Know every container running in your cloud.
And every CVE it carries.
HarborGuard inventories container images across every registry you use, watches for drift between what's published and what's actually running, and scores real exposure so your team knows what to fix first.
Coverage at scale
- 11+ registries
- 4 CVE feeds (NVD, OSV, GitHub, CISA KEV)
- 6 scanners
- 10+ compliance frameworks
What cloud security teams need from a container layer.
Multi-registry inventory
One canonical list of every image, tag, and digest across every registry you operate. No more chasing individual cloud accounts to know what's deployed.
Drift & exposure scoring
Detect when the image in production drifts from what's in your registry. Composite scoring blends severity, KEV status, EPSS, and fix availability.
Continuous CVE Watch
Four advisory feeds aggregated and deduplicated. New criticals against your inventory open prioritized triage runs without waiting for the next scheduled scan.
Every registry. Every cluster. One pane of glass.
Connect Docker Hub, ECR, GCR, ACR, GHCR, GitLab, Harbor, JFrog, Quay, Nexus, and any OCI-compliant registry from a single HarborGuard organization. Inventory, scans, triage, and notifications stay unified — no per-cloud dashboards to context-switch between.
- 11 registry providers including generic OCI
- AWS, Azure, GCP, and on-prem in one org
- Tag pattern include and exclude filters
- Real-time sync and connection health monitoring
- Scheduled and on-push scanning per registry
Know the moment a CVE lands in production.
CVE Watch ingests NVD, OSV, GitHub Security Advisories, and CISA KEV on staggered intervals, matches new advisories against your live inventory, and opens an automatic triage run when a known package becomes exposed. Slack and PagerDuty get the alert before your on-call has to ask.
- 4 advisory feeds aggregated and deduplicated
- Auto-triage on new advisories — no fresh scan required
- KEV-aware severity boost on the triage queue
- Per-org severity threshold and SLA
- Slack, PagerDuty, email, and signed webhook routes
- CVE-2024-6197: curl 8.6.0
- CVE-2024-5535: openssl 3.2.1
- CVE-2024-3596: freeradius 3.0
From scanner output to ranked exposure.
Scanners produce noise. HarborGuard collapses the noise into a per-image exposure score that factors severity, KEV presence, EPSS exploitability, and whether a fix exists. The dashboard sorts your inventory by what your attacker would target first.
- Composite exposure score per image and per workload
- KEV exploitation status surfaced inline
- Fix-availability gating on the triage queue
- Trend lines by registry, team, and namespace
- payments-api:2.14.0 (2m ago)
- auth-service:1.9.3 (14m ago)
- edge-proxy:nightly (1h ago)
The container security posture loop, automated.
Registry sync
Continuous discovery and tag tracking across every connected registry, with health monitoring on each connection.
Image drift detection
Catch when a running tag points at a digest that no longer matches what's in the registry of record.
CVE Watch (4 feeds)
NVD, OSV, GitHub Security Advisories, and CISA KEV aggregated, deduplicated, and matched against your inventory.
Severity-aware triage
Composite scoring boosts KEV entries and reachable packages so the queue reflects real exposure, not raw CVSS.
Layer inspection
Inspect every image layer, diff consecutive layers, and identify which layer introduced a vulnerable package.
SBOM & dependency graph
SPDX and CycloneDX SBOMs per image, aggregated into an org-wide dependency graph for impact analysis.
PagerDuty + Slack
Route alerts by severity, registry, or team. Signed webhooks deliver into your SOAR or SIEM of choice.
SAML / OIDC / SCIM
Enterprise SSO with automated user and role provisioning. Immutable audit log captures every change.
Questions from cloud security leaders
How does HarborGuard compare to a full Cloud Security Posture Management (CSPM) platform?
HarborGuard is the deep container layer, not a CSPM replacement. CSPMs are excellent at cloud-account misconfigurations, identity, and network posture across the whole estate. HarborGuard focuses entirely on the image and registry layer: per-image SBOMs, CVE attribution across six scanners, drift between what's in the registry and what's actually running, and automated patched-image rebuilds. Most security teams run both — HarborGuard hands a normalized container feed to their CSPM, SIEM, or compliance hub.
Which registries and clouds are covered?
Eleven registry providers out of the box, including Docker Hub, AWS ECR (all regions), Google GCR / Artifact Registry, Azure ACR, GitHub GHCR, GitLab Container Registry, Harbor, JFrog Artifactory, Quay, Sonatype Nexus, plus any OCI-compliant registry via generic credentials. A single HarborGuard org can connect registries across AWS, Azure, GCP, and on-prem simultaneously — the inventory and triage views unify them.
How quickly are new CVEs reflected in our findings?
CVE Watch polls NVD, OSV, GitHub Security Advisories, and CISA KEV on staggered intervals and writes new advisories to a shared feed table. The next scheduled scan picks them up automatically, and high-severity advisories that match an already-known package trigger automatic triage runs without waiting for a fresh scan. End-to-end you see new criticals against your inventory within minutes, not the next nightly window.
How is exposure scoring calculated?
Exposure starts with the raw CVSS / advisory severity, then layers signal: presence in CISA KEV, whether the affected package is reachable in the image's runtime entrypoint, whether a fixed version exists, and how many images and registries are affected. Triage queues are ordered by the composite score, so engineers see real exposure first rather than a flat severity dump.
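An added example, not HarborGuard's code: one way to blend the signals named above into a composite score and order a triage queue by it. The weights, the `Finding` fields, the direction of the fix-availability adjustment and the sample findings are all assumptions made for illustration; the page publishes no formula.

```python
from dataclasses import dataclass

# Assumed weights: the page names the signals but publishes no formula.
KEV_BOOST = 2.0           # listed in CISA KEV
UNREACHABLE_FACTOR = 0.5  # package not reachable from the image entrypoint
NO_FIX_FACTOR = 0.8       # assumption: unfixable findings rank below actionable ones
IMAGE_CAP = 50            # blast-radius multiplier saturates at this many images


@dataclass(frozen=True)
class Finding:
    cve: str              # placeholder identifiers, not real CVEs
    cvss: float           # base score, 0.0-10.0
    epss: float           # exploit probability, 0.0-1.0
    in_kev: bool
    reachable: bool
    fix_available: bool
    affected_images: int


def exposure_score(f: Finding) -> float:
    """Blend severity with exploitation and deployment signals."""
    if not (0.0 <= f.cvss <= 10.0 and 0.0 <= f.epss <= 1.0) or f.affected_images < 1:
        raise ValueError(f"out-of-range input for {f.cve}")
    score = f.cvss * (0.5 + 0.5 * f.epss)   # EPSS scales severity between 50% and 100%
    if f.in_kev:
        score *= KEV_BOOST
    if not f.reachable:
        score *= UNREACHABLE_FACTOR
    if not f.fix_available:
        score *= NO_FIX_FACTOR
    score *= 1 + min(f.affected_images, IMAGE_CAP) / IMAGE_CAP
    return round(score, 2)


def triage_queue(findings):
    """Highest exposure first; ties broken by identifier for a stable order."""
    return sorted(findings, key=lambda f: (-exposure_score(f), f.cve))


# Constructed sample findings.
SAMPLE = [
    Finding("CVE-XXXX-0001", 9.8, 0.02, False, False, True, 1),
    Finding("CVE-XXXX-0002", 6.5, 0.90, True, True, True, 10),
    Finding("CVE-XXXX-0003", 7.5, 0.30, False, True, False, 3),
]

if __name__ == "__main__":
    for f in triage_queue(SAMPLE):
        print(f"{exposure_score(f):6.2f}  {f.cve}  cvss={f.cvss}")
```

With these assumed weights the KEV-listed, reachable CVSS 6.5 finding ranks above the unreachable CVSS 9.8 one, which is the difference between a composite queue and a flat severity sort.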
Where do scans actually run? Can they stay inside our VPC?
Scans dispatch to a lightweight sensor that runs wherever you put it: HarborGuard's hosted cloud, a Docker host in your own account, or a Kubernetes deployment in a private subnet. The control plane only sees scan results and metadata — image bytes never leave your environment when you self-host the sensor. SSO, audit log, and the dashboard remain in the HarborGuard control plane.