kekkai-cli 1.0.5__tar.gz → 1.1.1__tar.gz
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- kekkai_cli-1.1.1/PKG-INFO +379 -0
- kekkai_cli-1.1.1/README.md +368 -0
- {kekkai_cli-1.0.5 → kekkai_cli-1.1.1}/pyproject.toml +6 -3
- {kekkai_cli-1.0.5 → kekkai_cli-1.1.1}/src/kekkai/cli.py +789 -19
- kekkai_cli-1.1.1/src/kekkai/compliance/__init__.py +68 -0
- kekkai_cli-1.1.1/src/kekkai/compliance/hipaa.py +235 -0
- kekkai_cli-1.1.1/src/kekkai/compliance/mappings.py +136 -0
- kekkai_cli-1.1.1/src/kekkai/compliance/owasp.py +517 -0
- kekkai_cli-1.1.1/src/kekkai/compliance/owasp_agentic.py +267 -0
- kekkai_cli-1.1.1/src/kekkai/compliance/pci_dss.py +205 -0
- kekkai_cli-1.1.1/src/kekkai/compliance/soc2.py +209 -0
- {kekkai_cli-1.0.5 → kekkai_cli-1.1.1}/src/kekkai/dojo.py +91 -14
- {kekkai_cli-1.0.5 → kekkai_cli-1.1.1}/src/kekkai/dojo_import.py +9 -1
- kekkai_cli-1.1.1/src/kekkai/fix/__init__.py +47 -0
- kekkai_cli-1.1.1/src/kekkai/fix/audit.py +278 -0
- kekkai_cli-1.1.1/src/kekkai/fix/differ.py +427 -0
- kekkai_cli-1.1.1/src/kekkai/fix/engine.py +500 -0
- kekkai_cli-1.1.1/src/kekkai/fix/prompts.py +251 -0
- {kekkai_cli-1.0.5 → kekkai_cli-1.1.1}/src/kekkai/output.py +10 -12
- kekkai_cli-1.1.1/src/kekkai/report/__init__.py +41 -0
- kekkai_cli-1.1.1/src/kekkai/report/compliance_matrix.py +98 -0
- kekkai_cli-1.1.1/src/kekkai/report/generator.py +365 -0
- kekkai_cli-1.1.1/src/kekkai/report/html.py +69 -0
- kekkai_cli-1.1.1/src/kekkai/report/pdf.py +63 -0
- kekkai_cli-1.1.1/src/kekkai/report/unified.py +226 -0
- {kekkai_cli-1.0.5 → kekkai_cli-1.1.1}/src/kekkai/scanners/container.py +33 -3
- {kekkai_cli-1.0.5 → kekkai_cli-1.1.1}/src/kekkai/scanners/gitleaks.py +3 -1
- {kekkai_cli-1.0.5 → kekkai_cli-1.1.1}/src/kekkai/scanners/semgrep.py +1 -1
- {kekkai_cli-1.0.5 → kekkai_cli-1.1.1}/src/kekkai/scanners/trivy.py +1 -1
- {kekkai_cli-1.0.5 → kekkai_cli-1.1.1}/src/kekkai/threatflow/model_adapter.py +143 -1
- kekkai_cli-1.1.1/src/kekkai/triage/__init__.py +86 -0
- kekkai_cli-1.1.1/src/kekkai/triage/loader.py +196 -0
- kekkai_cli-1.1.1/src/kekkai_cli.egg-info/PKG-INFO +379 -0
- {kekkai_cli-1.0.5 → kekkai_cli-1.1.1}/src/kekkai_cli.egg-info/SOURCES.txt +25 -33
- {kekkai_cli-1.0.5 → kekkai_cli-1.1.1}/src/kekkai_cli.egg-info/entry_points.txt +0 -1
- {kekkai_cli-1.0.5 → kekkai_cli-1.1.1}/src/kekkai_cli.egg-info/top_level.txt +0 -1
- {kekkai_cli-1.0.5 → kekkai_cli-1.1.1}/tests/test_cli_output.py +55 -10
- kekkai_cli-1.1.1/tests/test_compliance.py +580 -0
- {kekkai_cli-1.0.5 → kekkai_cli-1.1.1}/tests/test_dojo_import.py +30 -0
- kekkai_cli-1.1.1/tests/test_fix_engine.py +416 -0
- {kekkai_cli-1.0.5 → kekkai_cli-1.1.1}/tests/test_kekkai_dojo.py +71 -1
- {kekkai_cli-1.0.5 → kekkai_cli-1.1.1}/tests/test_kekkai_dojo_cli.py +9 -3
- kekkai_cli-1.1.1/tests/test_report.py +393 -0
- {kekkai_cli-1.0.5 → kekkai_cli-1.1.1}/tests/test_scanner_container.py +40 -0
- kekkai_cli-1.1.1/tests/test_scanner_digest_defaults.py +83 -0
- kekkai_cli-1.1.1/tests/test_triage_loader.py +283 -0
- kekkai_cli-1.1.1/tests/test_unified_report.py +529 -0
- kekkai_cli-1.0.5/PKG-INFO +0 -135
- kekkai_cli-1.0.5/README.md +0 -124
- kekkai_cli-1.0.5/src/kekkai/triage/__init__.py +0 -33
- kekkai_cli-1.0.5/src/kekkai_cli.egg-info/PKG-INFO +0 -135
- kekkai_cli-1.0.5/src/portal/__init__.py +0 -19
- kekkai_cli-1.0.5/src/portal/api.py +0 -155
- kekkai_cli-1.0.5/src/portal/auth.py +0 -103
- kekkai_cli-1.0.5/src/portal/enterprise/__init__.py +0 -32
- kekkai_cli-1.0.5/src/portal/enterprise/audit.py +0 -435
- kekkai_cli-1.0.5/src/portal/enterprise/licensing.py +0 -342
- kekkai_cli-1.0.5/src/portal/enterprise/rbac.py +0 -276
- kekkai_cli-1.0.5/src/portal/enterprise/saml.py +0 -595
- kekkai_cli-1.0.5/src/portal/ops/__init__.py +0 -53
- kekkai_cli-1.0.5/src/portal/ops/backup.py +0 -553
- kekkai_cli-1.0.5/src/portal/ops/log_shipper.py +0 -469
- kekkai_cli-1.0.5/src/portal/ops/monitoring.py +0 -517
- kekkai_cli-1.0.5/src/portal/ops/restore.py +0 -469
- kekkai_cli-1.0.5/src/portal/ops/secrets.py +0 -408
- kekkai_cli-1.0.5/src/portal/ops/upgrade.py +0 -591
- kekkai_cli-1.0.5/src/portal/tenants.py +0 -340
- kekkai_cli-1.0.5/src/portal/uploads.py +0 -259
- kekkai_cli-1.0.5/src/portal/web.py +0 -384
- kekkai_cli-1.0.5/tests/test_enterprise_audit.py +0 -288
- kekkai_cli-1.0.5/tests/test_enterprise_licensing.py +0 -314
- kekkai_cli-1.0.5/tests/test_enterprise_rbac.py +0 -224
- kekkai_cli-1.0.5/tests/test_enterprise_saml.py +0 -326
- kekkai_cli-1.0.5/tests/test_ops_backup.py +0 -318
- kekkai_cli-1.0.5/tests/test_ops_log_shipper.py +0 -366
- kekkai_cli-1.0.5/tests/test_ops_monitoring.py +0 -379
- kekkai_cli-1.0.5/tests/test_ops_restore.py +0 -299
- kekkai_cli-1.0.5/tests/test_ops_secrets.py +0 -331
- kekkai_cli-1.0.5/tests/test_ops_upgrade.py +0 -418
- kekkai_cli-1.0.5/tests/test_portal_api.py +0 -157
- kekkai_cli-1.0.5/tests/test_portal_auth.py +0 -226
- kekkai_cli-1.0.5/tests/test_portal_tenants.py +0 -347
- kekkai_cli-1.0.5/tests/test_portal_uploads.py +0 -378
- kekkai_cli-1.0.5/tests/test_portal_web.py +0 -386
- {kekkai_cli-1.0.5 → kekkai_cli-1.1.1}/setup.cfg +0 -0
- {kekkai_cli-1.0.5 → kekkai_cli-1.1.1}/src/kekkai/__init__.py +0 -0
- {kekkai_cli-1.0.5 → kekkai_cli-1.1.1}/src/kekkai/config.py +0 -0
- {kekkai_cli-1.0.5 → kekkai_cli-1.1.1}/src/kekkai/github/__init__.py +0 -0
- {kekkai_cli-1.0.5 → kekkai_cli-1.1.1}/src/kekkai/github/commenter.py +0 -0
- {kekkai_cli-1.0.5 → kekkai_cli-1.1.1}/src/kekkai/github/models.py +0 -0
- {kekkai_cli-1.0.5 → kekkai_cli-1.1.1}/src/kekkai/github/sanitizer.py +0 -0
- {kekkai_cli-1.0.5 → kekkai_cli-1.1.1}/src/kekkai/installer/__init__.py +0 -0
- {kekkai_cli-1.0.5 → kekkai_cli-1.1.1}/src/kekkai/installer/errors.py +0 -0
- {kekkai_cli-1.0.5 → kekkai_cli-1.1.1}/src/kekkai/installer/extract.py +0 -0
- {kekkai_cli-1.0.5 → kekkai_cli-1.1.1}/src/kekkai/installer/manager.py +0 -0
- {kekkai_cli-1.0.5 → kekkai_cli-1.1.1}/src/kekkai/installer/manifest.py +0 -0
- {kekkai_cli-1.0.5 → kekkai_cli-1.1.1}/src/kekkai/installer/verify.py +0 -0
- {kekkai_cli-1.0.5 → kekkai_cli-1.1.1}/src/kekkai/manifest.py +0 -0
- {kekkai_cli-1.0.5 → kekkai_cli-1.1.1}/src/kekkai/paths.py +0 -0
- {kekkai_cli-1.0.5 → kekkai_cli-1.1.1}/src/kekkai/policy.py +0 -0
- {kekkai_cli-1.0.5 → kekkai_cli-1.1.1}/src/kekkai/runner.py +0 -0
- {kekkai_cli-1.0.5 → kekkai_cli-1.1.1}/src/kekkai/scanners/__init__.py +0 -0
- {kekkai_cli-1.0.5 → kekkai_cli-1.1.1}/src/kekkai/scanners/backends/__init__.py +0 -0
- {kekkai_cli-1.0.5 → kekkai_cli-1.1.1}/src/kekkai/scanners/backends/base.py +0 -0
- {kekkai_cli-1.0.5 → kekkai_cli-1.1.1}/src/kekkai/scanners/backends/docker.py +0 -0
- {kekkai_cli-1.0.5 → kekkai_cli-1.1.1}/src/kekkai/scanners/backends/native.py +0 -0
- {kekkai_cli-1.0.5 → kekkai_cli-1.1.1}/src/kekkai/scanners/base.py +0 -0
- {kekkai_cli-1.0.5 → kekkai_cli-1.1.1}/src/kekkai/scanners/falco.py +0 -0
- {kekkai_cli-1.0.5 → kekkai_cli-1.1.1}/src/kekkai/scanners/url_policy.py +0 -0
- {kekkai_cli-1.0.5 → kekkai_cli-1.1.1}/src/kekkai/scanners/zap.py +0 -0
- {kekkai_cli-1.0.5 → kekkai_cli-1.1.1}/src/kekkai/threatflow/__init__.py +0 -0
- {kekkai_cli-1.0.5 → kekkai_cli-1.1.1}/src/kekkai/threatflow/artifacts.py +0 -0
- {kekkai_cli-1.0.5 → kekkai_cli-1.1.1}/src/kekkai/threatflow/chunking.py +0 -0
- {kekkai_cli-1.0.5 → kekkai_cli-1.1.1}/src/kekkai/threatflow/core.py +0 -0
- {kekkai_cli-1.0.5 → kekkai_cli-1.1.1}/src/kekkai/threatflow/mermaid.py +0 -0
- {kekkai_cli-1.0.5 → kekkai_cli-1.1.1}/src/kekkai/threatflow/prompts.py +0 -0
- {kekkai_cli-1.0.5 → kekkai_cli-1.1.1}/src/kekkai/threatflow/redaction.py +0 -0
- {kekkai_cli-1.0.5 → kekkai_cli-1.1.1}/src/kekkai/threatflow/sanitizer.py +0 -0
- {kekkai_cli-1.0.5 → kekkai_cli-1.1.1}/src/kekkai/triage/app.py +0 -0
- {kekkai_cli-1.0.5 → kekkai_cli-1.1.1}/src/kekkai/triage/audit.py +0 -0
- {kekkai_cli-1.0.5 → kekkai_cli-1.1.1}/src/kekkai/triage/ignore.py +0 -0
- {kekkai_cli-1.0.5 → kekkai_cli-1.1.1}/src/kekkai/triage/models.py +0 -0
- {kekkai_cli-1.0.5 → kekkai_cli-1.1.1}/src/kekkai/triage/screens.py +0 -0
- {kekkai_cli-1.0.5 → kekkai_cli-1.1.1}/src/kekkai/triage/widgets.py +0 -0
- {kekkai_cli-1.0.5 → kekkai_cli-1.1.1}/src/kekkai_cli.egg-info/dependency_links.txt +0 -0
- {kekkai_cli-1.0.5 → kekkai_cli-1.1.1}/src/kekkai_cli.egg-info/requires.txt +0 -0
- {kekkai_cli-1.0.5 → kekkai_cli-1.1.1}/src/kekkai_core/__init__.py +0 -0
- {kekkai_cli-1.0.5 → kekkai_cli-1.1.1}/src/kekkai_core/ci/__init__.py +0 -0
- {kekkai_cli-1.0.5 → kekkai_cli-1.1.1}/src/kekkai_core/ci/benchmarks.py +0 -0
- {kekkai_cli-1.0.5 → kekkai_cli-1.1.1}/src/kekkai_core/ci/metadata.py +0 -0
- {kekkai_cli-1.0.5 → kekkai_cli-1.1.1}/src/kekkai_core/ci/validators.py +0 -0
- {kekkai_cli-1.0.5 → kekkai_cli-1.1.1}/src/kekkai_core/docker/__init__.py +0 -0
- {kekkai_cli-1.0.5 → kekkai_cli-1.1.1}/src/kekkai_core/docker/metadata.py +0 -0
- {kekkai_cli-1.0.5 → kekkai_cli-1.1.1}/src/kekkai_core/docker/sbom.py +0 -0
- {kekkai_cli-1.0.5 → kekkai_cli-1.1.1}/src/kekkai_core/docker/security.py +0 -0
- {kekkai_cli-1.0.5 → kekkai_cli-1.1.1}/src/kekkai_core/docker/signing.py +0 -0
- {kekkai_cli-1.0.5 → kekkai_cli-1.1.1}/src/kekkai_core/redaction.py +0 -0
- {kekkai_cli-1.0.5 → kekkai_cli-1.1.1}/src/kekkai_core/slsa/__init__.py +0 -0
- {kekkai_cli-1.0.5 → kekkai_cli-1.1.1}/src/kekkai_core/slsa/verify.py +0 -0
- {kekkai_cli-1.0.5 → kekkai_cli-1.1.1}/src/kekkai_core/windows/__init__.py +0 -0
- {kekkai_cli-1.0.5 → kekkai_cli-1.1.1}/src/kekkai_core/windows/chocolatey.py +0 -0
- {kekkai_cli-1.0.5 → kekkai_cli-1.1.1}/src/kekkai_core/windows/installer.py +0 -0
- {kekkai_cli-1.0.5 → kekkai_cli-1.1.1}/src/kekkai_core/windows/scoop.py +0 -0
- {kekkai_cli-1.0.5 → kekkai_cli-1.1.1}/src/kekkai_core/windows/validators.py +0 -0
- {kekkai_cli-1.0.5 → kekkai_cli-1.1.1}/tests/test_github_commenter_filter.py +0 -0
- {kekkai_cli-1.0.5 → kekkai_cli-1.1.1}/tests/test_github_commenter_format.py +0 -0
- {kekkai_cli-1.0.5 → kekkai_cli-1.1.1}/tests/test_github_commenter_limit.py +0 -0
- {kekkai_cli-1.0.5 → kekkai_cli-1.1.1}/tests/test_github_commenter_sanitize.py +0 -0
- {kekkai_cli-1.0.5 → kekkai_cli-1.1.1}/tests/test_installer_checksum.py +0 -0
- {kekkai_cli-1.0.5 → kekkai_cli-1.1.1}/tests/test_installer_extract.py +0 -0
- {kekkai_cli-1.0.5 → kekkai_cli-1.1.1}/tests/test_installer_manager.py +0 -0
- {kekkai_cli-1.0.5 → kekkai_cli-1.1.1}/tests/test_installer_manifest.py +0 -0
- {kekkai_cli-1.0.5 → kekkai_cli-1.1.1}/tests/test_installer_platform.py +0 -0
- {kekkai_cli-1.0.5 → kekkai_cli-1.1.1}/tests/test_kekkai_cli.py +0 -0
- {kekkai_cli-1.0.5 → kekkai_cli-1.1.1}/tests/test_kekkai_config.py +0 -0
- {kekkai_cli-1.0.5 → kekkai_cli-1.1.1}/tests/test_kekkai_manifest.py +0 -0
- {kekkai_cli-1.0.5 → kekkai_cli-1.1.1}/tests/test_kekkai_paths.py +0 -0
- {kekkai_cli-1.0.5 → kekkai_cli-1.1.1}/tests/test_kekkai_runner.py +0 -0
- {kekkai_cli-1.0.5 → kekkai_cli-1.1.1}/tests/test_mermaid.py +0 -0
- {kekkai_cli-1.0.5 → kekkai_cli-1.1.1}/tests/test_policy.py +0 -0
- {kekkai_cli-1.0.5 → kekkai_cli-1.1.1}/tests/test_redaction.py +0 -0
- {kekkai_cli-1.0.5 → kekkai_cli-1.1.1}/tests/test_scanner_backends.py +0 -0
- {kekkai_cli-1.0.5 → kekkai_cli-1.1.1}/tests/test_scanner_base.py +0 -0
- {kekkai_cli-1.0.5 → kekkai_cli-1.1.1}/tests/test_scanner_falco.py +0 -0
- {kekkai_cli-1.0.5 → kekkai_cli-1.1.1}/tests/test_scanner_gitleaks.py +0 -0
- {kekkai_cli-1.0.5 → kekkai_cli-1.1.1}/tests/test_scanner_native.py +0 -0
- {kekkai_cli-1.0.5 → kekkai_cli-1.1.1}/tests/test_scanner_semgrep.py +0 -0
- {kekkai_cli-1.0.5 → kekkai_cli-1.1.1}/tests/test_scanner_trivy.py +0 -0
- {kekkai_cli-1.0.5 → kekkai_cli-1.1.1}/tests/test_scanner_zap.py +0 -0
- {kekkai_cli-1.0.5 → kekkai_cli-1.1.1}/tests/test_slsa_provenance.py +0 -0
- {kekkai_cli-1.0.5 → kekkai_cli-1.1.1}/tests/test_threatflow_chunking.py +0 -0
- {kekkai_cli-1.0.5 → kekkai_cli-1.1.1}/tests/test_threatflow_model_adapter.py +0 -0
- {kekkai_cli-1.0.5 → kekkai_cli-1.1.1}/tests/test_threatflow_prompts.py +0 -0
- {kekkai_cli-1.0.5 → kekkai_cli-1.1.1}/tests/test_threatflow_redaction.py +0 -0
- {kekkai_cli-1.0.5 → kekkai_cli-1.1.1}/tests/test_threatflow_sanitizer.py +0 -0
- {kekkai_cli-1.0.5 → kekkai_cli-1.1.1}/tests/test_triage_audit.py +0 -0
- {kekkai_cli-1.0.5 → kekkai_cli-1.1.1}/tests/test_triage_ignore.py +0 -0
- {kekkai_cli-1.0.5 → kekkai_cli-1.1.1}/tests/test_triage_models.py +0 -0
- {kekkai_cli-1.0.5 → kekkai_cli-1.1.1}/tests/test_url_policy.py +0 -0
|
@@ -0,0 +1,379 @@
|
|
|
1
|
+
Metadata-Version: 2.4
|
|
2
|
+
Name: kekkai-cli
|
|
3
|
+
Version: 1.1.1
|
|
4
|
+
Summary: Kekkai monorepo (local-first AppSec orchestration + compliance checker)
|
|
5
|
+
Requires-Python: >=3.12
|
|
6
|
+
Description-Content-Type: text/markdown
|
|
7
|
+
Requires-Dist: rich>=13.0.0
|
|
8
|
+
Requires-Dist: jsonschema>=4.20.0
|
|
9
|
+
Requires-Dist: textual>=0.50.0
|
|
10
|
+
Requires-Dist: httpx>=0.24.0
|
|
11
|
+
|
|
12
|
+
<p align="center">
|
|
13
|
+
<img src="https://raw.githubusercontent.com/kademoslabs/assets/main/logos/kekkai-slim.png" alt="Kekkai CLI Logo" width="250"/>
|
|
14
|
+
</p>
|
|
15
|
+
|
|
16
|
+
<p align="center"><strong>Security orchestration at developer speed.</strong></p>
|
|
17
|
+
<p align="center"><i>One tool for the entire AppSec lifecycle: Predict, Detect, Triage, Manage.</i></p>
|
|
18
|
+
|
|
19
|
+
<p align="center">
|
|
20
|
+
<img src="https://img.shields.io/github/actions/workflow/status/kademoslabs/kekkai/docker-publish.yml?logo=github"/>
|
|
21
|
+
<img src="https://img.shields.io/circleci/build/github/kademoslabs/kekkai?logo=circleci"/>
|
|
22
|
+
<img src="https://img.shields.io/pypi/v/kekkai-cli?pypiBaseUrl=https%3A%2F%2Fpypi.org&logo=pypi"/>
|
|
23
|
+
</p>
|
|
24
|
+
|
|
25
|
+
---
|
|
26
|
+
|
|
27
|
+
# Kekkai
|
|
28
|
+
|
|
29
|
+
Stop juggling security tools. **Kekkai orchestrates your entire AppSec lifecycle** — from AI-powered threat modeling to vulnerability management — in a single CLI.
|
|
30
|
+
|
|
31
|
+
|
|
32
|
+
|
|
33
|
+
---
|
|
34
|
+
|
|
35
|
+
## The Five Pillars
|
|
36
|
+
|
|
37
|
+
| Pillar | Feature | Command | Description |
|
|
38
|
+
|--------|---------|---------|-------------|
|
|
39
|
+
| 🔮 **Predict** | AI Threat Modeling | `kekkai threatflow` | Generate STRIDE threat models before writing code |
|
|
40
|
+
| 🔍 **Detect** | Unified Scanning | `kekkai scan` | Run Trivy, Semgrep, Gitleaks in isolated containers |
|
|
41
|
+
| ✅ **Triage** | Interactive Review | `kekkai triage` | Review findings in a terminal UI, mark false positives |
|
|
42
|
+
| 🚦 **Gate** | CI/CD Policy | `kekkai scan --ci` | Break builds on severity thresholds |
|
|
43
|
+
| 📊 **Manage** | DefectDojo | `kekkai dojo up` | Spin up vulnerability management in 60 seconds |
|
|
44
|
+
|
|
45
|
+
---
|
|
46
|
+
|
|
47
|
+
## Quick Start (60 Seconds)
|
|
48
|
+
|
|
49
|
+
### 1. Install
|
|
50
|
+
|
|
51
|
+
```bash
|
|
52
|
+
pipx install kekkai-cli
|
|
53
|
+
```
|
|
54
|
+
|
|
55
|
+
### 2. Predict (Threat Model)
|
|
56
|
+
|
|
57
|
+
```bash
|
|
58
|
+
kekkai threatflow --repo . --model-mode local
|
|
59
|
+
# Generates THREATS.md with STRIDE analysis and Data Flow Diagram
|
|
60
|
+
```
|
|
61
|
+
|
|
62
|
+
### 3. Detect (Scan)
|
|
63
|
+
|
|
64
|
+
```bash
|
|
65
|
+
kekkai scan
|
|
66
|
+
# Runs Trivy (CVEs), Semgrep (code), Gitleaks (secrets)
|
|
67
|
+
# Outputs unified kekkai-report.json
|
|
68
|
+
```
|
|
69
|
+
|
|
70
|
+
### 4. Triage (Review)
|
|
71
|
+
|
|
72
|
+
```bash
|
|
73
|
+
kekkai triage
|
|
74
|
+
# Interactive TUI to accept, reject, or ignore findings
|
|
75
|
+
```
|
|
76
|
+
|
|
77
|
+
### 5. Manage (DefectDojo)
|
|
78
|
+
|
|
79
|
+
```bash
|
|
80
|
+
kekkai dojo up --wait
|
|
81
|
+
kekkai upload
|
|
82
|
+
# Full vulnerability management platform + automated import
|
|
83
|
+
```
|
|
84
|
+
|
|
85
|
+
---
|
|
86
|
+
|
|
87
|
+
## Why Kekkai?
|
|
88
|
+
|
|
89
|
+
| Capability | Manual Approach | Kekkai |
|
|
90
|
+
|------------|-----------------|--------|
|
|
91
|
+
| **Tooling** | Install/update 5+ tools individually | One binary, auto-pulls scanner containers |
|
|
92
|
+
| **Output** | Parse 5 different JSON formats | Unified `kekkai-report.json` |
|
|
93
|
+
| **Threat Modeling** | Expensive consultants or whiteboarding | AI-generated `THREATS.md` locally |
|
|
94
|
+
| **DefectDojo** | 200-line docker-compose + debugging | `kekkai dojo up` (one command) |
|
|
95
|
+
| **Triage** | Read JSON files manually | Interactive terminal UI |
|
|
96
|
+
| **CI/CD** | Complex bash scripts | `kekkai scan --ci --fail-on high` |
|
|
97
|
+
| **PR Feedback** | Manual security review comments | Auto-comments on GitHub PRs |
|
|
98
|
+
|
|
99
|
+
---
|
|
100
|
+
|
|
101
|
+
## Feature Deep Dives
|
|
102
|
+
|
|
103
|
+
### 🔮 ThreatFlow — AI-Powered Threat Modeling
|
|
104
|
+
|
|
105
|
+
Generate STRIDE-aligned threat models and Mermaid.js Data Flow Diagrams from your codebase.
|
|
106
|
+
|
|
107
|
+
|
|
108
|
+
|
|
109
|
+
```bash
|
|
110
|
+
# Ollama (recommended - easy setup, privacy-preserving)
|
|
111
|
+
ollama pull mistral
|
|
112
|
+
kekkai threatflow --repo . --model-mode ollama --model-name mistral
|
|
113
|
+
|
|
114
|
+
# Local GGUF model (requires llama-cpp-python)
|
|
115
|
+
kekkai threatflow --repo . --model-mode local --model-path ./mistral-7b.gguf
|
|
116
|
+
|
|
117
|
+
# Remote API (faster, requires API key)
|
|
118
|
+
export KEKKAI_THREATFLOW_API_KEY="sk-..."
|
|
119
|
+
kekkai threatflow --repo . --model-mode openai
|
|
120
|
+
```
|
|
121
|
+
|
|
122
|
+
**Output:** `THREATS.md` containing:
|
|
123
|
+
- Attack surface analysis
|
|
124
|
+
- STRIDE threat classification
|
|
125
|
+
- Mermaid.js architecture diagram
|
|
126
|
+
- Recommended mitigations
|
|
127
|
+
|
|
128
|
+
[Full ThreatFlow Documentation →](docs/threatflow/README.md)
|
|
129
|
+
|
|
130
|
+
---
|
|
131
|
+
|
|
132
|
+
### 🔍 Unified Scanning
|
|
133
|
+
|
|
134
|
+
Run industry-standard scanners without installing them individually. Each scanner runs in an isolated Docker container with security hardening.
|
|
135
|
+
|
|
136
|
+
```bash
|
|
137
|
+
kekkai scan # Scan current directory
|
|
138
|
+
kekkai scan --repo /path/to/project # Scan specific path
|
|
139
|
+
kekkai scan --output results.json # Custom output path
|
|
140
|
+
```
|
|
141
|
+
|
|
142
|
+
**Scanners Included:**
|
|
143
|
+
| Scanner | Finds | Image |
|
|
144
|
+
|---------|-------|-------|
|
|
145
|
+
| Trivy | CVEs in dependencies | `aquasec/trivy:latest` |
|
|
146
|
+
| Semgrep | Code vulnerabilities | `semgrep/semgrep:latest` |
|
|
147
|
+
| Gitleaks | Hardcoded secrets | `zricethezav/gitleaks:latest` |
|
|
148
|
+
|
|
149
|
+
**Container Security:**
|
|
150
|
+
- Read-only filesystem
|
|
151
|
+
- No network access
|
|
152
|
+
- Memory limited (2GB)
|
|
153
|
+
- No privilege escalation
|
|
154
|
+
|
|
155
|
+
---
|
|
156
|
+
|
|
157
|
+
### ✅ Interactive Triage TUI
|
|
158
|
+
|
|
159
|
+
Stop reading JSON. Review security findings in your terminal.
|
|
160
|
+
|
|
161
|
+
```bash
|
|
162
|
+
kekkai triage
|
|
163
|
+
```
|
|
164
|
+
|
|
165
|
+
**Features:**
|
|
166
|
+
- Navigate findings with keyboard
|
|
167
|
+
- Mark as: Accept, Reject, False Positive, Ignore
|
|
168
|
+
- Filter by severity, scanner, or status
|
|
169
|
+
- Persist decisions in `.kekkai-ignore`
|
|
170
|
+
- Export triaged results
|
|
171
|
+
|
|
172
|
+
<!-- Screenshot placeholder:  -->
|
|
173
|
+
|
|
174
|
+
[Full Triage Documentation →](docs/triage/README.md)
|
|
175
|
+
|
|
176
|
+
---
|
|
177
|
+
|
|
178
|
+
### 🚦 CI/CD Policy Gate
|
|
179
|
+
|
|
180
|
+
Automate security enforcement in your pipelines.
|
|
181
|
+
|
|
182
|
+
<p align="center">
|
|
183
|
+
<img src="https://raw.githubusercontent.com/kademoslabs/assets/main/screenshots/kekkai-scan.png" alt="Kekkai Scanning" width="650"/>
|
|
184
|
+
</p>
|
|
185
|
+
|
|
186
|
+
```bash
|
|
187
|
+
# Fail on any critical or high findings
|
|
188
|
+
kekkai scan --ci --fail-on high
|
|
189
|
+
|
|
190
|
+
# Fail only on critical
|
|
191
|
+
kekkai scan --ci --fail-on critical
|
|
192
|
+
|
|
193
|
+
# Custom threshold: fail on 5+ medium findings
|
|
194
|
+
kekkai scan --ci --fail-on medium --max-findings 5
|
|
195
|
+
```
|
|
196
|
+
|
|
197
|
+
**Exit Codes:**
|
|
198
|
+
| Code | Meaning |
|
|
199
|
+
|------|---------|
|
|
200
|
+
| 0 | No findings above threshold |
|
|
201
|
+
| 1 | Findings exceed threshold |
|
|
202
|
+
| 2 | Scanner error |
|
|
203
|
+
|
|
204
|
+
**GitHub Actions Example:**
|
|
205
|
+
|
|
206
|
+
```yaml
|
|
207
|
+
- name: Security Scan
|
|
208
|
+
run: |
|
|
209
|
+
pipx install kekkai-cli
|
|
210
|
+
kekkai scan --ci --fail-on high
|
|
211
|
+
```
|
|
212
|
+
|
|
213
|
+
[Full CI Documentation →](docs/ci/ci-mode.md)
|
|
214
|
+
|
|
215
|
+
---
|
|
216
|
+
|
|
217
|
+
### 📊 DefectDojo Integration
|
|
218
|
+
|
|
219
|
+
Spin up a complete vulnerability management platform locally.
|
|
220
|
+
|
|
221
|
+
<p align="center">
|
|
222
|
+
<img src="https://raw.githubusercontent.com/kademoslabs/assets/main/screenshots/kekkai-dojo.png" alt="Kekkai Dojo" width="650"/>
|
|
223
|
+
</p>
|
|
224
|
+
|
|
225
|
+
```bash
|
|
226
|
+
kekkai dojo up --wait # Start DefectDojo (Nginx, Postgres, Redis, Celery)
|
|
227
|
+
kekkai dojo status # Check service health
|
|
228
|
+
kekkai upload # Import scan results
|
|
229
|
+
kekkai dojo down # Stop and clean up (removes volumes)
|
|
230
|
+
```
|
|
231
|
+
|
|
232
|
+
**What You Get:**
|
|
233
|
+
- DefectDojo web UI at `http://localhost:8080`
|
|
234
|
+
- Automatic credential generation
|
|
235
|
+
- Pre-configured for Kekkai imports
|
|
236
|
+
- Clean teardown (no orphaned volumes)
|
|
237
|
+
|
|
238
|
+
<p align="center">
|
|
239
|
+
<img src="https://raw.githubusercontent.com/kademoslabs/assets/main/screenshots/Active-Engagements-kekkai-dojo.png" alt="Kekkai Dojo" width="850"/>
|
|
240
|
+
</p>
|
|
241
|
+
|
|
242
|
+
<p align="center">
|
|
243
|
+
<img src="https://raw.githubusercontent.com/kademoslabs/assets/main/screenshots/kekkai-dojo-dashboard-findings.png" alt="Kekkai Dojo" width="850"/>
|
|
244
|
+
</p
|
|
245
|
+
|
|
246
|
+
[Full Dojo Documentation →](docs/dojo/dojo.md)
|
|
247
|
+
|
|
248
|
+
---
|
|
249
|
+
|
|
250
|
+
### 🔔 GitHub PR Comments
|
|
251
|
+
|
|
252
|
+
Get security feedback directly in pull requests.
|
|
253
|
+
|
|
254
|
+
```bash
|
|
255
|
+
export GITHUB_TOKEN="ghp_..."
|
|
256
|
+
kekkai scan --github-comment
|
|
257
|
+
```
|
|
258
|
+
|
|
259
|
+
Kekkai will:
|
|
260
|
+
1. Run all scanners
|
|
261
|
+
2. Post findings as PR review comments
|
|
262
|
+
3. Annotate specific lines with inline comments
|
|
263
|
+
|
|
264
|
+
---
|
|
265
|
+
|
|
266
|
+
## Installation
|
|
267
|
+
|
|
268
|
+
### pipx (Recommended)
|
|
269
|
+
|
|
270
|
+
Isolated environment, no conflicts with system Python.
|
|
271
|
+
|
|
272
|
+
```bash
|
|
273
|
+
pipx install kekkai-cli
|
|
274
|
+
```
|
|
275
|
+
|
|
276
|
+
### Homebrew (macOS/Linux)
|
|
277
|
+
|
|
278
|
+
```bash
|
|
279
|
+
brew install kademoslabs/tap/kekkai
|
|
280
|
+
```
|
|
281
|
+
|
|
282
|
+
### Scoop (Windows)
|
|
283
|
+
|
|
284
|
+
```bash
|
|
285
|
+
scoop bucket add kademoslabs https://github.com/kademoslabs/scoop-bucket
|
|
286
|
+
scoop install kekkai
|
|
287
|
+
```
|
|
288
|
+
|
|
289
|
+
### Docker (No Python Required)
|
|
290
|
+
|
|
291
|
+
```bash
|
|
292
|
+
docker pull kademoslabs/kekkai:latest
|
|
293
|
+
alias kekkai='docker run --rm -v "$(pwd):/repo" kademoslabs/kekkai:latest'
|
|
294
|
+
```
|
|
295
|
+
|
|
296
|
+
### pip (Traditional)
|
|
297
|
+
|
|
298
|
+
```bash
|
|
299
|
+
pip install kekkai-cli
|
|
300
|
+
```
|
|
301
|
+
|
|
302
|
+
---
|
|
303
|
+
|
|
304
|
+
## Enterprise Features
|
|
305
|
+
|
|
306
|
+
For organizations that need advanced capabilities, **Kekkai Enterprise** provides:
|
|
307
|
+
|
|
308
|
+
| Feature | Description |
|
|
309
|
+
|---------|-------------|
|
|
310
|
+
| **Multi-Tenant Portal** | Web dashboard for managing multiple teams/projects ([Learn More](docs/portal/README.md)) |
|
|
311
|
+
| **SAML 2.0 SSO** | Integrate with Okta, Azure AD, Google Workspace |
|
|
312
|
+
| **Role-Based Access Control** | Fine-grained permissions per team/project |
|
|
313
|
+
| **Advanced Operations** | Automated backup/restore, monitoring, zero-downtime upgrades ([Learn More](docs/ops/README.md)) |
|
|
314
|
+
| **Compliance Reporting** | Map findings to OWASP, PCI-DSS, HIPAA, SOC 2 |
|
|
315
|
+
| **Audit Logging** | Cryptographically signed compliance trails |
|
|
316
|
+
|
|
317
|
+
**Architecture:**
|
|
318
|
+
- Open-source CLI remains fully functional standalone
|
|
319
|
+
- Enterprise features available in separate private repository for licensed customers
|
|
320
|
+
- Optional integration: CLI can sync results to enterprise portal
|
|
321
|
+
- Self-hosted or Kademos-managed deployment options
|
|
322
|
+
|
|
323
|
+
[Contact us for enterprise access →](mailto:sales@kademos.org)
|
|
324
|
+
|
|
325
|
+
---
|
|
326
|
+
|
|
327
|
+
## Security
|
|
328
|
+
|
|
329
|
+
Kekkai is designed with security as a core principle:
|
|
330
|
+
|
|
331
|
+
- **Container Isolation**: Scanners run in hardened Docker containers
|
|
332
|
+
- **No Network Access**: Containers cannot reach external networks
|
|
333
|
+
- **Local-First AI**: ThreatFlow can run entirely on your machine
|
|
334
|
+
- **SLSA Level 3**: Release artifacts include provenance attestations
|
|
335
|
+
- **Signed Images**: Docker images are Cosign-signed
|
|
336
|
+
|
|
337
|
+
For vulnerability reports, see [SECURITY.md](SECURITY.md).
|
|
338
|
+
|
|
339
|
+
---
|
|
340
|
+
|
|
341
|
+
## Documentation
|
|
342
|
+
|
|
343
|
+
| Guide | Description |
|
|
344
|
+
|-------|-------------|
|
|
345
|
+
| [Installation](docs/README.md#installation-methods) | All installation methods |
|
|
346
|
+
| [ThreatFlow](docs/threatflow/README.md) | AI threat modeling setup |
|
|
347
|
+
| [Dojo Quick Start](docs/dojo/dojo-quickstart.md) | DefectDojo in 5 minutes |
|
|
348
|
+
| [CI Mode](docs/ci/ci-mode.md) | Pipeline integration |
|
|
349
|
+
| [Portal](docs/portal/README.md) | Enterprise features overview |
|
|
350
|
+
| [Portal SSO](docs/portal/saml-setup.md) | SAML 2.0 SSO configuration |
|
|
351
|
+
| [Portal RBAC](docs/portal/rbac.md) | Role-based access control |
|
|
352
|
+
| [Portal Deployment](docs/portal/deployment.md) | Self-hosted deployment |
|
|
353
|
+
| [Security](docs/security/slsa-provenance.md) | SLSA provenance verification |
|
|
354
|
+
|
|
355
|
+
---
|
|
356
|
+
|
|
357
|
+
## CI/CD Status
|
|
358
|
+
|
|
359
|
+
[](https://github.com/kademoslabs/kekkai/actions/workflows/kekkai-pr-scan.yml)
|
|
360
|
+
[](https://github.com/kademoslabs/kekkai/actions/workflows/docker-publish.yml)
|
|
361
|
+
[](https://github.com/kademoslabs/kekkai/actions/workflows/docker-security-scan.yml)
|
|
362
|
+
[](https://github.com/kademoslabs/kekkai/actions/workflows/test-cross-platform.yml)
|
|
363
|
+
[](https://github.com/kademoslabs/kekkai/actions/workflows/release-slsa.yml)
|
|
364
|
+
|
|
365
|
+
---
|
|
366
|
+
|
|
367
|
+
## Contributing
|
|
368
|
+
|
|
369
|
+
We welcome contributions! See [CONTRIBUTING.md](CONTRIBUTING.md) for guidelines.
|
|
370
|
+
|
|
371
|
+
---
|
|
372
|
+
|
|
373
|
+
## License
|
|
374
|
+
|
|
375
|
+
Apache-2.0 — See [LICENSE](LICENSE) for details.
|
|
376
|
+
|
|
377
|
+
---
|
|
378
|
+
|
|
379
|
+
<p align="center"><i>Built by <a href="https://kademos.org">Kademos Labs</a></i></p>
|