PyPI - kekkai-cli - Versions diffs - 1.1.0__py3-none-any.whl → 2.0.0__py3-none-any.whl - Mend

kekkai-cli 1.1.0py3-none-any.whl → 2.0.0py3-none-any.whl

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (32) hide show

kekkai/cli.py +238 -36
kekkai/dojo_import.py +9 -1
kekkai/output.py +2 -3
kekkai/report/unified.py +226 -0
kekkai/triage/__init__.py +54 -1
kekkai/triage/fix_screen.py +232 -0
kekkai/triage/loader.py +196 -0
kekkai/triage/screens.py +1 -0
kekkai_cli-2.0.0.dist-info/METADATA +317 -0
{kekkai_cli-1.1.0.dist-info → kekkai_cli-2.0.0.dist-info}/RECORD +13 -28
{kekkai_cli-1.1.0.dist-info → kekkai_cli-2.0.0.dist-info}/entry_points.txt +0 -1
{kekkai_cli-1.1.0.dist-info → kekkai_cli-2.0.0.dist-info}/top_level.txt +0 -1
kekkai_cli-1.1.0.dist-info/METADATA +0 -359
portal/__init__.py +0 -19
portal/api.py +0 -155
portal/auth.py +0 -103
portal/enterprise/__init__.py +0 -45
portal/enterprise/audit.py +0 -435
portal/enterprise/licensing.py +0 -408
portal/enterprise/rbac.py +0 -276
portal/enterprise/saml.py +0 -595
portal/ops/__init__.py +0 -53
portal/ops/backup.py +0 -553
portal/ops/log_shipper.py +0 -469
portal/ops/monitoring.py +0 -517
portal/ops/restore.py +0 -469
portal/ops/secrets.py +0 -408
portal/ops/upgrade.py +0 -591
portal/tenants.py +0 -340
portal/uploads.py +0 -259
portal/web.py +0 -393
{kekkai_cli-1.1.0.dist-info → kekkai_cli-2.0.0.dist-info}/WHEEL +0 -0

kekkai_cli-1.1.0.dist-info/METADATA DELETED Viewed

@@ -1,359 +0,0 @@
-Metadata-Version: 2.4
-Name: kekkai-cli
-Version: 1.1.0
-Summary: Kekkai monorepo (local-first AppSec orchestration + compliance checker)
-Requires-Python: >=3.12
-Description-Content-Type: text/markdown
-Requires-Dist: rich>=13.0.0
-Requires-Dist: jsonschema>=4.20.0
-Requires-Dist: textual>=0.50.0
-Requires-Dist: httpx>=0.24.0
-<p align="center">
-  <img src="https://raw.githubusercontent.com/kademoslabs/assets/main/logos/kekkai-slim.png" alt="Kekkai CLI Logo" width="250"/>
-</p>
-<p align="center"><strong>Security orchestration at developer speed.</strong></p>
-<p align="center"><i>One tool for the entire AppSec lifecycle: Predict, Detect, Triage, Manage.</i></p>
-<p align="center">
-  <img src="https://img.shields.io/github/actions/workflow/status/kademoslabs/kekkai/docker-publish.yml?logo=github"/>
-  <img src="https://img.shields.io/circleci/build/github/kademoslabs/kekkai?logo=circleci"/>
-  <img src="https://img.shields.io/pypi/v/kekkai-cli?pypiBaseUrl=https%3A%2F%2Fpypi.org&logo=pypi"/>
-</p>
----
-# Kekkai
-Stop juggling security tools. **Kekkai orchestrates your entire AppSec lifecycle** — from AI-powered threat modeling to vulnerability management — in a single CLI.
-![Hero GIF](https://raw.githubusercontent.com/kademoslabs/assets/main/screenshots/kekkai-demo.gif)
----
-## The Five Pillars
-| Pillar | Feature | Command | Description |
-|--------|---------|---------|-------------|
-| 🔮 **Predict** | AI Threat Modeling | `kekkai threatflow` | Generate STRIDE threat models before writing code |
-| 🔍 **Detect** | Unified Scanning | `kekkai scan` | Run Trivy, Semgrep, Gitleaks in isolated containers |
-| ✅ **Triage** | Interactive Review | `kekkai triage` | Review findings in a terminal UI, mark false positives |
-| 🚦 **Gate** | CI/CD Policy | `kekkai scan --ci` | Break builds on severity thresholds |
-| 📊 **Manage** | DefectDojo | `kekkai dojo up` | Spin up vulnerability management in 60 seconds |
----
-## Quick Start (60 Seconds)
-### 1. Install
-```bash
-pipx install kekkai-cli
-```
-### 2. Predict (Threat Model)
-```bash
-kekkai threatflow --repo . --model-mode local
-# Generates THREATS.md with STRIDE analysis and Data Flow Diagram
-```
-### 3. Detect (Scan)
-```bash
-kekkai scan
-# Runs Trivy (CVEs), Semgrep (code), Gitleaks (secrets)
-# Outputs unified kekkai-report.json
-```
-### 4. Triage (Review)
-```bash
-kekkai triage
-# Interactive TUI to accept, reject, or ignore findings
-```
-### 5. Manage (DefectDojo)
-```bash
-kekkai dojo up --wait
-kekkai upload
-# Full vulnerability management platform + automated import
-```
----
-## Why Kekkai?
-| Capability | Manual Approach | Kekkai |
-|------------|-----------------|--------|
-| **Tooling** | Install/update 5+ tools individually | One binary, auto-pulls scanner containers |
-| **Output** | Parse 5 different JSON formats | Unified `kekkai-report.json` |
-| **Threat Modeling** | Expensive consultants or whiteboarding | AI-generated `THREATS.md` locally |
-| **DefectDojo** | 200-line docker-compose + debugging | `kekkai dojo up` (one command) |
-| **Triage** | Read JSON files manually | Interactive terminal UI |
-| **CI/CD** | Complex bash scripts | `kekkai scan --ci --fail-on high` |
-| **PR Feedback** | Manual security review comments | Auto-comments on GitHub PRs |
----
-## Feature Deep Dives
-### 🔮 ThreatFlow — AI-Powered Threat Modeling
-Generate STRIDE-aligned threat models and Mermaid.js Data Flow Diagrams from your codebase.
-```bash
-# Ollama (recommended - easy setup, privacy-preserving)
-ollama pull mistral
-kekkai threatflow --repo . --model-mode ollama --model-name mistral
-# Local GGUF model (requires llama-cpp-python)
-kekkai threatflow --repo . --model-mode local --model-path ./mistral-7b.gguf
-# Remote API (faster, requires API key)
-export KEKKAI_THREATFLOW_API_KEY="sk-..."
-kekkai threatflow --repo . --model-mode openai
-```
-**Output:** `THREATS.md` containing:
-- Attack surface analysis
-- STRIDE threat classification
-- Mermaid.js architecture diagram
-- Recommended mitigations
-[Full ThreatFlow Documentation →](docs/threatflow/README.md)
----
-### 🔍 Unified Scanning
-Run industry-standard scanners without installing them individually. Each scanner runs in an isolated Docker container with security hardening.
-```bash
-kekkai scan                          # Scan current directory
-kekkai scan --repo /path/to/project  # Scan specific path
-kekkai scan --output results.json    # Custom output path
-```
-**Scanners Included:**
-| Scanner | Finds | Image |
-|---------|-------|-------|
-| Trivy | CVEs in dependencies | `aquasec/trivy:latest` |
-| Semgrep | Code vulnerabilities | `semgrep/semgrep:latest` |
-| Gitleaks | Hardcoded secrets | `zricethezav/gitleaks:latest` |
-**Container Security:**
-- Read-only filesystem
-- No network access
-- Memory limited (2GB)
-- No privilege escalation
----
-### ✅ Interactive Triage TUI
-Stop reading JSON. Review security findings in your terminal.
-```bash
-kekkai triage
-```
-**Features:**
-- Navigate findings with keyboard
-- Mark as: Accept, Reject, False Positive, Ignore
-- Filter by severity, scanner, or status
-- Persist decisions in `.kekkai-ignore`
-- Export triaged results
-<!-- Screenshot placeholder: ![Triage TUI](https://raw.githubusercontent.com/kademoslabs/assets/main/screenshots/triage-tui.png) -->
-[Full Triage Documentation →](docs/triage/README.md)
----
-### 🚦 CI/CD Policy Gate
-Automate security enforcement in your pipelines.
-```bash
-# Fail on any critical or high findings
-kekkai scan --ci --fail-on high
-# Fail only on critical
-kekkai scan --ci --fail-on critical
-# Custom threshold: fail on 5+ medium findings
-kekkai scan --ci --fail-on medium --max-findings 5
-```
-**Exit Codes:**
-| Code | Meaning |
-|------|---------|
-| 0 | No findings above threshold |
-| 1 | Findings exceed threshold |
-| 2 | Scanner error |
-**GitHub Actions Example:**
-```yaml
-- name: Security Scan
-  run: |
-    pipx install kekkai-cli
-    kekkai scan --ci --fail-on high
-```
-[Full CI Documentation →](docs/ci/ci-mode.md)
----
-### 📊 DefectDojo Integration
-Spin up a complete vulnerability management platform locally.
-```bash
-kekkai dojo up --wait    # Start DefectDojo (Nginx, Postgres, Redis, Celery)
-kekkai dojo status       # Check service health
-kekkai upload            # Import scan results
-kekkai dojo down         # Stop and clean up (removes volumes)
-```
-**What You Get:**
-- DefectDojo web UI at `http://localhost:8080`
-- Automatic credential generation
-- Pre-configured for Kekkai imports
-- Clean teardown (no orphaned volumes)
-[Full Dojo Documentation →](docs/dojo/dojo.md)
----
-### 🔔 GitHub PR Comments
-Get security feedback directly in pull requests.
-```bash
-export GITHUB_TOKEN="ghp_..."
-kekkai scan --github-comment
-```
-Kekkai will:
-1. Run all scanners
-2. Post findings as PR review comments
-3. Annotate specific lines with inline comments
----
-## Installation
-### pipx (Recommended)
-Isolated environment, no conflicts with system Python.
-```bash
-pipx install kekkai-cli
-```
-### Homebrew (macOS/Linux)
-```bash
-brew install kademoslabs/tap/kekkai
-```
-### Scoop (Windows)
-```bash
-scoop bucket add kademoslabs https://github.com/kademoslabs/scoop-bucket
-scoop install kekkai
-```
-### Docker (No Python Required)
-```bash
-docker pull kademoslabs/kekkai:latest
-alias kekkai='docker run --rm -v "$(pwd):/repo" kademoslabs/kekkai:latest'
-```
-### pip (Traditional)
-```bash
-pip install kekkai-cli
-```
----
-## Enterprise Features — Kekkai Portal
-For teams that need centralized management, **Kekkai Portal** provides:
-| Feature | Description |
-|---------|-------------|
-| **SAML 2.0 SSO** | Integrate with Okta, Azure AD, Google Workspace ([Setup Guide](docs/portal/saml-setup.md)) |
-| **Role-Based Access Control** | Fine-grained permissions per team/project ([RBAC Guide](docs/portal/rbac.md)) |
-| **Multi-Tenant Architecture** | Isolated environments per organization ([Architecture](docs/portal/multi-tenant.md)) |
-| **Aggregated Dashboards** | Centralized view of all CLI scan results |
-| **Audit Logging** | Cryptographically signed compliance trails |
-**Upgrade Path:**
-- CLI users can sync results to Portal: `kekkai upload` ([Sync Guide](docs/portal/cli-sync.md))
-- Portal provides dashboards for security managers
-- Self-hosted or Kademos-managed options ([Deployment Guide](docs/portal/deployment.md))
-[Contact us for Portal access →](mailto:sales@kademos.org)
----
-## Security
-Kekkai is designed with security as a core principle:
-- **Container Isolation**: Scanners run in hardened Docker containers
-- **No Network Access**: Containers cannot reach external networks
-- **Local-First AI**: ThreatFlow can run entirely on your machine
-- **SLSA Level 3**: Release artifacts include provenance attestations
-- **Signed Images**: Docker images are Cosign-signed
-For vulnerability reports, see [SECURITY.md](SECURITY.md).
----
-## Documentation
-| Guide | Description |
-|-------|-------------|
-| [Installation](docs/README.md#installation-methods) | All installation methods |
-| [ThreatFlow](docs/threatflow/README.md) | AI threat modeling setup |
-| [Dojo Quick Start](docs/dojo/dojo-quickstart.md) | DefectDojo in 5 minutes |
-| [CI Mode](docs/ci/ci-mode.md) | Pipeline integration |
-| [Portal](docs/portal/README.md) | Enterprise features overview |
-| [Portal SSO](docs/portal/saml-setup.md) | SAML 2.0 SSO configuration |
-| [Portal RBAC](docs/portal/rbac.md) | Role-based access control |
-| [Portal Deployment](docs/portal/deployment.md) | Self-hosted deployment |
-| [Security](docs/security/slsa-provenance.md) | SLSA provenance verification |
----
-## CI/CD Status
-[![Kekkai Security Scan](https://github.com/kademoslabs/kekkai/actions/workflows/kekkai-pr-scan.yml/badge.svg)](https://github.com/kademoslabs/kekkai/actions/workflows/kekkai-pr-scan.yml)
-[![Docker Image Publish](https://github.com/kademoslabs/kekkai/actions/workflows/docker-publish.yml/badge.svg)](https://github.com/kademoslabs/kekkai/actions/workflows/docker-publish.yml)
-[![Docker Security Scan](https://github.com/kademoslabs/kekkai/actions/workflows/docker-security-scan.yml/badge.svg)](https://github.com/kademoslabs/kekkai/actions/workflows/docker-security-scan.yml)
-[![Cross-Platform Tests](https://github.com/kademoslabs/kekkai/actions/workflows/test-cross-platform.yml/badge.svg)](https://github.com/kademoslabs/kekkai/actions/workflows/test-cross-platform.yml)
-[![Release with SLSA Provenance](https://github.com/kademoslabs/kekkai/actions/workflows/release-slsa.yml/badge.svg)](https://github.com/kademoslabs/kekkai/actions/workflows/release-slsa.yml)
----
-## Contributing
-We welcome contributions! See [CONTRIBUTING.md](CONTRIBUTING.md) for guidelines.
----
-## License
-Apache-2.0 — See [LICENSE](LICENSE) for details.
----
-<p align="center"><i>Built by <a href="https://kademos.org">Kademos Labs</a></i></p>

portal/__init__.py DELETED Viewed

@@ -1,19 +0,0 @@
-"""Kekkai Hosted Portal - DefectDojo-backed multi-tenant security dashboard."""
-from __future__ import annotations
-__all__ = [
-    "AuthMethod",
-    "AuthResult",
-    "SAMLTenantConfig",
-    "Tenant",
-    "TenantStore",
-    "UploadResult",
-    "authenticate_request",
-    "process_upload",
-    "validate_upload",
-]
-from .auth import AuthResult, authenticate_request
-from .tenants import AuthMethod, SAMLTenantConfig, Tenant, TenantStore
-from .uploads import UploadResult, process_upload, validate_upload

portal/api.py DELETED Viewed

@@ -1,155 +0,0 @@
-"""Portal API endpoints for programmatic access.
-Provides REST API endpoints that expose the same data visible in the UI.
-All endpoints require authentication and enforce tenant isolation.
-"""
-from __future__ import annotations
-import json
-import logging
-import os
-from dataclasses import dataclass
-from pathlib import Path
-from typing import Any
-from .tenants import Tenant
-logger = logging.getLogger(__name__)
-@dataclass(frozen=True)
-class UploadInfo:
-    """Information about an upload."""
-    upload_id: str
-    filename: str
-    timestamp: str
-    file_hash: str
-    size_bytes: int
-@dataclass(frozen=True)
-class TenantStats:
-    """Statistics for a tenant."""
-    total_uploads: int
-    total_size_bytes: int
-    last_upload_time: str | None
-def get_tenant_info(tenant: Tenant) -> dict[str, Any]:
-    """Get tenant information for API response.
-    Args:
-        tenant: The authenticated tenant
-    Returns:
-        Dictionary containing tenant metadata
-    """
-    return {
-        "id": tenant.id,
-        "name": tenant.name,
-        "dojo_product_id": tenant.dojo_product_id,
-        "dojo_engagement_id": tenant.dojo_engagement_id,
-        "enabled": tenant.enabled,
-        "max_upload_size_mb": tenant.max_upload_size_mb,
-        "auth_method": tenant.auth_method.value,
-        "default_role": tenant.default_role,
-    }
-def list_uploads(tenant: Tenant, limit: int = 50) -> list[dict[str, Any]]:
-    """List recent uploads for a tenant.
-    Args:
-        tenant: The authenticated tenant
-        limit: Maximum number of uploads to return
-    Returns:
-        List of upload metadata dictionaries
-    """
-    upload_dir = Path(os.environ.get("PORTAL_UPLOAD_DIR", "/var/lib/kekkai-portal/uploads"))
-    tenant_dir = upload_dir / tenant.id
-    if not tenant_dir.exists():
-        return []
-    uploads: list[dict[str, Any]] = []
-    # Get all upload files for this tenant
-    try:
-        upload_files = sorted(
-            tenant_dir.glob("*.json"),
-            key=lambda p: p.stat().st_mtime,
-            reverse=True,
-        )[:limit]
-        for upload_file in upload_files:
-            stat = upload_file.stat()
-            uploads.append(
-                {
-                    "upload_id": upload_file.stem,
-                    "filename": upload_file.name,
-                    "timestamp": str(int(stat.st_mtime)),
-                    "size_bytes": stat.st_size,
-                }
-            )
-    except (OSError, PermissionError) as e:
-        logger.warning("Failed to list uploads for tenant %s: %s", tenant.id, e)
-    return uploads
-def get_tenant_stats(tenant: Tenant) -> dict[str, Any]:
-    """Get statistics for a tenant.
-    Args:
-        tenant: The authenticated tenant
-    Returns:
-        Dictionary containing tenant statistics
-    """
-    upload_dir = Path(os.environ.get("PORTAL_UPLOAD_DIR", "/var/lib/kekkai-portal/uploads"))
-    tenant_dir = upload_dir / tenant.id
-    if not tenant_dir.exists():
-        return {
-            "total_uploads": 0,
-            "total_size_bytes": 0,
-            "last_upload_time": None,
-        }
-    total_uploads = 0
-    total_size_bytes = 0
-    last_upload_time: int | None = None
-    try:
-        for upload_file in tenant_dir.glob("*.json"):
-            stat = upload_file.stat()
-            total_uploads += 1
-            total_size_bytes += stat.st_size
-            if last_upload_time is None or stat.st_mtime > last_upload_time:
-                last_upload_time = int(stat.st_mtime)
-    except (OSError, PermissionError) as e:
-        logger.warning("Failed to get stats for tenant %s: %s", tenant.id, e)
-    return {
-        "total_uploads": total_uploads,
-        "total_size_bytes": total_size_bytes,
-        "last_upload_time": str(last_upload_time) if last_upload_time else None,
-    }
-def serialize_api_response(data: dict[str, Any]) -> bytes:
-    """Serialize API response to JSON bytes.
-    Args:
-        data: Response data dictionary
-    Returns:
-        JSON-encoded bytes
-    """
-    return json.dumps(data, indent=2).encode("utf-8")

portal/auth.py DELETED Viewed

@@ -1,103 +0,0 @@
-"""Authentication middleware for portal API.
-Security controls:
-- ASVS V16.3.2: Log failed authorization attempts
-- Constant-time API key comparison to prevent timing attacks
-"""
-from __future__ import annotations
-import logging
-import re
-from dataclasses import dataclass
-from typing import TYPE_CHECKING
-from kekkai_core import redact
-from .tenants import Tenant, TenantStore
-if TYPE_CHECKING:
-    from collections.abc import Mapping
-logger = logging.getLogger(__name__)
-BEARER_PATTERN = re.compile(r"^Bearer\s+(\S+)$", re.IGNORECASE)
-@dataclass(frozen=True)
-class AuthResult:
-    """Result of authentication attempt."""
-    authenticated: bool
-    tenant: Tenant | None = None
-    error: str | None = None
-def authenticate_request(
-    headers: Mapping[str, str],
-    tenant_store: TenantStore,
-    client_ip: str = "unknown",
-) -> AuthResult:
-    """Authenticate a request using Bearer token.
-    Args:
-        headers: Request headers (case-insensitive lookup)
-        tenant_store: Tenant storage for API key verification
-        client_ip: Client IP for logging failed attempts
-    Returns:
-        AuthResult with tenant if authenticated, error otherwise
-    """
-    auth_header = _get_header(headers, "Authorization")
-    if not auth_header:
-        _log_auth_failure(client_ip, "missing_header")
-        return AuthResult(authenticated=False, error="Missing Authorization header")
-    match = BEARER_PATTERN.match(auth_header)
-    if not match:
-        _log_auth_failure(client_ip, "invalid_format")
-        return AuthResult(authenticated=False, error="Invalid Authorization format")
-    api_key = match.group(1)
-    if not api_key:
-        _log_auth_failure(client_ip, "empty_token")
-        return AuthResult(authenticated=False, error="Empty API token")
-    tenant = tenant_store.get_by_api_key(api_key)
-    if not tenant:
-        _log_auth_failure(client_ip, "invalid_token", api_key_prefix=api_key[:8])
-        return AuthResult(authenticated=False, error="Invalid API key")
-    if not tenant.enabled:
-        _log_auth_failure(client_ip, "tenant_disabled", tenant_id=tenant.id)
-        return AuthResult(authenticated=False, error="Tenant is disabled")
-    logger.info(
-        "auth.success client_ip=%s tenant_id=%s",
-        redact(client_ip),
-        tenant.id,
-    )
-    return AuthResult(authenticated=True, tenant=tenant)
-def _get_header(headers: Mapping[str, str], name: str) -> str | None:
-    """Get header value with case-insensitive lookup."""
-    for key, value in headers.items():
-        if key.lower() == name.lower():
-            return value
-    return None
-def _log_auth_failure(
-    client_ip: str,
-    reason: str,
-    tenant_id: str | None = None,
-    api_key_prefix: str | None = None,
-) -> None:
-    """Log authentication failure for security monitoring (ASVS V16.3.2)."""
-    parts = [f"auth.failure reason={reason}", f"client_ip={redact(client_ip)}"]
-    if tenant_id:
-        parts.append(f"tenant_id={tenant_id}")
-    if api_key_prefix:
-        parts.append(f"api_key_prefix={api_key_prefix}...")
-    logger.warning(" ".join(parts))

portal/enterprise/__init__.py DELETED Viewed

@@ -1,45 +0,0 @@
-"""Enterprise features for Kekkai Portal.
-Provides:
-- RBAC (Role-Based Access Control)
-- SAML 2.0 SSO integration
-- Audit logging
-- Enterprise license gating (ECDSA asymmetric signing)
-"""
-from __future__ import annotations
-from .audit import AuditEvent, AuditEventType, AuditLog
-from .licensing import (
-    EnterpriseLicense,
-    LicenseCheckResult,
-    LicenseSigner,
-    LicenseStatus,
-    LicenseValidator,
-    generate_keypair,
-)
-from .rbac import AuthorizationResult, Permission, RBACManager, Role
-from .saml import SAMLAssertion, SAMLConfig, SAMLError, SAMLProcessor
-ENTERPRISE_AVAILABLE = True
-__all__ = [
-    "ENTERPRISE_AVAILABLE",
-    "AuditEvent",
-    "AuditEventType",
-    "AuditLog",
-    "AuthorizationResult",
-    "EnterpriseLicense",
-    "LicenseCheckResult",
-    "LicenseSigner",
-    "LicenseStatus",
-    "LicenseValidator",
-    "Permission",
-    "RBACManager",
-    "Role",
-    "SAMLAssertion",
-    "SAMLConfig",
-    "SAMLError",
-    "SAMLProcessor",
-    "generate_keypair",
-]

kekkai-cli 1.1.0__py3-none-any.whl → 2.0.0__py3-none-any.whl

kekkai-cli 1.1.0py3-none-any.whl → 2.0.0py3-none-any.whl