dobbe audit report

Run a comprehensive security posture audit on a repository.

Synopsis

dobbe audit report [OPTIONS]

Description

audit report performs a multi-dimensional security audit on a single GitHub repository. It runs a configurable set of checks (vulnerabilities, license compliance, secrets detection, code quality) and produces a structured report against a compliance template. Claude AI analyzes the repository using available MCP tools and local file access, then generates findings with severity ratings and remediation guidance.

When run from inside a git repository with no --repo flag, the command auto-detects the repository from the current working directory.

Flowchart

┌─────────────────────────────────────────────┐
│      dobbe audit report --repo org/repo     │
└──────────────────────┬──────────────────────┘
                       │
                       v
┌─────────────────────────────────────────────┐
│  Parse CLI args + merge config defaults      │
│  - format from --format or config            │
│  - checks from --checks or default (all 4)   │
└──────────────────────┬──────────────────────┘
                       │
                       v
┌─────────────────────────────────────────────┐
│  Auto-detect repo from CWD                   │
│  (when no --repo given)                      │
└──────────────────────┬──────────────────────┘
                       │
                       v
┌─────────────────────────────────────────────┐
│  Validate template                           │
│  (soc2, internal, custom only)               │
└──────────────────────┬──────────────────────┘
                       │
                       v
┌─────────────────────────────────────────────┐
│  Parse and validate checks                   │
│  (vuln, license, secrets, quality)           │
└──────────────────────┬──────────────────────┘
                       │
                       v
┌─────────────────────────────────────────────┐
│  Discover MCP servers                        │
│  (~/.claude/settings.json)                   │
└──────────────────────┬──────────────────────┘
                       │
                       v
┌─────────────────────────────────────────────┐
│  Run audit pipeline                          │
│  For the repo:                               │
│    - Build audit prompt (template + checks)  │
│    - Ask Claude                              │
│    - Tools: [Bash, Read, Grep, Glob] + MCP   │
│    - Uses cache unless --no-cache            │
└──────────────────────┬──────────────────────┘
                       │
                       v
┌─────────────────────────────────────────────┐
│  Build AuditReport                           │
│  - Aggregate findings per check type         │
│  - Save session for later reference          │
└──────────────────────┬──────────────────────┘
                       │
                       v
┌─────────────────────────────────────────────┐
│  Render output                               │
│  --format markdown (default) / json          │
│  --output file (optional)                    │
└──────────────────────┬──────────────────────┘
                       │
                       v
┌─────────────────────────────────────────────┐
│  Optional: Notify                            │
│  --notify slack -> post to --channel         │
│  --notify jira  -> create tickets            │
└─────────────────────────────────────────────┘

Options

Option           Type  Default                       Description
--repo / -r      str   -                             Single repo to audit (org/repo). When omitted, auto-detects from the current git directory.
--checks / -c    str   vuln,license,secrets,quality  Comma-separated check types to run. Valid values: vuln, license, secrets, quality.
--template / -t  str   internal                      Compliance template to audit against: soc2, internal, custom.
--format / -f    str   markdown                      Output format: json, markdown. Falls back to the config default if not specified.
--output         str   -                             Write output to a file instead of stdout.
--notify         str   -                             Send the report to a platform (slack, jira).
--channel        str   -                             Notification channel (e.g., #security-audits). Used with --notify.
--quiet / -q     bool  False                         Suppress progress output; only show the final result.
--no-cache       bool  False                         Skip the response cache and force a fresh analysis.

CWD Auto-Detect

When no --repo flag is provided, the command inspects the current working directory for a git remote and derives the org/repo slug automatically. This means you can simply cd into a repository and run:

dobbe audit report

If the directory is not a git repository or has no remote configured, the command will prompt for a repo.
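The slug derivation described above, as an added example that is not dobbe's own code: it reads the git remote of the working directory and maps the common GitHub URL forms (scp-style SSH, ssh://, https://) to org/repo, returning None where the page says the command would have to prompt instead. The function names and the choice of the "origin" remote are assumptions.

```python
from __future__ import annotations

import re
import subprocess
from pathlib import Path

# Hypothetical helpers, not dobbe's implementation.
_REMOTE_PATTERNS = (
    # scp-style SSH: git@github.com:acme/web-app.git
    re.compile(r"^[\w.-]+@(?P<host>[\w.-]+):(?P<path>.+)$"),
    # ssh:// or https:// with optional user and port
    re.compile(r"^(?:ssh|https?|git)://(?:[\w.-]+@)?(?P<host>[\w.-]+)(?::\d+)?/(?P<path>.+)$"),
)


def slug_from_remote(url: str) -> str | None:
    """Return 'org/repo' for a GitHub remote URL, or None if it cannot be mapped."""
    url = url.strip()
    for pattern in _REMOTE_PATTERNS:
        m = pattern.match(url)
        if not m:
            continue
        if m.group("host").lower() != "github.com":
            return None  # only github.com remotes map to a dobbe org/repo slug
        parts = [p for p in m.group("path").strip("/").split("/") if p]
        if len(parts) != 2:
            return None  # nested paths or a bare org are not org/repo
        org, repo = parts
        if repo.endswith(".git"):
            repo = repo[:-4]
        return f"{org}/{repo}" if org and repo else None
    return None


def detect_repo(cwd: Path | None = None) -> str | None:
    """Derive the slug from the 'origin' remote of the repo containing cwd.

    Returns None outside a git repository, when no remote is configured,
    or when git is not installed (the cases where the CLI prompts instead).
    """
    try:
        out = subprocess.run(
            ["git", "-C", str(cwd or Path.cwd()), "remote", "get-url", "origin"],
            capture_output=True, text=True, check=True,
        )
    except (subprocess.CalledProcessError, FileNotFoundError):
        return None
    return slug_from_remote(out.stdout)
```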

Response Caching

Audit results are cached by default. Subsequent runs against the same repository with the same checks and template will return the cached response, saving time and tokens. Use --no-cache to force a fresh analysis when the repository has changed since the last audit.
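An added example, not dobbe's own code, of the cache behaviour described above: the key is built only from the repo slug, the validated and canonically ordered check set, and the template, so reordered --checks values hit the same entry, a different template misses, and --no-cache bypasses the lookup. Names, the in-memory store and the case-insensitive slug comparison are assumptions.

```python
from __future__ import annotations

import hashlib
import json

# Hypothetical validation and cache-key logic, not dobbe's implementation.
VALID_CHECKS = ("vuln", "license", "secrets", "quality")
VALID_TEMPLATES = ("soc2", "internal", "custom")


def parse_checks(raw: str | None) -> tuple[str, ...]:
    """Parse --checks; None means the default of all four. Unknown values raise."""
    if raw is None:
        return VALID_CHECKS
    checks = {c.strip().lower() for c in raw.split(",") if c.strip()}
    unknown = checks - set(VALID_CHECKS)
    if unknown or not checks:
        raise ValueError(f"invalid --checks {raw!r}; valid: {', '.join(VALID_CHECKS)}")
    # Canonical order so 'secrets,vuln' and 'vuln,secrets' share one cache entry.
    return tuple(c for c in VALID_CHECKS if c in checks)


def cache_key(repo: str, checks: tuple[str, ...], template: str) -> str:
    if template not in VALID_TEMPLATES:
        raise ValueError(f"invalid --template {template!r}; valid: {', '.join(VALID_TEMPLATES)}")
    # The key carries no repository content, so a changed repo still hits the
    # old entry until the caller passes --no-cache (assumed: slugs are case-insensitive).
    payload = json.dumps({"repo": repo.lower(), "checks": checks, "template": template},
                         sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(payload.encode()).hexdigest()


class ResponseCache:
    """In-memory stand-in for the on-disk response cache, showing the lookup flow."""

    def __init__(self) -> None:
        self._entries: dict[str, dict] = {}
        self.misses = 0

    def get_or_run(self, repo, raw_checks, template, run, *, no_cache=False):
        key = cache_key(repo, parse_checks(raw_checks), template)
        if not no_cache and key in self._entries:
            return self._entries[key]
        self.misses += 1
        self._entries[key] = run()  # fresh analysis replaces any stale entry
        return self._entries[key]
```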

Examples

Audit the current repository with all default checks

cd ~/projects/my-api
dobbe audit report

Audit a specific repository

dobbe audit report --repo acme/web-app

Run only vulnerability and secrets checks

dobbe audit report --repo acme/web-app --checks vuln,secrets

SOC 2 compliance audit with JSON output

dobbe audit report --repo acme/web-app --template soc2 --format json --output audit-soc2.json

Audit and notify Slack

dobbe audit report --repo acme/web-app --notify slack --channel "#security-audits"

Force fresh analysis (skip cache)

dobbe audit report --repo acme/web-app --no-cache

Quiet mode for CI pipelines

dobbe audit report --repo acme/web-app --format json --quiet --output audit.json

See Also