Continuous security posture for every image you ship.

Turn a digest-pinned SBOM into continuously refreshed, explainable work: what changed, why it changed, what to fix next, and whether a newer tracked digest has fewer relevant findings.

The evidence loop

From SBOM to better decisions

  1. SubmitSBOM

    Pin immutable package inventory to an image digest.

  2. DetectEVENT

    See what changed and whether image inventory, vulnerability data, or tooling caused it.

  3. PrioritizeWORK

    Order work by KEV, fix availability, severity, EPSS, blast radius, and age.

  4. CompareDIGEST

    Inspect exact vulnerability, package, and license differences between releases.

  5. TrendSNAPSHOT

    Track observed vulnerability debt without inventing historical data.

Maintainer decisions

Keep evidence connected to action

What changed, and why?

Follow causal timelines for added, resolved, re-rated, and newly fixable findings. Opt-in browser alerts surface changes without making scan persistence depend on delivery.

What should I fix next?

Use a transparent, deterministic work queue ranked by KEV, fix availability, severity, EPSS, blast radius, and age.

Is the next tracked digest better?

Compare immutable digests conservatively across vulnerabilities, packages, and licenses to see whether a release has fewer relevant findings.

Is my fleet improving?

Track observed fleet posture trends beginning with the first recorded snapshot, then use repository change history to inspect how each tracked image evolves.

Supporting capabilities

Built for real projects

Private images, no registry credentials

Your digest-pinned SBOM crosses the trust boundary; image bytes and registry secrets do not.

Grype and Trivy

Match the same canonical CycloneDX inventory with two isolated scanners and treat agreement as useful metadata, not proof.

License policy and OpenVEX

Review frozen license inventory against your policy and apply OpenVEX suppression as a visible read-time overlay.

Labels that follow the evidence

Attach team or environment labels at submission, then filter tracked images and scope browser alerts.

Tenant-scoped API, CI-native submission

Submit from any pipeline with a dr_ token and use the API reference to retrieve the same tenant-isolated evidence.

Setup

From pipeline to decision in three steps

  1. 1
    Sign in with GitHub or a one-time email link.
  2. 2
    Submit a digest-pinned SBOM with devradarctl or the tenant-scoped API.
  3. 3
    Act in the browser on continuously refreshed changes, work, comparisons, and trends.

An honest note on trust

DevRadar's deterministic contract requires identical SBOM inventory, vulnerability database, scanner version, and canonicalizer version. It preserves clean change causality. DevRadar does not verify that a submitted SBOM faithfully represents the claimed image. Results reflect the submitted evidence.

Start tracking your exposure

Passwordless sign-in with GitHub or a one-time email link.