Continuous security posture for every image you ship.
Turn a digest-pinned SBOM into continuously refreshed, explainable work: what changed, why it changed, what to fix next, and whether a newer tracked digest has fewer relevant findings.
Enter your email and we'll send you a one-time sign-in link — no password.
Once authenticated you can mint an API token to interact with the DevRadar.
The evidence loop
From SBOM to better decisions
- Submit
SBOMPin immutable package inventory to an image digest.
- Detect
EVENTSee what changed and whether image inventory, vulnerability data, or tooling caused it.
- Prioritize
WORKOrder work by KEV, fix availability, severity, EPSS, blast radius, and age.
- Compare
DIGESTInspect exact vulnerability, package, and license differences between releases.
- Trend
SNAPSHOTTrack observed vulnerability debt without inventing historical data.
Maintainer decisions
Keep evidence connected to action
What changed, and why?
Follow causal timelines for added, resolved, re-rated, and newly fixable findings. Opt-in browser alerts surface changes without making scan persistence depend on delivery.
What should I fix next?
Use a transparent, deterministic work queue ranked by KEV, fix availability, severity, EPSS, blast radius, and age.
Is the next tracked digest better?
Compare immutable digests conservatively across vulnerabilities, packages, and licenses to see whether a release has fewer relevant findings.
Is my fleet improving?
Track observed fleet posture trends beginning with the first recorded snapshot, then use repository change history to inspect how each tracked image evolves.
Supporting capabilities
Built for real projects
Private images, no registry credentials
Your digest-pinned SBOM crosses the trust boundary; image bytes and registry secrets do not.
Grype and Trivy
Match the same canonical CycloneDX inventory with two isolated scanners and treat agreement as useful metadata, not proof.
License policy and OpenVEX
Review frozen license inventory against your policy and apply OpenVEX suppression as a visible read-time overlay.
Labels that follow the evidence
Attach team or environment labels at submission, then filter tracked images and scope browser alerts.
Tenant-scoped API, CI-native submission
Submit from any pipeline with a dr_ token and use the API reference to retrieve the same tenant-isolated evidence.
Setup
From pipeline to decision in three steps
- 1Sign in with GitHub or a one-time email link.
- 2Submit a digest-pinned SBOM with
devradarctlor the tenant-scoped API. - 3Act in the browser on continuously refreshed changes, work, comparisons, and trends.
An honest note on trust
DevRadar's deterministic contract requires identical SBOM inventory, vulnerability database, scanner version, and canonicalizer version. It preserves clean change causality. DevRadar does not verify that a submitted SBOM faithfully represents the claimed image. Results reflect the submitted evidence.
Start tracking your exposure
Passwordless sign-in with GitHub or a one-time email link.