The latest articles on Forem by Kay Ade (@kirumachi). https://forem.com/kirumachi https://media2.dev.to/dynamic/image/width=90,height=90,fit=cover,gravity=auto,format=auto/https:%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Fuser%2Fprofile_image%2F3751087%2F79aef2b3-cdc2-4060-a526-aebef3509891.png https://forem.com/kirumachi en Kay Ade Tue, 03 Feb 2026 17:16:02 +0000 https://forem.com/kirumachi/json-is-not-a-user-interface-obviously-why-i-built-a-tui-for-local-security-4mj https://forem.com/kirumachi/json-is-not-a-user-interface-obviously-why-i-built-a-tui-for-local-security-4mj <p>Security tools (SAST/SCA) can be great at finding bugs but terrible at talking to humans.</p> <blockquote> <p>Scenario: You run a scan.<br> Result: A 4MB JSON file or 500 lines of unreadable terminal logs.<br> Action: You ignore it until CI breaks.</p> </blockquote> <p>The Solution (Kekkai): I built a terminal-based "Inbox" for security findings. It unifies Trivy (CVEs), Semgrep (Code), and Gitleaks (Secrets) into a single TUI.</p> <p>Key Features in v2.2:</p> <ul> <li>Unified TUI: Navigate findings with j/k.</li> <li>Code Context: Press Enter to see the actual vulnerable code snippet + syntax highlighting right in the terminal. No context switching.</li> <li>Local AI: Pipe the finding to Ollama (running locally) to ask "Is this a false positive?"</li> </ul> <p>I didn't want to configure another CI pipeline manually. So I built a self-replicating init command.</p> <p>Run this in your repo: <code>kekkai init --ci</code></p> <p>It detects your git root and auto-generates a GitHub Actions workflow that blocks the build on "High" severity findings.</p> <p>Try it locally: pipx install kekkai-cli -&gt; kekkai scan -&gt; kekkai triage</p> <p><a href="https://github.com/kademoslabs/kekkai" rel="noopener noreferrer">https://github.com/kademoslabs/kekkai</a></p> cli security showdev tooling