Security & data

What Audito reads, and what it never touches.

A dependency-security tool earns trust by being precise about its own data handling. Here's exactly what Audito ingests, where its intelligence comes from, and how the system is built.

We read your dependencies, not your code.

Audito ingests dependency manifests and lockfiles — declared packages and resolved versions — not the application code that imports them. That holds even when you connect a GitHub repository: we read files like package.json and package-lock.json, never your program logic. We don't use your repository contents to train models or for any purpose beyond operating these features for you.

Read the full privacy policy
Data sources

Where the intelligence comes from.

Audito's verdicts are grounded in public, authoritative feeds — not a proprietary black box.

OSV.dev

The Open Source Vulnerabilities database is the source of truth for known CVEs across npm, PyPI, crates.io, and Go. Every finding traces back to an OSV advisory.

npm & PyPI registries

Package metadata and release timestamps — used to spot deprecations, freshly registered typosquats, and abandoned packages.

Vendor changelogs & status pages

For the service tracker, Audito reads 40+ vendors' changelogs, Statuspage v2 endpoints, and RSS/Atom feeds you point it at — outbound only.

When scanning, the backend sends only package names and versions to these feeds — never your account or workspace identifiers. Data flows out to public registries; nothing about you flows with it.

How it's built

The security posture of the platform itself.

Authentication, storage, and notifications are delegated to specialist providers and scoped per tenant.

Authentication

The dashboard authenticates through Clerk (email or Google/GitHub OAuth). MCP and API access use audt_… tokens — shown once, then stored only as a hash.
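The "shown once, then stored only as a hash" pattern for API tokens, as an added example rather than Audito's own code. The `audt_` prefix is taken from the text above; everything else (the token length, SHA-256 as the digest, the in-memory store and the `issue_token` / `verify_token` / `revoke_token` names) is an assumption made for illustration.

```python
"""Issue-once, hash-at-rest API tokens.

Added example, not Audito's implementation. Only the "audt_" prefix
comes from the page; the token format, digest and store are assumed.
"""
import hashlib
import secrets
from dataclasses import dataclass, field

TOKEN_PREFIX = "audt_"  # prefix from the page; remainder of the format is assumed


@dataclass
class TokenRecord:
    """Metadata kept per token. Note: no field holds the token itself."""
    label: str
    revoked: bool = False


@dataclass
class TokenStore:
    """Maps sha256(token) -> TokenRecord. The plaintext is never stored."""
    records: dict = field(default_factory=dict)


def _digest(token: str) -> str:
    # Unsalted SHA-256 is appropriate here: the token carries ~256 bits of
    # random entropy, so a leaked digest cannot be brute-forced the way a
    # password hash could. Salting/stretching is for low-entropy secrets.
    return hashlib.sha256(token.encode("utf-8")).hexdigest()


def issue_token(store: TokenStore, label: str) -> str:
    """Create a token, persist only its digest, return the plaintext once."""
    token = TOKEN_PREFIX + secrets.token_urlsafe(32)
    store.records[_digest(token)] = TokenRecord(label=label)
    return token


def verify_token(store: TokenStore, presented: str):
    """Return the token's label if it is known and not revoked, else None."""
    if not presented.startswith(TOKEN_PREFIX):
        return None
    record = store.records.get(_digest(presented))
    if record is None or record.revoked:
        return None
    return record.label


def revoke_token(store: TokenStore, presented: str) -> bool:
    """Mark a token revoked; returns False if it was never issued."""
    record = store.records.get(_digest(presented))
    if record is None:
        return False
    record.revoked = True
    return True


def store_holds_plaintext(store: TokenStore, token: str) -> bool:
    """Audit helper: does the plaintext appear anywhere in the store?"""
    return any(token in key or token in rec.label
               for key, rec in store.records.items())


if __name__ == "__main__":
    store = TokenStore()
    plaintext = issue_token(store, "ci-runner")
    print("show this once:", plaintext)
    print("verify:", verify_token(store, plaintext))
    print("plaintext at rest:", store_holds_plaintext(store, plaintext))
```

Because verification recomputes the digest and looks it up, a database dump exposes only hashes; an attacker would need the original high-entropy token, which exists only in the user's hands after the one-time display.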

Storage with RLS

Workspace data lives in Supabase (Postgres) with row-level security, so every request can only read or write the tenant it belongs to.

Encrypted in transit

All traffic — between you and Audito, and between Audito and its sub-processors — is encrypted with TLS.

Opt-in notifications

Email is delivered through Resend, and only if you opt in. Without an opt-in, your address is never handed to the email provider.

Write access is narrow

The GitHub App's only write path is opt-in draft remediation PRs. Nothing is merged automatically; you review every change.

Minimal outbound data

Scans send package names and versions to public feeds — never workspace or account identifiers. Vendors you track receive an anonymous request, nothing about you.
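How a scanner can honour both "we read your dependencies, not your code" and "scans send package names and versions only" is shown below as an added example; it is not Audito's code. The lockfile is constructed, the name extraction follows npm's lockfileVersion 2/3 `packages` layout (with a fallback for the v1 `dependencies` tree), and the request body follows OSV's public `querybatch` format. The script builds the payload and audits its keys but does not send anything.

```python
"""Minimise what leaves the scanner: (name, version) pairs only.

Added example, not Audito's implementation. SAMPLE_LOCKFILE is
constructed; the payload shape follows OSV's querybatch endpoint
(POST /v1/querybatch) but no request is made here.
"""
import json

# Constructed npm lockfileVersion 3 file. The "" entry is the project root;
# other keys are install paths, which is how nested duplicates appear.
SAMPLE_LOCKFILE = json.dumps({
    "name": "acme-dashboard",
    "lockfileVersion": 3,
    "packages": {
        "": {"name": "acme-dashboard", "version": "1.0.0"},
        "node_modules/lodash": {"version": "4.17.21",
                                "resolved": "https://registry.npmjs.org/lodash/-/lodash-4.17.21.tgz"},
        "node_modules/@scope/pkg": {"version": "2.0.0"},
        "node_modules/@scope/pkg/node_modules/lodash": {"version": "4.17.15"},
    },
})

# The only keys a minimised OSV batch query is allowed to contain.
ALLOWED_KEYS = {"queries", "package", "name", "ecosystem", "version"}


def extract_npm_packages(lockfile_text: str):
    """Return sorted, de-duplicated (name, version) pairs from package-lock.json."""
    lock = json.loads(lockfile_text)
    found = set()
    if "packages" in lock:  # lockfileVersion 2 and 3
        for path, entry in lock["packages"].items():
            if path == "" or "version" not in entry:
                continue  # skip the project root and link/workspace entries
            # Nested installs: take the segment after the last node_modules/.
            name = path.rsplit("node_modules/", 1)[-1]
            found.add((name, entry["version"]))
    else:  # lockfileVersion 1: nested "dependencies" tree
        def walk(deps):
            for name, entry in deps.items():
                if "version" in entry:
                    found.add((name, entry["version"]))
                walk(entry.get("dependencies", {}))
        walk(lock.get("dependencies", {}))
    return sorted(found)


def build_osv_querybatch(packages, ecosystem: str = "npm") -> dict:
    """Build the OSV querybatch body from (name, version) pairs."""
    return {"queries": [
        {"package": {"name": name, "ecosystem": ecosystem}, "version": version}
        for name, version in packages
    ]}


def collect_keys(obj, acc=None) -> set:
    """Every dict key anywhere in a JSON-like structure."""
    acc = set() if acc is None else acc
    if isinstance(obj, dict):
        for k, v in obj.items():
            acc.add(k)
            collect_keys(v, acc)
    elif isinstance(obj, list):
        for v in obj:
            collect_keys(v, acc)
    return acc


def payload_is_minimal(payload: dict) -> bool:
    """True if no key outside the allowed set (e.g. a workspace id) is present."""
    return collect_keys(payload) <= ALLOWED_KEYS


if __name__ == "__main__":
    pkgs = extract_npm_packages(SAMPLE_LOCKFILE)
    body = build_osv_querybatch(pkgs)
    print(json.dumps(body, indent=2))
    print("minimal:", payload_is_minimal(body))
```

The `payload_is_minimal` check is the kind of guard worth running in tests: if someone later adds a `workspace_id` field to the outbound request for convenience, the key set changes and the test fails before the data ever leaves.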

Audito holds no formal certifications (SOC 2, ISO 27001) today. If that's a hard requirement, get in touch and we'll tell you where we are. See the terms and privacy policy for the full detail.

14-day free trial · no card

Security you can actually inspect.

Free to start, no card required. Connect an agent or import a lockfile and see exactly what Audito stores.