Features

One guardrail, end to end.

From the moment your agent proposes a package to the daily scan that watches it for years — here's everything Audito does today. No roadmap items, no vapor.

Stage 01 · Before install

Guard the install

The agent asks Audito before it writes a dependency. A verdict comes back in plain English.

Pre-install guard

check_package validates a package before it's added: typosquat detection, deprecation, known CVEs from OSV.dev, and license policy — returning allow / warn / block with a plain-English summary. Works across npm, PyPI, crates.io, and Go.

Claude: I'll add colorss for ANSI colors.

Audito: Blocked. Likely typosquat of colors. Registered 6 days ago, 0 weekly downloads, no repo. Try chalk instead.

Four ecosystems

One tool, one verdict shape across npm, PyPI, crates.io, and Go — so your agent doesn't need ecosystem-specific glue.

Stage 02 · What you already ship

Audit and inventory

Point Audito at a lockfile or an SBOM and it inventories everything you've already shipped.

Whole-lockfile audit

audit_lockfile checks an entire lockfile in one call — npm (package-lock v1/v2/v3), pnpm-lock, yarn.lock (classic + berry), requirements.txt, poetry.lock, Pipfile.lock, Cargo.lock, and go.sum. Eight formats.

SBOM import

Seed your libraries from a CycloneDX SBOM or a conda environment.yml — no manual entry to get started.

Stage 03 · Fix

Remediate without leaving your workflow

Every finding comes with the exact, minimal change that resolves it.

Agent-native remediation

suggest_actions computes the nearest safe upgrade per CVE: a minimal version bump, an operator-preserving manifest edit (^4.17.0 → ^5.0.0), the exact per-ecosystem install command, and a breaking-change flag.

Bump lodash: ^4.17.20 → ^4.17.21
Bump next: 15.2.1 → 16.2.4
Bump axios: ^1.6.0 → ^1.7.4
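The operator-preserving bump described above, written out as an added illustration that is not Audito's own code: the version specs, the fixed-version lists and the per-ecosystem install-command templates are constructed for the example, and the selection rule (lowest fixed version at or above the current floor, same operator, breaking flag on a major change) is one reasonable reading of the feature, not the product's actual algorithm.

```python
import re
from dataclasses import dataclass

# Version specs handled: the npm-style ^ and ~ ranges and exact pins shown on the
# page, plus a ">=" floor. Pre-release tags are deliberately out of scope here.
_SPEC = re.compile(r"^(\^|~|>=|)(\d+)\.(\d+)\.(\d+)$")

# Hypothetical install-command templates per ecosystem (not Audito's output).
_INSTALL = {
    "npm": "npm install {pkg}@{ver}",
    "pypi": 'pip install "{pkg}=={ver}"',
    "crates.io": "cargo add {pkg}@{ver}",
    "go": "go get {pkg}@v{ver}",
}

@dataclass(frozen=True)
class Remediation:
    package: str
    old_spec: str
    new_spec: str
    breaking: bool
    install_cmd: str

def _parse(spec: str):
    # Split "^4.17.20" into its operator and a comparable (4, 17, 20) tuple.
    m = _SPEC.match(spec.strip())
    if not m:
        raise ValueError(f"unsupported version spec: {spec!r}")
    op, major, minor, patch = m.groups()
    return op, (int(major), int(minor), int(patch))

def nearest_safe_upgrade(package, current_spec, fixed_versions, ecosystem="npm"):
    """Lowest fixed version at or above the current floor (older backport lines are
    skipped), written back with the same operator; breaking on a major change (or a
    minor change while still on a 0.x line, following caret semantics)."""
    op, cur = _parse(current_spec)
    fixed = sorted(_parse(v)[1] for v in fixed_versions)
    target = next((v for v in fixed if v >= cur), None)
    if target is None:
        raise ValueError(f"{package}: no fixed version at or above {current_spec}")
    ver = ".".join(map(str, target))
    breaking = target[0] != cur[0] or (cur[0] == 0 and target[1] != cur[1])
    return Remediation(package, current_spec, f"{op}{ver}", breaking,
                       _INSTALL[ecosystem].format(pkg=package, ver=ver))

if __name__ == "__main__":
    # Constructed advisory data echoing two of the bumps shown on the page.
    for pkg, spec, fixed in [("lodash", "^4.17.20", ["4.17.21"]),
                             ("next", "15.2.1", ["14.2.26", "16.2.4"])]:
        r = nearest_safe_upgrade(pkg, spec, fixed)
        print(r.package, r.old_spec, "->", r.new_spec,
              "(breaking)" if r.breaking else "", "#", r.install_cmd)
```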

Remediation-PR bot

Opt-in on the GitHub App: Audito opens draft PRs bumping vulnerable direct deps — operator-preserving and workspace-aware on npm monorepos. You review and merge.

Stage 04 · In CI

Block regressions on every PR

A check on the pull request, with annotations right on the changed lockfile.

GitHub Action & App CI gate

Posts an Audito Check Run plus inline per-package annotations on the PR's lockfile. Default policy: malware / CRITICAL / HIGH block; MEDIUM / LOW and typosquats warn. Layer in license policy and a fail-on-severity gate. The Action needs no app install; the App adds the remediation bot and auto-sync.

Repo → library auto-sync

On push to your default branch, the App mirrors your repo manifests — including npm workspaces, resolved against the nearest node_modules — into Audito libraries, scanning only what changed.

Stage 05 · Forever after

Monitor, alert, digest

Dependencies don't stop changing after you merge. Neither does Audito.

Daily vulnerability scan

A cron scan at 06:00 UTC against OSV.dev, globally deduped and fanned out via QStash — so a new advisory finds you, not the other way around.

23 open findings (−8 over the last 7 days): 1 Critical, 3 High, 7 Medium, 12 Low

Real-time CRITICAL/HIGH alerts

Severe findings email you immediately, at most once per finding — not buried in the weekly digest.

Weekly digest

Every Monday: a posture summary, new findings from the last 7 days, stale libraries, and the top fixes ranked by a severity-weighted score.

Service & changelog monitoring

Track the changelogs and status pages of 40+ popular services alongside your dependencies, so vendor changes don't blindside you.

Stage 06 · Manage

Dashboard & policy

The web app is the report and the control panel — triage findings and set the rules.

Web dashboard

Libraries, a findings inbox with accept / dismiss / snooze triage, an activity feed, a software/service-status tracker, and settings — the whole posture in one place.

Posture trend

Posture snapshots and a 30-day trend sparkline so you can see whether risk is going up or down.

License policy

Set org-wide allow / warn / block rules on SPDX licenses — applied at check time and layered into the CI gate.

Triage that sticks

Dismiss or snooze a finding with a reason and it stays quiet — decisions are recorded in the audit log.

14-day free trial · no card

See it on your own dependencies.

Connect an agent or import a lockfile and Audito starts checking in minutes.