature | Command | Description |
|
|
27
|
+
|--------|---------|---------|-------------|
|
|
28
|
+
| 🔮 **Predict** | AI Threat Modeling | `kekkai threatflow` | Generate STRIDE threat models before writing code |
|
|
29
|
+
| 🔍 **Detect** | Unified Scanning | `kekkai scan` | Run Trivy, Semgrep, Gitleaks in isolated containers |
|
|
30
|
+
| ✅ **Triage** | Interactive Review | `kekkai triage` | Review findings in a terminal UI, mark false positives |
|
|
31
|
+
| 🚦 **Gate** | CI/CD Policy | `kekkai scan --ci` | Break builds on severity thresholds |
|
|
32
|
+
| 📊 **Manage** | DefectDojo | `kekkai dojo up` | Spin up vulnerability management in 60 seconds |
|
|
33
|
+
|
|
34
|
+
---
|
|
35
|
+
|
|
36
|
+
## Quick Start (60 Seconds)
|
|
37
|
+
|
|
38
|
+
### 1. Install
|
|
39
|
+
|
|
40
|
+
```bash
|
|
41
|
+
pipx install kekkai-cli
|
|
42
|
+
```
|
|
43
|
+
|
|
44
|
+
### 2. Predict (Threat Model)
|
|
45
|
+
|
|
46
|
+
```bash
|
|
47
|
+
kekkai threatflow --repo . --model-mode local
|
|
48
|
+
# Generates THREATS.md with STRIDE analysis and Data Flow Diagram
|
|
49
|
+
```
|
|
50
|
+
|
|
51
|
+
### 3. Detect (Scan)
|
|
52
|
+
|
|
53
|
+
```bash
|
|
54
|
+
kekkai scan
|
|
55
|
+
# Runs Trivy (CVEs), Semgrep (code), Gitleaks (secrets)
|
|
56
|
+
# Outputs unified kekkai-report.json
|
|
57
|
+
```
|
|
58
|
+
|
|
59
|
+
### 4. Triage (Review)
|
|
60
|
+
|
|
61
|
+
```bash
|
|
62
|
+
kekkai triage
|
|
63
|
+
# Interactive TUI to accept, reject, or ignore findings
|
|
64
|
+
```
|
|
65
|
+
|
|
66
|
+
### 5. Manage (DefectDojo)
|
|
67
|
+
|
|
68
|
+
```bash
|
|
69
|
+
kekkai dojo up --wait
|
|
70
|
+
kekkai upload
|
|
71
|
+
# Full vulnerability management platform + automated import
|
|
72
|
+
```
|
|
73
|
+
|
|
74
|
+
---
|
|
75
|
+
|
|
76
|
+
## Why Kekkai?
|
|
77
|
+
|
|
78
|
+
| Capability | Manual Approach | Kekkai |
|
|
79
|
+
|------------|-----------------|--------|
|
|
80
|
+
| **Tooling** | Install/update 5+ tools individually | One binary, auto-pulls scanner containers |
|
|
81
|
+
| **Output** | Parse 5 different JSON formats | Unified `kekkai-report.json` |
|
|
82
|
+
| **Threat Modeling** | Expensive consultants or whiteboarding | AI-generated `THREATS.md` locally |
|
|
83
|
+
| **DefectDojo** | 200-line docker-compose + debugging | `kekkai dojo up` (one command) |
|
|
84
|
+
| **Triage** | Read JSON files manually | Interactive terminal UI |
|
|
85
|
+
| **CI/CD** | Complex bash scripts | `kekkai scan --ci --fail-on high` |
|
|
86
|
+
| **PR Feedback** | Manual security review comments | Auto-comments on GitHub PRs |
|
|
87
|
+
|
|
88
|
+
---
|
|
89
|
+
|
|
90
|
+
## Feature Deep Dives
|
|
91
|
+
|
|
92
|
+
### 🔮 ThreatFlow — AI-Powered Threat Modeling
|
|
93
|
+
|
|
94
|
+
Generate STRIDE-aligned threat models and Mermaid.js Data Flow Diagrams from your codebase.
|
|
95
|
+
|
|
96
|
+
```bash
|
|
97
|
+
# Ollama (recommended - easy setup, privacy-preserving)
|
|
98
|
+
ollama pull mistral
|
|
99
|
+
kekkai threatflow --repo . --model-mode ollama --model-name mistral
|
|
100
|
+
|
|
101
|
+
# Local GGUF model (requires llama-cpp-python)
|
|
102
|
+
kekkai threatflow --repo . --model-mode local --model-path ./mistral-7b.gguf
|
|
103
|
+
|
|
104
|
+
# Remote API (faster, requires API key)
|
|
105
|
+
export KEKKAI_THREATFLOW_API_KEY="sk-..."
|
|
106
|
+
kekkai threatflow --repo . --model-mode openai
|
|
107
|
+
```
|
|
108
|
+
|
|
109
|
+
**Output:** `THREATS.md` containing:
|
|
110
|
+
- Attack surface analysis
|
|
111
|
+
- STRIDE threat classification
|
|
112
|
+
- Mermaid.js architecture diagram
|
|
113
|
+
- Recommended mitigations
|
|
114
|
+
|
|
115
|
+
[Full ThreatFlow Documentation →](docs/threatflow/README.md)
|
|
116
|
+
|
|
117
|
+
---
|
|
118
|
+
|
|
119
|
+
### 🔍 Unified Scanning
|
|
120
|
+
|
|
121
|
+
Run industry-standard scanners without installing them individually. Each scanner runs in an isolated Docker container with security hardening.
|
|
122
|
+
|
|
123
|
+
```bash
|
|
124
|
+
kekkai scan # Scan current directory
|
|
125
|
+
kekkai scan --repo /path/to/project # Scan specific path
|
|
126
|
+
kekkai scan --output results.json # Custom output path
|
|
127
|
+
```
|
|
128
|
+
|
|
129
|
+
**Scanners Included:**
|
|
130
|
+
| Scanner | Finds | Image |
|
|
131
|
+
|---------|-------|-------|
|
|
132
|
+
| Trivy | CVEs in dependencies | `aquasec/trivy:latest` |
|
|
133
|
+
| Semgrep | Code vulnerabilities | `semgrep/semgrep:latest` |
|
|
134
|
+
| Gitleaks | Hardcoded secrets | `zricethezav/gitleaks:latest` |
|
|
135
|
+
|
|
136
|
+
**Container Security:**
|
|
137
|
+
- Read-only filesystem
|
|
138
|
+
- No network access
|
|
139
|
+
- Memory limited (2GB)
|
|
140
|
+
- No privilege escalation
|
|
141
|
+
|
|
142
|
+
---
|
|
143
|
+
|
|
144
|
+
### ✅ Interactive Triage TUI
|
|
145
|
+
|
|
146
|
+
Stop reading JSON. Review security findings in your terminal.
|
|
147
|
+
|
|
148
|
+
```bash
|
|
149
|
+
kekkai triage
|
|
150
|
+
```
|
|
151
|
+
|
|
152
|
+
**Features:**
|
|
153
|
+
- Navigate findings with keyboard
|
|
154
|
+
- Mark as: Accept, Reject, False Positive, Ignore
|
|
155
|
+
- Filter by severity, scanner, or status
|
|
156
|
+
- Persist decisions in `.kekkai-ignore`
|
|
157
|
+
- Export triaged results
|
|
158
|
+
|
|
159
|
+
<!-- Screenshot placeholder:  -->
|
|
160
|
+
|
|
161
|
+
[Full Triage Documentation →](docs/triage/README.md)
|
|
162
|
+
|
|
163
|
+
---
|
|
164
|
+
|
|
165
|
+
### 🚦 CI/CD Policy Gate
|
|
166
|
+
|
|
167
|
+
Automate security enforcement in your pipelines.
|
|
168
|
+
|
|
169
|
+
```bash
|
|
170
|
+
# Fail on any critical or high findings
|
|
171
|
+
kekkai scan --ci --fail-on high
|
|
172
|
+
|
|
173
|
+
# Fail only on critical
|
|
174
|
+
kekkai scan --ci --fail-on critical
|
|
175
|
+
|
|
176
|
+
# Custom threshold: fail on 5+ medium findings
|
|
177
|
+
kekkai scan --ci --fail-on medium --max-findings 5
|
|
178
|
+
```
|
|
179
|
+
|
|
180
|
+
**Exit Codes:**
|
|
181
|
+
| Code | Meaning |
|
|
182
|
+
|------|---------|
|
|
183
|
+
| 0 | No findings above threshold |
|
|
184
|
+
| 1 | Findings exceed threshold |
|
|
185
|
+
| 2 | Scanner error |
|
|
186
|
+
|
|
187
|
+
**GitHub Actions Example:**
|
|
188
|
+
|
|
189
|
+
```yaml
|
|
190
|
+
- name: Security Scan
|
|
191
|
+
run: |
|
|
192
|
+
pipx install kekkai-cli
|
|
193
|
+
kekkai scan --ci --fail-on high
|
|
194
|
+
```
|
|
195
|
+
|
|
196
|
+
[Full CI Documentation →](docs/ci/ci-mode.md)
|
|
197
|
+
|
|
198
|
+
---
|
|
199
|
+
|
|
200
|
+
### 📊 DefectDojo Integration
|
|
201
|
+
|
|
202
|
+
Spin up a complete vulnerability management platform locally.
|
|
203
|
+
|
|
204
|
+
```bash
|
|
205
|
+
kekkai dojo up --wait # Start DefectDojo (Nginx, Postgres, Redis, Celery)
|
|
206
|
+
kekkai dojo status # Check service health
|
|
207
|
+
kekkai upload # Import scan results
|
|
208
|
+
kekkai dojo down # Stop and clean up (removes volumes)
|
|
209
|
+
```
|
|
210
|
+
|
|
211
|
+
**What You Get:**
|
|
212
|
+
- DefectDojo web UI at `http://localhost:8080`
|
|
213
|
+
- Automatic credential generation
|
|
214
|
+
- Pre-configured for Kekkai imports
|
|
215
|
+
- Clean teardown (no orphaned volumes)
|
|
216
|
+
|
|
217
|
+
[Full Dojo Documentation →](docs/dojo/dojo.md)
|
|
218
|
+
|
|
219
|
+
---
|
|
220
|
+
|
|
221
|
+
### 🔔 GitHub PR Comments
|
|
222
|
+
|
|
223
|
+
Get security feedback directly in pull requests.
|
|
224
|
+
|
|
225
|
+
```bash
|
|
226
|
+
export GITHUB_TOKEN="ghp_..."
|
|
227
|
+
kekkai scan --github-comment
|
|
228
|
+
```
|
|
229
|
+
|
|
230
|
+
Kekkai will:
|
|
231
|
+
1. Run all scanners
|
|
232
|
+
2. Post findings as PR review comments
|
|
233
|
+
3. Annotate specific lines with inline comments
|
|
234
|
+
|
|
235
|
+
---
|
|
236
|
+
|
|
237
|
+
## Installation
|
|
238
|
+
|
|
239
|
+
### pipx (Recommended)
|
|
240
|
+
|
|
241
|
+
Isolated environment, no conflicts with system Python.
|
|
242
|
+
|
|
243
|
+
```bash
|
|
244
|
+
pipx install kekkai-cli
|
|
245
|
+
```
|
|
246
|
+
|
|
247
|
+
### Homebrew (macOS/Linux)
|
|
248
|
+
|
|
249
|
+
```bash
|
|
250
|
+
brew install kademoslabs/tap/kekkai
|
|
251
|
+
```
|
|
252
|
+
|
|
253
|
+
### Scoop (Windows)
|
|
254
|
+
|
|
255
|
+
```bash
|
|
256
|
+
scoop bucket add kademoslabs https://github.com/kademoslabs/scoop-bucket
|
|
257
|
+
scoop install kekkai
|
|
258
|
+
```
|
|
259
|
+
|
|
260
|
+
### Docker (No Python Required)
|
|
261
|
+
|
|
262
|
+
```bash
|
|
263
|
+
docker pull kademoslabs/kekkai:latest
|
|
264
|
+
alias kekkai='docker run --rm -v "$(pwd):/repo" kademoslabs/kekkai:latest'
|
|
265
|
+
```
|
|
266
|
+
|
|
267
|
+
### pip (Traditional)
|
|
268
|
+
|
|
269
|
+
```bash
|
|
270
|
+
pip install kekkai-cli
|
|
271
|
+
```
|
|
272
|
+
|
|
273
|
+
---
|
|
274
|
+
|
|
275
|
+
## Enterprise Features — Kekkai Portal
|
|
276
|
+
|
|
277
|
+
For teams that need centralized management, **Kekkai Portal** provides:
|
|
278
|
+
|
|
279
|
+
| Feature | Description |
|
|
280
|
+
|---------|-------------|
|
|
281
|
+
| **SAML 2.0 SSO** | Integrate with Okta, Azure AD, Google Workspace ([Setup Guide](docs/portal/saml-setup.md)) |
|
|
282
|
+
| **Role-Based Access Control** | Fine-grained permissions per team/project ([RBAC Guide](docs/portal/rbac.md)) |
|
|
283
|
+
| **Multi-Tenant Architecture** | Isolated environments per organization ([Architecture](docs/portal/multi-tenant.md)) |
|
|
284
|
+
| **Aggregated Dashboards** | Centralized view of all CLI scan results |
|
|
285
|
+
| **Audit Logging** | Cryptographically signed compliance trails |
|
|
286
|
+
|
|
287
|
+
**Upgrade Path:**
|
|
288
|
+
- CLI users can sync results to Portal: `kekkai upload` ([Sync Guide](docs/portal/cli-sync.md))
|
|
289
|
+
- Portal provides dashboards for security managers
|
|
290
|
+
- Self-hosted or Kademos-managed options ([Deployment Guide](docs/portal/deployment.md))
|
|
291
|
+
|
|
292
|
+
[Contact us for Portal access →](mailto:sales@kademos.org)
|
|
293
|
+
|
|
294
|
+
---
|
|
295
|
+
|
|
296
|
+
## Security
|
|
297
|
+
|
|
298
|
+
Kekkai is designed with security as a core principle:
|
|
299
|
+
|
|
300
|
+
- **Container Isolation**: Scanners run in hardened Docker containers
|
|
301
|
+
- **No Network Access**: Containers cannot reach external networks
|
|
302
|
+
- **Local-First AI**: ThreatFlow can run entirely on your machine
|
|
303
|
+
- **SLSA Level 3**: Release artifacts include provenance attestations
|
|
304
|
+
- **Signed Images**: Docker images are Cosign-signed
|
|
305
|
+
|
|
306
|
+
For vulnerability reports, see [SECURITY.md](SECURITY.md).
|
|
307
|
+
|
|
308
|
+
---
|
|
309
|
+
|
|
310
|
+
## Documentation
|
|
311
|
+
|
|
312
|
+
| Guide | Description |
|
|
313
|
+
|-------|-------------|
|
|
314
|
+
| [Installation](docs/README.md#installation-methods) | All installation methods |
|
|
315
|
+
| [ThreatFlow](docs/threatflow/README.md) | AI threat modeling setup |
|
|
316
|
+
| [Dojo Quick Start](docs/dojo/dojo-quickstart.md) | DefectDojo in 5 minutes |
|
|
317
|
+
| [CI Mode](docs/ci/ci-mode.md) | Pipeline integration |
|
|
318
|
+
| [Portal](docs/portal/README.md) | Enterprise features overview |
|
|
319
|
+
| [Portal SSO](docs/portal/saml-setup.md) | SAML 2.0 SSO configuration |
|
|
320
|
+
| [Portal RBAC](docs/portal/rbac.md) | Role-based access control |
|
|
321
|
+
| [Portal Deployment](docs/portal/deployment.md) | Self-hosted deployment |
|
|
322
|
+
| [Security](docs/security/slsa-provenance.md) | SLSA provenance verification |
|
|
323
|
+
|
|
324
|
+
---
|
|
325
|
+
|
|
326
|
+
## CI/CD Status
|
|
327
|
+
|
|
328
|
+
[](https://github.com/kademoslabs/kekkai/actions/workflows/kekkai-pr-scan.yml)
|
|
329
|
+
[](https://github.com/kademoslabs/kekkai/actions/workflows/docker-publish.yml)
|
|
330
|
+
[](https://github.com/kademoslabs/kekkai/actions/workflows/docker-security-scan.yml)
|
|
331
|
+
[](https://github.com/kademoslabs/kekkai/actions/workflows/test-cross-platform.yml)
|
|
332
|
+
[](https://github.com/kademoslabs/kekkai/actions/workflows/release-slsa.yml)
|
|
333
|
+
|
|
334
|
+
---
|
|
335
|
+
|
|
336
|
+
## Contributing
|
|
337
|
+
|
|
338
|
+
We welcome contributions! See [CONTRIBUTING.md](CONTRIBUTING.md) for guidelines.
|
|
339
|
+
|
|
340
|
+
---
|
|
341
|
+
|
|
342
|
+
## License
|
|
343
|
+
|
|
344
|
+
Apache-2.0 — See [LICENSE](LICENSE) for details.
|
|
345
|
+
|
|
346
|
+
---
|
|
347
|
+
|
|
348
|
+
<p align="center"><i>Built by <a href="https://kademos.org">Kademos Labs</a></i></p>
|