Concepts

Libraries, Dependencies, Findings, Severity, Decisions — the data model in plain English.

The data model

Audito's data model is small on purpose — five concepts cover the whole product.

Library

A library is the thing you ship: an application, service, or distributable package. It's the unit you give a name (e.g. web-app), and it owns a list of dependencies. A library has a source_kind that records how it was added (manual, package_json, requirements_txt, pyproject_toml, or other, which is what a CycloneDX SBOM import gets) so the audit feed stays grouped by origin.

Dependency

A dependency is a single (ecosystem, package, version) triple inside a library. Ecosystems include npm, pypi, cargo, maven, rubygems, go, composer, nuget, debian, alpine, plus manual and other. We store both the version range you declared (version_spec) and the version the scanner actually saw (resolved_version). The two differ by design: a manifest such as package.json or pyproject.toml declares a range like ^4.18.0, while a lockfile pins the exact version that was installed, so a manifest imported without its lockfile leaves resolved_version empty and the scanner can only match the range, not a concrete version, against an advisory's affected-version list.
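How the two version fields come apart in practice, as an added example (this is not Audito's importer; the row shape, the helper names, and the package.json and package-lock.json content are constructed for illustration):

```python
"""Build dependency rows from an npm manifest and its lockfile.

Added example, not Audito's own importer: the row shape and the helper
names are assumptions. The manifest and lockfile below are constructed.
"""
import json

# Constructed package.json: declares ranges, never exact versions.
MANIFEST = json.dumps({
    "name": "web-app",
    "dependencies": {"express": "^4.18.0", "lodash": "~4.17.20"},
    "devDependencies": {"jest": "^29.0.0"},
})

# Constructed package-lock.json (lockfileVersion 3 layout): pins every
# package to the version the resolver actually chose.
LOCKFILE = json.dumps({
    "name": "web-app",
    "lockfileVersion": 3,
    "packages": {
        "": {"dependencies": {"express": "^4.18.0", "lodash": "~4.17.20"}},
        "node_modules/express": {"version": "4.18.2"},
        "node_modules/lodash": {"version": "4.17.21"},
        "node_modules/jest": {"version": "29.7.0", "dev": True},
        # Transitive dependency: in the lockfile, absent from the manifest.
        "node_modules/accepts": {"version": "1.3.8"},
    },
})


def declared_from_manifest(manifest_text):
    """Return {package: version_spec} for everything the manifest declares."""
    data = json.loads(manifest_text)
    declared = {}
    for section in ("dependencies", "devDependencies"):
        declared.update(data.get(section, {}))
    return declared


def resolved_from_lockfile(lock_text):
    """Return {package: resolved_version} from a lockfileVersion 3 'packages' map."""
    data = json.loads(lock_text)
    resolved = {}
    for path, entry in data.get("packages", {}).items():
        if not path:  # "" is the root project itself, not a dependency
            continue
        # Nested installs look like node_modules/a/node_modules/b; the
        # package name (including any @scope/) follows the last node_modules/.
        name = path.rsplit("node_modules/", 1)[-1]
        resolved[name] = entry["version"]
    return resolved


def dependency_rows(manifest_text, lock_text=None, ecosystem="npm"):
    """Merge manifest and lockfile into (ecosystem, package, version_spec, resolved_version) rows.

    With a manifest alone, resolved_version is None: nothing has been resolved yet.
    With a lockfile, transitive packages get rows too, with no declared spec.
    """
    declared = declared_from_manifest(manifest_text)
    resolved = resolved_from_lockfile(lock_text) if lock_text else {}
    rows = []
    for name in sorted(set(declared) | set(resolved)):
        rows.append({
            "ecosystem": ecosystem,
            "package": name,
            "version_spec": declared.get(name),
            "resolved_version": resolved.get(name),
        })
    return rows


if __name__ == "__main__":
    print("manifest only:")
    for row in dependency_rows(MANIFEST):
        print(" ", row)
    print("manifest + lockfile:")
    for row in dependency_rows(MANIFEST, LOCKFILE):
        print(" ", row)
```

Run it and compare the two listings: the manifest-only rows carry a spec and no resolved version, and the lockfile adds the transitive accepts row that the manifest never mentions, which is exactly the row an advisory match would otherwise miss.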

Finding

A finding is the join of a dependency and an OSV identifier: "this package at this version has CVE-…". Findings are produced by background scans; you never create one by hand. Each finding carries a severity, references, and a status that defaults to open.

Severity

Audito normalizes upstream severity into five buckets:

  • CRITICAL — exploit known and trivial; treat as page-worthy.
  • HIGH — significant impact; queue for the next maintenance window.
  • MEDIUM — meaningful but not urgent.
  • LOW — minor or hardening-class issues.
  • UNKNOWN — no usable severity from upstream; we surface it but don't weight it in the rollup.

The posture rollup uses these for the colored chips on the dashboard; UNKNOWN findings appear in the inbox but do not move the chips. Two practical notes: severity is an upstream impact rating, not a measure of whether the vulnerable code is reachable in your deployment, so record a decision rather than reading a chip as a verdict; and an UNKNOWN is often an advisory that has not been scored yet rather than a harmless one, so it is worth a manual look.

Decision

A decision is your triage state on a finding: open (nothing decided), accepted (acknowledged, won't fix), dismissed (this isn't a real issue for us), or snoozed (hidden until a date you set, after which it returns as open). Decisions are scoped to the workspace owner: a finding has exactly one decision per (dependency, OSV id) pair, and the inbox only shows what's actually still open by default. Because a dependency is a specific version, the decision is tied to that version; if the package moves to a new version that is still affected, the new row gets a fresh open finding rather than inheriting the old decision.
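The Severity buckets and the Decision states meet in the inbox and the posture rollup, so the example below, added here and not Audito's own code, puts both together. It assumes the standard CVSS v3 qualitative ranges for bucketing (the page does not specify the mapping), treats a snooze whose date has passed as open again, and uses constructed findings, decisions and placeholder ids throughout.

```python
"""Bucket upstream severities, apply triage decisions, and compute the inbox
and posture rollup over a set of findings.

Added example, not Audito's own code: the CVSS v3 qualitative ranges used
for bucketing, the rule that an expired snooze reads as open, and the record
shapes are assumptions. Every finding, decision and id below is constructed.
"""
from datetime import date

BUCKETS = ("CRITICAL", "HIGH", "MEDIUM", "LOW", "UNKNOWN")
TODAY = date(2024, 6, 1)       # constructed "now" for the demo
EARLIER = date(2024, 1, 1)     # a day before the first snooze below expires


def bucket_from_upstream(severity):
    """Normalize an upstream severity into one of the five buckets.

    Accepts a CVSS v3 base score (number or numeric string) or one of the
    four rating words. Assumption: standard CVSS v3.x qualitative ranges
    (9.0+ CRITICAL, 7.0+ HIGH, 4.0+ MEDIUM, 0.1+ LOW). Anything missing,
    unparseable or out of range becomes UNKNOWN instead of being dropped.
    """
    if severity is None:
        return "UNKNOWN"
    if isinstance(severity, str):
        text = severity.strip().upper()
        if text in BUCKETS[:4]:
            return text
        try:
            severity = float(text)
        except ValueError:
            return "UNKNOWN"
    score = float(severity)
    if not 0.0 < score <= 10.0:   # 0.0 is CVSS "None": no usable signal
        return "UNKNOWN"
    if score >= 9.0:
        return "CRITICAL"
    if score >= 7.0:
        return "HIGH"
    if score >= 4.0:
        return "MEDIUM"
    return "LOW"


# Constructed findings, one per (dependency, OSV id). Package names and ids
# are placeholders, not real advisories. 'severity' is whatever upstream
# provided: a score, a rating word, or nothing at all.
FINDINGS = [
    {"dependency": ("npm", "alpha", "1.0.0"), "osv_id": "EXAMPLE-0001", "severity": 9.1},
    {"dependency": ("npm", "beta", "2.3.0"), "osv_id": "EXAMPLE-0002", "severity": "HIGH"},
    {"dependency": ("pypi", "gamma", "0.9.0"), "osv_id": "EXAMPLE-0003", "severity": 5.3},
    {"dependency": ("pypi", "gamma", "0.9.0"), "osv_id": "EXAMPLE-0004", "severity": None},
    {"dependency": ("npm", "delta", "4.2.1"), "osv_id": "EXAMPLE-0005", "severity": "7.5"},
]

# Constructed decisions, keyed exactly as the data model keys them: one per
# (dependency, OSV id). Findings with no row here have never been triaged.
DECISIONS = {
    (("npm", "beta", "2.3.0"), "EXAMPLE-0002"): {"status": "accepted"},
    (("pypi", "gamma", "0.9.0"), "EXAMPLE-0003"): {"status": "snoozed", "until": date(2024, 1, 31)},
    (("npm", "delta", "4.2.1"), "EXAMPLE-0005"): {"status": "snoozed", "until": date(2030, 1, 1)},
}


def effective_status(finding, decisions, today):
    """Status as the inbox sees it on a given day.

    No decision row means open. A snooze whose date has passed (or that has
    no date at all) reads as open again; accepted and dismissed stick.
    """
    key = (finding["dependency"], finding["osv_id"])
    decision = decisions.get(key, {"status": "open"})
    if decision["status"] == "snoozed":
        until = decision.get("until")
        if until is None or until <= today:
            return "open"
    return decision["status"]


def inbox(findings, decisions, today):
    """The default inbox: findings that are actually still open."""
    return [f for f in findings if effective_status(f, decisions, today) == "open"]


def posture_rollup(findings, decisions, today):
    """Per-bucket counts over the open findings, for the dashboard chips.

    UNKNOWN is counted separately so it is surfaced without weighting the
    rollup. Returns (counts_by_bucket, unknown_count).
    """
    counts = {b: 0 for b in BUCKETS[:4]}
    unknown = 0
    for finding in inbox(findings, decisions, today):
        bucket = bucket_from_upstream(finding["severity"])
        if bucket == "UNKNOWN":
            unknown += 1
        else:
            counts[bucket] += 1
    return counts, unknown


if __name__ == "__main__":
    for f in inbox(FINDINGS, DECISIONS, TODAY):
        print(f["osv_id"], bucket_from_upstream(f["severity"]))
    print(posture_rollup(FINDINGS, DECISIONS, TODAY))
```

The interesting rows are EXAMPLE-0003, which was snoozed to a date that has passed and therefore shows up again on TODAY but not on EARLIER, and EXAMPLE-0004, whose missing severity lands it in the inbox as UNKNOWN without adding to any chip. Changing the key to drop the version would make a decision on gamma 0.9.0 silently cover every future gamma version, which is exactly the leak the per-(dependency, OSV id) scoping prevents.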

Data flow

   manifest / SBOM / manual entry
              │  import (rows land immediately)
              ▼
        ┌──────────┐    background scan      ┌─────────┐
        │  library │ ──────────────────────▶ │ finding │
        └──────────┘                         └─────────┘
              │                                   │
              ▼                                   ▼
       dependencies (rows)              decision (open / accepted /
                                        dismissed / snoozed)

Imports never wait for a scan: the dependency rows land first, the scanner catches up asynchronously, and the inbox fills in as findings arrive. The flip side is that a freshly imported library showing zero findings may simply not have been scanned yet, so an empty inbox right after an import is not evidence of a clean dependency set.