nmap-formatter
nmap-formatter is a Go-based CLI tool that converts nmap XML scan results into multiple human-readable formats (HTML, CSV, JSON, Markdown, Graphviz, SQLite, Excel, D2). It simplifies post-scan analysis and reporting for penetration testers and security teams.
Key facts
Objective fields from the source. Values we can't verify are shown as “Unknown” rather than guessed.
| Field | Value |
|---|---|
| Repository | vdjagilev/nmap-formatter |
| Owner | vdjagilev |
| Primary language | Go |
| License | MIT — OSI-approved |
| Stars | 733 |
| Forks | 60 |
| Open issues | 0 |
| Latest release | v3.1.3 (2026-03-01) |
| Last updated | 2026-07-04 |
| Source | https://github.com/vdjagilev/nmap-formatter |
What nmap-formatter is
A lightweight Go application that parses nmap XML output and transpiles it to 8 different target formats via a modular command-line interface. Supports both file input and stdin streaming, with configurable output options for each formatter.
Get the nmap-formatter source
Clone the repository and explore it locally.
git clone https://github.com/vdjagilev/nmap-formatter.gitcd nmap-formatter# follow the project's README for install & configurationNeed it deployed, integrated, or customized instead? DEV.co ships production installs.
Best use cases
Implementation considerations
- Requires Go runtime (>= 1.13 implied) or pre-compiled binary; no standalone executable distribution mentioned in README.
- Input must be valid nmap XML; malformed XML handling and error messages require review in source code.
- Output file paths require explicit `-f` flag; default STDOUT can lead to accidental console spam with large scans.
- Some formatters (Graphviz, D2) are output-only; downstream tools (dot, d2 CLI) required for final rendering.
- Flag behavior for `--skip-down-hosts` defaults to true; users accustomed to nmap's default (false) may miss hosts.
When to avoid it — and what to weigh
- Real-Time Scanning Interface Needed — This tool is a post-processor only; it does not invoke nmap itself or provide live scanning capabilities.
- Large-Scale Enterprise Integration Required — Limited to single-file processing; no built-in API, multi-scan aggregation, or role-based access controls.
- Strict Output Schema Stability Required — Early-stage project (v3.1.3); breaking changes to output formats possible between minor releases without semantic versioning guarantees stated.
- Custom Plugin or Filter Framework — No extensible plugin system; adding custom formatters or conditional filtering requires forking or recompiling.
License & commercial use
Licensed under MIT (MIT License), a permissive OSI-approved license. Allows commercial use, modification, and distribution with attribution and warranty disclaimer.
MIT license permits commercial use without restriction. However, no warranties are provided; vendor/support terms unknown. Suitable for internal tools or bundling with commercial services as long as MIT terms are honored. Enterprise SLA, support contracts, or indemnification not mentioned.
DEV.co evaluation signals
Editorial assessment — not user reviews. Directional, with an explicit confidence level.
| Signal | Assessment |
|---|---|
| Maintenance | Active |
| Documentation | Adequate |
| License clarity | Clear |
| Deployment complexity | Low |
| DEV.co fit | Good |
| Assessment confidence | High |
Tool itself is a parser; security posture depends on underlying Go XML parser robustness against malformed/malicious nmap output. No input validation constraints stated. Output formats (HTML, Markdown) may require sanitization if embedded in web applications (XSS risk). No rate limiting, audit logging, or secrets redaction mentioned; users must handle sensitive data (passwords, credentials) in output independently.
Alternatives to consider
Nuclei (ProjectDiscovery)
Full-featured scanning and templated reporting engine; more heavyweight but provides integrated scanning + structured output without separate conversion step.
OWASP DefectDojo
Dedicated security finding management platform with nmap import support; better for multi-tool aggregation and team workflows, but requires deployment.
Metasploit / MSFConsole
Integrated scanning and reporting with db_export commands; tightly coupled to Metasploit ecosystem, higher operational overhead.
Build on nmap-formatter with DEV.co software developers
nmap-formatter simplifies scan-to-report pipelines for penetration testing and security audits. Evaluate fit for your team's workflow, then reach out to discuss custom integration or audit tooling.
Talk to DEV.coRelated open-source tools
Surfaced by semantic similarity across the DEV.co open-source index.
Related on DEV.co
Explore the category and the services that help you build with it.
nmap-formatter FAQ
Can nmap-formatter run nmap scans itself?
What Go versions are supported?
Can I use nmap-formatter in a web application?
Does nmap-formatter redact sensitive data like passwords?
Custom software development services
Need help beyond evaluating nmap-formatter? DEV.co is a software development agency offering software development services and web development for teams of every size. Our software developers and web developers build custom software, web applications, APIs, and open-source security integrations — and maintain them long-term.
Need nmap Report Automation?
nmap-formatter simplifies scan-to-report pipelines for penetration testing and security audits. Evaluate fit for your team's workflow, then reach out to discuss custom integration or audit tooling.