
Automating the Audit Trail: How I Built a GitHub Screenshoter for Zero-Friction SOC 2 Compliance

It’s audit season. And if you’re a SaaS startup, you know exactly what that means.
The dreaded “Change Management” evidence request.

Some auditor sends you a list of 15 random commit SHAs from your production branch and says: “Prove to me that every single one of these was reviewed, approved, and linked to a ticket.”

Your heart sinks.

You know you’re about to spend the next four hours of your life doing the most mind-numbing task in tech: opening GitHub, finding the commit, taking a screenshot, finding the PR, taking a screenshot, finding the issue, taking a screenshot, and pasting it all into a PDF.

It’s manual. It’s painful. And it’s a complete waste of engineering time.

So, I built a tool to kill this pain once and for all: GitHub Screenshoter.

How It Works: Automating the Audit Trail

The idea is simple. You give it a list of commit SHAs, and it does the rest.

It talks to the GitHub API, finds the associated Pull Request, extracts the linked issue number from the PR title, and captures visual proof of the entire chain.

But we didn’t just want a simple script.
We wanted something that actually handles the real-world edge cases of compliance.
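One way to model the chain the tool walks, as an added example rather than the GitHub Screenshoter project's own code. The pull-request lookup is injected so the example runs offline; against GitHub it would wrap the `GET /repos/{owner}/{repo}/commits/{sha}/pulls` endpoint through Octokit and be awaited. The ticket-reference pattern (`#123` or `GH-123` in the PR title) and the sample data are assumptions; the point is that a commit with no PR, an unmerged PR, or a PR title with no ticket reference is recorded as a finding rather than silently producing an incomplete screenshot set.

```typescript
// Added example, not the GitHub Screenshoter project's own code: walk the
// commit -> pull request -> issue chain the tool captures and record where it
// breaks. `pullsForCommit` is an injected lookup so the example runs offline;
// against GitHub it would wrap GET /repos/{owner}/{repo}/commits/{sha}/pulls
// via Octokit and be awaited.

interface PullRequestSummary {
  number: number;
  title: string;
  merged: boolean;
}

type PullsForCommit = (sha: string) => PullRequestSummary[];

interface EvidenceChain {
  sha: string;
  prNumber: number | null;
  issueNumber: number | null;
  findings: string[]; // empty when the chain is complete
}

// Assumed ticket convention in PR titles: "#123" or "GH-123" anywhere in the title.
const ISSUE_REF = /(?:#|GH-)(\d+)/i;

function extractIssueNumber(title: string): number | null {
  const m = ISSUE_REF.exec(title);
  return m ? Number.parseInt(m[1], 10) : null;
}

function resolveChain(sha: string, pullsForCommit: PullsForCommit): EvidenceChain {
  const findings: string[] = [];
  const pulls = pullsForCommit(sha);
  // A commit can belong to several PRs; the merged one is the change-management record.
  const pr: PullRequestSummary | undefined = pulls.find((p) => p.merged) ?? pulls[0];
  if (pr === undefined) {
    findings.push("no pull request references this commit (possible direct push to the release branch)");
    return { sha, prNumber: null, issueNumber: null, findings };
  }
  if (!pr.merged) findings.push(`PR #${pr.number} was never merged`);
  const issueNumber = extractIssueNumber(pr.title);
  if (issueNumber === null) {
    findings.push(`PR #${pr.number} has no ticket reference in its title: "${pr.title}"`);
  }
  return { sha, prNumber: pr.number, issueNumber, findings };
}

// Constructed stand-in for API responses, keyed by commit SHA.
const SAMPLE_PULLS: Record<string, PullRequestSummary[]> = {
  a1b2c3d: [{ number: 42, title: "Rotate signing keys (fixes #17)", merged: true }],
  d4e5f6a: [{ number: 43, title: "Quick hotfix", merged: true }],
  "0f0f0f0": [],
};

const sampleLookup: PullsForCommit = (sha) => SAMPLE_PULLS[sha] ?? [];

// Resolves every SHA on the auditor's list and separates complete chains from findings.
function auditCommits(
  shas: string[],
  lookup: PullsForCommit,
): { clean: EvidenceChain[]; flagged: EvidenceChain[] } {
  const chains = shas.map((sha) => resolveChain(sha, lookup));
  return {
    clean: chains.filter((c) => c.findings.length === 0),
    flagged: chains.filter((c) => c.findings.length > 0),
  };
}
```

The `flagged` list is the part an auditor will actually ask about: a commit that reached the production branch without a PR is itself a change-management exception, and surfacing it up front is better than discovering it while pasting screenshots.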

The Real-World Challenge: Private Repos and Auth

If you’ve ever tried to automate screenshots of GitHub, you know the biggest bottleneck: authentication.

Most tools fail here. They either require you to hardcode session cookies (which is a security nightmare) or they only work on public repos.

We solved this with two distinct modes:

  1. Live Mode (--login): You run npm run login. It opens a visible browser, you log in once, and it saves a secure, local session state (auth/github.json). Subsequent runs use this session to capture real, live GitHub pages headlessly. Perfect for private repos.
  2. API-Rendered Fallback: What if you’re running this in a clean CI environment where interactive login is impossible? If no session exists, the tool automatically falls back to the GitHub REST API. It fetches the raw commit, PR, and issue data via Octokit, renders a beautiful, local, GitHub-styled HTML page (complete with dark mode CSS), and screenshots that.

Yes — as crazy as it sounds, you get perfect, audit-ready screenshots without ever having to log in interactively.
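A sketch of the API-rendered fallback, added here as an example and not the project's own renderer. Two things a practitioner will care about in this mode: the saved session file (auth/github.json) holds a logged-in GitHub session and so belongs outside version control with the same handling as any other credential, and the data the fallback renders (commit messages, PR and issue titles) is written by whoever pushed it, so it is untrusted input that must be HTML-escaped before it is placed in a page the headless browser will load. The `ChainData` shape, the sample record and the minimal stylesheet are assumptions standing in for the tool's own data model and dark-mode CSS.

```typescript
// Added example, not the project's own renderer: the API-rendered fallback
// turns commit, PR and issue data into a local HTML page for the headless
// browser to screenshot. Commit messages and titles are written by whoever
// pushed them, so they are untrusted input and every string field is
// HTML-escaped before it lands in the page; the stylesheet is a minimal
// stand-in for the tool's dark-mode CSS.

interface ChainData {
  sha: string;
  author: string;
  commitMessage: string;
  prNumber: number;
  prTitle: string;
  issueNumber: number | null;
  issueTitle: string | null;
}

const HTML_ESCAPES: Record<string, string> = {
  "&": "&amp;",
  "<": "&lt;",
  ">": "&gt;",
  '"': "&quot;",
  "'": "&#39;",
};

function escapeHtml(s: string): string {
  return s.replace(/[&<>"']/g, (c) => HTML_ESCAPES[c]);
}

function renderEvidencePage(d: ChainData): string {
  // Numbers are interpolated as-is; every string goes through escapeHtml.
  const issueSection =
    d.issueNumber === null
      ? '<section class="missing">No linked issue found in the PR title</section>'
      : `<section><h2>Issue #${d.issueNumber}</h2><p>${escapeHtml(d.issueTitle ?? "")}</p></section>`;
  return [
    '<!doctype html><html><head><meta charset="utf-8"><title>Evidence</title>',
    "<style>body{background:#0d1117;color:#c9d1d9;font-family:sans-serif}.missing{color:#f85149}</style>",
    "</head><body>",
    `<section><h2>Commit ${escapeHtml(d.sha)}</h2><p>by ${escapeHtml(d.author)}</p><pre>${escapeHtml(d.commitMessage)}</pre></section>`,
    `<section><h2>PR #${d.prNumber}</h2><p>${escapeHtml(d.prTitle)}</p></section>`,
    issueSection,
    "</body></html>",
  ].join("\n");
}

// Constructed sample whose commit message contains markup, as a contributor's could.
const SAMPLE_CHAIN: ChainData = {
  sha: "a1b2c3d",
  author: "dev@example.com",
  commitMessage: "Fix login <script>alert(1)</script>",
  prNumber: 42,
  prTitle: "Rotate signing keys (fixes #17)",
  issueNumber: 17,
  issueTitle: "Signing keys older than 90 days",
};

function renderSample(): string {
  return renderEvidencePage(SAMPLE_CHAIN);
}
```

Because the rendered page is what gets screenshotted and embedded in report.html, escaping here protects both the browser that takes the screenshot and anyone who later opens the report.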

Built for Speed and Compliance

We didn’t want this to take forever, so we built it with concurrency and caching in mind:

  • Parallel Processing: By default, it processes up to 5 commits concurrently using a custom concurrency helper (src/utils/concurrency.ts).
  • Smart Caching: It checks output/images/ first. If a screenshot already exists, it skips it. No wasted API calls or browser cycles unless you pass --force.
  • Audit-Ready Output: It doesn’t just dump images into a folder. It generates a structured report-data.json for your records, a styled report.html with all screenshots embedded, and—if you pass --createPDF—a print-ready, landscape A4 PDF (report.pdf) that you can hand directly to your auditor.

Running it is as simple as:

npm run report -- commits.json --createPDF
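The concurrency-plus-caching behaviour described above, written out as an added example that is not the project's src/utils/concurrency.ts. The output directory and the screenshot step are replaced by injected `exists` and `capture` callbacks so it runs offline; the fake environment, the sample SHAs and the `--force` flag's mapping onto the `force` option are assumptions. It shows the part the bullets only imply: a bounded worker pool that preserves input order, a cache check that is bypassed by `force`, and a per-commit failure that is recorded instead of aborting the whole report.

```typescript
// Added example, not the project's src/utils/concurrency.ts: a bounded
// concurrency helper and the skip-if-already-captured check, with the output
// directory and the browser replaced by injected `exists` and `capture`
// callbacks so the example runs offline.

async function mapWithConcurrency<T, R>(
  items: T[],
  limit: number,
  fn: (item: T) => Promise<R>,
): Promise<R[]> {
  if (limit < 1) throw new RangeError("limit must be at least 1");
  const results: R[] = new Array(items.length);
  let next = 0;
  // Each worker pulls the next index until the queue is empty, so at most
  // `limit` calls to fn are in flight; results keep the input order.
  const worker = async (): Promise<void> => {
    while (next < items.length) {
      const i = next++;
      results[i] = await fn(items[i]);
    }
  };
  await Promise.all(Array.from({ length: Math.min(limit, items.length) }, worker));
  return results;
}

type Outcome = { sha: string; status: "captured" | "cached" | "failed"; reason?: string };

interface CaptureOptions {
  force: boolean; // --force re-captures even when the image already exists
  exists: (path: string) => boolean;
  capture: (sha: string, path: string) => Promise<void>;
}

async function captureAll(shas: string[], limit: number, opts: CaptureOptions): Promise<Outcome[]> {
  return mapWithConcurrency(shas, limit, async (sha): Promise<Outcome> => {
    const path = `output/images/${sha}.png`;
    if (!opts.force && opts.exists(path)) return { sha, status: "cached" };
    try {
      await opts.capture(sha, path);
      return { sha, status: "captured" };
    } catch (e) {
      // One failed capture must not abort the report; it is recorded so the gap is visible.
      return { sha, status: "failed", reason: e instanceof Error ? e.message : String(e) };
    }
  });
}

// Constructed in-memory stand-in for output/images/ and the screenshot step.
function makeFakeEnvironment() {
  const files = new Set<string>(["output/images/aaa111.png"]);
  let inFlight = 0;
  let peak = 0;
  const capture = async (sha: string, path: string): Promise<void> => {
    inFlight++;
    peak = Math.max(peak, inFlight);
    await new Promise<void>((resolve) => setTimeout(resolve, 5));
    inFlight--;
    if (sha === "bad000") throw new Error("commit not found (404)");
    files.add(path);
  };
  return { files, capture, exists: (p: string) => files.has(p), peak: () => peak };
}

async function demo(): Promise<{ outcomes: Outcome[]; peak: number; files: number }> {
  const env = makeFakeEnvironment();
  const shas = ["aaa111", "bbb222", "ccc333", "ddd444", "bad000", "eee555"];
  const outcomes = await captureAll(shas, 2, { force: false, exists: env.exists, capture: env.capture });
  return { outcomes, peak: env.peak(), files: env.files.size };
}
```

With a limit of 2 the fake environment never sees more than two captures in flight, the pre-existing aaa111 image is reported as cached, and bad000 comes back as failed with its reason attached, which is what you want written into report-data.json rather than a half-finished run.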

The Uncomfortable Truth About Point-Tools

This tool is a lifesaver. It turns a 4-hour manual headache into a 30-second CLI command.

But let’s be honest.

Point-tools like this only solve one symptom of a larger disease.

Compliance today is broken for SMBs and SaaS startups.
It’s fragmented.
Expensive.
Manual.
And worst of all—reactive.

You shouldn’t have to maintain a suite of custom scripts, CLI tools, and browser automation setups just to prove you are doing what you said you would do.
Most companies treat compliance like documentation. It’s not.

It’s continuous enforcement of controls across your entire environment.

If you are spending your engineering hours writing screenshot scripts, managing API keys, and compiling PDFs for auditors, you are losing focus on what actually matters: building your product and growing your business.

Compliance as a Continuous System

This is exactly why we built Espresso Labs.

We believe compliance shouldn’t be a point-in-time project or a mad scramble before audit day. It should be a continuous, automated service.

The Espresso Labs platform brings IT, cybersecurity, and compliance together into a single intelligent system. It doesn’t just give you checklists—it actually maps and enforces your controls across your entire environment, 24/7.

  • Continuous Evidence Collection: Instead of running scripts manually, Espresso Labs automatically collects, stores, and retrieves audit-ready evidence in real time.
  • Automated Drift Detection: If a device falls behind on patches, encryption is disabled, or a configuration drifts out of compliance, Espresso detects and remediates it automatically.
  • Zero-Friction Audits: When audit day arrives, you don’t scramble. Your compliance record is already living, current, and validated.

Stop wasting engineering hours on manual screenshotting and point-tool juggling.

If you’re preparing for an audit, tired of spreadsheets, or losing deals because of compliance friction, check out how the Espresso Labs platform can make your SOC 2 easier.


Discover more from Ido Green
