
[Bug]: HTML report's per-finding details block renders as literal escaped HTML #25

Description

@aberoham

Component

Other (src/shasta/reports/**)

Affected module or file

src/shasta/reports/generator.py

Bug description

When a Shasta scan is rendered as an HTML report, every per-finding "details" block shows up as literal escaped text -- <div class='finding-details'><table><tr>... -- instead of a rendered table or list. The Markdown report is unaffected.

Root cause: generate_html_report() enables Jinja autoescape on the SOC 2 HTML template, but the render_details global returns a structural HTML snippet it builds itself (div / table / ul / tr / td), with untrusted finding values already escaped inline via html.escape. Without a Markup wrapper at the registration site, autoescape escapes the structural tags a second time.

Steps to reproduce

  1. Run any scan that produces findings with non-empty details dicts (most AWS network / security-group / IAM checks).
  2. Generate the HTML report: shasta.reports.generator.generate_html_report(scan) or save_html_report(scan).
  3. Open the resulting HTML file in a browser.

Expected behavior

The per-finding details block renders as an actual table (or list, depending on the value shape), e.g. an Unrestricted Rules table with Protocol / From Port / To Port / Cidr columns.

Actual behavior

The per-finding details block renders as literal escaped HTML text. The structural tags read as <table><tr>... on the page instead of producing a table.

Bug type

Incorrect output / wrong framework mapping

Environment

  • OS: macOS 25.5.0 (also reproducible on any platform — pure-Python render path)
  • Python version: 3.13
  • Shasta version: HEAD of main at a6fc109
  • AWS region / Azure subscription: N/A (rendering-only bug; reproduces with any scan input)

Relevant logs or traceback

N/A -- silent rendering bug, not an exception.
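To make the root cause concrete, the following is an added, stand-alone reproduction of the double escaping and of the fix the report proposes. It is not code from the Shasta project: the `render_details` stand-in, the one-line template and the finding dicts are constructed here for illustration, and the assumption is only that generator.py registers a `render_details` global on an autoescaped Jinja environment in roughly this way.

```python
"""Reproduce Jinja autoescape double-escaping a pre-built HTML snippet, and the
Markup fix. Added example, not Shasta's code; everything below is constructed."""
import html

from jinja2 import Environment
from markupsafe import Markup


def render_details(details):
    """Constructed stand-in for the per-finding details helper.

    Builds structural HTML (div / table / ul) itself and escapes every
    untrusted finding value inline with html.escape, as the issue describes.
    Returns a plain str, which is what triggers the bug under autoescape.
    """
    if isinstance(details, list) and details and all(isinstance(r, dict) for r in details):
        cols = list(details[0].keys())
        head = "".join(f"<th>{html.escape(str(c))}</th>" for c in cols)
        rows = "".join(
            "<tr>" + "".join(f"<td>{html.escape(str(r.get(c, '')))}</td>" for c in cols) + "</tr>"
            for r in details
        )
        return f"<div class='finding-details'><table><tr>{head}</tr>{rows}</table></div>"
    if isinstance(details, list):
        items = "".join(f"<li>{html.escape(str(v))}</li>" for v in details)
        return f"<div class='finding-details'><ul>{items}</ul></div>"
    if isinstance(details, dict):
        items = "".join(
            f"<li>{html.escape(str(k))}: {html.escape(str(v))}</li>" for k, v in details.items()
        )
        return f"<div class='finding-details'><ul>{items}</ul></div>"
    return f"<div class='finding-details'>{html.escape(str(details))}</div>"


def render_details_safe(details):
    """The fix: wrap the already-escaped snippet at the registration site so
    autoescape leaves the structural tags alone. Safe only because
    render_details escaped every untrusted value itself."""
    return Markup(render_details(details))


# Constructed stand-in for the report template; autoescape is on, as in the issue.
TEMPLATE = (
    "{% for f in findings %}<h3>{{ f.title }}</h3>"
    "{{ render_details(f.details) }}{% endfor %}"
)


def render(findings, wrap_in_markup):
    """Render with the global registered either as a plain str function (bug)
    or wrapped in Markup (fix)."""
    env = Environment(autoescape=True)
    env.globals["render_details"] = render_details_safe if wrap_in_markup else render_details
    return env.from_string(TEMPLATE).render(findings=findings)


# Constructed sample finding. The title and one Cidr carry markup so the
# check below can confirm untrusted values are still escaped exactly once.
FINDINGS = [
    {
        "title": "Unrestricted Rules <script>alert(1)</script>",
        "details": [
            {"Protocol": "tcp", "From Port": 22, "To Port": 22, "Cidr": "0.0.0.0/0"},
            {"Protocol": "-1", "From Port": 0, "To Port": 0, "Cidr": "::/0 <b>"},
        ],
    }
]


def double_escaped(rendered):
    """True when the structural tags were escaped (the symptom in the report)."""
    return "&lt;table&gt;" in rendered and "<table>" not in rendered


if __name__ == "__main__":
    buggy = render(FINDINGS, wrap_in_markup=False)
    fixed = render(FINDINGS, wrap_in_markup=True)
    print("buggy double-escaped:", double_escaped(buggy))
    print("fixed double-escaped:", double_escaped(fixed))
    print(fixed)
```

In the buggy rendering the structural tags come out as `&lt;table&gt;` and the inline-escaped Cidr comes out as `&amp;lt;b&amp;gt;`, which is the "literal escaped HTML" on the page. With the `Markup` wrapper the table renders, the title is still escaped once by autoescape, and the Cidr is still escaped once by `html.escape`. The wrapper belongs only around the structural snippet at the registration site: applying `Markup` to raw finding values, or dropping the inline `html.escape`, would turn a cosmetic double-escape bug into markup injection in the report.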
