PyPI - kekkai-cli - Versions diffs - 2.0.1__tar.gz → 2.2.0__tar.gz - Mend

kekkai-cli 2.0.1tar.gz → 2.2.0tar.gz

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (147) hide show

{kekkai_cli-2.0.1 → kekkai_cli-2.2.0}/PKG-INFO RENAMED Viewed

@@ -1,6 +1,6 @@
 Metadata-Version: 2.4
 Name: kekkai-cli
-Version: 2.0.1
+Version: 2.2.0
 Summary: Terminal UI for Trivy/Semgrep/Gitleaks. Local-first security triage.
 Requires-Python: >=3.12
 Description-Content-Type: text/markdown
@@ -14,19 +14,20 @@ Requires-Dist: jinja2>=3.1.6
   <img src="https://raw.githubusercontent.com/kademoslabs/assets/main/logos/kekkai-slim.png" alt="Kekkai CLI Logo" width="250"/>
 </p>
-<p align="center"><strong>Stop parsing JSON. Security triage in your terminal.</strong></p>
+<p align="center"><strong>Interactive security triage in the terminal.</strong></p>
 <p align="center">
   <img src="https://img.shields.io/github/actions/workflow/status/kademoslabs/kekkai/docker-publish.yml?logo=github"/>
   <img src="https://img.shields.io/circleci/build/github/kademoslabs/kekkai?logo=circleci"/>
-  <img src="https://img.shields.io/pypi/v/kekkai-cli?pypiBaseUrl=https%3A%2F%2Fpypi.org&logo=pypi"/>
+  <img alt="PyPI - Version" src="https://img.shields.io/pypi/v/kekkai-cli">
 </p>
 ---
 # Kekkai
-**Interactive security triage in the terminal.**
+**Stop parsing JSON.**
 Kekkai is a small open-source CLI that wraps existing security scanners (Trivy, Semgrep, Gitleaks) and focuses on the part that tends to be slow and frustrating: reviewing and triaging results.
@@ -73,6 +74,17 @@ kekkai triage
 # Interactive TUI to review findings with keyboard navigation
 ```
+### ⚡️ Auto-Install (Pre-commit)
+Add this to your `.pre-commit-config.yaml` to scan on every commit:
+```yaml
+  - repo: [https://github.com/kademoslabs/kekkai](https://github.com/kademoslabs/kekkai)
+    rev: v2.0.1
+    hooks:
+      - id: kekkai-scan
+```
 No signup, no cloud service required.
 ---
@@ -114,34 +126,11 @@ kekkai triage
 ---
-### CI/CD Policy Gate
-Break builds on severity thresholds.
-Kekkai can be used as a CI gate based on severity thresholds.
+### 🚦 CI/CD in 1 Second
+Don't write YAML. Run this in your repo:
 ```bash
-# Fail on any critical or high findings
-kekkai scan --ci --fail-on high
-# Fail only on critical
-kekkai scan --ci --fail-on critical
-```
-**Exit Codes:**
-| Code | Meaning |
-|------|---------|
-| 0 | No findings above threshold |
-| 1 | Findings exceed threshold |
-| 2 | Scanner error |
-**GitHub Actions Example:**
-```yaml
-- name: Security Scan
-  run: |
-    pipx install kekkai-cli
-    kekkai scan --ci --fail-on high
+kekkai init --ci
 ```
 [Full CI Documentation →](docs/ci/ci-mode.md)

{kekkai_cli-2.0.1 → kekkai_cli-2.2.0}/README.md RENAMED Viewed

@@ -2,19 +2,20 @@
   <img src="https://raw.githubusercontent.com/kademoslabs/assets/main/logos/kekkai-slim.png" alt="Kekkai CLI Logo" width="250"/>
 </p>
-<p align="center"><strong>Stop parsing JSON. Security triage in your terminal.</strong></p>
+<p align="center"><strong>Interactive security triage in the terminal.</strong></p>
 <p align="center">
   <img src="https://img.shields.io/github/actions/workflow/status/kademoslabs/kekkai/docker-publish.yml?logo=github"/>
   <img src="https://img.shields.io/circleci/build/github/kademoslabs/kekkai?logo=circleci"/>
-  <img src="https://img.shields.io/pypi/v/kekkai-cli?pypiBaseUrl=https%3A%2F%2Fpypi.org&logo=pypi"/>
+  <img alt="PyPI - Version" src="https://img.shields.io/pypi/v/kekkai-cli">
 </p>
 ---
 # Kekkai
-**Interactive security triage in the terminal.**
+**Stop parsing JSON.**
 Kekkai is a small open-source CLI that wraps existing security scanners (Trivy, Semgrep, Gitleaks) and focuses on the part that tends to be slow and frustrating: reviewing and triaging results.
@@ -61,6 +62,17 @@ kekkai triage
 # Interactive TUI to review findings with keyboard navigation
 ```
+### ⚡️ Auto-Install (Pre-commit)
+Add this to your `.pre-commit-config.yaml` to scan on every commit:
+```yaml
+  - repo: [https://github.com/kademoslabs/kekkai](https://github.com/kademoslabs/kekkai)
+    rev: v2.0.1
+    hooks:
+      - id: kekkai-scan
+```
 No signup, no cloud service required.
 ---
@@ -102,34 +114,11 @@ kekkai triage
 ---
-### CI/CD Policy Gate
-Break builds on severity thresholds.
-Kekkai can be used as a CI gate based on severity thresholds.
+### 🚦 CI/CD in 1 Second
+Don't write YAML. Run this in your repo:
 ```bash
-# Fail on any critical or high findings
-kekkai scan --ci --fail-on high
-# Fail only on critical
-kekkai scan --ci --fail-on critical
-```
-**Exit Codes:**
-| Code | Meaning |
-|------|---------|
-| 0 | No findings above threshold |
-| 1 | Findings exceed threshold |
-| 2 | Scanner error |
-**GitHub Actions Example:**
-```yaml
-- name: Security Scan
-  run: |
-    pipx install kekkai-cli
-    kekkai scan --ci --fail-on high
+kekkai init --ci
 ```
 [Full CI Documentation →](docs/ci/ci-mode.md)

{kekkai_cli-2.0.1 → kekkai_cli-2.2.0}/pyproject.toml RENAMED Viewed

@@ -1,6 +1,6 @@
 [project]
 name = "kekkai-cli"
-version = "2.0.1"
+version = "2.2.0"
 description = "Terminal UI for Trivy/Semgrep/Gitleaks. Local-first security triage."
 readme = "README.md"
 requires-python = ">=3.12"
@@ -21,7 +21,7 @@ line-length = 100
 extend-exclude = ["dist", "build", ".venv"]
 lint.select = ["E", "F", "I", "B", "UP", "S", "SIM"]
 lint.ignore = ["S101"]  # allow asserts in tests
-lint.per-file-ignores = { "tests/**" = ["S"], "src/kekkai_core/docker/**" = ["S603"], "src/kekkai_core/slsa/**" = ["S603", "S607"], "src/kekkai/github/**" = ["S105"] }
+lint.per-file-ignores = { "tests/**" = ["S", "SIM117"], "src/kekkai_core/docker/**" = ["S603"], "src/kekkai_core/slsa/**" = ["S603", "S607"], "src/kekkai/github/**" = ["S105"] }
 [tool.mypy]
 python_version = "3.12"

{kekkai_cli-2.0.1 → kekkai_cli-2.2.0}/src/kekkai/cli.py RENAMED Viewed

@@ -221,6 +221,17 @@ def main(argv: Sequence[str] | None = None) -> int:
         type=str,
         help="Path for .kekkaiignore output (default: .kekkaiignore)",
     )
+    triage_parser.add_argument(
+        "--repo",
+        type=str,
+        help="Repository root path (default: auto-detect from run.json)",
+    )
+    triage_parser.add_argument(
+        "--context-lines",
+        type=int,
+        default=10,
+        help="Context lines before/after line (default: 10, range: 5-100)",
+    )
     # Fix subcommand - AI-powered remediation
     fix_parser = subparsers.add_parser("fix", help="generate AI-powered code fixes for findings")
@@ -1186,6 +1197,11 @@ def _command_triage(parsed: argparse.Namespace) -> int:
     input_path_str = cast(str | None, getattr(parsed, "input", None))
     output_path_str = cast(str | None, getattr(parsed, "output", None))
+    repo_path_str = cast(str | None, getattr(parsed, "repo", None))
+    context_lines = cast(int, getattr(parsed, "context_lines", 10))
+    # Validate context_lines range
+    context_lines = max(5, min(100, context_lines))
     # Default to latest run if no input specified
     if not input_path_str:
@@ -1232,7 +1248,36 @@ def _command_triage(parsed: argparse.Namespace) -> int:
     console.print(f"[info]Loaded {len(findings)} finding(s)[/info]\n")
-    return run_triage(findings=findings, output_path=output_path)
+    # Auto-detect repo_path from run.json if not explicitly provided
+    repo_path: Path | None = None
+    if repo_path_str:
+        repo_path = Path(repo_path_str).expanduser().resolve()
+    elif input_path.is_dir():
+        # Try to read repo_path from run.json
+        manifest_path = input_path / "run.json"
+        if manifest_path.exists():
+            try:
+                import json
+                with manifest_path.open() as f:
+                    manifest_data = json.load(f)
+                stored_repo = manifest_data.get("repo_path")
+                if stored_repo:
+                    repo_path = Path(stored_repo).expanduser().resolve()
+                    console.print(f"[dim]Using repo path from run metadata: {repo_path}[/dim]\n")
+            except (OSError, json.JSONDecodeError, KeyError):
+                pass
+    # Fall back to current directory if still not set
+    if repo_path is None:
+        repo_path = Path.cwd()
+    return run_triage(
+        findings=findings,
+        output_path=output_path,
+        repo_path=repo_path,
+        context_lines=context_lines,
+    )
 def _command_fix(parsed: argparse.Namespace) -> int:

{kekkai_cli-2.0.1 → kekkai_cli-2.2.0}/src/kekkai/output.py RENAMED Viewed

@@ -57,7 +57,7 @@ BANNER_ASCII = r"""
 /_/\_\\___/_/\_/_/\_\\_,_/_/
 """
-VERSION = "2.0.1"
+VERSION = "2.2.0"
 def print_dashboard() -> None:

{kekkai_cli-2.0.1 → kekkai_cli-2.2.0}/src/kekkai/triage/__init__.py RENAMED Viewed

@@ -29,6 +29,8 @@ def run_triage(
     input_path: Path | None = None,
     output_path: Path | None = None,
     findings: Sequence[FindingEntry] | None = None,
+    repo_path: Path | None = None,
+    context_lines: int = 10,
 ) -> int:
     """Run the triage TUI (lazy import).
@@ -36,6 +38,8 @@ def run_triage(
         input_path: Path to findings JSON file.
         output_path: Path for .kekkaiignore output.
         findings: Pre-loaded findings (alternative to input_path).
+        repo_path: Repository root path for code context display.
+        context_lines: Number of lines to show before/after vulnerable line.
     Returns:
         Exit code (0 for success).
@@ -50,6 +54,8 @@ def run_triage(
             input_path=input_path,
             output_path=output_path,
             findings=findings,
+            repo_path=repo_path,
+            context_lines=context_lines,
         )
     except ImportError as e:
         raise RuntimeError(

{kekkai_cli-2.0.1 → kekkai_cli-2.2.0}/src/kekkai/triage/app.py RENAMED Viewed

@@ -51,6 +51,8 @@ class TriageApp(App[None]):
         input_path: Path | None = None,
         output_path: Path | None = None,
         audit_path: Path | None = None,
+        repo_path: Path | None = None,
+        context_lines: int = 10,
     ) -> None:
         """Initialize triage application.
@@ -59,6 +61,8 @@ class TriageApp(App[None]):
             input_path: Path to findings JSON file.
             output_path: Path for .kekkaiignore output.
             audit_path: Path for audit log.
+            repo_path: Repository root path for code context display.
+            context_lines: Number of lines to show before/after vulnerable line.
         """
         super().__init__()
         self._input_path = input_path
@@ -66,6 +70,8 @@ class TriageApp(App[None]):
         self.ignore_file = IgnoreFile(output_path)
         self.audit_log = TriageAuditLog(audit_path)
         self._decisions: dict[str, TriageDecision] = {}
+        self.repo_path = repo_path or Path.cwd()
+        self.context_lines = context_lines
     @property
     def findings(self) -> list[FindingEntry]:
@@ -148,6 +154,8 @@ def run_triage(
     input_path: Path | None = None,
     output_path: Path | None = None,
     findings: Sequence[FindingEntry] | None = None,
+    repo_path: Path | None = None,
+    context_lines: int = 10,
 ) -> int:
     """Run the triage TUI.
@@ -155,6 +163,8 @@ def run_triage(
         input_path: Path to findings JSON file.
         output_path: Path for .kekkaiignore output.
         findings: Pre-loaded findings (alternative to input_path).
+        repo_path: Repository root path for code context display.
+        context_lines: Number of lines to show before/after vulnerable line.
     Returns:
         Exit code (0 for success).
@@ -163,6 +173,8 @@ def run_triage(
         findings=findings,
         input_path=input_path,
         output_path=output_path,
+        repo_path=repo_path,
+        context_lines=context_lines,
     )
     app.run()
     return 0

kekkai_cli-2.2.0/src/kekkai/triage/code_context.py ADDED Viewed

@@ -0,0 +1,345 @@
+"""Code context extraction for triage TUI.
+Provides secure code context extraction with security controls:
+- Path traversal protection (ASVS V5.3.3)
+- File size limits (ASVS V10.3.3)
+- Sensitive file detection (ASVS V8.3.4)
+- Error sanitization (ASVS V7.4.1)
+"""
+from __future__ import annotations
+import logging
+from dataclasses import dataclass
+from pathlib import Path
+from ..fix.prompts import FixPromptBuilder
+logger = logging.getLogger(__name__)
+__all__ = [
+    "CodeContext",
+    "CodeContextExtractor",
+]
+# Security limits per ASVS V10.3.3
+MAX_FILE_SIZE_MB = 10
+# Sensitive file extensions to block (ASVS V8.3.4)
+SENSITIVE_EXTENSIONS = {
+    ".env",
+    ".pem",
+    ".key",
+    ".crt",
+    ".p12",
+    ".pfx",
+    ".jks",
+    ".keystore",
+    ".pub",
+    "id_rsa",
+    "id_dsa",
+    "id_ecdsa",
+    "id_ed25519",
+}
+# Binary file extensions to skip
+BINARY_EXTENSIONS = {
+    ".pyc",
+    ".pyo",
+    ".so",
+    ".dll",
+    ".dylib",
+    ".exe",
+    ".bin",
+    ".class",
+    ".jar",
+    ".war",
+    ".ear",
+    ".png",
+    ".jpg",
+    ".jpeg",
+    ".gif",
+    ".bmp",
+    ".ico",
+    ".pdf",
+    ".zip",
+    ".tar",
+    ".gz",
+    ".bz2",
+    ".7z",
+    ".rar",
+    ".whl",
+    ".egg",
+}
+@dataclass
+class CodeContext:
+    """Code context with syntax highlighting metadata.
+    Attributes:
+        code: Formatted code with line numbers and >>> marker.
+        language: Detected programming language for syntax highlighting.
+        vulnerable_line: The specific vulnerable line text.
+        error: Error message if extraction failed (None on success).
+    """
+    code: str
+    language: str
+    vulnerable_line: str
+    error: str | None = None
+class CodeContextExtractor:
+    """Extracts code context from files with security controls.
+    Security features:
+    - Path validation to prevent traversal attacks (ASVS V5.3.3)
+    - File size limits to prevent DoS (ASVS V10.3.3)
+    - Sensitive file detection (ASVS V8.3.4)
+    - Sanitized error messages (ASVS V7.4.1)
+    Performance features:
+    - LRU cache for file contents (max 20 files, ~200KB per file = ~4MB total)
+    - Reduces re-reads when navigating between findings in same files
+    """
+    def __init__(self, repo_path: Path, max_file_size_mb: int = MAX_FILE_SIZE_MB) -> None:
+        """Initialize code context extractor.
+        Args:
+            repo_path: Repository root path (for path validation).
+            max_file_size_mb: Maximum file size in MB (DoS protection).
+        """
+        self.repo_path = repo_path.resolve()
+        self.max_file_size_mb = max_file_size_mb
+        self._prompt_builder = FixPromptBuilder(context_lines=10)
+        # Simple LRU cache: {file_path: file_content}
+        # Limited to 20 files to prevent memory bloat
+        self._file_cache: dict[str, str] = {}
+        self._cache_max_size = 20
+    def extract(self, file_path: str, line: int | None) -> CodeContext | None:
+        """Extract code context from a file.
+        Args:
+            file_path: Relative or absolute path to the file.
+            line: Line number (1-indexed) of the vulnerability.
+        Returns:
+            CodeContext object with code and metadata, or None if unavailable.
+        Security:
+            - Path validation (ASVS V5.3.3)
+            - Size limits (ASVS V10.3.3)
+            - Sensitive file blocking (ASVS V8.3.4)
+            - Error sanitization (ASVS V7.4.1)
+        """
+        if not file_path or not line:
+            return None
+        # Resolve path
+        try:
+            full_path = (self.repo_path / file_path).resolve()
+        except (ValueError, OSError):
+            # ASVS V7.4.1: Sanitized error (no full path)
+            logger.warning(
+                "code_context_path_invalid",
+                extra={"file_path": Path(file_path).name, "reason": "invalid_path"},
+            )
+            return CodeContext(
+                code="",
+                language="",
+                vulnerable_line="",
+                error="Invalid file path",
+            )
+        # ASVS V5.3.3: Path traversal check
+        if not self._validate_path(full_path):
+            logger.warning(
+                "code_context_path_traversal",
+                extra={"file_path": Path(file_path).name, "reason": "path_traversal"},
+            )
+            return None
+        # Check if file exists
+        if not full_path.exists():
+            logger.info(
+                "code_context_file_not_found",
+                extra={"file_path": Path(file_path).name},
+            )
+            return CodeContext(
+                code="",
+                language="",
+                vulnerable_line="",
+                error="File not found",
+            )
+        # ASVS V8.3.4: Sensitive file check
+        if self._is_sensitive_file(full_path):
+            logger.info(
+                "code_context_sensitive_file",
+                extra={"file_path": Path(file_path).name},
+            )
+            return CodeContext(
+                code="",
+                language="",
+                vulnerable_line="",
+                error="Code hidden (sensitive file type)",
+            )
+        # Binary file check
+        if not self._is_text_file(full_path):
+            logger.info(
+                "code_context_binary_file",
+                extra={"file_path": Path(file_path).name},
+            )
+            return None
+        # ASVS V10.3.3: File size check
+        size_mb = full_path.stat().st_size / (1024 * 1024)
+        if size_mb > self.max_file_size_mb:
+            logger.warning(
+                "code_context_file_too_large",
+                extra={"file_path": Path(file_path).name, "size_mb": f"{size_mb:.1f}"},
+            )
+            return CodeContext(
+                code="",
+                language="",
+                vulnerable_line="",
+                error=f"File too large for display ({size_mb:.1f}MB)",
+            )
+        # Read file content (with caching for performance)
+        cache_key = str(full_path)
+        if cache_key in self._file_cache:
+            file_content = self._file_cache[cache_key]
+        else:
+            try:
+                file_content = full_path.read_text(encoding="utf-8")
+                # Cache the content
+                self._file_cache[cache_key] = file_content
+                # Evict oldest entry if cache is full (simple FIFO)
+                if len(self._file_cache) > self._cache_max_size:
+                    # Remove first (oldest) entry
+                    oldest_key = next(iter(self._file_cache))
+                    del self._file_cache[oldest_key]
+            except (OSError, UnicodeDecodeError) as e:
+                # ASVS V7.4.1: Sanitized error
+                logger.warning(
+                    "code_context_read_error",
+                    extra={"file_path": Path(file_path).name, "error": str(e)},
+                )
+                return CodeContext(
+                    code="",
+                    language="",
+                    vulnerable_line="",
+                    error="Cannot read file",
+                )
+        # Extract code context using existing logic from fix engine
+        code_context, vulnerable_line = self._prompt_builder.extract_code_context(
+            file_content, line
+        )
+        # Detect language for syntax highlighting
+        language = self._detect_language(full_path)
+        return CodeContext(
+            code=code_context,
+            language=language,
+            vulnerable_line=vulnerable_line,
+            error=None,
+        )
+    def _validate_path(self, path: Path) -> bool:
+        """Validate that path is within repo_path (prevent traversal).
+        Args:
+            path: Resolved path to validate.
+        Returns:
+            True if path is safe, False otherwise.
+        Security:
+            ASVS V5.3.3: Path validation to prevent directory traversal.
+        """
+        try:
+            # Check if path is within repo_path
+            path.relative_to(self.repo_path)
+            return True
+        except ValueError:
+            return False
+    def _is_text_file(self, path: Path) -> bool:
+        """Check if file is a text file (not binary).
+        Args:
+            path: Path to check.
+        Returns:
+            True if likely a text file, False if binary.
+        """
+        suffix = path.suffix.lower()
+        name = path.name.lower()
+        # Check against binary extensions
+        if suffix in BINARY_EXTENSIONS:
+            return False
+        # Special cases without extensions
+        if name in ("dockerfile", "makefile", "vagrantfile", "jenkinsfile"):
+            return True
+        return True
+    def _is_sensitive_file(self, path: Path) -> bool:
+        """Check if file contains sensitive data (secrets, keys).
+        Args:
+            path: Path to check.
+        Returns:
+            True if file is sensitive and should not be displayed.
+        Security:
+            ASVS V8.3.4: Prevent sensitive data in outputs.
+        """
+        suffix = path.suffix.lower()
+        name = path.name.lower()
+        # Check extension
+        if suffix in SENSITIVE_EXTENSIONS:
+            return True
+        # Check if the entire filename (including leading dot) matches sensitive patterns
+        # For files like .env, .pem, etc., the suffix is empty but name includes the dot
+        if name in {".env", ".pem", ".key", ".crt"}:
+            return True
+        # Check filename patterns
+        return any(
+            pattern in name
+            for pattern in [
+                "secret",
+                "credential",
+                "password",
+                "token",
+                "apikey",
+                "private_key",
+                "id_rsa",
+                "id_dsa",
+                "id_ecdsa",
+            ]
+        )
+    def _detect_language(self, path: Path) -> str:
+        """Detect programming language from file extension.
+        Args:
+            path: Path to the file.
+        Returns:
+            Language identifier for syntax highlighting.
+        """
+        return self._prompt_builder._detect_language(str(path))

kekkai-cli 2.0.1__tar.gz → 2.2.0__tar.gz

kekkai-cli 2.0.1tar.gz → 2.2.0tar.gz