DEV.co
Open-Source Security · vdjagilev

nmap-formatter

nmap-formatter is a Go-based CLI tool that converts nmap XML scan results into multiple human-readable formats (HTML, CSV, JSON, Markdown, Graphviz, SQLite, Excel, D2). It simplifies post-scan analysis and reporting for penetration testers and security teams.

Source: GitHub — github.com/vdjagilev/nmap-formatter
733
GitHub stars
60
Forks
Go
Primary language
MIT
License (OSI-approved)

Key facts

Objective fields from the source. Values we can't verify are shown as “Unknown” rather than guessed.

FieldValue
Repositoryvdjagilev/nmap-formatter
Ownervdjagilev
Primary languageGo
LicenseMIT — OSI-approved
Stars733
Forks60
Open issues0
Latest releasev3.1.3 (2026-03-01)
Last updated2026-07-04
Sourcehttps://github.com/vdjagilev/nmap-formatter

What nmap-formatter is

A lightweight Go application that parses nmap XML output and transpiles it to 8 different target formats via a modular command-line interface. Supports both file input and stdin streaming, with configurable output options for each formatter.

Quickstart

Get the nmap-formatter source

Clone the repository and explore it locally.

terminalbash
git clone https://github.com/vdjagilev/nmap-formatter.gitcd nmap-formatter# follow the project's README for install & configuration

Need it deployed, integrated, or customized instead? DEV.co ships production installs.

Best use cases

Post-Scan Reporting & Documentation

Convert raw nmap XML into polished HTML, Markdown, or PDF-exportable formats for stakeholder reports and compliance documentation.

Data Integration & Analysis

Export nmap results to JSON, SQLite, or Excel for downstream processing, correlation with other security tools, or analysis in BI platforms.

Network Visualization

Generate Graphviz and D2 diagrams to visualize network topology, port states, and host relationships discovered by nmap scans.

Implementation considerations

  • Requires Go runtime (>= 1.13 implied) or pre-compiled binary; no standalone executable distribution mentioned in README.
  • Input must be valid nmap XML; malformed XML handling and error messages require review in source code.
  • Output file paths require explicit `-f` flag; default STDOUT can lead to accidental console spam with large scans.
  • Some formatters (Graphviz, D2) are output-only; downstream tools (dot, d2 CLI) required for final rendering.
  • Flag behavior for `--skip-down-hosts` defaults to true; users accustomed to nmap's default (false) may miss hosts.

When to avoid it — and what to weigh

  • Real-Time Scanning Interface Needed — This tool is a post-processor only; it does not invoke nmap itself or provide live scanning capabilities.
  • Large-Scale Enterprise Integration Required — Limited to single-file processing; no built-in API, multi-scan aggregation, or role-based access controls.
  • Strict Output Schema Stability Required — Early-stage project (v3.1.3); breaking changes to output formats possible between minor releases without semantic versioning guarantees stated.
  • Custom Plugin or Filter Framework — No extensible plugin system; adding custom formatters or conditional filtering requires forking or recompiling.

License & commercial use

Licensed under MIT (MIT License), a permissive OSI-approved license. Allows commercial use, modification, and distribution with attribution and warranty disclaimer.

MIT license permits commercial use without restriction. However, no warranties are provided; vendor/support terms unknown. Suitable for internal tools or bundling with commercial services as long as MIT terms are honored. Enterprise SLA, support contracts, or indemnification not mentioned.

DEV.co evaluation signals

Editorial assessment — not user reviews. Directional, with an explicit confidence level.

SignalAssessment
MaintenanceActive
DocumentationAdequate
License clarityClear
Deployment complexityLow
DEV.co fitGood
Assessment confidenceHigh
Security considerations

Tool itself is a parser; security posture depends on underlying Go XML parser robustness against malformed/malicious nmap output. No input validation constraints stated. Output formats (HTML, Markdown) may require sanitization if embedded in web applications (XSS risk). No rate limiting, audit logging, or secrets redaction mentioned; users must handle sensitive data (passwords, credentials) in output independently.

Alternatives to consider

Nuclei (ProjectDiscovery)

Full-featured scanning and templated reporting engine; more heavyweight but provides integrated scanning + structured output without separate conversion step.

OWASP DefectDojo

Dedicated security finding management platform with nmap import support; better for multi-tool aggregation and team workflows, but requires deployment.

Metasploit / MSFConsole

Integrated scanning and reporting with db_export commands; tightly coupled to Metasploit ecosystem, higher operational overhead.

Software development agency

Build on nmap-formatter with DEV.co software developers

nmap-formatter simplifies scan-to-report pipelines for penetration testing and security audits. Evaluate fit for your team's workflow, then reach out to discuss custom integration or audit tooling.

Talk to DEV.co

Related open-source tools

Surfaced by semantic similarity across the DEV.co open-source index.

Related on DEV.co

Explore the category and the services that help you build with it.

nmap-formatter FAQ

Can nmap-formatter run nmap scans itself?
No. It is a post-processor only. You must run nmap separately and pass the XML output file (or pipe via stdin) to nmap-formatter.
What Go versions are supported?
README does not specify minimum Go version. Installation wiki may clarify; assume Go 1.16+ based on module ecosystem.
Can I use nmap-formatter in a web application?
Possible via library import or subprocess execution, but output sanitization (HTML escaping, XSS prevention) is the caller's responsibility. No built-in API server provided.
Does nmap-formatter redact sensitive data like passwords?
Not mentioned in documentation. Tool outputs all nmap data as-is; users must filter or redact sensitive fields before sharing reports.

Custom software development services

Need help beyond evaluating nmap-formatter? DEV.co is a software development agency offering software development services and web development for teams of every size. Our software developers and web developers build custom software, web applications, APIs, and open-source security integrations — and maintain them long-term.

Need nmap Report Automation?

nmap-formatter simplifies scan-to-report pipelines for penetration testing and security audits. Evaluate fit for your team's workflow, then reach out to discuss custom integration or audit tooling.