How to Generate and Analyze Nikto Scan Reports
You’ve run Nikto. You’ve seen the output. But now what? A raw scan is just noise unless you generate a report and understand what it means. The real power of Nikto isn’t in finding issues. It’s in turning those findings into action. Whether you’re a solo developer, a security analyst, or a team lead, this guide shows you how to create clean, professional Nikto reports, read them like a pro, and fix the problems before they become breaches. No fluff. Just step-by-step commands, real examples, and practical tips that work in 2025, even if you’re just starting out.
Table of Contents
- Why Nikto Reports Matter
- Nikto Output Formats Explained
- Generate HTML Reports (Best for Humans)
- Generate JSON Reports (Best for Automation)
- Generate XML Reports (Legacy Systems)
- Create Custom Reports with Scripts
- How to Analyze HTML Reports
- How to Parse JSON Reports with Python
- Prioritize Findings: Risk Levels
- Sample Report Summary Table
- Share Reports with Teams and Clients
- Automate Report Generation
- Conclusion: From Scan to Action
Why Nikto Reports Matter
A terminal full of text is useless if no one acts on it. Reports turn data into decisions.
Good reports help you:
- Prove compliance (PCI, SOC 2, ISO 27001)
- Show progress over time
- Assign fixes to developers
- Communicate risk to managers
- Track remediation
Pro tip: A report isn’t done until someone fixes something.
Nikto Output Formats Explained
Nikto supports 6 formats. Use the right one for your goal:
- txt: Plain text (default)
- html: Pretty, clickable, human-readable
- xml: Structured, for old tools
- json: Modern, for scripts and dashboards
- csv: For spreadsheets
- msf: For Metasploit import
Best for beginners: HTML
Best for automation: JSON
Generate HTML Reports (Best for Humans)
One command creates a beautiful, shareable report:
nikto -h https://yoursite.com -o report.html -Format html
Output includes:
- Color-coded findings
- Clickable OSVDB links
- Server banner
- Scan time and host
Sample HTML snippet:
+ /phpinfo.php: PHP configuration leak
Generate JSON Reports (Best for Automation)
Perfect for CI/CD, dashboards, and parsing:
nikto -h https://yoursite.com -o scan.json -Format json
JSON structure:
{
  "host": "yoursite.com",
  "vulnerabilities": [
    {
      "msg": "/.env: Environment file exposed",
      "osvdb": 123456,
      "method": "GET",
      "url": "/.env"
    }
  ]
}
Generate XML Reports (Legacy Systems)
For old ticketing systems or SIEMs:
nikto -h https://yoursite.com -o scan.xml -Format xml
Use only if required. JSON is better in 2025.
Create Custom Reports with Scripts
Want only critical issues? Use grep:
nikto -h site.com | grep -i "OSVDB-0\|phpinfo\|\.env" > critical.txt
Or build a summary with bash:
#!/bin/bash
# Usage: ./summary.sh https://yoursite.com
nikto -h "$1" -o full.html -Format html
echo "Scan complete: $(date)" > summary.txt
grep -c "OSVDB" full.html >> summary.txt
echo "See full.html for details" >> summary.txt
How to Analyze HTML Reports
Open report.html in any browser. Look for:
- Red text: High risk (e.g., phpinfo.php)
- OSVDB links: Click to read exploit details
- Server banner: Is version exposed?
- Interesting files: .bak, .git, config
Never ignore: .env, .git, phpinfo.php, PUT allowed
How to Parse JSON Reports with Python
Count critical issues:
import json

with open('scan.json') as f:
    data = json.load(f)
critical = [v for v in data['vulnerabilities'] if 'phpinfo' in v['msg'] or '.env' in v['msg']]
print(f"Critical issues: {len(critical)}")
Generate CSV:
import csv
import json

# Load the JSON report first; this snippet runs on its own.
with open('scan.json') as f:
    data = json.load(f)
# newline='' keeps the csv module from writing doubled line endings on Windows.
with open('report.csv', 'w', newline='') as f:
    writer = csv.writer(f)
    writer.writerow(['URL', 'Message'])
    for v in data['vulnerabilities']:
        writer.writerow([v['url'], v['msg']])
Prioritize Findings: Risk Levels
Not all Nikto findings are equal. Use this guide:
- Critical (Fix in 24h): .env, .git, phpinfo.php, config.bak
- High (Fix in 7 days): Outdated server, PUT/DELETE allowed, weak SSL
- Medium (Fix in 30 days): Directory indexing, missing headers
- Low (Optional): Server banner leak, default pages
Quick filter: grep -i "env\|git\|phpinfo\|config" report.html
Sample Report Summary Table
| Finding | Risk | URL | Fix |
|---|---|---|---|
| /.env file exposed | Critical | https://site.com/.env | Delete or add to .htaccess |
| phpinfo.php found | Critical | /phpinfo.php | Remove from production |
| Apache 2.2.22 (outdated) | High | Server header | Upgrade to 2.4.57+ |
| Directory indexing in /uploads/ | Medium | /uploads/ | Add Options -Indexes |
| X-Frame-Options missing | Medium | All pages | Add header in config |
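The JSON parsing, risk-level and summary-table sections above fit together into one script, so here is an added example (not code from this guide or from the Nikto project) that loads a report in the JSON shape shown earlier, assigns each finding one of the four tiers from the risk guide using keyword rules, and renders the same kind of summary table. The key names `msg`, `url`, `osvdb` follow the structure printed above; the regular expressions are my assumption about how Nikto words the matching messages, and the sample report is constructed for the demo. Anything no rule matches is reported as Unrated rather than silently dropped, so it still gets a human look.

```python
import json
import re
from collections import Counter

# Constructed sample in the JSON shape this guide shows for Nikto output.
# The findings are made up for the demo; they are not a real scan.
SAMPLE_JSON = """
{
  "host": "yoursite.com",
  "vulnerabilities": [
    {"msg": "/.env: Environment file exposed", "osvdb": 0, "method": "GET", "url": "/.env"},
    {"msg": "/phpinfo.php: Output from the phpinfo() function was found.", "osvdb": 0, "method": "GET", "url": "/phpinfo.php"},
    {"msg": "Apache/2.2.22 appears to be outdated (current is at least Apache/2.4.37).", "osvdb": 0, "method": "GET", "url": "/"},
    {"msg": "HTTP method 'PUT' allows clients to save files on the web server.", "osvdb": 0, "method": "PUT", "url": "/"},
    {"msg": "/uploads/: Directory indexing found.", "osvdb": 3268, "method": "GET", "url": "/uploads/"},
    {"msg": "The anti-clickjacking X-Frame-Options header is not present.", "osvdb": 0, "method": "GET", "url": "/"},
    {"msg": "Retrieved x-powered-by header: PHP/5.3.10", "osvdb": 0, "method": "GET", "url": "/"},
    {"msg": "/test.html: Something unusual", "osvdb": 0, "method": "GET", "url": "/test.html"}
  ]
}
"""

# Tier order used for sorting and for picking the worst tier present.
RISK_ORDER = ["Critical", "High", "Medium", "Low", "Unrated"]

# Ordered rules, first match wins. The keywords come from the risk guide
# above; the exact wording each pattern expects is an assumption about
# Nikto's messages, so extend these as your own reports dictate.
RISK_RULES = [
    ("Critical", re.compile(r"/\.env\b|/\.git\b|phpinfo\.php|config\.bak", re.I)),
    ("High", re.compile(r"outdated|\bPUT\b|\bDELETE\b|\bssl\b|\btls\b|cipher", re.I)),
    ("Medium", re.compile(r"directory indexing|header .*?(not present|not set|not defined|missing)", re.I)),
    ("Low", re.compile(r"banner|x-powered-by|default (page|file)|retrieved", re.I)),
]


def classify(finding):
    """Map one finding to a tier; the message and URL are both inspected."""
    text = f"{finding.get('msg', '')} {finding.get('url', '')}"
    for risk, pattern in RISK_RULES:
        if pattern.search(text):
            return risk
    return "Unrated"


def load_report(text):
    """Parse report JSON and fail loudly if it is not a Nikto-style report."""
    data = json.loads(text)
    if "vulnerabilities" not in data:
        raise ValueError("not a Nikto JSON report: no 'vulnerabilities' key")
    return data


def summarize(report):
    """Build table rows sorted worst tier first (sort is stable within a tier)."""
    rows = []
    for v in report["vulnerabilities"]:
        rows.append({
            "finding": v.get("msg", "").strip(),
            "risk": classify(v),
            "url": v.get("url", ""),
            # Accept either key spelling; the guide shows lowercase "osvdb".
            "osvdb": v.get("osvdb", v.get("OSVDB", 0)),
        })
    rows.sort(key=lambda r: RISK_ORDER.index(r["risk"]))
    return rows


def risk_counts(rows):
    """How many findings landed in each tier."""
    return Counter(r["risk"] for r in rows)


def worst_risk(rows):
    """Highest tier present, handy as a pass/fail signal in a pipeline."""
    if not rows:
        return "None"
    return min((r["risk"] for r in rows), key=RISK_ORDER.index)


def render_table(rows):
    """Markdown table in the same layout as the sample summary table above."""
    lines = ["| Finding | Risk | URL |", "|---|---|---|"]
    for r in rows:
        lines.append(f"| {r['finding']} | {r['risk']} | {r['url']} |")
    return "\n".join(lines)


if __name__ == "__main__":
    report = load_report(SAMPLE_JSON)
    rows = summarize(report)
    print(f"Host: {report['host']}  worst tier: {worst_risk(rows)}")
    print(render_table(rows))
    print(dict(risk_counts(rows)))
```

To run it on a real scan, replace `SAMPLE_JSON` with `open('scan.json').read()`. The Fix column from the table is deliberately left out: remediation text depends on your stack, so it belongs in the ticket, not in the parser.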
Share Reports with Teams and Clients
Best practices:
- Password-protect PDFs if sensitive
- Use secure file sharing (not email)
- Include executive summary
- Add remediation deadlines
- Track fixes in a ticketing system
Convert HTML to PDF:
wkhtmltopdf report.html report.pdf
Automate Report Generation
Daily scans with email:
cron: 0 3 * * * /home/user/nikto-scan.sh
#!/bin/bash
# nikto-scan.sh
REPORT="/reports/$(date +%F).html"
nikto -h https://site.com -o "$REPORT" -Format html
echo "Nikto report attached" | mail -s "Daily Scan" -A "$REPORT" [email protected]
Slack alerts on critical findings:
if grep -q "phpinfo\|\.env" report.html; then
  curl -X POST -H 'Content-type: application/json' --data '{"text":"Critical issue found!"}' "$SLACK_WEBHOOK"
fi
Conclusion: From Scan to Action
Nikto doesn’t fix anything. You do.
But with the right reports:
- You’ll see the real risks
- You’ll prioritize what matters
- You’ll prove your work
- You’ll prevent the next breach
Start simple:
- Run nikto -h https://yoursite.com -o report.html -Format html
- Open it
- Fix one thing
- Run again
In a week, you’ll have a system. In a month, you’ll have a culture.
Security isn’t about tools. It’s about closing the loop. And every great loop starts with a report.
What format should I use for Nikto reports?
Use HTML for humans, JSON for automation.
Can I save Nikto output to a file?
Yes. Use -o filename with -Format.
How do I make a PDF report?
Generate HTML, then use wkhtmltopdf or browser print.
Does Nikto include risk ratings?
No. You add them based on findings.
Can I filter only critical issues?
Yes. Grep for phpinfo, .env, .git.
How often should I generate reports?
Daily for production, after every deploy.
Can I email Nikto reports?
Yes. Use mail command or Python smtplib.
Does Nikto support CSV output?
Yes. Use -Format csv.
Can I import Nikto into Jira?
Yes. Parse JSON and use Jira API.
How do I know if a finding is a false positive?
Manually visit the URL. Check if it’s real.
Can I add my company logo to reports?
Edit the HTML file or use a template.
Should I scan staging or production?
Both. Staging first, production during low traffic.
Can I generate reports in Docker?
Yes. Mount a volume for output files.
Does Nikto timestamp reports?
Yes. Include $(date +%F) in filename.
Can I compare two Nikto reports?
Yes. Use diff or parse JSON.
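A plain `diff` of two HTML or text reports is noisy because scan times and ordering change between runs. This added example (not from this guide or from Nikto) compares two JSON reports by finding identity instead, so it answers "what got fixed, what is new, what is still open" directly. It keys each finding on method, URL and message, because Nikto's `osvdb`/`id` values are shared by many unrelated findings and would merge them; the two sample reports are constructed for the demo.

```python
import json

# Constructed sample reports for two runs against the same host.
BASELINE = json.dumps({"host": "yoursite.com", "vulnerabilities": [
    {"msg": "/.env: Environment file exposed", "method": "GET", "url": "/.env"},
    {"msg": "/phpinfo.php: Output from the phpinfo() function was found.", "method": "GET", "url": "/phpinfo.php"},
    {"msg": "/uploads/: Directory indexing found.", "method": "GET", "url": "/uploads/"},
]})
TODAY = json.dumps({"host": "yoursite.com", "vulnerabilities": [
    {"msg": "/phpinfo.php: Output from the phpinfo() function was found.", "method": "GET", "url": "/phpinfo.php"},
    {"msg": "/uploads/: Directory indexing found.", "method": "GET", "url": "/uploads/"},
    {"msg": "/backup/config.bak: Backup file found.", "method": "GET", "url": "/backup/config.bak"},
]})


def finding_key(v):
    """Identity of a finding: (method, url, message). Nikto ids are not used
    because several distinct findings share id 0."""
    return (v.get("method", "GET"), v.get("url", ""), v.get("msg", "").strip())


def load_findings(text):
    """Index a report's findings by key so set operations can compare runs."""
    data = json.loads(text)
    return {finding_key(v): v for v in data.get("vulnerabilities", [])}


def compare_reports(old_text, new_text):
    """Split findings into fixed (gone), new (appeared) and persisting."""
    old = load_findings(old_text)
    new = load_findings(new_text)
    return {
        "fixed": sorted(old.keys() - new.keys()),
        "new": sorted(new.keys() - old.keys()),
        "persisting": sorted(old.keys() & new.keys()),
    }


def format_delta(delta):
    """One line per finding: + new, - fixed, = still open."""
    lines = []
    for label, symbol in (("new", "+"), ("fixed", "-"), ("persisting", "=")):
        for method, url, msg in delta[label]:
            lines.append(f"{symbol} {method} {url}  {msg}")
    return "\n".join(lines)


if __name__ == "__main__":
    delta = compare_reports(BASELINE, TODAY)
    print(format_delta(delta))
    print(f"fixed={len(delta['fixed'])} new={len(delta['new'])} open={len(delta['persisting'])}")
```

Feed it yesterday's and today's `/reports/<date>.json` files and the `new` list is exactly what a daily alert should contain; the `persisting` list is your overdue-ticket report.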
How do I archive old reports?
Move to /archive/$(date +%Y-%m) monthly.
Can clients open HTML reports?
Yes. Any browser works. No software needed.
Should I include raw output in reports?
No. Summarize. Attach raw as appendix.
Can I automate Slack alerts from reports?
Yes. Grep critical keywords and POST to webhook.
Where can I learn more about Nikto?
GitHub: https://github.com/sullo/nikto