Who it's for
- CMMC Level 2 contractors and subcontractors managing software supply chain risk
- Teams that need audit-ready evidence without a SaaS dependency or cloud uploads
- Organizations where dependency files cannot leave the local network
- Contractors building POA&M documentation for a C3PAO assessment
Quick start
Three commands to your first scan.
01
Pull the image
No account required — just Docker installed on your machine.
docker pull swynnjr/risksnap02
Scan your dependency manifest
Create a data directory once so scan history persists in a fixed location, then run the scan.
mkdir -p ~/risksnap-datadocker run --rm -v ~/risksnap-data:/data swynnjr/risksnap \
scan /data/requirements.txt --output-dir /dataWindows (PowerShell): use an absolute path, e.g. -v C:\Users\you\risksnap-data:/data
03
Get audit-ready output
RiskSnap writes directly to your output directory — nothing leaves your machine.
- PDF evidence pack with full traceability
- CSV with scored findings
- Scan history tracked locally across projects
Supported input formats
CycloneDX JSON
SBOM standard
SPDX JSON
SBOM standard
requirements.txt
Python
package-lock.json
Node.js
Features
Free
No cost · no account
- Native scanning for Python (requirements.txt) and Node.js (package-lock.json) · SBOM scanning via CycloneDX and SPDX for any ecosystem
- Audit-grade PDF evidence packs
- Scan history across multiple projects
- POA&M item visibility
- CSV export of findings and POA&M data
- Web interface (Streamlit) and command-line modes
- Runs entirely locally — your dependency files never leave your network
Professional
$1,000/yr · Annual subscription
- White-label PDFs with your organization's branding
- Software asset inventory — CMMC CM.L2-3.4.1 evidence (CSV + PDF)
- Delta reports — audit-grade remediation evidence over time
- POA&M sync from scans
- POA&M editing (CLI and web UI)
- CSV import/export round-trip for team collaboration
- POA&M PDF generation in conventional CMMC format
License availability coming soon. Contact security@wynn-systems.com for early access.
Enterprise
Custom seat counts · volume pricing · invoicing and PO options available. Contact us to evaluate your needs.
Found a bug or need help? Contact us →
What you get
Audit-ready outputs from every scan.
Upload a dependency manifest. RiskSnap scans against OSV and CISA KEV and produces a scored risk summary — no account, no external upload.
Licensed POA&M workflow: sync findings, assign owners, edit remediation plans, generate audit-ready PDFs. All data stays local.
Full feature set available via command line for automation and CI integration.
Dated, traceable evidence pack with full vulnerability scoring metadata. Supports CMMC Level 2 RA.L2-3.11.2 documentation.
POA&M summary table with stable POAM IDs, status, severity, and target dates — conventional CMMC POA&M format.
Per-POA&M detail: control references, weakness description, remediation plan, responsible party, and closure tracking.
Privacy & security
Your files stay on your machine.
- All processing happens inside the Docker container on your machine
- Dependency files are never uploaded to any external server
- One optional network call: license validation — only when a license key is provided, cached 24 hours locally
- Security contact: security@wynn-systems.com
Compliance note
RiskSnap is not "CMMC certified." There is no DoD or Cyber AB certification for vulnerability scanning tools. RiskSnap produces documentation that can support a contractor's CMMC Level 2 audit, but final compliance determination is the responsibility of the assessing C3PAO. Always verify with your CMMC consultant or assessor that the evidence RiskSnap produces meets the requirements of your specific engagement.
FAQ
Do I need a Docker Hub account to use RiskSnap?
No account needed.
docker pull swynnjr/risksnap works with just Docker installed on your machine — no sign-in required for the free tier.Does RiskSnap upload my dependency files?
Never. All scanning happens inside the container on your machine. The only optional network call is license validation when a license key is present, and that call never includes your dependency data.
What ecosystems does the free tier cover?
Natively: Python (
requirements.txt) and Node.js (package-lock.json). Via SBOM: any ecosystem your CycloneDX or SPDX SBOM describes — including Java/Maven, Go, Rust, and more. Bring a pre-generated SBOM from tools like the CycloneDX Maven plugin or Syft.Is RiskSnap only for CMMC contractors?
It's designed with CMMC Level 2 audit workflows in mind, but it's useful for any team that needs structured vulnerability evidence and POA&M documentation without a SaaS dependency.