inside audr · pillar 02
Most security tools either roll their own vulnerability database (and fall behind) or wrap one (and miss the others). Audr coordinates the scanners the open-source security community already maintains, plus a native rule engine for AI-agent posture, and presents one deduplicated report.
The DB authors do their job. Audr does the orchestration.
Each backend has a single job. Audr re-keys findings into a unified fingerprint, dedup-groups them by underlying advisory, classifies fix authority (you / maintainer / upstream), and emits the combined result.
01
in-repo
scans
AI-agent and developer-machine configuration surfaces
emits
Agent-config finding
license
FSL-1.1-MIT (audr's source license)
Audr's own pattern + AST rules for MCP servers, Claude Code settings, Cursor permissions, Codex CLI config, Windsurf, GitHub Actions workflows, shell rcs, and agent skills. The cron-driven CVE pipeline lands new rules as advisories ship — see /coverage for the live count.
02
external · invoked by audr
scans
Package CVEs across npm, Go, PyPI, Crates.io, Maven, and more
emits
Dep-package finding
license
Apache-2.0 (Google)
Google's open-source scanner against the OSV.dev database. Audr orchestrates osv-scanner against the manifest files it finds on the developer machine and re-keys findings into audr's dedup + fix-authority taxonomy. The vuln DB is OSV; audr does not maintain a parallel DB.
03
external · invoked by audr
scans
Exposed secrets with provider validation
emits
Secret finding
license
MIT (Betterleaks)
Secret scanner with active provider validation — Betterleaks doesn't just regex-match credential shapes, it (optionally) verifies they're live by hitting the issuing provider's identity endpoint. Audr invokes it via `audr scan --secrets` and folds findings through redaction + dedup. Valid vs. unverified findings collapse into one fingerprint so a validation flap doesn't churn finding identity.
04
in-repo · Linux only
scans
OS-package CVEs (dpkg / rpm / apk)
emits
OS-package finding
license
FSL-1.1-MIT (audr's source license)
Audr enumerates installed OS packages via dpkg-query / rpm / apk, hands the list to OSV-Scanner's --osv-bundle mode, and surfaces CVEs against the operating system itself. Linux-only by design; macOS and Windows do not have an equivalent system-wide package inventory.
01 — focus
Each backend is the best at one job. OSV.dev curates package CVEs at a cadence no in-repo rule set can match. Betterleaks validates secrets against live provider endpoints. ospkg knows OS package managers. Audr's job is the agent-config layer no one else covers — and then stitching the rest together.
02 — trust posture
A vuln DB is a moat that ages. Audr does not own one. When OSV.dev adds an advisory, audr picks it up at the next scan with no audr release required. When Betterleaks adds a provider, audr's secret coverage grows with it. We follow upstream; we don't fork.
03 — dedup is the value-add
The same OpenClaw CVE shows up in package.json, package-lock.json, yarn.lock, and a vendored copy under node_modules. OSV-Scanner reports four findings; audr dedup-groups them by advisory + ecosystem + package + fixed-version, surfaces one row, and lists the affected paths under it.
04 — fix authority
Each finding is classified as your-fix, maintainer-fix, or upstream-fix.
A secret in your repo is your-fix. A CVE in a vendored plugin under
~/.cursor/extensions is the plugin maintainer's fix. The CLI's
--fix-authority you filter is the natural input
for a coding agent — the other classes need human action.
The single binary ships with all four backends wired up. OSV-Scanner and Betterleaks are installed on-demand on first scan; ospkg is built in and only runs on Linux. The local-machine scan never uploads anything by default.