Continuous vulnerability scanning for your Kubernetes clusters

Deploy our Helm chart into any cluster. It scans running container images, generates SBOMs, and surfaces known vulnerabilities in a managed dashboard — giving you ongoing visibility into what's exposed.

Terminal
# Add the StackRadar Helm repo
$ helm repo add stackradar https://charts.stackradar.io
# Install the scanner into your cluster
$ helm install stackradar-scanner \
    stackradar/stackradar-scanner \
    --set stackradar.apiKey="$API_KEY"

Deploy the StackRadar scanner

Helm install into any Kubernetes cluster.

Scanner auto-discovers workloads

Generates SBOMs periodically from running images and sends them to StackRadar.

See vulnerabilities in the dashboard

Track dependencies and their vulnerabilities in the dashboard.

Complete visibility into your cluster's software supply chain

See every container image, every dependency, and every vulnerability — organized by namespace and workload, exactly how you think about your infrastructure.

app.stackradar.io

Projects (updated 2 min ago)

Name                          Version            Last BOM imported   Vulnerabilities
monitoring (namespace)                                               0 Critical, 2 High, 4 Medium, 3 Low
production (namespace)                                               3 Critical, 10 High, 24 Medium, 16 Low
  api-gateway (Deployment)    node:22-slim       2 hours ago         1 Critical, 4 High, 9 Medium, 6 Low
  redis (StatefulSet)         redis:7.2-alpine   2 hours ago         0 Critical, 1 High, 3 Medium, 2 Low
  user-service (Deployment)   python:3.12-slim   2 hours ago         2 Critical, 5 High, 12 Medium, 8 Low
staging (namespace)                                                  0 Critical, 2 High, 5 Medium, 3 Low
Total                                                                3 Critical, 14 High, 33 Medium, 22 Low

See critical vulnerabilities across all namespaces at a glance — no digging through logs or CLI output.

How it works

From helm install to full cluster visibility

1. Install the scanner

Deploy the StackRadar Helm chart into your Kubernetes cluster. One command, works on EKS, GKE, AKS, or any conformant cluster.

2. Workloads are discovered

The scanner runs as a CronJob and automatically finds every Deployment, StatefulSet, DaemonSet, and CronJob across all namespaces.

3. SBOMs are generated

Each container image is analyzed with Syft to produce a full CycloneDX SBOM — OS packages, libraries, and runtimes included.

4. Vulnerabilities surface

Components are matched against 300K+ known CVEs from the OSV database. You see results per workload with severity scores and fix versions.

Simple pricing

Pay for clusters, not surprises

The scanner is free and open-source. You pay only for the managed dashboard. Start free, upgrade when you need more.

Starter

$0

For individuals and small clusters. Get started with no commitment.

  • 1 cluster
  • Up to 25 workloads
  • Vulnerability scanning every 12h
  • Dashboard access
  • Community support
Most popular

Pro

$49/month

For teams running production workloads that need continuous visibility.

  • Up to 5 clusters
  • Unlimited workloads
  • Scanning every 6h (configurable)
  • Vulnerability alerts
  • Full SBOM exports (CycloneDX)
  • API access
  • Email support

Team

$149/month

For organizations managing multiple clusters with team collaboration.

  • Unlimited clusters
  • Unlimited workloads
  • Custom scan schedules
  • Up to 15 team members
  • Role-based access control
  • Audit logs
  • Priority support

Need more? Contact us for custom Enterprise pricing.

FAQ

Common questions

How does the scanner work?
The StackRadar scanner is deployed as a Kubernetes CronJob via a Helm chart. On each run, it discovers all Deployments, StatefulSets, DaemonSets, and CronJobs in your cluster, pulls their container images and analyzes them with Syft to generate CycloneDX SBOMs, and uploads those SBOMs to the StackRadar API. Vulnerabilities are then matched server-side against the OSV database.
Does my image data leave the cluster?
The scanner runs inside your cluster and only sends SBOMs (dependency metadata) to StackRadar. Your actual container images and source code never leave your network. The SBOMs contain package names, versions, and licenses — no proprietary code.
Which Kubernetes distributions are supported?
The scanner works on any standard Kubernetes cluster — EKS, GKE, AKS, DigitalOcean Kubernetes, k3s, kind, and self-managed clusters. It uses the standard Kubernetes API and requires only read access to list pods and workloads.
Is the scanner open-source?
Yes. The Helm chart and scanner application are fully open-source. You can inspect the code, modify it, and contribute back. The managed dashboard (where vulnerabilities are displayed and tracked) is the paid service.
How often does it scan?
By default, the scanner runs every 6 hours. You can customize the schedule via the Helm chart values (any valid cron expression). You can also exclude or include specific namespaces.
Can I cancel anytime?
Yes. No contracts, no commitments. Cancel from your dashboard with one click. You'll keep access until the end of your billing period. The scanner itself is free and will continue to run in your cluster.
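
An added example, not StackRadar's code: a check you could run against the answer to "Does my image data leave the cluster?" that reports which fields a CycloneDX JSON SBOM carries beyond names, versions, and licenses. The `EXPECTED` allowlist, the sample SBOM, and the `example:location:path` property name are assumptions constructed for illustration.

```python
import json

# Component keys treated as "package name, version, license" metadata or
# identifiers derived from them (this allowlist is an assumption).
EXPECTED = {"type", "name", "version", "licenses", "purl", "cpe", "bom-ref"}

# Constructed CycloneDX-shaped sample, not output from a real scan.
SAMPLE_SBOM = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.5",
    "metadata": {"component": {"type": "container", "version": "constructed",
                               "name": "registry.example.internal/user-service"}},
    "components": [
        {"type": "library", "name": "openssl", "version": "3.0.11",
         "licenses": [{"license": {"id": "Apache-2.0"}}]},
        {"type": "library", "name": "internal-billing-lib", "version": "1.4.2",
         "properties": [{"name": "example:location:path",
                         "value": "/app/vendor/internal-billing-lib"}],
         "components": [{"type": "library", "name": "left-pad",
                         "version": "1.3.0", "description": "constructed"}]},
    ],
})


def walk(components):
    """Yield every component, descending into nested 'components' arrays."""
    for comp in components or []:
        yield comp
        yield from walk(comp.get("components"))


def audit_sbom(raw):
    """Report which component fields an SBOM carries beyond EXPECTED."""
    bom = json.loads(raw)
    if bom.get("bomFormat") != "CycloneDX":
        raise ValueError("not a CycloneDX JSON document")
    roots = list(bom.get("components", []))
    if "component" in bom.get("metadata", {}):
        roots.append(bom["metadata"]["component"])
    report = {"components": 0, "extra_fields": {}, "property_names": set()}
    for comp in walk(roots):
        report["components"] += 1
        for key in sorted(comp.keys() - EXPECTED - {"components"}):
            report["extra_fields"].setdefault(key, []).append(comp.get("name"))
        for prop in comp.get("properties", []):
            report["property_names"].add(prop.get("name"))
    return report


if __name__ == "__main__":
    print(audit_sbom(SAMPLE_SBOM))
```

Internal package names and registry hostnames are metadata too, so review the component names as well as any extra fields the report lists.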