
I built a free compliance scanner because the enterprise ones cost more than my rent
I'm a cybersecurity engineer — 7 years in, currently a Security Policy Analyst, previously an Application Security Architect. I started building a SaaS product on the side and immediately hit a wall: how do I prove this thing is compliant without spending $50k on GRC tooling? So I built the compliance mapping myself. Then I realized it was more useful than the SaaS it was meant to protect.

The problem

You run npm audit. You get 47 vulnerabilities. Now what? Which ones violate SOC 2 controls? Which ones show up on a CMMC assessment? Which ones would a FedRAMP auditor flag?

Nobody tells you that. You're supposed to figure it out by cross-referencing CVEs to CWEs to NIST controls to framework mappings — manually, in spreadsheets, on a Friday afternoon. That's insane.

What I built

npx @cveriskpilot/scan@latest --preset startup

One command. No account. No API key. Runs offline. It scans your dependencies, secrets, and IaC configs, then maps every finding to 6 compliance frameworks: NIST 8
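The CVE-to-CWE-to-control roll-up the post describes, as an added example that is not the project's own code: it walks a constructed `npm audit --json` document (auditReportVersion 2 shape) and groups each advisory's CWE ids under NIST SP 800-53 control ids. The package names, advisory ids and the CWE-to-control table are assumptions for illustration, not a vetted mapping.

```python
import json
from collections import defaultdict

# Constructed sample in the shape of `npm audit --json` (auditReportVersion 2).
# Package names, advisory ids and titles are made up for this example.
SAMPLE_AUDIT = json.dumps({
    "auditReportVersion": 2,
    "vulnerabilities": {
        "example-markup": {
            "name": "example-markup", "severity": "high", "isDirect": True,
            "via": [{"source": 1001, "name": "example-markup",
                     "title": "XSS in template rendering",
                     "cwe": ["CWE-79"], "severity": "high", "range": "<2.0.0"}],
        },
        "example-creds": {
            "name": "example-creds", "severity": "critical", "isDirect": False,
            "via": [{"source": 1002, "name": "example-creds",
                     "title": "Hard-coded credential",
                     "cwe": ["CWE-798"], "severity": "critical", "range": "*"}],
        },
        "example-wrapper": {
            "name": "example-wrapper", "severity": "high", "isDirect": True,
            # A bare string in `via` means "vulnerable only through that dependency";
            # the advisory itself is recorded under the root package above.
            "via": ["example-markup"],
        },
    },
})

# Assumed, illustrative CWE -> NIST SP 800-53 control mapping (not a vetted table).
CWE_TO_CONTROLS = {
    "CWE-79": ["SI-10"],
    "CWE-798": ["IA-5", "SC-28"],
}

def map_audit_to_controls(audit_json: str) -> dict:
    """Return {control_id: [(package, cwe, severity), ...]} for every advisory."""
    report = json.loads(audit_json)
    findings = defaultdict(list)
    for pkg in report.get("vulnerabilities", {}).values():
        for via in pkg.get("via", []):
            if isinstance(via, str):
                continue  # transitive pointer; advisory already counted at its root
            for cwe in via.get("cwe", []):
                for control in CWE_TO_CONTROLS.get(cwe, ["UNMAPPED"]):
                    findings[control].append((via["name"], cwe, via["severity"]))
    return dict(findings)

if __name__ == "__main__":
    for control, items in sorted(map_audit_to_controls(SAMPLE_AUDIT).items()):
        print(control, items)
```

Anything that lands under `UNMAPPED` is a CWE the table does not cover, which is exactly the gap a reviewer has to close by hand.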



