EHArviv/security-finding-report-generator

GitHub: EHArviv/security-finding-report-generator

A Python-based security reporting automation tool that supports multi-format report generation, risk-score calculation and a choice of report templates, helping security teams produce professional vulnerability finding reports efficiently.

Stars: 0 | Forks: 0

# Security Finding Report Generator

A Python security automation tool for generating professional security finding reports in Markdown, JSON, TXT and HTML formats.

The project is designed for security engineers, SOC, DevSecOps, bug bounty, internal security and compliance reporting workflows.

## Features

- Generate security finding reports
- Markdown report support
- JSON report support
- TXT summary support
- HTML report support
- Selectable report templates
- Risk score calculation
- Final risk level calculation
- Technical evidence section
- Business impact section
- Remediation guidance section
- Default recommendations per finding type
- Command-line interface
- Unit tests
- GitHub Actions workflow

## Supported Templates

The tool supports the following templates:

```
bug_bounty
internal_security
executive
```

## Supported Finding Types

```
missing_security_header
weak_ssh_configuration
public_admin_panel
outdated_software
excessive_permissions
insecure_configuration
generic
```

## Project Structure

```
security-finding-report-generator/
├── .github/
│   └── workflows/
│       └── python-check.yml
├── docs/
│   ├── project-notes.md
│   └── report-fields.md
├── examples/
│   └── example_command.txt
├── reports/
│   └── .gitkeep
├── src/
│   └── finding_report_generator.py
├── templates/
├── tests/
│   └── test_risk_score.py
├── README.md
├── requirements.txt
└── .gitignore
```

## Usage

Generate all report formats:

```
python src/finding_report_generator.py \
  --title "Missing Content-Security-Policy Header" \
  --finding-type missing_security_header \
  --asset "https://example.com" \
  --severity Medium \
  --likelihood Medium \
  --impact Medium \
  --description "The application does not return a Content-Security-Policy header in the HTTP response." \
  --evidence "Content-Security-Policy header was not found in the HTTP response." \
  --business-impact "Missing CSP may increase the impact of client-side injection vulnerabilities." \
  --template bug_bounty \
  --format all
```

Generate only HTML:

```
python src/finding_report_generator.py \
  --title "Weak SSH Configuration" \
  --finding-type weak_ssh_configuration \
  --asset "demo-linux-server" \
  --severity High \
  --likelihood Medium \
  --impact High \
  --description "The SSH service is configured with weak authentication settings." \
  --evidence "PasswordAuthentication is enabled." \
  --business-impact "Weak SSH settings may increase the risk of unauthorized access." \
  --template internal_security \
  --format html
```

## Generated Reports

The tool writes files locally to the `reports/` folder:

- `finding_report.md`
- `finding_report.json`
- `finding_summary.txt`
- `finding_report.html`

Generated report files are ignored by Git and should not be committed.

## Risk Score Logic

The tool calculates a risk score as:

```
severity + likelihood + impact
```

Point values:

| Rating   | Points |
|----------|--------|
| Critical | 5      |
| High     | 4      |
| Medium   | 3      |
| Low      | 2      |
| Info     | 1      |

Risk level:

| Score | Risk Level |
|-------|------------|
| 13+   | Critical   |
| 11-12 | High       |
| 8-10  | Medium     |
| 5-7   | Low        |
| 1-4   | Info       |

Because each of the three factors contributes at least 1 point, the lowest score a finding can receive is 3 and the highest is 15. The three ratings carry equal weight, so a Critical severity combined with Info likelihood and Info impact scores 5 + 1 + 1 = 7 and is reported as Low.

## Output Formats

- Markdown: used for GitHub, documentation and technical reports.
- JSON: used for automation, dashboards, APIs and structured reporting.
- TXT: used for quick summaries and plain-text communication.
- HTML: used for readable reports that can be opened in a browser or shared internally.

## GitHub Actions

This project includes a GitHub Actions workflow that runs automated checks on every push and pull request. The workflow:

- Checks Python syntax
- Runs unit tests
- Runs the report generator
- Verifies that reports can be generated successfully

Workflow file: `.github/workflows/python-check.yml`

## Requirements

No external dependencies are required. This project uses only Python standard library modules.

## Run Tests

```
python -m unittest discover -s tests
```

## Skills Demonstrated

- Python automation
- Security reporting
- Risk scoring
- Markdown report generation
- JSON report generation
- TXT report generation
- HTML report generation
- CLI tool development
- Unit testing
- GitHub Actions
- Security engineer workflow
- Bug bounty reporting workflow
- DevSecOps-style automation

## Example Resume Description

Built a Python security reporting automation tool that generates professional security finding reports in Markdown, JSON, TXT and HTML formats, calculates risk scores, supports multiple templates, includes unit tests, and uses GitHub Actions for automated validation.
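The scoring rule from the Risk Score Logic section, implemented as an added example. This is not the project's `src/finding_report_generator.py`; the function names, the case-insensitive rating lookup and the rejection of unknown ratings are assumptions of this example. It reproduces the point table and level bands exactly, so it can be used to check the two usage commands above (Medium/Medium/Medium scores 9 and is Medium; High/Medium/High scores 11 and is High) and to see one edge of the additive rule: a Critical severity with Info likelihood and Info impact scores 7, which the table maps to Low.

```python
"""Risk score = severity + likelihood + impact, with the README's tables.

Added example, not the project's own code.  Function names and the
handling of unknown ratings are assumptions made here for illustration.
"""

# Point values from the README's "Point values" table.
POINTS = {"Critical": 5, "High": 4, "Medium": 3, "Low": 2, "Info": 1}

# (lower bound, level) from the README's "Risk level" table, highest first.
# Since every factor scores at least 1, the lowest reachable score is 3.
LEVEL_BANDS = [
    (13, "Critical"),
    (11, "High"),
    (8, "Medium"),
    (5, "Low"),
    (1, "Info"),
]


def rating_points(rating: str) -> int:
    """Map a rating such as 'high' or 'High' to its point value.

    Ratings are normalised to title case so CLI input like `--severity high`
    is accepted.  Anything outside the table raises instead of being scored
    silently as Info, which would under-rate a typo'd Critical finding.
    """
    key = rating.strip().title()
    if key not in POINTS:
        raise ValueError(f"unknown rating {rating!r}; expected one of {sorted(POINTS)}")
    return POINTS[key]


def risk_score(severity: str, likelihood: str, impact: str) -> int:
    """Additive score in the range 3..15."""
    return rating_points(severity) + rating_points(likelihood) + rating_points(impact)


def risk_level(score: int) -> str:
    """Map a score onto the README's level bands."""
    for lower_bound, level in LEVEL_BANDS:
        if score >= lower_bound:
            return level
    raise ValueError(f"score {score} is below the lowest band")


def assess(severity: str, likelihood: str, impact: str) -> dict:
    """Combine the inputs with the computed score and level, as a report would."""
    score = risk_score(severity, likelihood, impact)
    return {
        "severity": severity.strip().title(),
        "likelihood": likelihood.strip().title(),
        "impact": impact.strip().title(),
        "risk_score": score,
        "risk_level": risk_level(score),
    }


if __name__ == "__main__":
    # The two README usage commands, then the Critical-but-Low edge case.
    print(assess("Medium", "Medium", "Medium"))
    print(assess("High", "Medium", "High"))
    print(assess("Critical", "Info", "Info"))
```

Keeping the bands as a list of lower bounds means the `13+` row needs no special upper limit, and a rating that is not in the table is an error at scoring time rather than a quietly wrong level in the final report.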
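Of the four formats listed under Output Formats, HTML is the one a viewer interprets rather than displays: a browser will execute markup that appears in a field such as `--evidence` (often a pasted response fragment) or `--title` (in a bug-bounty workflow, text written by the submitter) if the report interpolates it verbatim. The renderer below is an added example, not the project's code; the field names, the section labels and the `risk_score`/`risk_level` keys are assumptions. It escapes every field with `html.escape` before interpolation and shows, on a constructed finding whose evidence contains a script tag, that the tag reaches the report as text.

```python
"""Minimal HTML report renderer with per-field escaping.

Added example, not the project's own code.  The finding dict layout,
section labels and key names are assumptions made here for illustration.
"""

import html

# Free-text report sections and the heading each is shown under.  Empty
# sections are omitted so an unused remediation field leaves no gap.
SECTIONS = [
    ("description", "Description"),
    ("evidence", "Technical Evidence"),
    ("business_impact", "Business Impact"),
    ("remediation", "Remediation"),
]


def esc(value) -> str:
    """Escape one field for HTML text or attribute context.

    quote=True also escapes " and ', so the same helper is safe whether the
    value ends up between tags or inside an attribute.
    """
    return html.escape(str(value), quote=True)


def render_html_report(finding: dict) -> str:
    """Render a finding as a standalone HTML page with every field escaped."""
    parts = [
        "<!DOCTYPE html>",
        '<html><head><meta charset="utf-8">',
        f"<title>{esc(finding['title'])}</title>",
        "</head><body>",
        f"<h1>{esc(finding['title'])}</h1>",
        "<table>",
        f"<tr><th>Asset</th><td>{esc(finding['asset'])}</td></tr>",
        f"<tr><th>Severity</th><td>{esc(finding['severity'])}</td></tr>",
        f"<tr><th>Risk Score</th><td>{esc(finding['risk_score'])}</td></tr>",
        f"<tr><th>Risk Level</th><td>{esc(finding['risk_level'])}</td></tr>",
        "</table>",
    ]
    for key, heading in SECTIONS:
        if finding.get(key):
            parts.append(f"<h2>{esc(heading)}</h2>")
            # <pre> preserves line breaks in pasted headers or config lines;
            # the content is still escaped, so it renders as text only.
            parts.append(f"<pre>{esc(finding[key])}</pre>")
    parts.append("</body></html>")
    return "\n".join(parts)


# Constructed sample finding: the evidence deliberately carries markup, as a
# captured response body or a hostile submission might.
SAMPLE_FINDING = {
    "title": "Missing Content-Security-Policy Header",
    "asset": "https://example.com",
    "severity": "Medium",
    "risk_score": 9,
    "risk_level": "Medium",
    "description": "The application does not return a Content-Security-Policy header.",
    "evidence": 'Response body excerpt: <script>alert("csp")</script>',
    "business_impact": "Missing CSP may increase the impact of client-side injection.",
    "remediation": "",
}


if __name__ == "__main__":
    print(render_html_report(SAMPLE_FINDING))
```

The check worth carrying into a report generator's own unit tests is the one the constructed sample exercises: a field containing `<script>` must come out of the renderer as `&lt;script&gt;`, and a field containing a quote must not be able to close an attribute.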
Tags: DevSecOps, Python, upstream proxy, document structure analysis, no backdoor, network debugging, automation, reverse-engineering tools