4 min read·HarborGuard Team

HarborGuard 1.0 — six scanners, automatic patching, ten compliance frameworks

We're shipping HarborGuard 1.0. Six bundled scanners, automatic base-image patching, ten compliance frameworks, and self-hosted under AGPL-3.0.

Tags: launch, container security, compliance

Why we built HarborGuard

Every container security tool we tried had the same shape: it told you about CVEs and stopped. Triaging them, deciding what to patch, building evidence for an audit, checking a patched image for regressions — those were always our problem to solve outside the tool.

So we built the platform we wanted: six bundled scanners, deduplicated findings, automatic patching, SLA tracking, and ten compliance frameworks ready to export. All of it open source.

What's in the launch

  • Six scanners, one finding. Trivy, Grype, Syft, Dockle, OSV-Scanner, and Dive run against every scan. Same CVE reported by three engines becomes one finding with each engine's attribution preserved.
  • Patching, not just reporting. Vulnerable base images can be rebuilt automatically with Buildah or Copa, signed, and re-scanned to confirm the fix.
  • SLA tracking built in. Per-severity remediation deadlines fire warning notifications 24 hours before breach and breach notifications at the deadline. Slack, PagerDuty, webhook, and email channels are all supported.
  • Ten compliance frameworks. SOC 2, PCI-DSS, NIST 800-53, ISO 27001, FedRAMP, HIPAA, CMMC, CIS Docker, NIST 800-190, NIST 800-171. Reports are generated on demand from continuously collected evidence.
  • Self-hostable. AGPL-3.0. Run it on Fly.io, Kubernetes, or any Docker host. Same code as the SaaS at harborguard.co.
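To make the first and third bullets concrete, here is a small Python illustration of the two behaviours they describe: collapsing the same CVE reported by several engines into one finding that keeps each engine's attribution, and computing SLA warning and breach states from per-severity deadlines. This is an added example written for this post, not HarborGuard's own code; the scanner output shape, the field names, the sample CVE identifiers and the remediation windows are all constructed assumptions (the post only specifies the 24-hour warning lead).

```python
"""Added illustration of finding deduplication and SLA tracking.
Not HarborGuard's implementation: the input format, field names,
CVE ids and SLA windows below are constructed for the example."""
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Constructed sample: three engines report overlapping CVEs for one image.
# Real scanner output formats differ; these dicts are a simplified stand-in.
RAW_FINDINGS = [
    {"scanner": "trivy", "cve": "CVE-0000-0001", "package": "openssl",
     "version": "1.1.1k", "severity": "HIGH"},
    {"scanner": "grype", "cve": "CVE-0000-0001", "package": "openssl",
     "version": "1.1.1k", "severity": "CRITICAL"},
    {"scanner": "osv-scanner", "cve": "CVE-0000-0001", "package": "openssl",
     "version": "1.1.1k", "severity": "HIGH"},
    {"scanner": "trivy", "cve": "CVE-0000-0002", "package": "zlib",
     "version": "1.2.11", "severity": "MEDIUM"},
]

SEVERITY_RANK = {"LOW": 1, "MEDIUM": 2, "HIGH": 3, "CRITICAL": 4}

# Assumed per-severity remediation windows in days; the post gives no numbers.
SLA_DAYS = {"CRITICAL": 7, "HIGH": 30, "MEDIUM": 90, "LOW": 180}
WARNING_LEAD = timedelta(hours=24)  # warning fires 24 h before breach (from the post)

FIRST_SEEN = datetime(2024, 1, 1, tzinfo=timezone.utc)  # constructed timestamp


def dedupe_findings(raw):
    """Group raw results by (cve, package, version). Each group becomes one
    finding that records every engine that reported it, the severity each
    engine assigned, and the most severe rating as the finding's severity."""
    grouped = defaultdict(lambda: {"scanners": [], "severities": {}})
    for f in raw:
        key = (f["cve"], f["package"], f["version"])
        entry = grouped[key]
        entry["scanners"].append(f["scanner"])
        entry["severities"][f["scanner"]] = f["severity"]
    findings = []
    for (cve, pkg, ver), entry in grouped.items():
        worst = max(entry["severities"].values(), key=SEVERITY_RANK.__getitem__)
        findings.append({
            "cve": cve,
            "package": pkg,
            "version": ver,
            "severity": worst,
            "scanners": sorted(entry["scanners"]),
            "severity_by_scanner": dict(entry["severities"]),
        })
    return sorted(findings, key=lambda x: x["cve"])


def sla_status(finding, first_seen, now):
    """Return 'ok', 'warning' or 'breached' for a finding first seen at
    first_seen, using the per-severity window and the 24 h warning lead."""
    deadline = first_seen + timedelta(days=SLA_DAYS[finding["severity"]])
    if now >= deadline:
        return "breached"
    if now >= deadline - WARNING_LEAD:
        return "warning"
    return "ok"


def status_after(finding, days, hours=0):
    """Convenience wrapper: SLA status `days` and `hours` after FIRST_SEEN."""
    now = FIRST_SEEN + timedelta(days=days, hours=hours)
    return sla_status(finding, FIRST_SEEN, now)


if __name__ == "__main__":
    for fnd in dedupe_findings(RAW_FINDINGS):
        print(fnd["cve"], fnd["severity"], fnd["scanners"],
              "->", status_after(fnd, days=6, hours=12))
```

Note that the merged finding takes the highest severity any engine assigned, while the per-engine ratings stay available under `severity_by_scanner` so a reviewer can see why three engines disagreed; the SLA clock is keyed to that merged severity.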

What's next

The next milestones on our public roadmap:

  1. Attestations (in-toto, Sigstore) on patched images.
  2. Reachability scoring — does the vulnerable function actually run?
  3. Container drift detection in CI for golden-base-image programs.

Star the repo and drop us a note if you want any of those moved up the queue.