Skip to main content

Merge reports from multiple tools into a single file

Project description


PyPI License Python version Build Tests Pylint

Merge reports from multiple tools into a single file.


Install ReportMix from PyPI:

pip install reportmix


Merge reports using the command-line interface:



Argument Description
-h, --help Show the help message and exit
-V, --version Show program's version number and exit
-v, --verbose Run verbosely (display DEBUG logging)
--output_dir OUTPUT_DIR The location to write the report
--config_file CONFIG_FILE The path to the configuration file
--formats FORMATS Report formats to be generated (csv, json, html)
--fields FIELDS Fields to include in the output report (CSV and HTML only)
--hash HASH Fields to use for hash generation
--title TITLE The HTML report title
--logo LOGO The URL to the organization logo to display on the HTML report
--meta.* User-defined metadata fields

Run reportmix --help to show the full help message.

Some properties (formats, fields, hash, ...) support a single value or a comma-separated list of items (e.g. --formats "csv,html,json").

Tool-specific configuration arguments are documented in the help message and below.


Configure the merging process using command-line arguments or create a configuration file .reportmix in the working directory:

title=Analysis report

organization=Acme Corporation





This configuration can also be passed as command-line arguments:

reportmix --output_dir target --formats "html,csv,json" \
    --fields [...] --title "Analysis report" --logo "" \
    --meta.organization "Acme Corporation" \
    --dependency_check.report_file "target/dependency-check-report.csv" \
    --npm_audit.report_file "web-app/npm-audit.json" \
    --sonarqube.host_url "http://sonarqube.acme.corp" --sonarqube.project_key "acme:myproject" \
    --reportmix.report_file "sub-project/reportmix.csv"

Metadata fields

Metadata fields allow to define some fields for each issue in the configuration:

Name Description Default value
product The product name
version The product version
organization The organization name
client The client name
audit_date The audit date now()


hash is a special field. It is not extracted from the reports data but computed using some of the issue fields to create a stable unique identifier. If multiple issues, in a single merged report or in different reports, generated at different times, have the same hash value, we can consider they are the same, so solving one of them will solve the others. It can be especially useful for computing a delta between multiple reports, tracking issues fixes, etc.

Supported reports

Reports produced by the following tools are currently supported:

  • Dependency-Check: load a vulnerability report generated by OWASP dependency check (CSV required, JSON optional), version 5.x is recommended
  • npm audit: load a security audit generated by npm-audit CLI command (JSON format only), npm@6 is required
  • SonarQube: load code quality analysis results from a SonarQube instance, version 7.x is required
  • ReportMix: load a report (CSV format) generated by ReportMix or manually created

Contributions to improve existing report loaders or add new ones are welcome!

Dependency-Check loader

  • Run a Dependency-Check scan (cf. Maven plugin)
    • The CSV report is required, the JSON report is optional (cf. format property in the plugin configuration)
  • Move dependency-check-report.* files in the working directory or configure ReportMix (dependency_check.report_file) to look for the file somewhere else
  • :heavy_check_mark: Run ReportMix

Dependency-Check loader

npm audit loader

  • Run a security audit using the npm-audit CLI command
    • Get the detailed audit report in JSON format, e.g.: npm audit --json > npm-audit.json
  • Move the npm-audit.json file in the working directory or configure ReportMix (npm_audit.report_file) to look for the file somewhere else
  • :heavy_check_mark: Run ReportMix

npm audit loader

SonarQube loader

  • Run a SonarQube analysis (cf. Analyzing Source Code)
  • Configure the instance URL (sonarqube.host_url), the project key (sonarqube.project_key), and authentication settings
  • :heavy_check_mark: Run ReportMix

SonarQube loader

ReportMix loader

  • Run ReportMix (e.g. in another project) to generate a report (csv format required) or create it manually using the ReportMix output format (e.g. to include vulnerabilities from a manual security audit). A spreadsheet can be used to easily create or edit a CSV report.
  • Configure the path to the CSV report file (reportmix.report_file)
  • :heavy_check_mark: Run ReportMix

ReportMix loader


ReportMix is licensed under the GNU General Public License.

Project details

Download files

Download the file for your platform. If you're not sure which to choose, learn more about installing packages.

Files for reportmix, version 0.6.0
Filename, size File type Python version Upload date Hashes
Filename, size reportmix-0.6.0-py3-none-any.whl (39.5 kB) File type Wheel Python version py3 Upload date Hashes View
Filename, size reportmix-0.6.0.tar.gz (35.3 kB) File type Source Python version None Upload date Hashes View

Supported by

AWS AWS Cloud computing Datadog Datadog Monitoring DigiCert DigiCert EV certificate Facebook / Instagram Facebook / Instagram PSF Sponsor Fastly Fastly CDN Google Google Object Storage and Download Analytics Pingdom Pingdom Monitoring Salesforce Salesforce PSF Sponsor Sentry Sentry Error logging StatusPage StatusPage Status page