Know what changed
Submit an SBOM once; DevRadar rescans it every day and records how your container's vulnerabilities change over time — so a new critical shows up as an event, not a surprise.
Enter your email and we'll send you a one-time sign-in link — no password.
Once authenticated you can mint an API token to interact with the DevRadar.
Three principles
SBOM vs Image
Your CI already produces the SBOM; DevRadar consumes it. No registry access, no credentials, no egress — which is exactly what makes private-registry coverage work: the SBOM crosses the trust boundary, not your secrets.
Change over time
An SBOM is frozen to an image digest, so the only variable day to day is the scanner's vulnerability database. DevRadar keeps an append-only change log — the delta is the product.
Clean causality
Every change is labeled: a new image, new CVE data, or a scanner change. You can always tell why a finding appeared — and never get paged for a tooling upgrade.
DevRadar Features
Daily rescans, two scanners
Every active SBOM is re-scanned with Grype and Trivy. Running two catches cataloger disagreement instead of overfitting to one tool.
Change log & timeline
Added, resolved, re-rated, and fixed events — per image and across every digest of an image over time.
Risk enrichment
EPSS exploit-probability and CISA KEV (known-exploited) overlays surface what to patch first, not just what's critical.
VEX suppression
Upload an OpenVEX document to mark findings not-affected or fixed. Suppressed findings drop out of your counts and lists.
Severity thresholds
Set a per-account floor (default medium) so the noise stays below the line, and override it per request when you need everything.
Image grouping with tags
Tag SBOMs by team or environment at submission and filter your whole fleet by them.
Insight charts
Fleet severity composition, remediation readiness (what's fixable now), and risk-over-time — all server-rendered, no dashboards to configure.
API-first, CI-native
Everything in the UI is also a tenant-scoped REST API. Submit SBOMs with a dr_ token from any pipeline.
How it works
- 1Sign in with your email — passwordless, no OAuth app to install.
- 2Mint an API token for your CI pipeline.
- 3Submit an SBOM pinned to an image digest (
POST /v1/sboms). Syft-generated CycloneDX, all layers, is recommended. - 4Watch it change — DevRadar rescans daily. Check the dashboard or pull the change log via the API.
Coming soon
Push & email alerts coming soon
Get notified when an image- or DB-driven change crosses your threshold. The event log that powers it is already built in.
AI delta narratives coming soon
Plain-language summaries of what changed and why it matters, generated from the same change events.
An honest note on trust. DevRadar guarantees determinism (the same SBOM and scanner database always produce the same findings) and clean change causality — not the authenticity of the SBOM itself. A wrong or stale SBOM yields wrong results; verifying signed attestations is reserved for a later release.
Start tracking your exposure
Free to start — no password, no credit card.