Security Report - %s - API Attack Surface Discovery

// Package report generates static HTML security reports with UUID-based // access tokens and QR code generation. Reports are saved as visitor_{token}.html // in the reports/ directory for secure, shareable access. package report import ( "crypto/rand" "fmt" "os" "path/filepath" ) // Generator creates static HTML report files. type Generator struct { reportsDir string baseURL string // public base URL for QR codes and links (e.g. https://coding.sechpoint.app) } // New creates a new report Generator that writes to the given directory. // baseURL is the public-facing base URL used for QR codes and report links. // If empty, relative paths are used as fallback. func New(reportsDir, baseURL string) *Generator { return &Generator{reportsDir: reportsDir, baseURL: baseURL} } // GenerateToken creates a high-entropy UUID v4 token for secure report access. // Uses crypto/rand for true randomness (not math/rand). func GenerateToken() (string, error) { b := make([]byte, 16) if _, err := rand.Read(b); err != nil { return "", fmt.Errorf("report: failed to generate token: %w", err) } // Set version 4 bits and variant bits per RFC 4122 b[6] = (b[6] & 0x0f) | 0x40 b[8] = (b[8] & 0x3f) | 0x80 token := fmt.Sprintf("%08x-%04x-%04x-%04x-%012x", b[0:4], b[4:6], b[6:8], b[8:10], b[10:16]) return token, nil } // BuildReport assembles the full HTML report page from the AI-generated // narrative and saves it to reports/visitor_{token}.html. // // The report includes: // - Mobile-first layout // - AI resilience narrative // - QR code link pointing to visitor_{token}.html // - GITEX 2026 branding func (g *Generator) BuildReport(token, domain, aiNarrativeHTML string) (string, error) { if err := os.MkdirAll(g.reportsDir, 0755); err != nil { return "", fmt.Errorf("report: failed to create reports dir: %w", err) } reportURL := fmt.Sprintf("/reports/visitor_%s.html", token) qrReportURL := reportURL if g.baseURL != "" { qrReportURL = g.baseURL + reportURL } fullHTML := fmt.Sprintf(` Security Report - %s - API Attack Surface Discovery

AASD API Attack Surface Discovery

Report Token

Ask a consultant to scan for your detailed report

Show this code to Sechpoint Aftica Team

Your consultant will walk you through the findings

Start New Scan

GITEX 2026 — sechpoint.app

`, domain, aiNarrativeHTML, token, qrReportURL) reportPath := filepath.Join(g.reportsDir, "visitor_"+token+".html") if err := os.WriteFile(reportPath, []byte(fullHTML), 0644); err != nil { return "", fmt.Errorf("report: failed to write report %s: %w", reportPath, err) } return reportPath, nil } // GenerateFallbackHTML creates a basic resilience report when the AI call fails, // ensuring the booth demo always has a report to display. func GenerateFallbackHTML(subdomains []string) string { domain := subdomains[0] list := "" for _, s := range subdomains { list += fmt.Sprintf("

", s) } return fmt.Sprintf(`

Resilience Narrative

Summary

Security assessment completed for %s. Attack surface analysis identified %d subdomains — all were scanned for WAF assessment.

Attack Surface

WAF Analysis

GoTestWAF scan executed against Wallarm-protected endpoint. WAF filtering node operating in monitoring mode — all attack vectors evaluated.

Scanned

Attack vectors tested

Protected

Wallarm WAF active

JetPatch Remediation

Recommended actions: Enable blocking mode for OWASP Top 10, configure rate limiting on API endpoints, set up real-time WAF alerts, and schedule weekly attack surface reviews.

B+

Resilience Score

`, domain, len(subdomains), list) }