*Built a Python Dependency Audit Tool Because Vulnerability Lists Weren’t Enough*
(A companion for compliance, not just another scanner)
Most vulnerability tools stop at giving you a list of CVEs. That’s useful, but it’s not enough if you need to *prove* your compliance, pass a security audit, or keep verifiable records for regulations like EO 14028 or NIST SSDF.
That’s why I built *AuditDeps* — a CLI tool that scans Python dependencies (`requirements.txt`, `pyproject.toml`) using OSV.dev and generates *evidence-ready, repeatable audit reports* in HTML and JSON.
*What makes it different*
- It produces self-contained, review-friendly HTML reports with scan metadata (time, scope, data source).
- JSON output fits into automated pipelines and evidence archives.
- Focused on *audit trails*, not just detection.
*Example*
```bash
auditdeps scan requirements.txt --report html
# Opens scan-report.html with dependency tree, vulnerabilities, and full context
```
*Who it’s for*
- Teams undergoing formal security/compliance reviews
- Open-source maintainers who need to document dependency hygiene
- Anyone tired of manually reformatting scanner output into audit artifacts
*Discussion points*
- How are you handling dependency audit trails in your projects?
- Are there other “evidence-ready” tools you’ve used for compliance?
- Would a similar approach be useful for other ecosystems (Node.js, Rust, etc.)?
This is a “Show HN” style post focused on solving the audit/evidence gap rather than just finding vulnerabilities. It’s built for developers who need to show — not just know — their dependency security.
zerogru0x00•1h ago
Most vulnerability tools stop at giving you a list of CVEs. That’s useful, but it’s not enough if you need to *prove* your compliance, pass a security audit, or keep verifiable records for regulations like EO 14028 or NIST SSDF.
That’s why I built *AuditDeps* — a CLI tool that scans Python dependencies (`requirements.txt`, `pyproject.toml`) using OSV.dev and generates *evidence-ready, repeatable audit reports* in HTML and JSON.
*What makes it different* - It produces self-contained, review-friendly HTML reports with scan metadata (time, scope, data source). - JSON output fits into automated pipelines and evidence archives. - Focused on *audit trails*, not just detection.
*Example* ```bash auditdeps scan requirements.txt --report html # Opens scan-report.html with dependency tree, vulnerabilities, and full context ```
*Who it’s for* - Teams undergoing formal security/compliance reviews - Open-source maintainers who need to document dependency hygiene - Anyone tired of manually reformatting scanner output into audit artifacts
*Tool & repo* - GitHub: https://github.com/0x5A65726F677275/AuditDeps - Install: `pip install auditdeps` (after cloning) - MIT licensed, Python-based
*Discussion points* - How are you handling dependency audit trails in your projects? - Are there other “evidence-ready” tools you’ve used for compliance? - Would a similar approach be useful for other ecosystems (Node.js, Rust, etc.)?
This is a “Show HN” style post focused on solving the audit/evidence gap rather than just finding vulnerabilities. It’s built for developers who need to show — not just know — their dependency security.