diff --git a/scripts/audit b/scripts/audit
new file mode 100755
index 0000000..079624d
--- /dev/null
+++ b/scripts/audit
@@ -0,0 +1,26 @@
+#!/bin/bash
+[ -f /.dockerenv ] || { echo "please run in supplied container"; exit 1; }
+set -e; source environment
+
+build_dir="${BUILD_DIR?}"
+audit_dir="${BUILD_DIR?}/audit"
+buildroot_dir="${build_dir}/buildroot"
+heads_dir="${build_dir}/heads"
+
+mkdir -p ${audit_dir}
+
+echo version "${VERSION}"
+openssl sha256 -r ${buildroot_dir}/dl/*/*.tar.* > ${audit_dir}/os_src_hashes.txt
+openssl sha256 -r ${heads_dir}/packages/* > ${audit_dir}/fw_src_hashes.txt
+
+cat ${audit_dir}/os_src_hashes.txt \
+	${audit_dir}/fw_src_hashes.txt \
+	| sed 's/ .*\// /g' \
+	| awk '{ t = $1; $1 = $2; $2 = t; print;}' \
+	| sort \
+	| uniq \
+	> ${audit_dir}/hashes.txt
+
+(cd ${buildroot_dir} && make cpe-info legal-info)
+cp ${buildroot_dir}/output/cpe-manifest.csv ${audit_dir}/cpe-manifest.csv
+cp -R ${buildroot_dir}/output/legal-info ${audit_dir}/legal-info