CypherGuard
CLI tool for supply chain security scanning with automated EU compliance verification (CRA & NIS2).
An open-source CLI tool that combines dependency scanning, AI-powered risk analysis, and automated EU compliance checking. Built for teams that need to prove security practices, not just detect vulnerabilities.
What It Does #
Scans .NET and JavaScript projects for vulnerabilities, translates findings into business-friendly risk assessments using GPT-4, and automatically evaluates compliance with the requirements of the EU Cyber Resilience Act (CRA) and the NIS2 Directive.
Three Core Functions #
**Vulnerability Scanning.** Detects vulnerable dependencies across the NuGet and npm ecosystems using the OSV.dev API. Includes transitive dependency analysis, CVSS scoring, and fix recommendations.
**AI Risk Translation.** Sends vulnerability data to GPT-4 with structured prompts that generate executive summaries, for example: “This RCE vulnerability exposes customer data. Priority: Critical. Fix: Upgrade to v2.3.1 within 48 hours.”
**Compliance Automation.** Evaluates projects against 20 CRA and NIS2 requirements: vulnerability disclosure processes, dependency documentation, patching timelines, and more. Outputs scored compliance reports with gap analysis.
How It Works #
1. Dependency Detection #
Automatically detects the project type (NuGet or npm) and extracts all dependencies, transitive ones included. Queries the OSV.dev API in real time for vulnerability data, so there is no local vulnerability database to maintain (responses are cached in LiteDB to speed up repeated scans).
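What this step involves in practice, as an added example in Python (not CypherGuard's own C# code): it walks a constructed npm `package-lock.json` and a constructed NuGet `project.assets.json`, collects every resolved package including the non-hoisted transitive ones, and builds the body of an OSV.dev `querybatch` request. The lockfile contents, package names and versions are made up for the example and say nothing about real packages; the request is built but not sent.

```python
"""Resolve dependencies from lockfiles and build an OSV.dev querybatch request.

Added example, not CypherGuard's code. The sample lockfiles are constructed.
"""
import json
from typing import Iterable

# Ecosystem names exactly as OSV expects them in package.ecosystem
OSV_ECOSYSTEM = {"npm": "npm", "nuget": "NuGet"}


def npm_lock_dependencies(lock: dict) -> list[tuple[str, str, bool]]:
    """Return (name, version, is_dev) for every installed npm package.

    lockfileVersion 2 and 3 list each installed package under "packages", keyed
    by its install path. A nested path such as node_modules/a/node_modules/b is
    a transitive dependency that npm could not hoist, so walking "packages"
    covers the whole tree. The empty key is the root project itself.
    """
    deps = []
    for path, meta in lock.get("packages", {}).items():
        if path == "" or "version" not in meta:
            continue
        # The name is whatever follows the last "node_modules/"; this keeps the
        # scope of @scope/name packages intact.
        name = path.rsplit("node_modules/", 1)[-1]
        deps.append((name, meta["version"], bool(meta.get("dev", False))))
    return deps


def nuget_assets_dependencies(assets: dict) -> list[tuple[str, str, bool]]:
    """Return (name, version, False) for every resolved NuGet package.

    obj/project.assets.json holds the fully resolved graph under "libraries",
    keyed "Name/Version". Entries of type "project" are project references,
    not packages, and are skipped.
    """
    deps = []
    for key, meta in assets.get("libraries", {}).items():
        if meta.get("type") != "package":
            continue
        name, _, version = key.partition("/")
        deps.append((name, version, False))
    return deps


def osv_querybatch_body(ecosystem: str, deps: Iterable[tuple[str, str, bool]]) -> dict:
    """Build the JSON body for POST https://api.osv.dev/v1/querybatch.

    One query per unique (name, version): the same package can appear at
    several paths in an npm tree. querybatch returns only vulnerability ids
    (and modification times); full records come from GET /v1/vulns/{id}.
    """
    unique = sorted({(name, version) for name, version, _ in deps})
    return {
        "queries": [
            {"package": {"name": name, "ecosystem": OSV_ECOSYSTEM[ecosystem]},
             "version": version}
            for name, version in unique
        ]
    }


# Constructed sample inputs (names and versions are arbitrary).
SAMPLE_PACKAGE_LOCK = json.loads("""{
  "name": "demo-app", "lockfileVersion": 3,
  "packages": {
    "": {"name": "demo-app", "version": "1.0.0"},
    "node_modules/demo-utils": {"version": "1.0.4"},
    "node_modules/demo-web": {"version": "2.2.0"},
    "node_modules/demo-web/node_modules/demo-debug": {"version": "2.6.9"},
    "node_modules/@demo/test-runner": {"version": "29.0.0", "dev": true}
  }
}""")

SAMPLE_PROJECT_ASSETS = json.loads("""{
  "libraries": {
    "Demo.Json/12.0.1": {"type": "package"},
    "Demo.Shared/1.0.0": {"type": "project"}
  }
}""")


def build_sample_queries() -> dict:
    """Run both extractors on the constructed lockfiles and build the requests."""
    return {
        "npm": osv_querybatch_body("npm", npm_lock_dependencies(SAMPLE_PACKAGE_LOCK)),
        "nuget": osv_querybatch_body("nuget", nuget_assets_dependencies(SAMPLE_PROJECT_ASSETS)),
    }


if __name__ == "__main__":
    print(json.dumps(build_sample_queries(), indent=2))
```

The dev flag is kept so a caller can decide whether test-only dependencies count against the project; OSV does not care about it.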
2. Vulnerability Analysis #
Matches dependencies against known CVEs and assigns CVSS scores. Each finding carries a severity classification, the affected and fixed versions, fix recommendations, and an exploitability assessment.
3. AI Risk Assessment #
GPT-4 transforms technical CVE data into stakeholder-friendly summaries with business impact, priority levels, and concrete remediation steps. Prompt engineering keeps the output consistent and actionable. Note that this step sends dependency and vulnerability data to OpenAI's API, which matters for projects whose dependency inventory is itself sensitive.
4. Compliance Checking #
Evaluates 20 automated rules based on CRA Annex I and NIS2 Article 21:
- Vulnerability disclosure process
- Dependency documentation (SBOM)
- Patching timelines and procedures
- Security contact information
- Incident response protocols
Generates a compliance score (0-100%) with gap analysis.
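The shape of such a rule engine, as an added Python example (not CypherGuard's 20 rules): each rule is a predicate over a snapshot of the repository, the score is the share of rules that pass, and the gap analysis is the list of failures with the clause each rule was read from. The six rules, their regulation references and the repository snapshot are illustrative; which clause maps to which check is this example's reading, not a legal determination.

```python
"""Minimal compliance rule engine: rules as predicates over a repository
snapshot, score as share of rules passed, gaps as the failed rules.

Added example, not CypherGuard's rule set. The regulation references and the
snapshot are illustrative.
"""
import re
from dataclasses import dataclass
from typing import Callable

# A snapshot is {relative path: file contents}; contents are only needed for
# files whose text is inspected.
Snapshot = dict[str, str]


@dataclass(frozen=True)
class Rule:
    id: str
    reference: str  # clause the check was read from (this example's reading)
    description: str
    check: Callable[[Snapshot], bool]


def _has_file(snapshot: Snapshot, pattern: str) -> bool:
    rx = re.compile(pattern, re.IGNORECASE)
    return any(rx.fullmatch(path) for path in snapshot)


def _file_mentions(snapshot: Snapshot, name: str, pattern: str) -> bool:
    text = snapshot.get(name, "")
    return re.search(pattern, text, re.IGNORECASE) is not None


RULES = [
    Rule("VDP-POLICY", "CRA Annex I Part II",
         "Coordinated vulnerability disclosure policy published (SECURITY.md)",
         lambda s: _has_file(s, r"security\.md")),
    Rule("VDP-CONTACT", "CRA Annex I Part II",
         "Disclosure policy names a security contact address",
         lambda s: _file_mentions(s, "SECURITY.md", r"[\w.+-]+@[\w-]+(\.[\w-]+)+")),
    Rule("PATCH-SLA", "CRA Annex I Part II",
         "Disclosure policy states a remediation timeline",
         lambda s: _file_mentions(s, "SECURITY.md", r"\b\d+\s*(hours|days)\b")),
    Rule("SBOM", "CRA Annex I Part II",
         "SBOM committed in CycloneDX or SPDX JSON form",
         lambda s: _has_file(s, r".*\.(cdx|spdx)\.json")),
    Rule("DEP-PINNED", "CRA Annex I Part I",
         "Dependencies pinned through a lockfile",
         lambda s: _has_file(s, r"(package-lock|packages\.lock)\.json")),
    Rule("IR-PLAN", "NIS2 Art. 21(2)",
         "Incident response procedure documented",
         lambda s: _has_file(s, r"(docs/)?incident[-_]response\.md")),
]


def evaluate(snapshot: Snapshot, rules: list[Rule] = RULES) -> dict:
    """Return the percentage score plus passed rule ids and the gap list."""
    passed, gaps = [], []
    for rule in rules:
        if rule.check(snapshot):
            passed.append(rule.id)
        else:
            gaps.append({"id": rule.id, "reference": rule.reference,
                         "description": rule.description})
    score = round(100 * len(passed) / len(rules)) if rules else 0
    return {"score": score, "passed": passed, "gaps": gaps}


# Constructed repository snapshot: has a policy with contact and SLA and a
# lockfile, but no SBOM and no incident response document.
SAMPLE_SNAPSHOT: Snapshot = {
    "SECURITY.md": ("Report vulnerabilities to security@example.com. We acknowledge "
                    "reports within 3 days and aim to ship fixes within 90 days."),
    "package-lock.json": "",
    "src/index.js": "",
}


if __name__ == "__main__":
    result = evaluate(SAMPLE_SNAPSHOT)
    print(f"Compliance score: {result['score']}%")
    for gap in result["gaps"]:
        print(f"  GAP {gap['id']} ({gap['reference']}): {gap['description']}")
```

Keeping each rule's clause reference next to its predicate is what makes the gap report auditable: a reviewer can argue with the reading of the clause instead of with a bare percentage.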
5. Report Generation #
Four output formats:
- HTML - Visual dashboards for stakeholder presentations
- Markdown - Documentation alongside code
- JSON - Machine-readable for CI/CD integration
- SARIF - Native GitHub/Azure DevOps Code Scanning integration
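How scored findings become a SARIF 2.1.0 log that GitHub and Azure DevOps code scanning can ingest, as an added Python example (not the project's reporter): severity bands map to SARIF `level`, each advisory becomes a rule carrying GitHub's `security-severity` property, and because a dependency finding has no line of code, the location points at the manifest that declares it. The findings and their ids are constructed placeholders; `helpUri` assumes the id is an OSV id, which is what the osv.dev/vulnerability/ URL pattern expects.

```python
"""Emit a SARIF 2.1.0 log from dependency findings.

Added example, not CypherGuard's reporter. The findings below are constructed
and their ids are placeholders.
"""
import json

SARIF_SCHEMA = "https://json.schemastore.org/sarif-2.1.0.json"

# CVSS qualitative band -> SARIF result level. SARIF has no "critical"; both
# Critical and High become "error" and the numeric score carries the rest.
_LEVEL = {"Critical": "error", "High": "error", "Medium": "warning", "Low": "note"}


def sarif_level(severity: str) -> str:
    return _LEVEL.get(severity, "none")


def to_sarif(findings: list[dict], tool_name: str, tool_version: str) -> dict:
    """Build one run: one rule per advisory id, one result per (package, advisory)."""
    rules: dict[str, dict] = {}
    results = []
    for f in findings:
        rules.setdefault(f["id"], {
            "id": f["id"],
            "shortDescription": {"text": f["summary"]},
            "helpUri": f"https://osv.dev/vulnerability/{f['id']}",
            "properties": {
                # GitHub code scanning reads this string to derive its own severity
                "security-severity": f"{f['score']:.1f}" if f["score"] is not None else "0.0",
                "tags": ["security", "supply-chain"],
            },
        })
        fix = f" Fixed in {', '.join(f['fixed_versions'])}." if f["fixed_versions"] else ""
        results.append({
            "ruleId": f["id"],
            "level": sarif_level(f["severity"]),
            "message": {"text": f"{f['package']}@{f['version']} is affected by {f['id']}.{fix}"},
            # No source line for a dependency: point at the manifest that declares it.
            "locations": [{"physicalLocation": {
                "artifactLocation": {"uri": f["manifest"], "uriBaseId": "%SRCROOT%"}}}],
            # Stable key so repeated scans update an alert instead of duplicating it.
            "partialFingerprints": {"dependency/v1": f"{f['package']}@{f['version']}:{f['id']}"},
        })
    return {
        "$schema": SARIF_SCHEMA,
        "version": "2.1.0",
        "runs": [{
            "tool": {"driver": {"name": tool_name, "version": tool_version,
                                "rules": list(rules.values())}},
            "results": results,
        }],
    }


# Constructed findings; ids are placeholders, not real advisories.
SAMPLE_FINDINGS = [
    {"id": "EXAMPLE-0000-0001", "summary": "Remote code execution via unsafe deserialization",
     "score": 9.8, "severity": "Critical", "package": "demo-web", "version": "2.2.0",
     "fixed_versions": ["2.3.1"], "manifest": "package.json"},
    {"id": "EXAMPLE-0000-0002", "summary": "Regular expression denial of service",
     "score": 5.3, "severity": "Medium", "package": "demo-utils", "version": "1.0.4",
     "fixed_versions": [], "manifest": "package.json"},
]


def build_sample_log() -> dict:
    return to_sarif(SAMPLE_FINDINGS, "example-scanner", "0.1.0")


if __name__ == "__main__":
    print(json.dumps(build_sample_log(), indent=2))
```

On GitHub the resulting file is uploaded with the `github/codeql-action/upload-sarif` action, which surfaces each result as a code scanning alert; the `security-severity` property is what lets GitHub show Critical rather than a flat "error".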
Architecture #
Clean Architecture with three layers:
```mermaid
flowchart TD
    CLI[CLI Layer - Entry Point]
    Core[Core Layer - Domain & Interfaces]
    Impl[Implementation Layers]
    Scanners[Scanners: NuGet, npm]
    Vulns[Vulnerabilities: OSV.dev]
    AI[AI: OpenAI GPT-4]
    Compliance[Compliance: CRA, NIS2]
    Reports[Reporting: HTML, MD, JSON, SARIF]
    Infra[Infrastructure: HTTP, Caching, DB]
    CLI --> Core
    Core --> Impl
    Impl --> Scanners
    Impl --> Vulns
    Impl --> AI
    Impl --> Compliance
    Impl --> Reports
    Impl --> Infra
    style CLI fill:#e1f5ff
    style Core fill:#fff3cd
    style Impl fill:#d4edda
    style Scanners fill:#f8f9fa
    style Vulns fill:#f8f9fa
    style AI fill:#f8f9fa
    style Compliance fill:#f8f9fa
    style Reports fill:#f8f9fa
    style Infra fill:#f8f9fa
```
Extensibility: New ecosystems (Python, Go, Rust) implement a single scanner interface. New compliance frameworks (SOC 2, ISO 27001) plug into the existing rule engine.
Tech Stack #
- .NET 8 - Cross-platform CLI framework
- C# - Primary language with async/await
- System.CommandLine - Command-line parsing
- OpenAI GPT-4 - AI risk analysis (via Betalgo.OpenAI)
- OSV.dev API - Vulnerability database
- Polly - Retry policies for API resilience
- LiteDB - Embedded caching for vulnerabilities
- Spectre.Console - Rich terminal UI
- Sarif.Sdk - Security report generation
- xUnit + Moq - Testing framework
Usage #
```bash
# Install as .NET global tool
dotnet tool install --global --add-source ./nupkg CypherGuard.CLI

# Full scan with AI analysis and compliance
cypherguard scan --ai --compliance --export report.html

# CI/CD integration (fails on high severity)
cypherguard scan --compliance --severity high --export sarif-report.json
```
Console output:
| Metric | Value |
|---|---|
| Total Dependencies | 45 |
| Vulnerabilities Found | 2 |
| Compliance Score | 85% |
| Status | ⚠ Warn |
Key Features #
- Multi-ecosystem support - NuGet (.NET) and npm (JavaScript/TypeScript)
- Real-time vulnerability data - OSV.dev API integration, no local database
- AI-powered translations - GPT-4 converts CVEs into business impact summaries
- EU compliance automation - First open-source tool with CRA and NIS2 checking
- Multiple output formats - HTML, Markdown, JSON, SARIF
- CI/CD ready - GitHub Actions, Azure DevOps, GitLab templates
- Embedded caching - LiteDB for fast repeated scans
- 100% self-compliant - The tool scores 100% on its own 20 CRA/NIS2 checks when scanning itself
Design Notes #
The challenge was translating EU regulations into executable checks. CRA and NIS2 requirements are legal text, not technical specifications—each of the 20 compliance rules required interpretation backed by tests.
AI integration needed careful prompt engineering: enough context for useful recommendations, but not so much that GPT-4 falls back to generic responses. The tool now sends structured vulnerability data together with project metadata for context-aware analysis.
Architecture supports three audiences through format selection: developers (CLI + SARIF for code scanning), managers (HTML with visual dashboards), compliance teams (JSON + Markdown for audit trails).