PyPI - kekkai-cli - Versions diffs - 1.1.0__tar.gz → 1.1.1__tar.gz - Mend

kekkai-cli 1.1.0tar.gz → 1.1.1tar.gz

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (176) hide show

{kekkai_cli-1.1.0 → kekkai_cli-1.1.1}/PKG-INFO RENAMED Viewed

@@ -1,6 +1,6 @@
 Metadata-Version: 2.4
 Name: kekkai-cli
-Version: 1.1.0
+Version: 1.1.1
 Summary: Kekkai monorepo (local-first AppSec orchestration + compliance checker)
 Requires-Python: >=3.12
 Description-Content-Type: text/markdown
@@ -28,7 +28,7 @@ Requires-Dist: httpx>=0.24.0
 Stop juggling security tools. **Kekkai orchestrates your entire AppSec lifecycle** — from AI-powered threat modeling to vulnerability management — in a single CLI.
-![Hero GIF](https://raw.githubusercontent.com/kademoslabs/assets/main/screenshots/kekkai-demo.gif)
+![Hero GIF](https://raw.githubusercontent.com/kademoslabs/assets/main/screenshots/kekkai-start.gif)
 ---
@@ -104,6 +104,8 @@ kekkai upload
 Generate STRIDE-aligned threat models and Mermaid.js Data Flow Diagrams from your codebase.
+![Hero GIF](https://raw.githubusercontent.com/kademoslabs/assets/main/screenshots/kekkai-threatflow.gif)
 ```bash
 # Ollama (recommended - easy setup, privacy-preserving)
 ollama pull mistral
@@ -177,6 +179,10 @@ kekkai triage
 Automate security enforcement in your pipelines.
+<p align="center">
+  <img src="https://raw.githubusercontent.com/kademoslabs/assets/main/screenshots/kekkai-scan.png" alt="Kekkai Scanning" width="650"/>
+</p>
 ```bash
 # Fail on any critical or high findings
 kekkai scan --ci --fail-on high
@@ -212,6 +218,10 @@ kekkai scan --ci --fail-on medium --max-findings 5
 Spin up a complete vulnerability management platform locally.
+<p align="center">
+  <img src="https://raw.githubusercontent.com/kademoslabs/assets/main/screenshots/kekkai-dojo.png" alt="Kekkai Dojo" width="650"/>
+</p>
 ```bash
 kekkai dojo up --wait    # Start DefectDojo (Nginx, Postgres, Redis, Celery)
 kekkai dojo status       # Check service health
@@ -225,6 +235,14 @@ kekkai dojo down         # Stop and clean up (removes volumes)
 - Pre-configured for Kekkai imports
 - Clean teardown (no orphaned volumes)
+<p align="center">
+  <img src="https://raw.githubusercontent.com/kademoslabs/assets/main/screenshots/Active-Engagements-kekkai-dojo.png" alt="Kekkai Dojo" width="850"/>
+</p>
+<p align="center">
+  <img src="https://raw.githubusercontent.com/kademoslabs/assets/main/screenshots/kekkai-dojo-dashboard-findings.png" alt="Kekkai Dojo" width="850"/>
+</p
 [Full Dojo Documentation →](docs/dojo/dojo.md)
 ---
@@ -283,24 +301,26 @@ pip install kekkai-cli
 ---
-## Enterprise Features — Kekkai Portal
+## Enterprise Features
-For teams that need centralized management, **Kekkai Portal** provides:
+For organizations that need advanced capabilities, **Kekkai Enterprise** provides:
 | Feature | Description |
 |---------|-------------|
-| **SAML 2.0 SSO** | Integrate with Okta, Azure AD, Google Workspace ([Setup Guide](docs/portal/saml-setup.md)) |
-| **Role-Based Access Control** | Fine-grained permissions per team/project ([RBAC Guide](docs/portal/rbac.md)) |
-| **Multi-Tenant Architecture** | Isolated environments per organization ([Architecture](docs/portal/multi-tenant.md)) |
-| **Aggregated Dashboards** | Centralized view of all CLI scan results |
+| **Multi-Tenant Portal** | Web dashboard for managing multiple teams/projects ([Learn More](docs/portal/README.md)) |
+| **SAML 2.0 SSO** | Integrate with Okta, Azure AD, Google Workspace |
+| **Role-Based Access Control** | Fine-grained permissions per team/project |
+| **Advanced Operations** | Automated backup/restore, monitoring, zero-downtime upgrades ([Learn More](docs/ops/README.md)) |
+| **Compliance Reporting** | Map findings to OWASP, PCI-DSS, HIPAA, SOC 2 |
 | **Audit Logging** | Cryptographically signed compliance trails |
-**Upgrade Path:**
-- CLI users can sync results to Portal: `kekkai upload` ([Sync Guide](docs/portal/cli-sync.md))
-- Portal provides dashboards for security managers
-- Self-hosted or Kademos-managed options ([Deployment Guide](docs/portal/deployment.md))
+**Architecture:**
+- Open-source CLI remains fully functional standalone
+- Enterprise features available in separate private repository for licensed customers
+- Optional integration: CLI can sync results to enterprise portal
+- Self-hosted or Kademos-managed deployment options
-[Contact us for Portal access →](mailto:sales@kademos.org)
+[Contact us for enterprise access →](mailto:sales@kademos.org)
 ---

{kekkai_cli-1.1.0 → kekkai_cli-1.1.1}/README.md RENAMED Viewed

@@ -17,7 +17,7 @@
 Stop juggling security tools. **Kekkai orchestrates your entire AppSec lifecycle** — from AI-powered threat modeling to vulnerability management — in a single CLI.
-![Hero GIF](https://raw.githubusercontent.com/kademoslabs/assets/main/screenshots/kekkai-demo.gif)
+![Hero GIF](https://raw.githubusercontent.com/kademoslabs/assets/main/screenshots/kekkai-start.gif)
 ---
@@ -93,6 +93,8 @@ kekkai upload
 Generate STRIDE-aligned threat models and Mermaid.js Data Flow Diagrams from your codebase.
+![Hero GIF](https://raw.githubusercontent.com/kademoslabs/assets/main/screenshots/kekkai-threatflow.gif)
 ```bash
 # Ollama (recommended - easy setup, privacy-preserving)
 ollama pull mistral
@@ -166,6 +168,10 @@ kekkai triage
 Automate security enforcement in your pipelines.
+<p align="center">
+  <img src="https://raw.githubusercontent.com/kademoslabs/assets/main/screenshots/kekkai-scan.png" alt="Kekkai Scanning" width="650"/>
+</p>
 ```bash
 # Fail on any critical or high findings
 kekkai scan --ci --fail-on high
@@ -201,6 +207,10 @@ kekkai scan --ci --fail-on medium --max-findings 5
 Spin up a complete vulnerability management platform locally.
+<p align="center">
+  <img src="https://raw.githubusercontent.com/kademoslabs/assets/main/screenshots/kekkai-dojo.png" alt="Kekkai Dojo" width="650"/>
+</p>
 ```bash
 kekkai dojo up --wait    # Start DefectDojo (Nginx, Postgres, Redis, Celery)
 kekkai dojo status       # Check service health
@@ -214,6 +224,14 @@ kekkai dojo down         # Stop and clean up (removes volumes)
 - Pre-configured for Kekkai imports
 - Clean teardown (no orphaned volumes)
+<p align="center">
+  <img src="https://raw.githubusercontent.com/kademoslabs/assets/main/screenshots/Active-Engagements-kekkai-dojo.png" alt="Kekkai Dojo" width="850"/>
+</p>
+<p align="center">
+  <img src="https://raw.githubusercontent.com/kademoslabs/assets/main/screenshots/kekkai-dojo-dashboard-findings.png" alt="Kekkai Dojo" width="850"/>
+</p
 [Full Dojo Documentation →](docs/dojo/dojo.md)
 ---
@@ -272,24 +290,26 @@ pip install kekkai-cli
 ---
-## Enterprise Features — Kekkai Portal
+## Enterprise Features
-For teams that need centralized management, **Kekkai Portal** provides:
+For organizations that need advanced capabilities, **Kekkai Enterprise** provides:
 | Feature | Description |
 |---------|-------------|
-| **SAML 2.0 SSO** | Integrate with Okta, Azure AD, Google Workspace ([Setup Guide](docs/portal/saml-setup.md)) |
-| **Role-Based Access Control** | Fine-grained permissions per team/project ([RBAC Guide](docs/portal/rbac.md)) |
-| **Multi-Tenant Architecture** | Isolated environments per organization ([Architecture](docs/portal/multi-tenant.md)) |
-| **Aggregated Dashboards** | Centralized view of all CLI scan results |
+| **Multi-Tenant Portal** | Web dashboard for managing multiple teams/projects ([Learn More](docs/portal/README.md)) |
+| **SAML 2.0 SSO** | Integrate with Okta, Azure AD, Google Workspace |
+| **Role-Based Access Control** | Fine-grained permissions per team/project |
+| **Advanced Operations** | Automated backup/restore, monitoring, zero-downtime upgrades ([Learn More](docs/ops/README.md)) |
+| **Compliance Reporting** | Map findings to OWASP, PCI-DSS, HIPAA, SOC 2 |
 | **Audit Logging** | Cryptographically signed compliance trails |
-**Upgrade Path:**
-- CLI users can sync results to Portal: `kekkai upload` ([Sync Guide](docs/portal/cli-sync.md))
-- Portal provides dashboards for security managers
-- Self-hosted or Kademos-managed options ([Deployment Guide](docs/portal/deployment.md))
+**Architecture:**
+- Open-source CLI remains fully functional standalone
+- Enterprise features available in separate private repository for licensed customers
+- Optional integration: CLI can sync results to enterprise portal
+- Self-hosted or Kademos-managed deployment options
-[Contact us for Portal access →](mailto:sales@kademos.org)
+[Contact us for enterprise access →](mailto:sales@kademos.org)
 ---

{kekkai_cli-1.1.0 → kekkai_cli-1.1.1}/pyproject.toml RENAMED Viewed

@@ -1,6 +1,6 @@
 [project]
 name = "kekkai-cli"
-version = "1.1.0"
+version = "1.1.1"
 description = "Kekkai monorepo (local-first AppSec orchestration + compliance checker)"
 readme = "README.md"
 requires-python = ">=3.12"
@@ -13,7 +13,6 @@ dependencies = [
 [project.scripts]
 kekkai = "kekkai.cli:main"
-kekkai-portal = "portal.web:main"
 [tool.ruff]
 target-version = "py312"
@@ -56,7 +55,7 @@ source = ["src"]
 [tool.coverage.report]
 show_missing = true
 skip_covered = false
-fail_under = 69
+fail_under = 68
 exclude_lines = [
     "pragma: no cover",
     "if TYPE_CHECKING:",

{kekkai_cli-1.1.0 → kekkai_cli-1.1.1}/src/kekkai/cli.py RENAMED Viewed

@@ -604,6 +604,36 @@ def _command_scan(
     )
     manifest.write_manifest(run_dir / "run.json", run_manifest)
+    # Generate unified report (aggregates all scanner findings)
+    if scan_results:
+        from .report.unified import UnifiedReportError, generate_unified_report
+        # Determine output path for unified report
+        if output_path:
+            # --output flag provided: use it for unified report
+            unified_report_path = Path(output_path).expanduser().resolve()
+            # Security: Validate path (ASVS V5.3.3)
+            if not is_within_base(base_dir, unified_report_path):
+                # Allow explicit paths outside base_dir, but warn
+                console.print(
+                    f"[warning]Writing outside kekkai home: {unified_report_path}[/warning]"
+                )
+        else:
+            # Default: save in run directory
+            unified_report_path = run_dir / "kekkai-report.json"
+        try:
+            generate_unified_report(
+                scan_results=scan_results,
+                output_path=unified_report_path,
+                run_id=run_id,
+                commit_sha=commit_sha,
+            )
+            console.print(f"[success]Unified report:[/success] {unified_report_path}")
+        except UnifiedReportError as e:
+            err_msg = sanitize_error(str(e))
+            console.print(f"[warning]Failed to generate unified report: {err_msg}[/warning]")
     # Collect all findings for policy evaluation
     all_findings: list[Finding] = []
     scan_errors: list[str] = []
@@ -822,6 +852,26 @@ def _resolve_github_repo(override: str | None) -> tuple[str | None, str | None]:
     return None, None
+def _normalize_scanner_name(stem: str) -> str:
+    """Normalize filename stem to scanner name.
+    Strips the "-results" suffix from scanner output filenames.
+    Examples:
+        gitleaks-results -> gitleaks
+        trivy-results -> trivy
+        semgrep-results -> semgrep
+        custom-scanner -> custom-scanner
+    Args:
+        stem: File stem (name without extension).
+    Returns:
+        Normalized scanner name.
+    """
+    return stem.removesuffix("-results")
 def _create_scanner(
     name: str,
     zap_target_url: str | None = None,
@@ -1106,22 +1156,57 @@ def _threatflow_banner() -> str:
 def _command_triage(parsed: argparse.Namespace) -> int:
     """Run interactive triage TUI."""
     from .triage import run_triage
+    from .triage.loader import load_findings_from_path
     input_path_str = cast(str | None, getattr(parsed, "input", None))
     output_path_str = cast(str | None, getattr(parsed, "output", None))
-    input_path = Path(input_path_str).expanduser().resolve() if input_path_str else None
-    output_path = Path(output_path_str).expanduser().resolve() if output_path_str else None
+    # Default to latest run if no input specified
+    if not input_path_str:
+        runs_dir = app_base_dir() / "runs"
+        if runs_dir.exists():
+            run_dirs = sorted(
+                [d for d in runs_dir.iterdir() if d.is_dir()],
+                key=lambda d: d.stat().st_mtime,
+            )
+            if run_dirs:
+                input_path = run_dirs[-1]
+                console.print(f"[info]Using latest run: {input_path.name}[/info]\n")
+            else:
+                console.print("[danger]No scan runs found. Run 'kekkai scan' first.[/danger]")
+                return 1
+        else:
+            console.print("[danger]No scan runs found. Run 'kekkai scan' first.[/danger]")
+            return 1
+    else:
+        input_path = Path(input_path_str).expanduser().resolve()
-    if input_path and not input_path.exists():
-        console.print(f"[danger]Error:[/danger] Input file not found: {input_path}")
+    if not input_path.exists():
+        console.print(f"[danger]Error:[/danger] Input not found: {input_path}")
         return 1
+    output_path = Path(output_path_str).expanduser().resolve() if output_path_str else None
     console.print("[bold cyan]Kekkai Triage[/bold cyan] - Interactive Finding Review")
     console.print("Use j/k to navigate, f=false positive, c=confirmed, d=deferred")
     console.print("Press Ctrl+S to save, q to quit\n")
-    return run_triage(input_path=input_path, output_path=output_path)
+    # Use new loader that supports raw scanner outputs
+    findings, errors = load_findings_from_path(input_path)
+    if errors:
+        console.print("[warning]Warnings:[/warning]")
+        for err in errors[:5]:  # Limit to first 5
+            console.print(f"  - {err}")
+        console.print()
+    if not findings:
+        console.print("[warning]No findings to triage.[/warning]")
+        return 0
+    console.print(f"[info]Loaded {len(findings)} finding(s)[/info]\n")
+    return run_triage(findings=findings, output_path=output_path)
 def _command_fix(parsed: argparse.Namespace) -> int:
@@ -1414,9 +1499,13 @@ def _command_upload(parsed: argparse.Namespace) -> int:
     console.print(f"Product: {product_name}")
     console.print(f"Engagement: {engagement_name}")
-    # Find and load scan results
-    scan_files = list(run_dir.glob("*.json"))
-    scan_files = [f for f in scan_files if f.name not in ("run.json", "policy-result.json")]
+    # Find and load scan results - prefer *-results.json first
+    scan_files = sorted(run_dir.glob("*-results.json"))
+    if not scan_files:
+        # Fallback to all JSON (excluding metadata files)
+        scan_files = sorted(
+            [f for f in run_dir.glob("*.json") if f.name not in ("run.json", "policy-result.json")]
+        )
     if not scan_files:
         console.print(f"[danger]Error:[/danger] No scan results found in {run_dir}")
@@ -1429,35 +1518,39 @@ def _command_upload(parsed: argparse.Namespace) -> int:
     scanners_map: dict[str, Scanner] = {}
     for scan_file in scan_files:
-        scanner_name = scan_file.stem  # e.g., "trivy", "semgrep", "gitleaks"
+        # Normalize scanner name: "gitleaks-results" -> "gitleaks"
+        scanner_name = _normalize_scanner_name(scan_file.stem)
         console.print(f"  Loading {scanner_name}...")
+        # Load raw JSON
         try:
-            with scan_file.open() as f:
-                data = _json.load(f)
-        except _json.JSONDecodeError as e:
+            raw_text = scan_file.read_text(encoding="utf-8")
+            _json.loads(raw_text)  # Validate JSON syntax
+        except (OSError, _json.JSONDecodeError) as e:
             console.print(f"    [warning]Skipped (invalid JSON): {e}[/warning]")
             continue
-        # Parse findings based on format
-        findings = _parse_findings_from_json(data)
-        if findings:
-            scan_results.append(
-                ScanResult(
-                    scanner=scanner_name,
-                    success=True,
-                    findings=findings,
-                    raw_output_path=scan_file,
-                    duration_ms=0,
-                )
+        # Create scanner and use canonical parser
+        scanner = _create_scanner(scanner_name)
+        if not scanner:
+            console.print("    [warning]Skipped (unknown scanner)[/warning]")
+            continue
+        # Use canonical scanner parser (reuses validated logic)
+        findings = scanner.parse(raw_text)
+        scan_results.append(
+            ScanResult(
+                scanner=scanner.name,  # Use canonical scanner name
+                success=True,
+                findings=findings,
+                raw_output_path=scan_file,
+                duration_ms=0,
             )
-            # Create scanner instance for import
-            scanner = _create_scanner(scanner_name)
-            if scanner:
-                scanners_map[scanner_name] = scanner
+        )
+        scanners_map[scanner.name] = scanner
-            console.print(f"    {len(findings)} findings")
+        console.print(f"    {len(findings)} finding(s)")
     if not scan_results:
         console.print("[danger]Error:[/danger] No valid scan results to upload")
@@ -1493,11 +1586,9 @@ def _command_upload(parsed: argparse.Namespace) -> int:
     )
     success_count = 0
-    scanner_names_list = list(scanners_map.keys())
     for idx, ir in enumerate(import_results):
-        scanner_label = (
-            scanner_names_list[idx] if idx < len(scanner_names_list) else f"scanner-{idx}"
-        )
+        # Label based on actual scan_results order (not scanners_map keys)
+        scanner_label = scan_results[idx].scanner if idx < len(scan_results) else f"scanner-{idx}"
         if ir.success:
             success_count += 1
             console.print(

{kekkai_cli-1.1.0 → kekkai_cli-1.1.1}/src/kekkai/dojo_import.py RENAMED Viewed

@@ -61,7 +61,15 @@ class DojoClient:
         try:
             with urlopen(req, timeout=self._timeout) as resp:  # noqa: S310  # nosec B310
-                return json.loads(resp.read().decode()) if resp.read else {}
+                raw_bytes = resp.read()  # Call once and store result
+                if not raw_bytes:  # Check bytes, not method
+                    return {}
+                try:
+                    result: dict[str, Any] = json.loads(raw_bytes.decode())
+                    return result
+                except json.JSONDecodeError:
+                    # Empty or invalid JSON response - return empty dict
+                    return {}
         except HTTPError as exc:
             error_body = exc.read().decode() if exc.fp else str(exc)
             raise RuntimeError(f"Dojo API error {exc.code}: {error_body}") from exc

{kekkai_cli-1.1.0 → kekkai_cli-1.1.1}/src/kekkai/output.py RENAMED Viewed

@@ -57,7 +57,7 @@ BANNER_ASCII = r"""
 /_/\_\\___/_/\_/_/\_\\_,_/_/
 """
-VERSION = "1.1.0"
+VERSION = "1.1.1"
 def print_dashboard() -> None:

kekkai-cli 1.1.0__tar.gz → 1.1.1__tar.gz

kekkai-cli 1.1.0tar.gz → 1.1.1tar.gz