
Reports

hxEASM can generate organization reports in JSON, CSV, PDF, and HTML formats. PDF and HTML reports use the same deterministic report view model so the sections and counts stay aligned across formats.

Output Formats

Format | Purpose
-------|----------------------------------------------------------
json   | Machine-readable export of the report data
csv    | Spreadsheet-friendly export of assets and vulnerabilities
pdf    | Styled enterprise report for stakeholders
html   | Styled HTML report using the embedded template and CSS

PDF Report Structure

The PDF report is designed as an enterprise EASM report and includes:

  1. Cover page
  2. Table of contents
  3. Executive summary
  4. Organization scope
  5. Scan summary
  6. Asset inventory
  7. Exposure changes
  8. Vulnerability summary
  9. Critical and high findings
  10. Screenshots / evidence metadata
  11. Detailed findings
  12. Recommendations
  13. Appendix

If a section has no data, the report renders a clean empty state instead of failing.

HTML Template

The HTML template lives at:

backend/internal/reports/templates/easm_report.html

The embedded logo lives at:

backend/internal/reports/templates/assets/logo.png

Both files are compiled into the binary with Go's embed package, so the API binary can render reports without depending on repository-relative paths at runtime.

Logo and Version

The report cover shows:

  • hxEASM logo in HTML output
  • product name hxEASM
  • product version from app.version / build-time version wiring
  • organization name
  • generation timestamp
  • confidentiality note

The lightweight PDF renderer does not embed raster images yet; it renders a styled hxEASM brand mark and version text. HTML output embeds the logo as a base64 data URI.
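A sketch of the shared view model and the HTML path described above, added here as an example and not hxEASM's own code: the template is an inline stand-in for the embedded easm_report.html, and Finding, ReportView, BuildView and RenderHTML are hypothetical names. It shows sorting and counting done once in the view model so every format agrees, the logo carried as a base64 data URI (typed as template.URL, because html/template filters the data: scheme otherwise), and an empty findings section rendering an empty state rather than failing.

```go
package main

import (
	"bytes"
	"encoding/base64"
	"fmt"
	"html/template"
	"sort"
)

type Finding struct{ Severity, Title, Asset string } // hypothetical stand-in for one vulnerability row
// ReportView is the one deterministic view model both renderers consume, so sections and counts agree.
type ReportView struct {
	Org, Version string
	LogoDataURI  template.URL // typed URL: html/template would otherwise filter the "data:" scheme
	Findings     []Finding
	Counts       map[string]int
}

var severityRank = map[string]int{"critical": 0, "high": 1, "medium": 2, "low": 3, "info": 4}
// BuildView sorts findings by severity, title, asset, counts them per severity, and encodes the logo.
func BuildView(org, version string, logoPNG []byte, findings []Finding) ReportView {
	fs := append([]Finding(nil), findings...)
	key := func(f Finding) string { // unknown severity labels sort last rather than first
		r, ok := severityRank[f.Severity]
		if !ok {
			r = 9
		}
		return fmt.Sprintf("%d|%s|%s", r, f.Title, f.Asset)
	}
	sort.SliceStable(fs, func(i, j int) bool { return key(fs[i]) < key(fs[j]) })
	counts := map[string]int{}
	for _, f := range fs {
		counts[f.Severity]++
	}
	uri := "data:image/png;base64," + base64.StdEncoding.EncodeToString(logoPNG)
	return ReportView{Org: org, Version: version, LogoDataURI: template.URL(uri), Findings: fs, Counts: counts}
}

// Inline stand-in for the embedded easm_report.html; an empty findings list renders an empty state.
var reportTmpl = template.Must(template.New("r").Parse(`<img src="{{.LogoDataURI}}" alt="hxEASM logo">
<h1>hxEASM {{.Version}} report for {{.Org}}</h1>
{{if .Findings}}<table>{{range .Findings}}<tr><td>{{.Severity}}</td><td>{{.Title}}</td><td>{{.Asset}}</td></tr>{{end}}</table>
{{else}}<p class="empty">No findings matched the selected filters.</p>{{end}}`))

func RenderHTML(v ReportView) (string, error) {
	var b bytes.Buffer
	err := reportTmpl.Execute(&b, v)
	return b.String(), err
}
```

Because html/template escapes every finding field, a scanner-supplied title such as a script tag lands in the report as text, not markup.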

Data Included

Report generation collects available data through existing repositories and services:

  • organization metadata
  • approved scope items
  • recent or selected scans
  • plugin jobs for the selected/latest scan
  • assets
  • vulnerabilities
  • file artifact metadata
  • exposure changes

The report does not change scan, plugin, asset, vulnerability, file, or RBAC behavior.

Filters

Reports accept the existing filters, passed alongside the requested output format:

{
  "format": "pdf",
  "filters": {
    "severity_min": "medium",
    "asset_type": "url",
    "vuln_status": "new",
    "scan_id": "<scan-uuid>",
    "date_from": "2026-06-01",
    "date_to": "2026-06-14"
  }
}

scan_id narrows scan summary, plugin jobs, files, and exposure changes when possible. Asset and vulnerability filters keep their previous behavior.

Deterministic Recommendations

Recommendations are rule-based. No LLM is used.

Examples:

  • prioritize critical and high vulnerabilities
  • review exposed administrative interfaces
  • validate exposed services against approved scope
  • disable TLS 1.0/1.1 where detected
  • set Secure and HttpOnly cookie flags where applicable
  • apply missing security headers where applicable

Customizing the Template

To customize HTML styling or section markup, edit:

backend/internal/reports/templates/easm_report.html

Rebuild the API after changing embedded template files, since they are compiled into the binary rather than read from disk at runtime.

For PDF styling, update the native renderer in:

backend/internal/reports/generator.go

Current Limitations

  • PDF rendering uses the existing lightweight native PDF writer rather than a full browser HTML-to-PDF engine.
  • HTML output supports richer CSS than PDF output.
  • PDF screenshot embedding is not implemented yet; screenshot and evidence file metadata are included instead.
  • Very large raw evidence payloads are summarized rather than dumped into the report.