Generate HTML security reports from Trivy and pip-audit JSON
Project description
sec-report-kit
Generate HTML vulnerability reports from Trivy and pip-audit JSON with a CLI and MCP server.
Install
pip install -e .
With MCP support:
pip install -e ".[mcp]"
CLI Usage
Both commands are available:
srk
sec-report-kit
Render Trivy JSON:
srk render trivy --input security_reports/trivy-image-report-v1.0.21.json --output security_reports/report-trivy.html --target shankonduru/cpkc-poc:v1.0.21
Render pip-audit JSON:
srk render pip-audit --input pip-audit.json --output security_reports/report-pip-audit.html --target requirements.txt
MCP Server
Run MCP server over stdio:
srk mcp serve --transport stdio
Available MCP Tools
| Tool | Description |
|---|---|
| summarize_json | Summarize vulnerabilities by severity from a JSON file |
| render_report_from_json | Parse JSON and render an HTML report to disk |
| validate_input | Validate that a JSON file is parseable and return finding count |
All tools accept source_type ("trivy" or "pip-audit") and input_path (absolute path to JSON file).
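What summarizing and rendering the two inputs involves, as an added example that is not sec-report-kit's own code: the function names are hypothetical, the field names follow the JSON that Trivy and pip-audit emit, and the sample documents are constructed. pip-audit JSON carries no severity field, so this example assumes those findings go into an UNKNOWN bucket.

```python
# Added example, not sec-report-kit's code; function names are hypothetical.
import html
import json
from collections import Counter

def parse_findings(source_type, doc):
    """Normalize scanner JSON into dicts with id, package, version, severity."""
    findings = []
    if source_type == "trivy":
        # Trivy: Results[], each with an optional Vulnerabilities[] (absent or null when clean).
        for result in doc.get("Results") or []:
            for v in result.get("Vulnerabilities") or []:
                findings.append({"id": v.get("VulnerabilityID", ""),
                                 "package": v.get("PkgName", ""),
                                 "version": v.get("InstalledVersion", ""),
                                 "severity": (v.get("Severity") or "UNKNOWN").upper()})
    elif source_type == "pip-audit":
        # pip-audit: dependencies[], each with vulns[]; older releases emit a bare list.
        deps = doc.get("dependencies", []) if isinstance(doc, dict) else doc
        for dep in deps:
            for v in dep.get("vulns") or []:
                findings.append({"id": v.get("id", ""), "package": dep.get("name", ""),
                                 "version": dep.get("version", ""), "severity": "UNKNOWN"})
    else:
        raise ValueError(f"unsupported source_type: {source_type!r}")
    return findings

def summarize(findings):
    return dict(Counter(f["severity"] for f in findings))

def render_rows(findings):
    # Scanner output is untrusted input: escape every field before it reaches HTML.
    cols = ("id", "package", "version", "severity")
    return "\n".join(
        "<tr>" + "".join(f"<td>{html.escape(str(f[c]))}</td>" for c in cols) + "</tr>"
        for f in findings)

# Constructed sample inputs (placeholder IDs, not real scan results).
TRIVY_SAMPLE = json.loads("""{"Results": [
  {"Target": "app", "Vulnerabilities": [
    {"VulnerabilityID": "CVE-0000-0001", "PkgName": "libexample", "InstalledVersion": "1.0", "Severity": "HIGH"},
    {"VulnerabilityID": "CVE-0000-0002", "PkgName": "<b>pkg</b>", "InstalledVersion": "2.0", "Severity": "LOW"}]},
  {"Target": "clean-layer"}]}""")
PIP_AUDIT_SAMPLE = json.loads("""{"dependencies": [
  {"name": "examplepkg", "version": "0.1", "vulns": [{"id": "PYSEC-0000-1", "fix_versions": ["0.2"]}]},
  {"name": "safepkg", "version": "1.0", "vulns": []}]}""")

if __name__ == "__main__":
    found = parse_findings("trivy", TRIVY_SAMPLE)
    print(summarize(found), render_rows(found), sep="\n")
```

The second Trivy finding has markup in its package name to show that the rendered row contains the escaped text rather than live HTML.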
VS Code (GitHub Copilot Agent / MCP extension)
Add to your VS Code settings.json (or .vscode/mcp.json in the workspace):
{
  "mcp": {
    "servers": {
      "sec-report-kit": {
        "type": "stdio",
        "command": "srk",
        "args": ["mcp", "serve", "--transport", "stdio"]
      }
    }
  }
}
Note: If srk is not on the system PATH, replace "command" with the full path to the executable, e.g. "C:/Users/you/.venv/Scripts/srk.exe".
Claude Desktop
Edit %APPDATA%\Claude\claude_desktop_config.json (Windows) or ~/Library/Application Support/Claude/claude_desktop_config.json (macOS):
{
  "mcpServers": {
    "sec-report-kit": {
      "command": "srk",
      "args": ["mcp", "serve", "--transport", "stdio"]
    }
  }
}
Cursor
Open Cursor Settings → MCP and add a new server entry:
{
  "sec-report-kit": {
    "command": "srk",
    "args": ["mcp", "serve", "--transport", "stdio"]
  }
}
Or add it to .cursor/mcp.json in your project root:
{
  "mcpServers": {
    "sec-report-kit": {
      "command": "srk",
      "args": ["mcp", "serve", "--transport", "stdio"]
    }
  }
}
Windsurf (Codeium)
Edit ~/.codeium/windsurf/mcp_config.json:
{
  "mcpServers": {
    "sec-report-kit": {
      "command": "srk",
      "args": ["mcp", "serve", "--transport", "stdio"]
    }
  }
}
Using a virtual environment
If the package is installed in a .venv, use the full path to avoid PATH issues:
Windows:
{
  "command": "C:/MyProjects/sec-report-kit/.venv/Scripts/srk.exe",
  "args": ["mcp", "serve", "--transport", "stdio"]
}
macOS / Linux:
{
  "command": "/home/user/sec-report-kit/.venv/bin/srk",
  "args": ["mcp", "serve", "--transport", "stdio"]
}
Package Publish
Build:
python -m build
Upload to TestPyPI:
python -m twine upload --repository testpypi dist/*
Upload to PyPI:
python -m twine upload dist/*
File details
Details for the file sec_report_kit-0.1.4.tar.gz.
File metadata
- Download URL: sec_report_kit-0.1.4.tar.gz
- Upload date:
- Size: 12.5 kB
- Tags: Source
- Uploaded using Trusted Publishing? Yes
- Uploaded via: twine/6.1.0 CPython/3.13.12
File hashes
| Algorithm | Hash digest |
|---|---|
| SHA256 | 6eb043bff937f272afbc818d096453f225462d20e5ff68816c33dbe072941616 |
| MD5 | 9bf85bb0023ca3dbe328dafa1e8e8402 |
| BLAKE2b-256 | 86e7ff9611d54dffd60e2676da2beb6388d5c45ccf0c5f5da46cbe91e5425601 |
Provenance
The following attestation bundles were made for sec_report_kit-0.1.4.tar.gz:
Publisher: publish-pypi.yml on ShanKonduru/sec-report-kit
- Statement:
  - Statement type: https://in-toto.io/Statement/v1
  - Predicate type: https://docs.pypi.org/attestations/publish/v1
  - Subject name: sec_report_kit-0.1.4.tar.gz
  - Subject digest: 6eb043bff937f272afbc818d096453f225462d20e5ff68816c33dbe072941616
- Sigstore transparency entry: 1420268705
- Sigstore integration time:
- Permalink: ShanKonduru/sec-report-kit@94c61131d77f5f1f531cbe07747fd6ea4017583d
- Branch / Tag: refs/tags/v0.1.4
- Owner: https://github.com/ShanKonduru
- Access: public
- Token Issuer: https://token.actions.githubusercontent.com
- Runner Environment: github-hosted
- Publication workflow: publish-pypi.yml@94c61131d77f5f1f531cbe07747fd6ea4017583d
- Trigger Event: push
File details
Details for the file sec_report_kit-0.1.4-py3-none-any.whl.
File metadata
- Download URL: sec_report_kit-0.1.4-py3-none-any.whl
- Upload date:
- Size: 12.1 kB
- Tags: Python 3
- Uploaded using Trusted Publishing? Yes
- Uploaded via: twine/6.1.0 CPython/3.13.12
File hashes
| Algorithm | Hash digest |
|---|---|
| SHA256 | 606b68ffcd49bb896f8be36116069f00d6bd53651d117849452d7c0957dc9f36 |
| MD5 | c42a56f769bc461f139bebae5dc3c402 |
| BLAKE2b-256 | d4faeb49445c7becebc7d49aad24b5249eb1a2a585d0b17a39a281aa3f8f4d80 |
Provenance
The following attestation bundles were made for sec_report_kit-0.1.4-py3-none-any.whl:
Publisher: publish-pypi.yml on ShanKonduru/sec-report-kit
- Statement:
  - Statement type: https://in-toto.io/Statement/v1
  - Predicate type: https://docs.pypi.org/attestations/publish/v1
  - Subject name: sec_report_kit-0.1.4-py3-none-any.whl
  - Subject digest: 606b68ffcd49bb896f8be36116069f00d6bd53651d117849452d7c0957dc9f36
- Sigstore transparency entry: 1420268933
- Sigstore integration time:
- Permalink: ShanKonduru/sec-report-kit@94c61131d77f5f1f531cbe07747fd6ea4017583d
- Branch / Tag: refs/tags/v0.1.4
- Owner: https://github.com/ShanKonduru
- Access: public
- Token Issuer: https://token.actions.githubusercontent.com
- Runner Environment: github-hosted
- Publication workflow: publish-pypi.yml@94c61131d77f5f1f531cbe07747fd6ea4017583d
- Trigger Event: push