
Kekkai monorepo (local-first AppSec orchestration + compliance checker)

Project description


Security orchestration at developer speed.

One tool for the entire AppSec lifecycle: Predict, Detect, Triage, Manage.


Kekkai

Stop juggling security tools. Kekkai orchestrates your entire AppSec lifecycle — from AI-powered threat modeling to vulnerability management — in a single CLI.



The Five Pillars

Pillar     | Feature            | Command           | Description
🔮 Predict | AI Threat Modeling | kekkai threatflow | Generate STRIDE threat models before writing code
🔍 Detect  | Unified Scanning   | kekkai scan       | Run Trivy, Semgrep, Gitleaks in isolated containers
Triage     | Interactive Review | kekkai triage     | Review findings in a terminal UI, mark false positives
🚦 Gate    | CI/CD Policy       | kekkai scan --ci  | Break builds on severity thresholds
📊 Manage  | DefectDojo         | kekkai dojo up    | Spin up vulnerability management in 60 seconds

Quick Start (60 Seconds)

1. Install

pipx install kekkai-cli

2. Predict (Threat Model)

kekkai threatflow --repo . --model-mode local
# Generates THREATS.md with STRIDE analysis and Data Flow Diagram

3. Detect (Scan)

kekkai scan
# Runs Trivy (CVEs), Semgrep (code), Gitleaks (secrets)
# Outputs unified kekkai-report.json

4. Triage (Review)

kekkai triage
# Interactive TUI to accept, reject, or ignore findings

5. Manage (DefectDojo)

kekkai dojo up --wait
kekkai upload
# Full vulnerability management platform + automated import

Why Kekkai?

Capability      | Manual Approach                        | Kekkai
Tooling         | Install/update 5+ tools individually   | One binary, auto-pulls scanner containers
Output          | Parse 5 different JSON formats         | Unified kekkai-report.json
Threat Modeling | Expensive consultants or whiteboarding | AI-generated THREATS.md locally
DefectDojo      | 200-line docker-compose + debugging    | kekkai dojo up (one command)
Triage          | Read JSON files manually               | Interactive terminal UI
CI/CD           | Complex bash scripts                   | kekkai scan --ci --fail-on high
PR Feedback     | Manual security review comments        | Auto-comments on GitHub PRs

Feature Deep Dives

🔮 ThreatFlow — AI-Powered Threat Modeling

Generate STRIDE-aligned threat models and Mermaid.js Data Flow Diagrams from your codebase.

# Ollama (recommended - easy setup, privacy-preserving)
ollama pull mistral
kekkai threatflow --repo . --model-mode ollama --model-name mistral

# Local GGUF model (requires llama-cpp-python)
kekkai threatflow --repo . --model-mode local --model-path ./mistral-7b.gguf

# Remote API (faster, requires API key)
export KEKKAI_THREATFLOW_API_KEY="sk-..."
kekkai threatflow --repo . --model-mode openai

Output: THREATS.md containing:

  • Attack surface analysis
  • STRIDE threat classification
  • Mermaid.js architecture diagram
  • Recommended mitigations

Full ThreatFlow Documentation →


🔍 Unified Scanning

Run industry-standard scanners without installing them individually. Each scanner runs in an isolated Docker container with security hardening.

kekkai scan                          # Scan current directory
kekkai scan --repo /path/to/project  # Scan specific path
kekkai scan --output results.json    # Custom output path

Scanners Included:

Scanner  | Finds                | Image
Trivy    | CVEs in dependencies | aquasec/trivy:latest
Semgrep  | Code vulnerabilities | semgrep/semgrep:latest
Gitleaks | Hardcoded secrets    | zricethezav/gitleaks:latest

Container Security:

  • Read-only filesystem
  • No network access
  • Memory limited (2GB)
  • No privilege escalation
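A way to confirm those four properties on a running scanner container, as an added example that is not Kekkai's own code: it reads the `HostConfig` section of `docker inspect` output and reports which hardening properties are missing. The sample inspect JSON is constructed, and "Memory limited (2GB)" is assumed to mean a cgroup memory limit of at most 2 GiB.

```python
"""Audit docker inspect HostConfig against the README's four hardening claims.
Added example, not project code; the sample below is constructed."""
import json

TWO_GIB = 2 * 1024 ** 3  # assumption: "2GB" means a 2 GiB cgroup memory limit


def hardening_gaps(host_config):
    """Return the hardening properties a HostConfig dict does NOT satisfy."""
    gaps = []
    if not host_config.get("ReadonlyRootfs", False):
        gaps.append("read-only filesystem")
    if host_config.get("NetworkMode") != "none":
        gaps.append("no network access")
    memory = host_config.get("Memory", 0)  # Docker reports 0 when unlimited
    if memory <= 0 or memory > TWO_GIB:
        gaps.append("memory limit <= 2GB")
    sec_opts = host_config.get("SecurityOpt") or []  # null when nothing was set
    no_new_privs = any(o.startswith("no-new-privileges") and not o.endswith("=false")
                       for o in sec_opts)
    if not no_new_privs or host_config.get("Privileged", False):
        gaps.append("no privilege escalation")
    return gaps


def audit_inspect_output(inspect_json):
    """Audit `docker inspect <id>...` output (a JSON list); returns {name: gaps}."""
    return {c["Name"].lstrip("/"): hardening_gaps(c["HostConfig"])
            for c in json.loads(inspect_json)}


# Constructed sample: one container matching the README's claims, one that does not.
SAMPLE_INSPECT = json.dumps([
    {"Name": "/kekkai-trivy", "HostConfig": {
        "ReadonlyRootfs": True, "NetworkMode": "none", "Memory": TWO_GIB,
        "SecurityOpt": ["no-new-privileges"], "Privileged": False}},
    {"Name": "/adhoc-semgrep", "HostConfig": {
        "ReadonlyRootfs": False, "NetworkMode": "bridge", "Memory": 0,
        "SecurityOpt": None, "Privileged": False}},
])

if __name__ == "__main__":
    for name, gaps in audit_inspect_output(SAMPLE_INSPECT).items():
        print(name, "OK" if not gaps else "missing: " + ", ".join(gaps))
```

Pipe real `docker inspect` output into `audit_inspect_output` to check the scanner containers Kekkai starts on your machine.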

✅ Interactive Triage TUI

Stop reading JSON. Review security findings in your terminal.

kekkai triage

Features:

  • Navigate findings with keyboard
  • Mark as: Accept, Reject, False Positive, Ignore
  • Filter by severity, scanner, or status
  • Persist decisions in .kekkai-ignore
  • Export triaged results

Full Triage Documentation →


🚦 CI/CD Policy Gate

Automate security enforcement in your pipelines.

# Fail on any critical or high findings
kekkai scan --ci --fail-on high

# Fail only on critical
kekkai scan --ci --fail-on critical

# Custom threshold: fail on 5+ medium findings
kekkai scan --ci --fail-on medium --max-findings 5

Exit Codes:

Code | Meaning
0    | No findings above threshold
1    | Findings exceed threshold
2    | Scanner error

GitHub Actions Example:

- name: Security Scan
  run: |
    pipx install kekkai-cli
    kekkai scan --ci --fail-on high
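The gate semantics described above, as an added example that is not Kekkai's own code: a small evaluator that maps constructed findings onto the three exit codes. It assumes `--fail-on` counts findings at or above the named severity and that the build fails once that count reaches `--max-findings` (default 1); `Finding`, `gate_exit_code` and the sample findings are this example's own.

```python
"""Illustrative policy-gate logic for the README's --fail-on / --max-findings
semantics (added example, not kekkai's code). Assumed: findings at or above
the named severity are counted, and the build fails once that count reaches
--max-findings (default 1); any scanner error returns 2 regardless."""
from dataclasses import dataclass

# Assumed severity ordering used for "at or above threshold" comparisons.
SEVERITY_RANK = {"info": 0, "low": 1, "medium": 2, "high": 3, "critical": 4}
EXIT_OK, EXIT_POLICY_FAIL, EXIT_SCANNER_ERROR = 0, 1, 2  # from the exit-code table


@dataclass
class Finding:
    scanner: str    # "trivy", "semgrep" or "gitleaks"
    severity: str   # a SEVERITY_RANK key
    title: str


def count_at_or_above(findings, fail_on):
    """Number of findings whose severity is at or above the threshold."""
    threshold = SEVERITY_RANK[fail_on.lower()]
    return sum(1 for f in findings
               if SEVERITY_RANK.get(f.severity.lower(), 0) >= threshold)


def gate_exit_code(findings, fail_on="high", max_findings=1, scanner_errors=()):
    """Map a scan outcome onto the exit-code table: 0 pass, 1 policy fail, 2 error."""
    if scanner_errors:   # a scanner that failed to run is reported before any policy
        return EXIT_SCANNER_ERROR
    if count_at_or_above(findings, fail_on) >= max_findings:
        return EXIT_POLICY_FAIL
    return EXIT_OK


# Constructed sample findings (not real scanner output).
SAMPLE = [
    Finding("trivy", "critical", "known CVE in a transitive dependency"),
    Finding("semgrep", "medium", "SQL query built by string concatenation"),
    Finding("semgrep", "medium", "missing CSRF protection"),
    Finding("gitleaks", "high", "cloud access key committed in config"),
]

if __name__ == "__main__":
    print(gate_exit_code(SAMPLE, "high"))                    # 1
    print(gate_exit_code(SAMPLE, "medium", max_findings=5))  # 0 (only 4 at medium+)
    print(gate_exit_code(SAMPLE, "critical", scanner_errors=["trivy timed out"]))  # 2
```

In a pipeline, treat exit code 2 as a broken scan rather than a clean pass, since no policy was evaluated.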

Full CI Documentation →


📊 DefectDojo Integration

Spin up a complete vulnerability management platform locally.

kekkai dojo up --wait    # Start DefectDojo (Nginx, Postgres, Redis, Celery)
kekkai dojo status       # Check service health
kekkai upload            # Import scan results
kekkai dojo down         # Stop and clean up (removes volumes)

What You Get:

  • DefectDojo web UI at http://localhost:8080
  • Automatic credential generation
  • Pre-configured for Kekkai imports
  • Clean teardown (no orphaned volumes)

Full Dojo Documentation →


🔔 GitHub PR Comments

Get security feedback directly in pull requests.

export GITHUB_TOKEN="ghp_..."
kekkai scan --github-comment

Kekkai will:

  1. Run all scanners
  2. Post findings as PR review comments
  3. Annotate specific lines with inline comments

Installation

pipx (Recommended)

Isolated environment, no conflicts with system Python.

pipx install kekkai-cli

Homebrew (macOS/Linux)

brew install kademoslabs/tap/kekkai

Scoop (Windows)

scoop bucket add kademoslabs https://github.com/kademoslabs/scoop-bucket
scoop install kekkai

Docker (No Python Required)

docker pull kademoslabs/kekkai:latest
alias kekkai='docker run --rm -v "$(pwd):/repo" kademoslabs/kekkai:latest'

pip (Traditional)

pip install kekkai-cli

Enterprise Features — Kekkai Portal

For teams that need centralized management, Kekkai Portal provides:

Feature                   | Description
SAML 2.0 SSO              | Integrate with Okta, Azure AD, Google Workspace (Setup Guide)
Role-Based Access Control | Fine-grained permissions per team/project (RBAC Guide)
Multi-Tenant Architecture | Isolated environments per organization (Architecture)
Aggregated Dashboards     | Centralized view of all CLI scan results
Audit Logging             | Cryptographically signed compliance trails

Upgrade Path:

  • CLI users can sync results to Portal: kekkai upload (Sync Guide)
  • Portal provides dashboards for security managers
  • Self-hosted or Kademos-managed options (Deployment Guide)

Contact us for Portal access →


Security

Kekkai is designed with security as a core principle:

  • Container Isolation: Scanners run in hardened Docker containers
  • No Network Access: Containers cannot reach external networks
  • Local-First AI: ThreatFlow can run entirely on your machine
  • SLSA Level 3: Release artifacts include provenance attestations
  • Signed Images: Docker images are Cosign-signed

For vulnerability reports, see SECURITY.md.


Documentation

Guide             | Description
Installation      | All installation methods
ThreatFlow        | AI threat modeling setup
Dojo Quick Start  | DefectDojo in 5 minutes
CI Mode           | Pipeline integration
Portal            | Enterprise features overview
Portal SSO        | SAML 2.0 SSO configuration
Portal RBAC       | Role-based access control
Portal Deployment | Self-hosted deployment
Security          | SLSA provenance verification

CI/CD Status

Workflows (status badges):

  • Kekkai Security Scan
  • Docker Image Publish
  • Docker Security Scan
  • Cross-Platform Tests
  • Release with SLSA Provenance


Contributing

We welcome contributions! See CONTRIBUTING.md for guidelines.


License

Apache-2.0 — See LICENSE for details.


Built by Kademos Labs

Download files

Source Distribution: kekkai_cli-1.1.0.tar.gz (263.4 kB)

Built Distribution: kekkai_cli-1.1.0-py3-none-any.whl (233.8 kB)