Generate HTML security reports from Trivy, pip-audit, Safety, Bandit, and Gitleaks JSON
Project description
sec-report-kit
Generate HTML vulnerability reports from multiple security tools (SAST, SCA, IaC, and secrets) with a CLI and MCP server.
Release history: see CHANGELOG.md.
Supported source types:
- trivy
- pip-audit
- safety
- bandit
- gitleaks
- semgrep
- codeql (SARIF)
- osv-scanner
- checkov
- tfsec
- trufflehog (JSON or NDJSON)
Install
pip install -e .
With MCP support:
pip install -e .[mcp]
CLI Usage
Both commands are available:
srk
sec-report-kit
Render Trivy JSON:
srk render trivy --input security_reports/trivy-image-report-v1.0.21.json --output security_reports/report-trivy.html --target shankonduru/cpkc-poc:v1.0.21
Render pip-audit JSON:
srk render pip-audit --input pip-audit.json --output security_reports/report-pip-audit.html --target requirements.txt
Render Safety JSON:
srk render safety --input security_reports/safety.json --output security_reports/report-safety.html --target requirements.txt
Helper Scripts (bat/sh)
Cross-platform helper scripts are available in scripts/.
When render helpers are called without an explicit <target_name>, they automatically use the repository root folder name as the report target label.
Install this package and Python-installable scanners:
# Linux/macOS
bash scripts/install_tools.sh
# Windows
scripts\install_tools.bat
After cloning on a new machine, run the install script above to recreate the local .tools/ directory and install required external CLI binaries (codeql, tfsec, gitleaks, trufflehog, osv-scanner) alongside Python dependencies. The .tools/ folder is intentionally not committed to git.
Run all unit tests locally with coverage:
# Linux/macOS (optional arg: <coverage_dir>)
bash scripts/run_unit_tests_with_coverage.sh
bash scripts/run_unit_tests_with_coverage.sh htmlcov
# Windows (optional arg: <coverage_dir>)
scripts\run_unit_tests_with_coverage.bat
scripts\run_unit_tests_with_coverage.bat htmlcov
Run pip-audit and write JSON output:
# Linux/macOS (optional args: <report_dir> <requirements_file>)
bash scripts/run_pip_audit.sh
bash scripts/run_pip_audit.sh reports requirements.txt
# Windows (optional args: <report_dir> <requirements_file>)
scripts\run_pip_audit.bat
scripts\run_pip_audit.bat reports requirements.txt
Run Safety CLI and write JSON output:
# Linux/macOS (optional args: <report_dir> <requirements_file>)
bash scripts/run_safety.sh
bash scripts/run_safety.sh security_reports requirements.txt
# Windows (optional args: <report_dir> <requirements_file>)
scripts\run_safety.bat
scripts\run_safety.bat security_reports requirements.txt
Offline / local DB support: Safety CLI requires network access by default. To enable offline scanning, download the vulnerability DB while online and cache it locally:
# Linux/macOS — download once, reuse offline
bash scripts/download_safety_db.sh
# Windows
scripts\download_safety_db.bat
# Corporate/proxy environments with self-signed certificates
bash scripts/download_safety_db.sh .tools/safety-db --no-verify-ssl
scripts\download_safety_db.bat .tools\safety-db --no-verify-ssl
The DB is saved to .tools/safety-db/. Both run_safety.sh and run_safety.bat automatically detect and use it on subsequent runs, skipping the network call. Re-run the download script periodically to refresh the DB with the latest vulnerabilities.
Run Bandit and write JSON output:
# Linux/macOS (optional args: <report_dir> <target_path>)
bash scripts/run_bandit.sh
bash scripts/run_bandit.sh security_reports src
# Windows (optional args: <report_dir> <target_path>)
scripts\run_bandit.bat
scripts\run_bandit.bat security_reports src
Convert pip-audit JSON report to HTML:
# Linux/macOS (optional args: <report_dir> <target_name>)
bash scripts/render_pip_audit_html.sh
bash scripts/render_pip_audit_html.sh reports requirements.txt
# Windows (optional args: <report_dir> <target_name>)
scripts\render_pip_audit_html.bat
scripts\render_pip_audit_html.bat reports requirements.txt
Convert Safety JSON report to HTML:
# Linux/macOS (optional args: <report_dir> <target_name>)
bash scripts/render_safety_html.sh
bash scripts/render_safety_html.sh security_reports requirements.txt
# Windows (optional args: <report_dir> <target_name>)
scripts\render_safety_html.bat
scripts\render_safety_html.bat security_reports requirements.txt
These render helpers generate the HTML file and open it automatically in your default browser.
Convert sample Trivy JSON report to HTML:
# Linux/macOS (optional args: <report_dir> <target_name>)
bash scripts/render_trivy_html.sh
bash scripts/render_trivy_html.sh security_reports my-image
# Windows (optional args: <report_dir> <target_name>)
scripts\render_trivy_html.bat
scripts\render_trivy_html.bat security_reports my-image
Convert sample Bandit JSON report to HTML:
# Linux/macOS (optional args: <report_dir> <target_name>)
bash scripts/render_bandit_html.sh
bash scripts/render_bandit_html.sh security_reports my-python-project
# Windows (optional args: <report_dir> <target_name>)
scripts\render_bandit_html.bat
scripts\render_bandit_html.bat security_reports my-python-project
Convert sample Gitleaks JSON report to HTML:
# Linux/macOS (optional args: <report_dir> <target_name>)
bash scripts/render_gitleaks_html.sh
bash scripts/render_gitleaks_html.sh security_reports my-repository
# Windows (optional args: <report_dir> <target_name>)
scripts\render_gitleaks_html.bat
scripts\render_gitleaks_html.bat security_reports my-repository
By default, the pip-audit run and render scripts write JSON to reports/pip-audit.json and HTML to reports/pip-audit-report.html.
Additional Tool Workflows
Script Coverage Matrix
The table below reflects what is currently implemented in scripts/:
| Tool | Run Script (JSON/SARIF) | Render Script (HTML) | Default JSON/SARIF Output |
|---|---|---|---|
| Trivy | run_trivy.(sh/bat) | render_trivy_html.(sh/bat) | security_reports/trivy-image-report-v1.0.21.json |
| pip-audit | run_pip_audit.(sh/bat) | render_pip_audit_html.(sh/bat) | reports/pip-audit.json |
| Safety | run_safety.(sh/bat) | render_safety_html.(sh/bat) | security_reports/safety.json |
| Bandit | run_bandit.(sh/bat) | render_bandit_html.(sh/bat) | security_reports/bandit.json |
| Gitleaks | run_gitleaks.(sh/bat) | render_gitleaks_html.(sh/bat) | security_reports/gitleaks.json |
| Semgrep | run_semgrep.(sh/bat) | render_semgrep_html.(sh/bat) | security_reports/semgrep.json |
| CodeQL | run_codeql.(sh/bat) | render_codeql_html.(sh/bat) | security_reports/codeql.sarif.json |
| OSV-Scanner | run_osv_scanner.(sh/bat) | render_osv_scanner_html.(sh/bat) | security_reports/osv-scanner.json |
| Checkov | run_checkov.(sh/bat) | render_checkov_html.(sh/bat) | security_reports/checkov.json |
| tfsec | run_tfsec.(sh/bat) | render_tfsec_html.(sh/bat) | security_reports/tfsec.json |
| TruffleHog | run_trufflehog.(sh/bat) | render_trufflehog_html.(sh/bat) | security_reports/trufflehog.json |
Bandit End-To-End Example
Generate JSON first, then render HTML:
# Linux/macOS
bash scripts/run_bandit.sh security_reports src
bash scripts/render_bandit_html.sh security_reports my-python-project
# Windows
scripts\run_bandit.bat security_reports src
scripts\render_bandit_html.bat security_reports my-python-project
Other Run Script Usage
# Linux/macOS
bash scripts/run_trivy.sh security_reports alpine:latest
bash scripts/run_safety.sh security_reports requirements.txt
bash scripts/run_gitleaks.sh security_reports .
bash scripts/run_semgrep.sh security_reports .
bash scripts/run_codeql.sh security_reports codeql-db codeql/python-queries
bash scripts/run_osv_scanner.sh security_reports .
bash scripts/run_checkov.sh security_reports .
bash scripts/run_tfsec.sh security_reports .
bash scripts/run_trufflehog.sh security_reports .
# Windows
scripts\run_trivy.bat security_reports alpine:latest
scripts\run_safety.bat security_reports requirements.txt
scripts\run_gitleaks.bat security_reports .
scripts\run_semgrep.bat security_reports .
scripts\run_codeql.bat security_reports codeql-db codeql/python-queries
scripts\run_osv_scanner.bat security_reports .
scripts\run_checkov.bat security_reports .
scripts\run_tfsec.bat security_reports .
scripts\run_trufflehog.bat security_reports .
Trivy and Gitleaks End-To-End
Generate JSON and then render HTML using wrapper scripts:
# Linux/macOS
bash scripts/run_trivy.sh security_reports your-image:tag
bash scripts/render_trivy_html.sh security_reports your-image:tag
bash scripts/run_gitleaks.sh security_reports .
bash scripts/render_gitleaks_html.sh security_reports my-repository
# Windows
scripts\run_trivy.bat security_reports your-image:tag
scripts\render_trivy_html.bat security_reports your-image:tag
scripts\run_gitleaks.bat security_reports .
scripts\render_gitleaks_html.bat security_reports my-repository
Manual CLI render examples:
srk render semgrep --input security_reports/semgrep.json --output security_reports/semgrep-report.html --target my-repo
srk render codeql --input security_reports/codeql.sarif.json --output security_reports/codeql-report.html --target my-repo
srk render osv-scanner --input security_reports/osv-scanner.json --output security_reports/osv-scanner-report.html --target requirements.txt
srk render safety --input security_reports/safety.json --output security_reports/safety-report.html --target requirements.txt
srk render checkov --input security_reports/checkov.json --output security_reports/checkov-report.html --target terraform
srk render tfsec --input security_reports/tfsec.json --output security_reports/tfsec-report.html --target terraform
srk render trufflehog --input security_reports/trufflehog.json --output security_reports/trufflehog-report.html --target my-repo
srk render bandit --input security_reports/bandit.json --output security_reports/bandit-report.html --target my-python-project
srk render gitleaks --input security_reports/gitleaks.json --output security_reports/gitleaks-report.html --target my-repository
srk render trivy --input security_reports/trivy-image-report-v1.0.21.json --output security_reports/trivy-report.html --target my-image
MCP Server
Run MCP server over stdio:
srk mcp serve --transport stdio
Available MCP Tools
| Tool | Description |
|---|---|
| summarize_json | Summarize vulnerabilities by severity from a JSON file |
| render_report_from_json | Parse JSON and render an HTML report to disk |
| validate_input | Validate that a JSON file is parseable and return finding count |
All tools accept source_type ("trivy", "pip-audit", "safety", "bandit", "gitleaks", "semgrep", "codeql", "osv-scanner", "checkov", "tfsec", "trufflehog", or "auto") and input_path (absolute path to JSON file).
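To make the three tool behaviours concrete, here is an added example that is not sec-report-kit's own code: a small stand-in for validate_input, summarize_json and render_report_from_json that works over two constructed scanner outputs and also implements the "auto" source-type detection by inspecting the document's top-level shape. The field names follow the real Trivy image and pip-audit JSON layouts; the Finding record, the helper names, the severity buckets and every sample value (package names, versions, advisory ids) are this example's own placeholders. It goes a step beyond the README by showing why a report renderer must HTML-escape scanner-supplied strings: an advisory title or package name is untrusted input, and written raw it would execute as markup in whichever browser opens the report.

```python
"""Added example (not sec-report-kit's code): validate / summarize / render
over constructed Trivy and pip-audit JSON, with HTML escaping of all
scanner-supplied text."""
import html
import json
from collections import Counter
from dataclasses import dataclass
from pathlib import Path

# Constructed samples shaped like real Trivy and pip-audit output.  Names,
# versions and ids are placeholders; the "<b>" in the title exercises escaping.
TRIVY_SAMPLE = {
    "Results": [{
        "Target": "example-image (alpine)",
        "Vulnerabilities": [
            {"VulnerabilityID": "CVE-0000-0001", "PkgName": "libexample",
             "InstalledVersion": "1.0", "FixedVersion": "1.1",
             "Severity": "HIGH", "Title": "constructed <b>sample</b> title"},
            {"VulnerabilityID": "CVE-0000-0002", "PkgName": "libother",
             "InstalledVersion": "2.0", "Severity": "LOW", "Title": "sample"},
        ],
    }]
}
PIP_AUDIT_SAMPLE = {
    "dependencies": [
        {"name": "examplepkg", "version": "0.1", "vulns": [
            {"id": "PYSEC-0000-0001", "fix_versions": ["0.2"],
             "description": "sample advisory"}]},
        {"name": "cleanpkg", "version": "3.0", "vulns": []},
    ]
}

SEVERITY_ORDER = ("CRITICAL", "HIGH", "MEDIUM", "LOW", "UNKNOWN")


@dataclass
class Finding:            # one normalised vulnerability, whatever the scanner
    id: str
    package: str
    installed: str
    fixed: str
    severity: str
    title: str


def parse_trivy(doc):
    out = []
    for result in doc.get("Results", []):
        # Trivy emits "Vulnerabilities": null for clean targets, hence `or []`
        for v in result.get("Vulnerabilities") or []:
            out.append(Finding(v["VulnerabilityID"], v["PkgName"],
                               v.get("InstalledVersion", ""), v.get("FixedVersion", ""),
                               v.get("Severity", "UNKNOWN").upper(), v.get("Title", "")))
    return out


def parse_pip_audit(doc):
    # pip-audit JSON carries no severity field, so its findings stay UNKNOWN
    out = []
    for dep in doc.get("dependencies", []):
        for v in dep.get("vulns", []):
            out.append(Finding(v["id"], dep["name"], dep["version"],
                               ", ".join(v.get("fix_versions", [])),
                               "UNKNOWN", v.get("description", "")))
    return out


PARSERS = {"trivy": parse_trivy, "pip-audit": parse_pip_audit}


def detect_source_type(doc):
    """'auto' mode: choose the parser from the document's top-level shape."""
    if "Results" in doc:
        return "trivy"
    if "dependencies" in doc:
        return "pip-audit"
    raise ValueError("unrecognised scanner JSON")


def load_findings(doc, source_type="auto"):
    kind = detect_source_type(doc) if source_type == "auto" else source_type
    return PARSERS[kind](doc)


def validate_input(path, source_type="auto"):
    """Parse the file and return its finding count; malformed input raises."""
    doc = json.loads(Path(path).read_text(encoding="utf-8"))
    return len(load_findings(doc, source_type))


def summarize(findings):
    """Counts per severity, every bucket present so consumers get stable keys."""
    counts = Counter(f.severity for f in findings)
    return {s: counts.get(s, 0) for s in SEVERITY_ORDER}


def render_html(findings, target):
    # Every scanner-supplied string goes through html.escape: advisory titles
    # and package names are untrusted input to the report.
    ordered = sorted(findings, key=lambda f: SEVERITY_ORDER.index(f.severity))
    rows = "".join(
        "<tr>" + "".join(f"<td>{html.escape(c)}</td>" for c in
                         (f.severity, f.id, f.package, f.installed, f.fixed, f.title))
        + "</tr>" for f in ordered)
    summary = ", ".join(f"{k}: {v}" for k, v in summarize(findings).items())
    return (f"<!doctype html><html><body><h1>Report for {html.escape(target)}</h1>"
            f"<p>{summary}</p><table><tr><th>Severity</th><th>ID</th><th>Package</th>"
            f"<th>Installed</th><th>Fixed</th><th>Title</th></tr>{rows}</table></body></html>")


if __name__ == "__main__":
    found = load_findings(TRIVY_SAMPLE) + load_findings(PIP_AUDIT_SAMPLE)
    print(summarize(found))
    Path("example-report.html").write_text(render_html(found, "example-target"), encoding="utf-8")
```

Running the block prints the per-severity counts for the two samples and writes example-report.html next to it; the pip-audit finding lands in the UNKNOWN bucket because that format carries no severity, which is worth remembering when comparing counts across source types.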
VS Code (GitHub Copilot Agent / MCP extension)
Add to your VS Code settings.json (or .vscode/mcp.json in the workspace):
{
"mcp": {
"servers": {
"sec-report-kit": {
"type": "stdio",
"command": "srk",
"args": ["mcp", "serve", "--transport", "stdio"]
}
}
}
}
Note: If srk is not on the system PATH, replace "command" with the full path to the executable, e.g. "C:/Users/you/.venv/Scripts/srk.exe".
Claude Desktop
Edit %APPDATA%\Claude\claude_desktop_config.json (Windows) or ~/Library/Application Support/Claude/claude_desktop_config.json (macOS):
{
"mcpServers": {
"sec-report-kit": {
"command": "srk",
"args": ["mcp", "serve", "--transport", "stdio"]
}
}
}
Cursor
Open Cursor Settings → MCP and add a new server entry:
{
"sec-report-kit": {
"command": "srk",
"args": ["mcp", "serve", "--transport", "stdio"]
}
}
Or add it to .cursor/mcp.json in your project root:
{
"mcpServers": {
"sec-report-kit": {
"command": "srk",
"args": ["mcp", "serve", "--transport", "stdio"]
}
}
}
Windsurf (Codeium)
Edit ~/.codeium/windsurf/mcp_config.json:
{
"mcpServers": {
"sec-report-kit": {
"command": "srk",
"args": ["mcp", "serve", "--transport", "stdio"]
}
}
}
Using a virtual environment
If the package is installed in a .venv, use the full path to avoid PATH issues:
Windows:
{
"command": "C:/MyProjects/sec-report-kit/.venv/Scripts/srk.exe",
"args": ["mcp", "serve", "--transport", "stdio"]
}
macOS / Linux:
{
"command": "/home/user/sec-report-kit/.venv/bin/srk",
"args": ["mcp", "serve", "--transport", "stdio"]
}
Package Publish
Build:
python -m build
Upload to TestPyPI:
python -m twine upload --repository testpypi dist/*
Upload to PyPI:
python -m twine upload dist/*
Project details
File details
Details for the file sec_report_kit-0.2.3.tar.gz.
File metadata
- Download URL: sec_report_kit-0.2.3.tar.gz
- Upload date:
- Size: 37.6 kB
- Tags: Source
- Uploaded using Trusted Publishing? Yes
- Uploaded via: twine/6.1.0 CPython/3.13.12
File hashes
| Algorithm | Hash digest |
|---|---|
| SHA256 | 199531520d539cddb9bad7a5a02c1d762433c976f274f61c19cc4889346ba7ca |
| MD5 | 51b7e31357747b29820a6807063420d2 |
| BLAKE2b-256 | 41f079bed18019dae593cecfae6fbdeb451d8f4e0bfcbb6a5ec55c04fab3b09b |
Provenance
The following attestation bundles were made for sec_report_kit-0.2.3.tar.gz:
- Publisher: publish-pypi.yml on ShanKonduru/sec-report-kit
- Statement type: https://in-toto.io/Statement/v1
- Predicate type: https://docs.pypi.org/attestations/publish/v1
- Subject name: sec_report_kit-0.2.3.tar.gz
- Subject digest: 199531520d539cddb9bad7a5a02c1d762433c976f274f61c19cc4889346ba7ca
- Sigstore transparency entry: 1523310602
- Sigstore integration time:
- Permalink: ShanKonduru/sec-report-kit@b6d196bac687e07189e884e2fe25af5c8842da1d
- Branch / Tag: refs/tags/v0.2.3
- Owner: https://github.com/ShanKonduru
- Access: public
- Token Issuer: https://token.actions.githubusercontent.com
- Runner Environment: github-hosted
- Publication workflow: publish-pypi.yml@b6d196bac687e07189e884e2fe25af5c8842da1d
- Trigger Event: push
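The attestation above binds the sdist to its SHA256 digest inside an in-toto Statement v1 whose predicate type is PyPI's publish predicate. The following added example (not PyPI's or sec-report-kit's code) shows the part of that check a consumer can do locally without any tooling: recompute the three digests the download page lists (SHA256, MD5, BLAKE2b-256), compare the SHA256 in constant time against the listed value, and confirm that an in-toto statement of the listed types names the file with a matching subject digest. The statement field names (_type, subject, name, digest, predicateType, predicate) are the real in-toto Statement v1 layout; the file bytes and subject name the block constructs are placeholders. It deliberately does not verify the Sigstore signature over the statement, which is the step that makes the binding trustworthy and needs the Sigstore verification tooling; what it checks is only that the bytes on disk are the bytes the statement describes.

```python
"""Added example: recompute PyPI-style file hashes and check a file against
the subject of an in-toto Statement v1.  Does NOT verify the Sigstore
signature; only the name/digest binding is checked."""
import hashlib
import hmac
import tempfile
from pathlib import Path

IN_TOTO_STATEMENT_V1 = "https://in-toto.io/Statement/v1"
PYPI_PUBLISH_PREDICATE = "https://docs.pypi.org/attestations/publish/v1"


def file_digests(path):
    """SHA256, MD5 and BLAKE2b-256 hex digests, computed in one chunked pass."""
    sha256, md5 = hashlib.sha256(), hashlib.md5()
    blake = hashlib.blake2b(digest_size=32)          # BLAKE2b-256
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            for h in (sha256, md5, blake):
                h.update(chunk)
    return {"sha256": sha256.hexdigest(), "md5": md5.hexdigest(),
            "blake2b_256": blake.hexdigest()}


def verify_listed_digest(path, expected_sha256):
    """Compare the file's SHA256 with the digest shown on the download page."""
    return hmac.compare_digest(file_digests(path)["sha256"], expected_sha256.lower())


def subject_matches(statement, artifact_name, path):
    """True if the statement is a PyPI publish attestation (by type) that names
    artifact_name with a sha256 equal to the file's.  Signature NOT checked."""
    if statement.get("_type") != IN_TOTO_STATEMENT_V1:
        return False
    if statement.get("predicateType") != PYPI_PUBLISH_PREDICATE:
        return False
    actual = file_digests(path)["sha256"]
    for subject in statement.get("subject", []):
        if subject.get("name") == artifact_name:
            listed = subject.get("digest", {}).get("sha256", "")
            return hmac.compare_digest(listed.lower(), actual)
    return False                                     # file not named at all


def build_statement(artifact_name, sha256_hex):
    """Constructed statement with the in-toto v1 layout (placeholder predicate)."""
    return {
        "_type": IN_TOTO_STATEMENT_V1,
        "subject": [{"name": artifact_name, "digest": {"sha256": sha256_hex}}],
        "predicateType": PYPI_PUBLISH_PREDICATE,
        "predicate": {},
    }


if __name__ == "__main__":
    # Constructed stand-in for a downloaded sdist; not a real archive.
    with tempfile.NamedTemporaryFile(suffix=".tar.gz", delete=False) as tmp:
        tmp.write(b"constructed sdist bytes")
    digests = file_digests(tmp.name)
    stmt = build_statement("example_pkg-0.0.0.tar.gz", digests["sha256"])
    print(digests)
    print("subject matches:", subject_matches(stmt, "example_pkg-0.0.0.tar.gz", tmp.name))
    Path(tmp.name).unlink()
```

For a real download, pass the path of the sdist or wheel, the Subject name from the provenance listing as artifact_name, and the statement from the attestation bundle; a False result from subject_matches means either the wrong file or the wrong statement, and a True result still says nothing about who signed it.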
File details
Details for the file sec_report_kit-0.2.3-py3-none-any.whl.
File metadata
- Download URL: sec_report_kit-0.2.3-py3-none-any.whl
- Upload date:
- Size: 23.3 kB
- Tags: Python 3
- Uploaded using Trusted Publishing? Yes
- Uploaded via: twine/6.1.0 CPython/3.13.12
File hashes
| Algorithm | Hash digest |
|---|---|
| SHA256 | 6e8dfc38948f62ff66c99d0bc206206ea9981e736c879efa66f56e50d20a1494 |
| MD5 | a67fc49caf519057d0b7dcbd6caac1ee |
| BLAKE2b-256 | 39e4e881b2c41a72680a51a7ec7579d8a78b9d93bb656f385d1a27c3bf9cbbd7 |
Provenance
The following attestation bundles were made for sec_report_kit-0.2.3-py3-none-any.whl:
- Publisher: publish-pypi.yml on ShanKonduru/sec-report-kit
- Statement type: https://in-toto.io/Statement/v1
- Predicate type: https://docs.pypi.org/attestations/publish/v1
- Subject name: sec_report_kit-0.2.3-py3-none-any.whl
- Subject digest: 6e8dfc38948f62ff66c99d0bc206206ea9981e736c879efa66f56e50d20a1494
- Sigstore transparency entry: 1523310607
- Sigstore integration time:
- Permalink: ShanKonduru/sec-report-kit@b6d196bac687e07189e884e2fe25af5c8842da1d
- Branch / Tag: refs/tags/v0.2.3
- Owner: https://github.com/ShanKonduru
- Access: public
- Token Issuer: https://token.actions.githubusercontent.com
- Runner Environment: github-hosted
- Publication workflow: publish-pypi.yml@b6d196bac687e07189e884e2fe25af5c8842da1d
- Trigger Event: push