Every time a pod starts, StackRadar scans it and generates an SBOM — a complete inventory of every package and library inside the container. New vulnerabilities surface in your dashboard. No manual scans. No blind spots between deploys.
# 1. Export your credentials
$ export STACKRADAR_API_KEY=<your-api-key>$ export STACKRADAR_CLUSTER_ID=<your-cluster-id>
# 2. Install the Helm chart from OCI registry
$ helm install stackradar-scanner \
oci://ghcr.io/lockdep/charts/stackradar-scanner \
--namespace stackradar --create-namespace \
--set stackradar.apiKey=$STACKRADAR_API_KEY \
--set stackradar.clusterId=$STACKRADAR_CLUSTER_IDFrom helm install to full cluster visibility
Only the SBOM (CycloneDX JSON) crosses the line — your container images and source code never leave the cluster.
Deploy the StackRadar Helm chart into your Kubernetes cluster. One command, works on EKS, GKE, AKS, or any conformant cluster.
▸ scanner online — sweeping cluster
The scanner deploys as a long-running Kubernetes agent that watches your cluster for pod changes. New or updated images are detected instantly and queued for scanning — no waiting for a scheduled run.
▸ pod detected — nginx:1.24 queued for scan
Every container image — including init containers — is analyzed with Syft inside your cluster to produce a CycloneDX SBOM: a software bill of materials, the ingredient list of the image. OS packages, libraries, runtimes, and transitive dependencies are all captured — and only that inventory is uploaded to StackRadar.
▸ sbom.json uploaded — 214 components, 38 KB
Components are matched against 300K+ known CVEs from OSV.dev — the open vulnerability database run by Google, aggregating advisories from npm, PyPI, Go, Maven, Linux distros, and more. StackRadar keeps a continuously synced mirror, so your workloads are re-checked as new advisories land — without rescanning images. You see results per workload with severity scores and fix versions.
▸ 3 critical found — fix versions available
Supply chain security
Signed images
Every release is signed with Sigstore Cosign. Verify before you install.
Digest-pinned
The chart ships with the exact sha256 digest of the image — tag mutation cannot swap what you install.
SLSA provenance
Built in GitHub Actions with provenance attestations stored in GHCR.
Not another heavy security platform
Enterprise container security tools weren't designed for teams that want fast, focused vulnerability visibility without the complexity.
Pay for clusters, not surprises
The scanner is free and open-source. You pay only for the managed dashboard. Start free, upgrade when you need more.
$0
For individuals evaluating or running a single cluster.
No credit card required
$39/month
For engineers running production workloads who need full visibility.
Need more? Contact us for custom Enterprise pricing.
Common questions