hexr audit gives you a security snapshot of your agent at any point — before a push, after a deploy, or on a CI schedule. It runs three checks in sequence: Python dependency vulnerability scanning via pip-audit, CycloneDX SBOM generation for compliance, and optional drift detection that compares your generated manifests against what is actually running in the cluster. You can run it standalone or integrate it into your deployment pipeline as a gate.

Usage

hexr audit [options]

Default scan

Running hexr audit with no flags executes all three checks and prints a consolidated report:
$ hexr audit

╔═══════════════════════════════════════════════════╗
              Hexr Security Audit
╚═══════════════════════════════════════════════════╝

[1/3] Dependency Vulnerabilities (pip-audit)
 Scanned 47 packages
  2 vulnerabilities found:
 requests 2.31.0 CVE-2024-xxxxx (Medium) — fix: 2.32.0
 cryptography 41.0.0 CVE-2024-xxxxx (Low) — fix: 42.0.0

[2/3] SBOM Generation (CycloneDX)
 Generated CycloneDX SBOM
 47 components cataloged

[3/3] Container Image Scan
 Base image: python:3.11-slim
 0 critical, 0 high vulnerabilities
Summary: 2 medium/low issues. No critical risks.

Options

--export <file>   (path)
    Export the CycloneDX SBOM to a file for use in compliance workflows or artifact storage.

    hexr audit --export sbom.json

--verify   (flag)
    Run drift detection — compare the generated manifests in .hexr/ against the live Kubernetes state for your tenant namespace. Useful for detecting out-of-band changes or failed partial deployments.

    $ hexr audit --verify

    Drift Detection:
     namespace.yaml matches
     rbac.yaml matches
     agent-pod.yaml drift detected:
        - Image tag: expected v1.0.0, found v0.9.0
        - Memory limit: expected 512Mi, found 256Mi

--fix   (flag)
    Auto-remediate fixable vulnerabilities by updating pinned dependency versions.

    hexr audit --fix

What gets audited

Check                 Tool                    Description
Python dependencies   pip-audit               Known CVEs in all installed packages
SBOM generation       CycloneDX               Software bill of materials for compliance reporting
Container image       Vulnerability scanner   OS-level CVEs in the base image layers
Manifest drift        kubectl diff            Live cluster state vs. generated manifests
Add hexr audit --export sbom.json to your CI pipeline after hexr push to capture a signed SBOM for every release artifact.
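The pipeline gate described above, as an added example that is not hexr's own code: a shell function that reads a saved `hexr audit` report and fails the job on any dependency finding above a chosen severity, any critical/high CVE in the image scan, or any manifest drift. It assumes the text layout of the report shown on this page and uses a constructed sample report rather than calling hexr, so it runs offline.

```bash
# Added example, not part of hexr: a CI gate over a saved `hexr audit` report.
# Assumes the report layout shown above: one "(Severity)" per dependency finding,
# an "N critical, M high" line for the image scan, "drift detected" on drift lines.

sev_rank() {  # severity word -> number, so thresholds compare numerically
  case "$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]')" in
    critical) echo 4 ;; high) echo 3 ;; medium) echo 2 ;; low) echo 1 ;; *) echo 0 ;;
  esac
}

# hexr_gate REPORT_FILE [MAX_ALLOWED]: return 0 when every dependency finding is at
# or below MAX_ALLOWED (default medium), the image scan has no critical/high CVEs,
# and no manifest drift was reported; return 1 (block the pipeline) otherwise.
hexr_gate() {
  report="$1"; limit=$(sev_rank "${2:-medium}"); worst=0
  # Dependency findings look like "... CVE-2024-xxxxx (Medium) fix: 2.32.0"
  for sev in $(grep -Eo '\((Critical|High|Medium|Low)\)' "$report" | tr -d '()'); do
    r=$(sev_rank "$sev"); [ "$r" -gt "$worst" ] && worst=$r
  done
  if [ "$worst" -gt "$limit" ]; then
    echo "gate: dependency finding above allowed severity (${2:-medium})" >&2; return 1
  fi
  # Image scan line: "N critical, M high vulnerabilities"; any non-zero count blocks
  for n in $(grep -E '[0-9]+ critical, [0-9]+ high' "$report" | tr -dc '0-9 '); do
    [ "$n" -gt 0 ] && { echo "gate: image has critical/high CVEs" >&2; return 1; }
  done
  if grep -q 'drift detected' "$report"; then
    echo "gate: manifest drift detected" >&2; return 1
  fi
  return 0
}

# Constructed sample reports mirroring the page's output (variant: clean|drifted|high).
write_sample_report() {
  cat > "$1" <<'EOF'
[1/3] Dependency Vulnerabilities (pip-audit)
 requests 2.31.0 CVE-2024-xxxxx (Medium) fix: 2.32.0
 cryptography 41.0.0 CVE-2024-xxxxx (Low) fix: 42.0.0
[3/3] Container Image Scan
 0 critical, 0 high vulnerabilities
EOF
  case "$2" in
    drifted) printf 'Drift Detection:\n agent-pod.yaml drift detected:\n' >> "$1" ;;
    high)    printf ' somepkg 1.0.0 CVE-2024-xxxxx (High) fix: 1.0.1\n' >> "$1" ;;
  esac
}
tmp=$(mktemp); write_sample_report "$tmp" clean
hexr_gate "$tmp" medium && echo "audit gate passed: pipeline may proceed"
rm -f "$tmp"
```

In a real pipeline, pipe the live output into a file (`hexr audit --verify | tee audit.txt`) and call `hexr_gate audit.txt high` after `hexr push`.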