> ## Documentation Index
> Fetch the complete documentation index at: https://docs.krait.io/llms.txt
> Use this file to discover all available pages before exploring further.

# Posture Intelligence Report

> A downloadable PDF report that gives a complete security picture of a single repository. Share it with auditors, leadership, or engineering teams without requiring them to log into Krait.

## Overview

The Posture Intelligence Report is a per-repository PDF generated from a completed scan. It captures everything Krait knows about that repository at the time of the scan: the risk index, every finding, the full API surface, vulnerable dependencies, autofixable packages, and a CWE threat map.

It is designed to be handed off. Auditors get structured technical evidence. Stakeholders get a risk summary. Engineering teams get an actionable remediation list.

## How to Generate a Report

<Steps>
  <Step title="Open the repository">
    Navigate to the repository you want to generate a report for.
  </Step>

  <Step title="Click Generate Report">
    Select **Generate Report** from the repository page.
  </Step>

  <Step title="Select sections">
    Choose which sections to include in the report. You can include any combination of Executive Summary, Findings Catalog, API Inventory, Autofixables, Dependencies, and CWE Concentration.

    <Frame>
      <img src="https://mintcdn.com/krait/9ioPUQVgYHbGs9dJ/reports/images/asset-report-create.png?fit=max&auto=format&n=9ioPUQVgYHbGs9dJ&q=85&s=6057f3c054ab7cc9d4ab008a54a45bb8" alt="Section selection dropdown for Posture Intelligence Report" className="mx-auto" style={{ width:"100%" }} width="676" height="626" data-path="reports/images/asset-report-create.png" />
    </Frame>
  </Step>

  <Step title="Generate and download">
    Click **Generate**. Krait will compile the selected sections into a PDF, which you can download and share.
  </Step>
</Steps>

## What the Report Contains

The report is divided into six sections.

### 01 Executive Summary

A high-level view of the repository's current risk posture.

* **Active issues** - total open findings and what percentage of the catalog they represent
* **Resolved** - findings that have been closed
* **False positives** - findings triaged as non-issues
* **Risk Index** - a weighted score from 0 to 100 calculated as follows:

```
Risk Index = (C×10 + H×7 + M×4 + L×2) ÷ (total × 10) × 100
```

Only open findings contribute to the score. A higher score means more concentrated risk.

The summary also includes a severity breakdown table (Critical, High, Medium, Low), API Deep Scan vulnerability type distribution, finding lifecycle status, and a breakdown by finding type.

### 02 Findings Catalog

Every finding detected in the repository, grouped by type and sorted by severity. Each entry includes:

* Severity level
* Finding name and description
* CVE identifier
* Number of affected locations in the codebase
* CVSS score
* Whether an Autofix is available

Only Krait-prioritized findings are listed in the table. The stat counters above the table reflect all findings in the group, including non-prioritized ones.

### 03 API Inventory

A full map of the HTTP surface exposed by the repository, derived directly from source code.

* **Total routes** discovered
* **Affected routes** carrying at least one finding
* **Clean routes** with no attached findings
* **Route findings** total count
* **API Deep Scan vulnerability types** - breakdown across Broken Access Control, SSRF Injection, SQL Injection, RCE, and XSS
* **Routes by HTTP method** - distribution across GET, POST, PUT, DELETE, etc.
* **Route inventory** - individual affected routes sorted by finding count

### 04 Autofixables

All dependency upgrades that Krait can apply automatically through an Autofix PR.

Each package entry shows:

* Current installed version
* The version to upgrade to
* Number of findings that would be closed by the upgrade

This section gives engineering teams an immediate, prioritized action list for dependency remediation.

### 05 Dependencies

A health overview of the repository's third-party supply chain.

* Total active dependencies and their composition (production vs dev/build)
* Number of vulnerable packages and autofixable candidates
* Scan activity history including total scans run, success rate, and last completed scan date
* Top vulnerable packages ranked by finding count, with autofix availability indicated

### 06 CWE Concentration

A threat intelligence view mapping findings to Common Weakness Enumeration categories. Each CWE entry shows its severity level, an exposure bar representing relative impact, and the finding count it drives.

This section helps teams understand the underlying weakness patterns behind their vulnerability backlog, making it useful for root cause analysis and longer-term architectural improvements.

## Report Metadata

Each report cover includes repository context captured at the time of the scan:

| Field      | Description                                 |
| ---------- | ------------------------------------------- |
| Type       | Repository or container                     |
| Branch     | The branch that was scanned                 |
| Connection | GitHub or GitLab                            |
| Visibility | Public or Private                           |
| Framework  | Detected application framework              |
| Languages  | Detected programming languages              |
| Risk Index | Weighted posture score at time of scan      |
| Coverage   | Vulnerability categories actively monitored |
