Ship faster. Stop drowning in CVE noise.
HarborGuard moves CVE triage and image patching left, right into the pull request. Six scanners run in parallel on every push, findings are deduplicated and prioritized automatically, and patched images land back in your registry without a Dockerfile change.
Built for engineering velocity
- 6 scanners unified
- <5 min CI overhead per scan
- 10+ registries supported
- 100% of findings deduplicated
Three loops that keep your release train moving.
Automatic CVE triage
Every scan and every new advisory opens a prioritized triage run. Findings are deduplicated across all six scanners, attributed to source, and ranked by severity and SLA. Engineers see what matters; the rest stays out of the queue.
PR-time scanning
GitHub Checks light up on every push. SARIF lands in the security tab, severity thresholds gate merges, and SBOM diffs are attached to the PR so reviewers can see exactly what changed at the package level.
Patched images, no rebuilds
The patch engine rewrites vulnerable layers in place, pushes the patched image back to your registry under a new tag, and re-scans to confirm. No Dockerfile changes, no pipeline rework, no broken caches.
CVE Noise, Eliminated.
Most scanners hand you a wall of CVEs and walk away. HarborGuard's triage engine watches every scan result and every new advisory from NVD, OSV, GitHub, and CISA KEV — then opens prioritized runs against the images you've actually shipped. Engineers work the risks that matter; the false positives never make it to the queue.
- Triggered on scan completion and new CVE alerts
- Configurable severity threshold per org
- SLA deadlines per severity with breach + warning hooks
- False-positive attestations with immutable audit trail
- Deduplication across all six bundled scanners
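The SLA loop in the list above (deadline per severity, warning and breach hooks) as an added example written for this page; it is not HarborGuard's code, and the SLA windows, warning lead time and findings are constructed:

```python
"""Per-severity SLA tracking with warning and breach hooks (example code for
this page, not HarborGuard's own; all windows and findings are constructed)."""
from datetime import datetime, timedelta, timezone

# Constructed per-severity remediation windows (days) and warning lead time.
SLA_DAYS = {"CRITICAL": 7, "HIGH": 30, "MEDIUM": 90, "LOW": 180}
WARNING_LEAD = timedelta(days=3)


def sla_status(finding, now):
    """Classify one open finding as ok / warning / breach against its deadline."""
    deadline = finding["first_seen"] + timedelta(days=SLA_DAYS[finding["severity"]])
    if now >= deadline:
        return "breach", deadline
    if now >= deadline - WARNING_LEAD:
        return "warning", deadline
    return "ok", deadline


def sla_events(findings, now):
    """Return the hook events (breach or warning) that should fire right now.
    Remediated findings leave the SLA clock and never produce events."""
    events = []
    for f in findings:
        if f.get("fixed"):
            continue
        status, deadline = sla_status(f, now)
        if status != "ok":
            events.append({"hook": status, "cve": f["cve"], "image": f["image"],
                           "deadline": deadline.isoformat()})
    return events


# Constructed sample: a fixed "now" so the result is reproducible offline.
NOW = datetime(2024, 8, 1, tzinfo=timezone.utc)
FINDINGS = [
    {"cve": "CVE-2024-6197", "image": "app:1.4", "severity": "CRITICAL",
     "first_seen": NOW - timedelta(days=9), "fixed": False},   # 2 days past SLA
    {"cve": "CVE-2024-5535", "image": "app:1.4", "severity": "HIGH",
     "first_seen": NOW - timedelta(days=28), "fixed": False},  # 2 days left
    {"cve": "CVE-2024-3596", "image": "radius:3.0", "severity": "HIGH",
     "first_seen": NOW - timedelta(days=10), "fixed": True},   # remediated
]
```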
Example triage queue: CVE-2024-6197 (curl 8.6.0), CVE-2024-5535 (openssl 3.2.1), CVE-2024-3596 (freeradius 3.0).
Scan on every push. Fail the build that matters.
Wire HarborGuard into GitHub Actions, GitLab CI, CircleCI, or any pipeline that can hit a REST endpoint. Each push fires a scan, six scanners run in parallel against the resulting image, and a single normalized check lands back on the PR. Critical CVEs gate the merge; everything below your threshold becomes a non-blocking annotation.
- GitHub Checks API with severity-gated pass/fail
- SARIF upload to GitHub Code Scanning
- REST + CLI for any other CI system
- Per-repo severity thresholds and exception lists
- SBOM diff posted as a PR comment
Patched images, pushed back to your registry.
When a fix is available upstream, the patch engine rewrites the affected layers, pushes the patched image back under a new tag, and re-scans to confirm the CVEs are gone. No Dockerfile change, no rebuild from your CI, no broken layer cache. The patched tag is ready to deploy by the time the notification hits Slack.
- In-place patching with no Dockerfile rewrite
- Patched images pushed back to the source registry
- Automatic re-scan to confirm CVEs are remediated
- Audit trail per patch operation (source + patched digest)
- Runs in isolated cloud workers — zero CI minutes consumed
Wired into every tool your team already uses.
REST API & CLI
Every action — scan, triage, patch, attest, export — is a single API call or CLI command. Automate without scraping a UI.
Slack notifications
Route scan results, SLA warnings, breach events, and patch confirmations to the channels that own them.
GitHub Checks
Pass/fail checks on every push, SARIF uploads to the security tab, and SBOM diffs as PR comments.
Jira tickets
Open a Jira issue per critical finding, with severity, CVE links, and SLA deadline pre-filled.
SBOM exports
Syft-generated SBOMs in SPDX and CycloneDX. Download per scan or stream to a downstream attestation pipeline.
Layer analysis
Dive-powered layer inspection shows exactly which layer introduced which package — and which CVE.
11+ registries
Docker Hub, ECR, GCR, ACR, GHCR, GitLab, Harbor, JFrog, Quay, Nexus, or any OCI-compliant endpoint.
SSO & RBAC
SAML and OIDC SSO, fine-grained roles, scoped API tokens, and per-action audit logging out of the box.
Questions from DevSecOps teams
How much overhead does HarborGuard add to a CI run?
Under five minutes for a typical mid-sized image. Scans dispatch to isolated cloud workers, so your CI runner only waits on the API round-trip — it doesn't burn build minutes running Trivy, Grype, Syft, Dockle, OSV-Scanner, and Dive in series. The six-scanner sweep runs in parallel on our side and posts a single normalized result back to your check.
How do you keep false positives from blocking the build?
Every finding flows through automatic triage. The platform deduplicates across all six scanners, cross-references NVD, OSV, GitHub Security Advisories, and CISA KEV, and applies your severity threshold before posting a check. False-positive attestations are first-class — once a CVE is attested for an image, it stays suppressed across rebuilds with a full audit trail, and only un-attested findings ever fail a PR.
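The triage and gating logic described in the "Automatic CVE triage" and "Scan on every push" sections and in this answer (cross-scanner deduplication with source attribution, attestation suppression, severity-threshold pass/fail), as an added example written for this page. It is not HarborGuard's implementation; the scanner rows, the severities attached to the CVEs and the image digest are constructed.

```python
"""Cross-scanner dedup, attestation suppression and severity gating (example
code for this page, not HarborGuard's own; findings below are constructed)."""
SEVERITY_RANK = {"LOW": 1, "MEDIUM": 2, "HIGH": 3, "CRITICAL": 4}

# Constructed scanner output, already normalised to one schema. Severities are
# made up for the example and are not the real ratings of these CVEs.
RAW_FINDINGS = [
    {"scanner": "trivy", "cve": "CVE-2024-6197", "pkg": "curl", "version": "8.6.0", "severity": "HIGH"},
    {"scanner": "grype", "cve": "CVE-2024-6197", "pkg": "curl", "version": "8.6.0", "severity": "CRITICAL"},
    {"scanner": "osv-scanner", "cve": "CVE-2024-5535", "pkg": "openssl", "version": "3.2.1", "severity": "HIGH"},
    {"scanner": "trivy", "cve": "CVE-2024-3596", "pkg": "freeradius", "version": "3.0", "severity": "HIGH"},
    {"scanner": "grype", "cve": "CVE-2024-3596", "pkg": "freeradius", "version": "3.0", "severity": "MEDIUM"},
]

# Constructed false-positive attestation, keyed by image digest so it survives
# rebuilds of the same image but never leaks to a different one.
IMAGE_DIGEST = "sha256:placeholder-image-digest"
ATTESTED = {(IMAGE_DIGEST, "CVE-2024-3596", "freeradius")}


def deduplicate(findings):
    """Merge per-scanner rows into one finding per (cve, pkg, version), keep
    every reporting scanner as a source, and take the highest severity any
    scanner assigned so that gating stays conservative. Sorted worst-first."""
    merged = {}
    for f in findings:
        key = (f["cve"], f["pkg"], f["version"])
        entry = merged.get(key)
        if entry is None:
            entry = merged[key] = {"cve": f["cve"], "pkg": f["pkg"], "version": f["version"],
                                   "severity": f["severity"], "sources": set()}
        entry["sources"].add(f["scanner"])
        if SEVERITY_RANK[f["severity"]] > SEVERITY_RANK[entry["severity"]]:
            entry["severity"] = f["severity"]
    return sorted(merged.values(), key=lambda e: -SEVERITY_RANK[e["severity"]])


def gate(findings, image_digest, threshold, attested):
    """Return (passed, blocking, annotations) for a PR check: attested findings
    are suppressed, findings at or above the threshold block the merge, and
    the rest become non-blocking annotations."""
    blocking, annotations = [], []
    for f in findings:
        if (image_digest, f["cve"], f["pkg"]) in attested:
            continue
        if SEVERITY_RANK[f["severity"]] >= SEVERITY_RANK[threshold]:
            blocking.append(f)
        else:
            annotations.append(f)
    return not blocking, blocking, annotations
```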
What languages and OS distros are covered?
Anything the six bundled scanners cover. That means Alpine, Debian, Ubuntu, RHEL/CentOS, Amazon Linux, SUSE, Wolfi, and distroless base images for the OS layer, plus npm, PyPI, Maven, Go modules, RubyGems, Cargo, Composer, NuGet, Pub, and Hex at the application layer. SBOMs are emitted in both SPDX and CycloneDX so downstream tools can consume them too.
How does in-place patching work without a Dockerfile change?
The patch engine reads the SBOM of a finished image, resolves fixed package versions from upstream advisories, and rebuilds the affected layers with patched binaries — no Dockerfile rewrite, no rebuild from your CI. The patched image gets a new tag, is pushed back to the same registry, and is automatically re-scanned to confirm the CVEs are gone. Each patch operation is captured in the audit log with source digest, patched digest, and the list of CVEs fixed.
How is this different from running a scanner inside my pipeline?
A CI-only scanner gives you one tool, one moment in time, and a YAML file to maintain. HarborGuard runs six scanners against every image, keeps watching that image after the build is done (CVE Watch monitors NVD, OSV, GitHub, and CISA KEV), opens triage runs when a new advisory hits a package you've already shipped, tracks SLA deadlines per severity, and offers automated remediation. The PR check is one surface — the platform is the rest.