docs/api/report.md

# API Reference — `report/`

## `report/__init__.py` — public exports

```python

from report import generate_html_report, generate_sarif, REMEDIATION

```

---

## `report/html.py`

### `generate_html_report(findings, scan_meta)`



```python

def generate_html_report(findings: List[dict], scan_meta: dict) -> str
```



Build a self-contained, print-friendly HTML report string.



**Parameters:**



| Parameter | Type | Description |

|-----------|------|-------------|

| `findings` | `List[dict]` | Normalized finding dicts (from `make_finding`) |

| `scan_meta` | `dict` | Metadata injected into the report |



**`scan_meta` keys:**



| Key | Default | Description |

|-----|---------|-------------|

| `"title"` | `"Security Scan Report"` | `<title>` and `<h1>` |

| `"footer"` | `"HF Security Scanner"` | Footer text |

| `"repo"` | `""` | Repository URL shown in header |

| `"scanned_at"` | auto | ISO timestamp |



**Returns:** Complete `<!DOCTYPE html>...` string.



**Features:**

- Summary cards: severity counts (ERROR / WARNING / INFO), confidence distribution, category split (security / performance).

- Top OWASP categories section (top 8 by frequency).

- Per-finding cards with: severity badge, confidence badge, category badge, tool/rule badge, OWASP tag(s), message, file:line, and remediation hint.

- All user content is HTML-escaped (XSS-safe).

- Severity aliases: `HIGH → ERROR`, `MEDIUM → WARNING`, `LOW → INFO`.



**Example:**



```python

from report import generate_html_report



html = generate_html_report(findings, {"title": "My Project Scan", "repo": "github.com/org/repo"})

Path("report.html").write_text(html, encoding="utf-8")

```

---

### Internal functions

#### `_render_finding(f)`

```python

def _render_finding(f: dict) -> str

```

Render a single finding dict as an HTML `<div class="finding ...">` block.

#### `_aggregate(findings)`



```python

def _aggregate(findings: List[dict]) -> dict
```



Compute summary statistics. Returns:



```python

{

    "severity": {"ERROR": int, "WARNING": int, "INFO": int},

    "confidence": {"confirmed": int, "likely": int, "possible": int},

    "category": {"security": int, "performance": int},

    "owasp": {"A01:2021-...": int, ...},

}

```

---

## `report/sarif.py`

### `generate_sarif(findings, scan_meta)`

```python

def generate_sarif(findings: List[dict], scan_meta: dict) -> dict

```

Build a SARIF 2.1.0 document as a Python dict (serialize with `json.dumps`).

**Parameters:**

| Parameter | Type | Description |
|-----------|------|-------------|
| `findings` | `List[dict]` | Normalized finding dicts |
| `scan_meta` | `dict` | Metadata (same keys as HTML report) |

**Returns:** `dict` conforming to `https://json.schemastore.org/sarif-2.1.0.json`.

**GitHub Advanced Security compatibility:**
- Upload the serialized SARIF file using `github/codeql-action/upload-sarif`.
- `properties.security-severity` is a float string (`"9.0"`) enabling GitHub's severity triage.
- `partialFingerprints.primaryLocationLineHash` enables GitHub to deduplicate findings across runs.
- File paths are normalized to forward-slash, drive letters stripped (`C:\path` → `path`).

**Example:**

```python

import json

from report import generate_sarif



sarif = generate_sarif(findings, {"repo": "https://github.com/org/repo"})

Path("results.sarif").write_text(json.dumps(sarif, indent=2), encoding="utf-8")

```

### Severity → SARIF level mapping

| Severity | Confidence | SARIF `level` | `security-severity` |
|----------|-----------|--------------|---------------------|
| ERROR | confirmed | `error` | 9.0 |
| ERROR | likely | `error` | 7.5 |
| ERROR | possible | `warning` | 5.5 |
| HIGH | confirmed | `error` | 8.5 |
| WARNING | confirmed | `warning` | 4.5 |
| WARNING | likely | `warning` | 4.0 |
| WARNING | possible | `warning` | 3.0 |
| INFO | confirmed | `note` | 2.5 |
| INFO | likely | `note` | 2.0 |
| INFO | possible | `note` | 1.5 |

### Internal functions

#### `_fingerprint(finding)`



```python

def _fingerprint(finding: dict) -> str
```



SHA-256 fingerprint of `tool:rule:file:line:message` (first 16 hex chars). Used for `partialFingerprints.primaryLocationLineHash`.



#### `_build_rules_catalog(findings)`



```python

def _build_rules_catalog(findings: List[dict]) -> List[dict]

```

Build the `tool.driver.rules[]` catalog — one entry per unique `rule` ID, with `shortDescription`, `helpUri` (OWASP link), and `security-severity`.

#### `_result_for_finding(finding)`



```python

def _result_for_finding(finding: dict) -> dict
```



Convert one finding dict to a SARIF `result` object. Handles:

- Windows path normalization (strips drive letters).

- Invalid / non-positive line numbers (normalized to `1`).



#### `_help_uri(owasp)`



```python

def _help_uri(owasp: Any) -> str

```

Return the first matching OWASP help URL for the given OWASP tag list. Falls back to `_TOOL_URI` if no match.

---

## `report/remediation.py`

### `REMEDIATION`

```python

REMEDIATION: dict[str, str]

```

A mapping from rule ID / finding type to a short plain-English fix hint. Used by `make_finding()` in `core/models.py` — if `remediation=None` is passed, the registry is consulted.

**To add a hint:**

```python

# report/remediation.py

REMEDIATION = {

    "B602": "Avoid shell=True; use subprocess.run() with a list.",

    "MY-RULE": "Replace foo() with safe_foo().",

    ...

}

```

---

## `report/styles.py`

### `REPORT_CSS`



Embedded CSS string for the HTML report. Imported by `report/html.py`.



### `FP_GUIDE_HTML`



HTML fragment with a false-positive triage guide appended to every report.