DEV Community

CVERiskPilot

I built a free compliance scanner because the enterprise ones cost more than my rent

I'm a cybersecurity engineer — 7 years in, currently a Security Policy Analyst, previously an Application Security Architect. I started building a SaaS product on the side and immediately hit a wall: how do I prove this thing is compliant without spending $50k on GRC tooling?

So I built the compliance mapping myself. Then I realized it was more useful than the SaaS it was meant to protect.

The problem

You run npm audit. You get 47 vulnerabilities. Now what?

Which ones violate SOC 2 controls? Which ones show up on a CMMC assessment? Which ones would a FedRAMP auditor flag? Nobody tells you that. You're supposed to figure it out by cross-referencing each CVE to its CWE, each CWE to the NIST 800-53 controls it implicates, and each control to the framework that cites it, manually, in spreadsheets, on a Friday afternoon.

That's insane.

What I built

```bash
npx @cveriskpilot/scan@latest --preset startup
```

One command. No account. No API key. Runs offline.

It scans your dependencies, secrets, and IaC configs, then maps every finding to 6 compliance frameworks: NIST 800-53, SOC 2, CMMC, FedRAMP, OWASP ASVS, and SSDF.

Instead of just "lodash has CVE-2021-23337," you get:

  • The CWE classification
  • Which NIST 800-53 controls it violates
  • The SOC 2, CMMC, and FedRAMP impact
  • A severity-based verdict (true positive, false positive, needs review)

All in your terminal. JSON, SARIF, and Markdown output if you need it for CI/CD or reports.
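The cross-referencing step the post describes (CVE to CWE to NIST 800-53 control to verdict, then an output format CI can ingest) looks roughly like this. This is an added example, not code from the CVERiskPilot scanner, which the post does not show. It assumes the `npm audit --json` report shape that npm 7+ emits (`vulnerabilities`, `via`, `isDirect`, `fixAvailable`, and a `cwe` array on each advisory); the `CWE_TO_NIST` table is an illustrative placeholder, the verdict heuristic is the example's own, and the sample report is constructed rather than a real advisory.

```javascript
// Added example, not code from the CVERiskPilot project: take an npm 7+
// `npm audit --json` report, pull the CWE ids out of each advisory, map the
// CWEs to NIST 800-53 control ids, attach a verdict, and emit SARIF for CI.

// ILLUSTRATIVE CWE -> NIST 800-53 crosswalk (an assumption for this example;
// a real tool has to source this table from a reviewed mapping).
const CWE_TO_NIST = {
  "CWE-1333": ["SI-10", "SC-5"], // ReDoS: input validation, DoS protection
  "CWE-1321": ["SI-10"],         // prototype pollution: input validation
  "CWE-79":   ["SI-10"],         // cross-site scripting
  "CWE-798":  ["IA-5"],          // hard-coded credentials
  "CWE-327":  ["SC-13"],         // broken or risky crypto
};
// Any known-vulnerable dependency implicates flaw remediation and scanning.
const BASELINE_CONTROLS = ["SI-2", "RA-5"];

// Constructed sample in the npm 7+ audit shape; not a real advisory.
const SAMPLE_AUDIT = {
  vulnerabilities: {
    "example-pkg": {
      name: "example-pkg", severity: "high", isDirect: true,
      via: [{ source: 1, name: "example-pkg", severity: "high",
              title: "ReDoS in example-pkg (constructed)",
              cwe: ["CWE-1333"], range: "<2.0.0" }],
      range: "<2.0.0", fixAvailable: true,
    },
    "transitive-pkg": {
      name: "transitive-pkg", severity: "moderate", isDirect: false,
      via: ["example-pkg"], // a bare string means "vulnerable via that package"
      range: "*", fixAvailable: false,
    },
  },
};

// `via` mixes advisory objects with bare package names; keep the advisories.
function advisoriesOf(vuln) {
  return vuln.via.filter((v) => typeof v === "object" && v !== null);
}

// Severity-based verdict. This heuristic is the example's, not the project's:
// high/critical is actionable now; no fix (fixAvailable may be false or an
// object) or a CWE the table does not know needs a human; low/info noise in a
// transitive dependency is not worth its own ticket.
function verdict(vuln, unmapped) {
  const sev = vuln.severity;
  if (sev === "critical" || sev === "high") return "true positive";
  if (unmapped.length > 0 || !vuln.fixAvailable) return "needs review";
  if (!vuln.isDirect && (sev === "low" || sev === "info")) return "false positive";
  return "needs review";
}

function triage(audit, cweMap = CWE_TO_NIST) {
  return Object.values(audit.vulnerabilities).map((vuln) => {
    const cwes = [...new Set(advisoriesOf(vuln).flatMap((a) => a.cwe || []))];
    const unmapped = cwes.filter((c) => !cweMap[c]); // never silently dropped
    const controls = [...new Set([
      ...BASELINE_CONTROLS, ...cwes.flatMap((c) => cweMap[c] || []),
    ])].sort();
    return { package: vuln.name, severity: vuln.severity, cwes, unmapped,
             controls, verdict: verdict(vuln, unmapped) };
  });
}

// Minimal SARIF 2.1.0 document so a CI code-scanning step can ingest the result.
function toSarif(findings) {
  const ruleIds = [...new Set(findings.map((f) => f.cwes[0] || "dependency-chain"))];
  return {
    $schema: "https://json.schemastore.org/sarif-2.1.0.json",
    version: "2.1.0",
    runs: [{
      tool: { driver: { name: "example-compliance-triage",
                        rules: ruleIds.map((id) => ({ id, shortDescription: { text: id } })) } },
      results: findings.map((f) => ({
        ruleId: f.cwes[0] || "dependency-chain",
        level: f.severity === "critical" || f.severity === "high" ? "error" : "warning",
        message: { text: `${f.package} (${f.severity}): ${f.verdict}; NIST 800-53 ${f.controls.join(", ")}` },
        properties: { cwes: f.cwes, nist80053: f.controls, unmappedCwes: f.unmapped },
      })),
    }],
  };
}

console.log(JSON.stringify(toSarif(triage(SAMPLE_AUDIT)), null, 2));
```

Two details matter more than the table itself: a package that is only vulnerable through another package carries no CWE of its own, so it must still land on the baseline controls and be flagged for review rather than vanish, and any CWE the crosswalk does not know has to surface as `unmapped` instead of being quietly scored as compliant.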

Why I'm posting this

I've been building in a vacuum. The scanner works, it's on npm, but I haven't gotten much feedback from the people who would actually use it.

A few things I'd genuinely love input on:

  • Is the terminal output too dense, or do you want all that detail?
  • What package managers should I support next? (Currently: npm, yarn, pnpm, Go, pip)
  • Would you actually use a GitHub Action wrapper for this?
  • Does compliance mapping even matter to you, or is that only a concern when a prospect asks?

Try it

```bash
# scan current directory with startup preset
npx @cveriskpilot/scan@latest --preset startup

# just dependencies
npx @cveriskpilot/scan@latest --scan deps

# output as JSON
npx @cveriskpilot/scan@latest --preset startup --format json > results.json
```

Zero dependencies. Works on Node 20+. Takes about 30 seconds. One caveat for CI: `@latest` resolves to whatever version is newest on npm at run time, so pin an exact version there so the scanner you run is the one you reviewed.

GitHub: devbrewster/cveriskpilot-scan

I'm a solo veteran founder building this bootstrapped from Texas. If this is useful to even one person who would've otherwise spent a weekend in spreadsheet hell — that's a win.

Tear it apart. I can take it.
