I built a free compliance scanner because the enterprise ones cost more than my rent
dev.to
I'm a cybersecurity engineer — 7 years in, currently a Security Policy Analyst, previously an Application Security Architect. I started building a SaaS product on the side and immediately hit a wall: how do I prove this thing is compliant without spending $50k on GRC tooling? So I built the compliance mapping myself. Then I realized it was more useful than the SaaS it was meant to protect.

The problem

You run npm audit. You get 47 vulnerabilities. Now what? Which ones violate SOC 2
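To make the "47 vulnerabilities, now what?" problem concrete, here is an added example (my own illustration, not the author's scanner and not its mapping logic) that parses the JSON `npm audit --json` emits (auditReportVersion 2) and sorts findings into action buckets. The package names, advisories and the triage policy (anything high or critical must be fixed or have a documented plan; everything else is backlog) are constructed assumptions for the demo, not real advisories and not a SOC 2 control mapping.

```python
import json
from collections import Counter

# Constructed sample in the shape of `npm audit --json` (auditReportVersion 2).
# Package names and advisory titles are made up for this example.
SAMPLE_AUDIT_JSON = json.dumps({
    "auditReportVersion": 2,
    "vulnerabilities": {
        "pkg-a": {
            "name": "pkg-a", "severity": "critical", "isDirect": True,
            "via": [{"title": "constructed advisory 1", "severity": "critical", "range": "<1.2.0"}],
            "effects": [], "range": "<1.2.0", "nodes": ["node_modules/pkg-a"],
            "fixAvailable": True,
        },
        "pkg-b": {
            "name": "pkg-b", "severity": "moderate", "isDirect": False,
            "via": [{"title": "constructed advisory 2", "severity": "moderate", "range": "<0.9.0"}],
            "effects": [], "range": "<0.9.0", "nodes": ["node_modules/pkg-b"],
            "fixAvailable": True,
        },
        "pkg-c": {
            # Vulnerable only because it depends on pkg-d: `via` holds a package name, not an advisory.
            "name": "pkg-c", "severity": "high", "isDirect": False,
            "via": ["pkg-d"], "effects": [], "range": "*",
            "nodes": ["node_modules/pkg-c"], "fixAvailable": False,
        },
        "pkg-d": {
            "name": "pkg-d", "severity": "high", "isDirect": True,
            "via": [{"title": "constructed advisory 3", "severity": "high", "range": "<2.0.0"}],
            "effects": ["pkg-c"], "range": "<2.0.0", "nodes": ["node_modules/pkg-d"],
            # npm reports an object here when the fix is a semver-major bump.
            "fixAvailable": {"name": "pkg-d", "version": "2.0.0", "isSemVerMajor": True},
        },
    },
})

SEVERITY_RANK = {"info": 0, "low": 1, "moderate": 2, "high": 3, "critical": 4}


def parse_audit(raw: str) -> list[dict]:
    """Flatten the per-package entries of an npm audit report into plain findings."""
    data = json.loads(raw)
    findings = []
    for name, entry in data.get("vulnerabilities", {}).items():
        # `via` mixes advisory objects (root causes) with strings naming other vulnerable deps.
        advisories = [a for a in entry.get("via", []) if isinstance(a, dict)]
        fix = entry.get("fixAvailable")
        findings.append({
            "package": name,
            "severity": entry.get("severity", "info"),
            "direct": bool(entry.get("isDirect")),
            # True or an object (semver-major fix) both mean a fix exists; False/None mean none.
            "fix_available": fix is True or isinstance(fix, dict),
            "semver_major_fix": isinstance(fix, dict) and bool(fix.get("isSemVerMajor")),
            "transitive_only": not advisories,
            "advisories": [a.get("title", "") for a in advisories],
        })
    return findings


def severity_counts(findings: list[dict]) -> Counter:
    """Headline numbers, the same totals `npm audit` prints at the bottom of its report."""
    return Counter(f["severity"] for f in findings)


def triage(findings: list[dict], min_severity: str = "high") -> dict[str, list[dict]]:
    """Assumed policy: at/above threshold with a fix -> fix now; without a fix -> needs a
    documented plan; below threshold -> backlog. Direct deps sort first inside each bucket."""
    threshold = SEVERITY_RANK[min_severity]
    buckets = {"fix_now": [], "needs_plan": [], "backlog": []}
    for f in findings:
        if SEVERITY_RANK.get(f["severity"], 0) < threshold:
            buckets["backlog"].append(f)
        elif f["fix_available"]:
            buckets["fix_now"].append(f)
        else:
            buckets["needs_plan"].append(f)
    for bucket in buckets.values():
        bucket.sort(key=lambda f: (not f["direct"], -SEVERITY_RANK.get(f["severity"], 0)))
    return buckets


if __name__ == "__main__":
    fs = parse_audit(SAMPLE_AUDIT_JSON)
    print(dict(severity_counts(fs)))
    for bucket, items in triage(fs).items():
        print(bucket, [(f["package"], f["severity"], "direct" if f["direct"] else "transitive") for f in items])
```

Running it against a real report is `npm audit --json > audit.json` and `parse_audit(open("audit.json").read())`. The point of the buckets is that a raw count of 47 is not a policy answer; what matters is which findings cross your threshold, whether a fix exists, and whether the fix is a breaking bump that needs planning rather than a one-line `npm update`.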