The latest articles on Forem by CVERiskPilot (@cveriskpilot). https://forem.com/cveriskpilot https://media2.dev.to/dynamic/image/width=90,height=90,fit=cover,gravity=auto,format=auto/https:%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Fuser%2Fprofile_image%2F3849832%2F1f9793e2-154a-4fa3-a37f-8684c6a74954.jpg https://forem.com/cveriskpilot en CVERiskPilot Tue, 31 Mar 2026 02:52:04 +0000 https://forem.com/cveriskpilot/-28m3 https://forem.com/cveriskpilot/-28m3 <div class="ltag__link--embedded"> <div class="crayons-story "> <a href="https://dev.to/cveriskpilot/i-built-a-free-compliance-scanner-because-the-enterprise-ones-cost-more-than-my-rent-2c11" class="crayons-story__hidden-navigation-link">I built a free compliance scanner because the enterprise ones cost more than my rent</a> <div class="crayons-story__body crayons-story__body-full_post"> <div class="crayons-story__top"> <div class="crayons-story__meta"> <div class="crayons-story__author-pic"> <a href="/cveriskpilot" class="crayons-avatar crayons-avatar--l "> <img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Fuser%2Fprofile_image%2F3849832%2F1f9793e2-154a-4fa3-a37f-8684c6a74954.jpg" alt="cveriskpilot profile" class="crayons-avatar__image" width="325" height="325"> </a> </div> <div> <div> <a href="/cveriskpilot" class="crayons-story__secondary fw-medium m:hidden"> CVERiskPilot </a> <div class="profile-preview-card relative mb-4 s:mb-0 fw-medium hidden m:inline-block"> CVERiskPilot <div id="story-author-preview-content-3433328" class="profile-preview-card__content crayons-dropdown branded-7 p-4 pt-0"> <div class="gap-4 grid"> <div class="-mt-4"> <a href="/cveriskpilot" class="flex"> <span class="crayons-avatar crayons-avatar--xl mr-2 shrink-0"> <img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Fuser%2Fprofile_image%2F3849832%2F1f9793e2-154a-4fa3-a37f-8684c6a74954.jpg" class="crayons-avatar__image" alt="" width="325" height="325"> </span> <span class="crayons-link crayons-subtitle-2 mt-5">CVERiskPilot</span> </a> </div> <div class="print-hidden"> Follow </div> <div class="author-preview-metadata-container"></div> </div> </div> </div> </div> <a href="https://dev.to/cveriskpilot/i-built-a-free-compliance-scanner-because-the-enterprise-ones-cost-more-than-my-rent-2c11" class="crayons-story__tertiary fs-xs"><time>Mar 31</time><span class="time-ago-indicator-initial-placeholder"></span></a> </div> </div> </div> <div class="crayons-story__indention"> <h2 class="crayons-story__title crayons-story__title-full_post"> <a href="https://dev.to/cveriskpilot/i-built-a-free-compliance-scanner-because-the-enterprise-ones-cost-more-than-my-rent-2c11" id="article-link-3433328"> I built a free compliance scanner because the enterprise ones cost more than my rent </a> </h2> <div class="crayons-story__tags"> <a class="crayons-tag crayons-tag--monochrome " href="/t/security"><span class="crayons-tag__prefix">#</span>security</a> <a class="crayons-tag crayons-tag--monochrome " href="/t/opensource"><span class="crayons-tag__prefix">#</span>opensource</a> <a class="crayons-tag crayons-tag--monochrome " href="/t/devops"><span class="crayons-tag__prefix">#</span>devops</a> <a class="crayons-tag crayons-tag--monochrome " href="/t/beginners"><span class="crayons-tag__prefix">#</span>beginners</a> </div> <div class="crayons-story__bottom"> <div class="crayons-story__details"> <a href="https://dev.to/cveriskpilot/i-built-a-free-compliance-scanner-because-the-enterprise-ones-cost-more-than-my-rent-2c11" class="crayons-btn crayons-btn--s crayons-btn--ghost crayons-btn--icon-left"> <div class="multiple_reactions_aggregate"> <span class="multiple_reactions_icons_container"> <span class="crayons_icon_container"> <img src="https://assets.dev.to/assets/sparkle-heart-5f9bee3767e18deb1bb725290cb151c25234768a0e9a2bd39370c382d02920cf.svg" width="24" height="24"> </span> </span> <span class="aggregate_reactions_counter">1<span class="hidden s:inline"> reaction</span></span> </div> </a> <a href="https://dev.to/cveriskpilot/i-built-a-free-compliance-scanner-because-the-enterprise-ones-cost-more-than-my-rent-2c11#comments" class="crayons-btn crayons-btn--s crayons-btn--ghost crayons-btn--icon-left flex items-center"> Comments <span class="hidden s:inline">Add Comment</span> </a> </div> <div class="crayons-story__save"> <small class="crayons-story__tertiary fs-xs mr-2"> 2 min read </small> <span class="bm-initial"> </span> <span class="bm-success"> </span> </div> </div> </div> </div> </div> </div> security opensource devops beginners CVERiskPilot Tue, 31 Mar 2026 01:43:26 +0000 https://forem.com/cveriskpilot/i-built-a-free-compliance-scanner-because-the-enterprise-ones-cost-more-than-my-rent-2c11 https://forem.com/cveriskpilot/i-built-a-free-compliance-scanner-because-the-enterprise-ones-cost-more-than-my-rent-2c11 <p>I'm a cybersecurity engineer — 7 years in, currently a Security Policy Analyst, previously an Application Security Architect. I started building a SaaS product on the side and immediately hit a wall: how do I prove this thing is compliant without spending $50k on GRC tooling?</p> <p>So I built the compliance mapping myself. Then I realized it was more useful than the SaaS it was meant to protect.</p> <h2> The problem </h2> <p>You run <code>npm audit</code>. You get 47 vulnerabilities. Now what?</p> <p>Which ones violate SOC 2 controls? Which ones show up on a CMMC assessment? Which ones would a FedRAMP auditor flag? Nobody tells you that. You're supposed to figure it out by cross-referencing CVEs to CWEs to NIST controls to framework mappings — manually, in spreadsheets, on a Friday afternoon.</p> <p>That's insane.</p> <h2> What I built </h2> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>npx @cveriskpilot/scan@latest <span class="nt">--preset</span> startup </code></pre> </div> <p>One command. No account. No API key. Runs offline.</p> <p>It scans your dependencies, secrets, and IaC configs, then maps every finding to <strong>6 compliance frameworks</strong>: NIST 800-53, SOC 2, CMMC, FedRAMP, OWASP ASVS, and SSDF.</p> <p>Instead of just "lodash has CVE-2021-23337," you get:</p> <ul> <li>The CWE classification</li> <li>Which NIST 800-53 controls it violates</li> <li>The SOC 2, CMMC, and FedRAMP impact</li> <li>A severity-based verdict (true positive, false positive, needs review)</li> </ul> <p>All in your terminal. JSON, SARIF, and Markdown output if you need it for CI/CD or reports.</p> <h2> Why I'm posting this </h2> <p>I've been building in a vacuum. The scanner works, it's on npm, but I haven't gotten much feedback from the people who would actually use it.</p> <p><strong>A few things I'd genuinely love input on:</strong></p> <ul> <li>Is the terminal output too dense, or do you want all that detail?</li> <li>What package managers should I support next? (Currently: npm, yarn, pnpm, Go, pip)</li> <li>Would you actually use a GitHub Action wrapper for this?</li> <li>Does compliance mapping even matter to you, or is that only a concern when a prospect asks?</li> </ul> <h2> Try it </h2> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># scan current directory with startup preset</span> npx @cveriskpilot/scan@latest <span class="nt">--preset</span> startup <span class="c"># just dependencies</span> npx @cveriskpilot/scan@latest <span class="nt">--scan</span> deps <span class="c"># output as JSON</span> npx @cveriskpilot/scan@latest <span class="nt">--preset</span> startup <span class="nt">--format</span> json <span class="o">&gt;</span> results.json </code></pre> </div> <p>Zero dependencies. Works on Node 20+. Takes about 30 seconds.</p> <div class="crayons-card c-embed text-styles text-styles--secondary"> <div class="c-embed__content"> <div class="c-embed__body flex items-center justify-between"> <a href="https://www.npmjs.com/package/@cveriskpilot/scan" rel="noopener noreferrer" class="c-link fw-bold flex items-center"> <span class="mr-2">npmjs.com</span> </a> </div> </div> </div> <p><strong>GitHub:</strong> <a href="https://github.com/devbrewster/cveriskpilot-scan" rel="noopener noreferrer">devbrewster/cveriskpilot-scan</a></p> <p>I'm a solo veteran founder building this bootstrapped from Texas. If this is useful to even one person who would've otherwise spent a weekend in spreadsheet hell — that's a win.</p> <p>Tear it apart. I can take it.</p> security opensource devops beginners