As an AppSec engineer, I’ve spent a lot of time running and tuning open-source security scanners like Trivy, Semgrep, Gitleaks and Dojo. What I have found is that running them is easy; reviewing the results, not so much. Each tool outputs different JSON, false positives pile up, and CI either becomes noisy or blocks everything.
So I built Kekkai (formerly Hokage), a small open-source CLI that wraps these scanners and focuses specifically on human triage.
Kekkai runs the scanners in isolated Docker containers, normalizes their outputs into a single format, and provides an interactive terminal UI to review findings, mark false positives, and save decisions locally.
You can try it out:
```
pipx install kekkai-cli
kekkai scan
kekkai triage
```
What it currently does:
- Runs Trivy (dependencies), Semgrep (code), and Gitleaks (secrets)
- Normalizes findings into a unified report
- Provides a keyboard-driven TUI for reviewing and marking findings
- Supports .kekkaiignore for false positives
- Has a CI mode with severity-based failure thresholds
Design choices:
- Local-first by default (no SaaS required)
- No proprietary scanning logic, it sits on top of existing tools
- Scanners run in read-only, no-network Docker containers
This is still early and aimed at individual developers and small teams. The next things I’m working on are persistent triage state across runs (baselines) and better PR-level workflows.
Repo and docs: https://github.com/kademoslabs/kekkai
I’m around to answer questions about tradeoffs, limitations, or why this exists at all.
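To make the normalize, ignore, threshold pipeline described above concrete, here is an added example in Python that is not Kekkai's own code: it flattens constructed Trivy, Semgrep and Gitleaks JSON into one record shape, drops entries listed in an ignore file, and turns a severity threshold into a CI exit code. The `tool:id` ignore syntax, the severity ordering and the Semgrep severity mapping are assumptions for this example, not the .kekkaiignore format or Kekkai's schema.

```python
# Severity scale for CI thresholds (assumed ordering, not Kekkai's own schema).
RANK = {"LOW": 1, "MEDIUM": 2, "HIGH": 3, "CRITICAL": 4}
# Semgrep reports ERROR/WARNING/INFO; mapping onto the shared scale is an assumption.
SEMGREP_MAP = {"ERROR": "HIGH", "WARNING": "MEDIUM", "INFO": "LOW"}
def normalize(tool, raw):
    """Flatten one scanner's JSON into records with identical keys for every tool."""
    out = []
    if tool == "trivy":  # Trivy: Results[].Vulnerabilities[]
        for res in raw.get("Results", []):
            for v in res.get("Vulnerabilities") or []:
                out.append({"tool": tool, "id": v["VulnerabilityID"],
                            "location": f"{res['Target']}:{v['PkgName']}",
                            "severity": v["Severity"].upper()})
    elif tool == "semgrep":  # Semgrep: results[] with extra.severity
        for r in raw.get("results", []):
            out.append({"tool": tool, "id": r["check_id"],
                        "location": f"{r['path']}:{r['start']['line']}",
                        "severity": SEMGREP_MAP.get(r["extra"]["severity"], "LOW")})
    elif tool == "gitleaks":  # Gitleaks: top-level array; no severity field, so assume HIGH
        for r in raw:
            out.append({"tool": tool, "id": r["RuleID"],
                        "location": f"{r['File']}:{r['StartLine']}", "severity": "HIGH"})
    return out

def load_ignores(text):
    """Parse an ignore file: one 'tool:id' per line, '#' comments (assumed format)."""
    return {ln.strip() for ln in text.splitlines()
            if ln.strip() and not ln.lstrip().startswith("#")}

def ci_verdict(findings, ignores, fail_on="HIGH"):
    """Exit code 1 if any finding not on the ignore list is at or above fail_on."""
    open_ = [f for f in findings if f"{f['tool']}:{f['id']}" not in ignores]
    blocking = [f for f in open_ if RANK[f["severity"]] >= RANK[fail_on]]
    return (1 if blocking else 0), open_

# Constructed sample scanner output, trimmed to the fields used above (placeholder ids).
TRIVY = {"Results": [{"Target": "requirements.txt", "Vulnerabilities": [
    {"VulnerabilityID": "CVE-0000-00001", "PkgName": "examplelib", "Severity": "critical"}]}]}
SEMGREP = {"results": [{"check_id": "example.rules.sqli", "path": "app/db.py",
                        "start": {"line": 42}, "extra": {"severity": "WARNING"}}]}
GITLEAKS = [{"RuleID": "generic-api-key", "File": "config.py", "StartLine": 12}]

def demo(ignore_text="# triaged as false positive\nsemgrep:example.rules.sqli\n"):
    findings = (normalize("trivy", TRIVY) + normalize("semgrep", SEMGREP)
                + normalize("gitleaks", GITLEAKS))
    return ci_verdict(findings, load_ignores(ignore_text))
if __name__ == "__main__":
    code, remaining = demo()
    print(code, remaining)
```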
kirumachi•1h ago