Skip to main content

Overview

The Posture Intelligence Report is a per-repository PDF generated from a completed scan. It captures everything Krait knows about that repository at the time of the scan: the risk index, every finding, the full API surface, vulnerable dependencies, autofixable packages, and a CWE threat map. It is designed to be handed off. Auditors get structured technical evidence. Stakeholders get a risk summary. Engineering teams get an actionable remediation list.

How to Generate a Report

1

Open the repository

Navigate to the repository you want to generate a report for.
2

Click Generate Report

Select Generate Report from the repository page.
3

Select sections

Choose which sections to include in the report. You can include any combination of Executive Summary, Findings Catalog, API Inventory, Autofixables, Dependencies, and CWE Concentration.
Section selection dropdown for Posture Intelligence Report
4

Generate and download

Click Generate. Krait will compile the selected sections into a PDF, which you can download and share.

What the Report Contains

The report is divided into six sections.

01 Executive Summary

A high-level view of the repository’s current risk posture.
  • Active issues - total open findings and what percentage of the catalog they represent
  • Resolved - findings that have been closed
  • False positives - findings triaged as non-issues
  • Risk Index - a weighted score from 0 to 100 calculated as follows:
Risk Index = (C×10 + H×7 + M×4 + L×2) ÷ (total × 10) × 100
Only open findings contribute to the score. A higher score means more concentrated risk. The summary also includes a severity breakdown table (Critical, High, Medium, Low), API Deep Scan vulnerability type distribution, finding lifecycle status, and a breakdown by finding type.

02 Findings Catalog

Every finding detected in the repository, grouped by type and sorted by severity. Each entry includes:
  • Severity level
  • Finding name and description
  • CVE identifier
  • Number of affected locations in the codebase
  • CVSS score
  • Whether an Autofix is available
Only Krait-prioritized findings are listed in the table. The stat counters above the table reflect all findings in the group, including non-prioritized ones.

03 API Inventory

A full map of the HTTP surface exposed by the repository, derived directly from source code.
  • Total routes discovered
  • Affected routes carrying at least one finding
  • Clean routes with no attached findings
  • Route findings total count
  • API Deep Scan vulnerability types - breakdown across Broken Access Control, SSRF Injection, SQL Injection, RCE, and XSS
  • Routes by HTTP method - distribution across GET, POST, PUT, DELETE, etc.
  • Route inventory - individual affected routes sorted by finding count

04 Autofixables

All dependency upgrades that Krait can apply automatically through an Autofix PR. Each package entry shows:
  • Current installed version
  • The version to upgrade to
  • Number of findings that would be closed by the upgrade
This section gives engineering teams an immediate, prioritized action list for dependency remediation.

05 Dependencies

A health overview of the repository’s third-party supply chain.
  • Total active dependencies and their composition (production vs dev/build)
  • Number of vulnerable packages and autofixable candidates
  • Scan activity history including total scans run, success rate, and last completed scan date
  • Top vulnerable packages ranked by finding count, with autofix availability indicated

06 CWE Concentration

A threat intelligence view mapping findings to Common Weakness Enumeration categories. Each CWE entry shows its severity level, an exposure bar representing relative impact, and the finding count it drives. This section helps teams understand the underlying weakness patterns behind their vulnerability backlog, making it useful for root cause analysis and longer-term architectural improvements.

Report Metadata

Each report cover includes repository context captured at the time of the scan:
FieldDescription
TypeRepository or container
BranchThe branch that was scanned
ConnectionGitHub or GitLab
VisibilityPublic or Private
FrameworkDetected application framework
LanguagesDetected programming languages
Risk IndexWeighted posture score at time of scan
CoverageVulnerability categories actively monitored