Security scanners (SAST, SCA, secret scanning) can be great at finding bugs but terrible at talking to humans.
Scenario: You run a scan.
Result: A 4MB JSON file or 500 lines of unreadable terminal logs.
Action: You ignore it until CI breaks.
The Solution (Kekkai): I built a terminal-based "Inbox" for security findings. It unifies Trivy (CVEs), Semgrep (Code), and Gitleaks (Secrets) into a single TUI.
Key Features in v2.2:
- Unified TUI: Navigate findings with j/k.
- Code Context: Press Enter to see the vulnerable code snippet, syntax-highlighted, right in the terminal. No context switching.
- Local AI: Pipe the finding to Ollama (running locally) to ask "Is this a false positive?", so the snippet never leaves your machine.
I didn't want to configure another CI pipeline manually, so I built a self-replicating init command.
Run this in your repo: kekkai init --ci
It detects your git root and auto-generates a GitHub Actions workflow that blocks the build on "High" severity findings.
Try it locally: pipx install kekkai-cli -> kekkai scan -> kekkai triage
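The two ideas above, one inbox for three scanners and a CI gate on severity, as an added example that is not Kekkai's code. It reads the JSON each scanner emits (field names as I understand each tool's output: Trivy's Results[].Vulnerabilities[], Semgrep's results[].extra.severity, and Gitleaks' array of RuleID/File/StartLine/Secret entries), folds them into one sorted finding list, redacts the secret value before it can reach a triage view or an LLM prompt, and returns the findings that should fail the build at a chosen threshold. The sample reports, the CVE-style placeholder IDs, the rule names and the Semgrep-to-severity mapping are all constructed for this example.

```python
"""Fold Trivy, Semgrep and Gitleaks JSON into one finding list and gate on severity."""
import json
import sys
from dataclasses import dataclass

# One ordered scale for all three tools. Trivy already uses these names; Semgrep's
# ERROR/WARNING/INFO and Gitleaks' untyped hits are mapped onto it below (our choice).
SEVERITY_RANK = {"INFO": 0, "LOW": 1, "MEDIUM": 2, "HIGH": 3, "CRITICAL": 4}
SEMGREP_TO_SEVERITY = {"INFO": "INFO", "WARNING": "MEDIUM", "ERROR": "HIGH"}


@dataclass(frozen=True)
class Finding:
    tool: str
    rule: str
    severity: str
    path: str
    line: int
    message: str


def redact(secret: str) -> str:
    """Keep 4 chars at each end so the hit is recognizable; never store the full value."""
    if len(secret) <= 8:
        return "*" * len(secret)
    return secret[:4] + "*" * (len(secret) - 8) + secret[-4:]


def parse_trivy(report: dict) -> list[Finding]:
    out = []
    for result in report.get("Results", []):
        # A clean target has no "Vulnerabilities" key, or null; treat both as empty.
        for v in result.get("Vulnerabilities") or []:
            fix = v.get("FixedVersion") or "no fix"
            out.append(Finding("trivy", v["VulnerabilityID"], v.get("Severity", "UNKNOWN").upper(),
                               result.get("Target", ""), 0,
                               f"{v.get('PkgName')} {v.get('InstalledVersion')} ({fix})"))
    return out


def parse_semgrep(report: dict) -> list[Finding]:
    out = []
    for r in report.get("results", []):
        sev = SEMGREP_TO_SEVERITY.get(r["extra"]["severity"].upper(), "MEDIUM")
        out.append(Finding("semgrep", r["check_id"], sev, r["path"],
                           r["start"]["line"], r["extra"]["message"]))
    return out


def parse_gitleaks(report: list) -> list[Finding]:
    # Any committed credential is HIGH: it is already exposed in history regardless of rule.
    return [Finding("gitleaks", f["RuleID"], "HIGH", f["File"], f["StartLine"],
                    f"{f['Description']} (secret: {redact(f.get('Secret', ''))})")
            for f in report]


def load_findings(trivy_json: str, semgrep_json: str, gitleaks_json: str) -> list[Finding]:
    findings = (parse_trivy(json.loads(trivy_json)) + parse_semgrep(json.loads(semgrep_json))
                + parse_gitleaks(json.loads(gitleaks_json)))
    # Worst first, so what blocks the build sits at the top of the inbox; stable for ties.
    return sorted(findings, key=lambda f: SEVERITY_RANK.get(f.severity, 0), reverse=True)


def blocking(findings: list[Finding], threshold: str = "HIGH") -> list[Finding]:
    """Findings at or above the threshold; a non-empty list means the CI step should fail."""
    floor = SEVERITY_RANK[threshold]
    return [f for f in findings if SEVERITY_RANK.get(f.severity, 0) >= floor]


def inbox_lines(findings: list[Finding]) -> list[str]:
    return [f"[{f.severity:<8}] {f.tool:<8} {f.path}:{f.line} {f.rule}: {f.message}" for f in findings]


# Constructed sample reports (not real scan output); IDs and token are placeholders.
TRIVY_SAMPLE = json.dumps({"Results": [
    {"Target": "package-lock.json", "Vulnerabilities": [
        {"VulnerabilityID": "CVE-0000-0001", "PkgName": "examplelib", "InstalledVersion": "1.0.0",
         "FixedVersion": "1.0.1", "Severity": "CRITICAL"},
        {"VulnerabilityID": "CVE-0000-0002", "PkgName": "otherlib", "InstalledVersion": "2.3.0",
         "FixedVersion": "", "Severity": "LOW"}]},
    {"Target": "Dockerfile", "Vulnerabilities": None}]})
SEMGREP_SAMPLE = json.dumps({"results": [
    {"check_id": "example.python.eval-on-request", "path": "app/views.py", "start": {"line": 42},
     "extra": {"severity": "ERROR", "message": "eval() called on request data"}},
    {"check_id": "example.python.assert-in-prod", "path": "app/auth.py", "start": {"line": 9},
     "extra": {"severity": "WARNING", "message": "assert used for access control"}}]})
GITLEAKS_SAMPLE = json.dumps([
    {"RuleID": "generic-api-key", "File": "config/settings.py", "StartLine": 7,
     "Description": "Generic API Key", "Secret": "tok_0123456789abcdef0123456789abcdef"}])

if __name__ == "__main__":
    all_findings = load_findings(TRIVY_SAMPLE, SEMGREP_SAMPLE, GITLEAKS_SAMPLE)
    print("\n".join(inbox_lines(all_findings)))
    # Exiting non-zero is what actually fails a CI job; print alone blocks nothing.
    sys.exit(1 if blocking(all_findings, "HIGH") else 0)
```

The redaction matters more than it looks: a secret scanner's JSON carries the literal credential, and a triage inbox that displays it, logs it, or pastes it into an LLM prompt has just copied the leak to a fourth place.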