Open-source Kubernetes SBOM scanner. Star us on GitHub

Real-time software supply chain
visibility for Kubernetes

Every time a pod starts, StackRadar scans it and generates an SBOM — a complete inventory of every package and library inside the container. New vulnerabilities surface in your dashboard. No manual scans. No blind spots between deploys.

Open-source scannerTransparent CycloneDX SBOMs300K+ CVEs from Google's OSV.devNo credit card required
Quick StartGet your credentials from the dashboard after creating an account.
bash
# 1. Export your credentials
$ export STACKRADAR_API_KEY=<your-api-key>$ export STACKRADAR_CLUSTER_ID=<your-cluster-id>
# 2. Install the Helm chart from OCI registry
$ helm install stackradar-scanner \
    oci://ghcr.io/lockdep/charts/stackradar-scanner \
    --namespace stackradar --create-namespace \
    --set stackradar.apiKey=$STACKRADAR_API_KEY \
    --set stackradar.clusterId=$STACKRADAR_CLUSTER_ID

How it works

From helm install to full cluster visibility

YOUR CLUSTERSSTACKRADAR CLOUDYOUR BROWSERK8sPodPodPodStackRadar ScannerK8sPodPodPodStackRadar ScannerSBOMsStackRadarapi.stackradar.ioOSV mirror · 300K+ CVEsfindingsapp.stackradar.ioStackRadarlivenginx / nginx:1.243 critpayments / node:1812 highgateway / go:1.222 highredis:7-alpinepostgres:165 high

Only the SBOM (CycloneDX JSON) crosses the line — your container images and source code never leave the cluster.

1

Install the scanner

Deploy the StackRadar Helm chart into your Kubernetes cluster. One command, works on EKS, GKE, AKS, or any conformant cluster.

scanner online — sweeping cluster

2

Workloads are discovered in real time

The scanner deploys as a long-running Kubernetes agent that watches your cluster for pod changes. New or updated images are detected instantly and queued for scanning — no waiting for a scheduled run.

pod detected — nginx:1.24 queued for scan

3

SBOMs are generated

Every container image — including init containers — is analyzed with Syft inside your cluster to produce a CycloneDX SBOM: a software bill of materials, the ingredient list of the image. OS packages, libraries, runtimes, and transitive dependencies are all captured — and only that inventory is uploaded to StackRadar.

sbom.json uploaded — 214 components, 38 KB

4

Vulnerabilities surface

Components are matched against 300K+ known CVEs from OSV.dev — the open vulnerability database run by Google, aggregating advisories from npm, PyPI, Go, Maven, Linux distros, and more. StackRadar keeps a continuously synced mirror, so your workloads are re-checked as new advisories land — without rescanning images. You see results per workload with severity scores and fix versions.

3 critical found — fix versions available

Supply chain security

Signed images

Every release is signed with Sigstore Cosign. Verify before you install.

Digest-pinned

The chart ships with the exact sha256 digest of the image — tag mutation cannot swap what you install.

SLSA provenance

Built in GitHub Actions with provenance attestations stored in GHCR.

The difference

Not another heavy security platform

Enterprise container security tools weren't designed for teams that want fast, focused vulnerability visibility without the complexity.

StackRadar
Enterprise tools
Setup time
helm install — 5 minutes
Weeks of setup + agents
Scanner
Open-source, runs in your cluster
Proprietary, opaque agents
Vulnerability data
Open OSV.dev — every finding verifiable
Proprietary database, black box
Data stays private
Only SBOMs leave your cluster
Full image access required
Pricing
Free tier + transparent plans
Per-node pricing, call sales
Complexity
One Helm chart, one dashboard
Multiple tools to configure

Simple pricing

Pay for clusters, not surprises

The scanner is free and open-source. You pay only for the managed dashboard. Start free, upgrade when you need more.

Free

$0

For individuals evaluating or running a single cluster.

  • 1 cluster
  • Scan up to 50 unique images /month
  • Vulnerability scanning
  • Dashboard access
  • Community support
Start free

No credit card required

Recommended

Pro

$39/month

For engineers running production workloads who need full visibility.

  • Up to 5 clusters
  • Scan up to 1000 unique images /month
  • Vulnerability scanning
  • Dashboard access
  • 1 year scan history
  • Priority support
Get started

Need more? Contact us for custom Enterprise pricing.

FAQ

Common questions

What is an SBOM?
An SBOM — Software Bill of Materials — is an inventory of everything inside a container image: OS packages, language libraries, runtimes, their exact versions, and licenses. Think of it as the ingredient list on food packaging, but for software. Just as important is what an SBOM is not: it contains no source code, no secrets, no environment variables, and none of the image contents themselves — only names and versions. That is why uploading an SBOM to StackRadar for vulnerability matching is safe: it describes what your software is made of without revealing the software itself.
How does the scanner work?
The StackRadar scanner is deployed as a Kubernetes Deployment via a Helm chart. It runs as a long-lived agent that watches your cluster for pod changes in real time — when new or updated images are detected, they are scanned immediately. A full cluster sweep runs every 6 hours by default to catch anything missed. Images are analyzed with Syft to generate CycloneDX SBOMs, which are uploaded to the StackRadar API. Vulnerabilities are then matched server-side against the OSV database.
Where does the vulnerability data come from?
From OSV.dev — the open vulnerability database run by Google under the OpenSSF. It aggregates GitHub Security Advisories, Linux distribution security trackers (Debian, Alpine, Ubuntu, and others), and ecosystem advisories for npm, PyPI, Go, Maven, RubyGems, crates.io, and more. StackRadar maintains a continuously synced mirror of 300K+ advisories and matches your SBOMs against it server-side. Because the data is open, there is no black box: every finding links to its public advisory, and you can verify any result yourself on osv.dev.
Does my image data leave the cluster?
The scanner runs inside your cluster and only sends SBOMs (dependency metadata) to StackRadar. Your actual container images and source code never leave your network. The SBOMs contain package names, versions, and licenses — no proprietary code.
Which Kubernetes distributions are supported?
The scanner works on any standard Kubernetes cluster — EKS, GKE, AKS, DigitalOcean Kubernetes, k3s, kind, and self-managed clusters. It uses the standard Kubernetes API and requires only read access to list pods and workloads.
Is the scanner open-source?
Yes. The Helm chart and scanner application are fully open-source. You can inspect the code, modify it, and contribute back. The managed dashboard (where vulnerabilities are displayed and tracked) is the paid service.
Does it support private container registries?
Yes. The scanner automatically reads imagePullSecrets from your pod specs and uses those credentials when pulling images for SBOM generation. This works with any OCI-compliant registry — ECR, GCR, Docker Hub private repos, GitHub Container Registry, and self-hosted registries.
How often does it scan?
The scanner works in two complementary modes: it watches for pod events in real time so new or updated images are scanned as soon as they appear, and it performs a full cluster sweep every 6 hours to ensure nothing is missed. Both intervals are configurable via Helm values. You can also filter which namespaces are scanned using include or exclude lists.
Can I cancel anytime?
Yes. No contracts, no commitments. Cancel from your dashboard with one click. You'll keep access until the end of your billing period. The scanner itself is free and will continue to run in your cluster.