Know what changed

Submit an SBOM once; DevRadar rescans it every day and records how your container's vulnerabilities change over time — so a new critical shows up as an event, not a surprise.

Three principles

SBOM vs Image

Your CI already produces the SBOM; DevRadar consumes it. No registry access, no credentials, no egress — which is exactly what makes private-registry coverage work: the SBOM crosses the trust boundary, not your secrets.

Change over time

An SBOM is frozen to an image digest, so the only variable day to day is the scanner's vulnerability database. DevRadar keeps an append-only change log — the delta is the product.

Clean causality

Every change is labeled: a new image, new CVE data, or a scanner change. You can always tell why a finding appeared — and never get paged for a tooling upgrade.

DevRadar Features

Daily rescans, two scanners

Every active SBOM is re-scanned with Grype and Trivy. Running two catches cataloger disagreement instead of overfitting to one tool.

Change log & timeline

Added, resolved, re-rated, and fixed events — per image and across every digest of an image over time.

Risk enrichment

EPSS exploit-probability and CISA KEV (known-exploited) overlays surface what to patch first, not just what's critical.

VEX suppression

Upload an OpenVEX document to mark findings not-affected or fixed. Suppressed findings drop out of your counts and lists.

Severity thresholds

Set a per-account floor (default medium) so the noise stays below the line, and override it per request when you need everything.

Image grouping with tags

Tag SBOMs by team or environment at submission and filter your whole fleet by them.

Insight charts

Fleet severity composition, remediation readiness (what's fixable now), and risk-over-time — all server-rendered, no dashboards to configure.

API-first, CI-native

Everything in the UI is also a tenant-scoped REST API. Submit SBOMs with a dr_ token from any pipeline.

How it works

  1. 1
    Sign in with your email — passwordless, no OAuth app to install.
  2. 2
    Mint an API token for your CI pipeline.
  3. 3
    Submit an SBOM pinned to an image digest (POST /v1/sboms). Syft-generated CycloneDX, all layers, is recommended.
  4. 4
    Watch it change — DevRadar rescans daily. Check the dashboard or pull the change log via the API.

Coming soon

Push & email alerts coming soon

Get notified when an image- or DB-driven change crosses your threshold. The event log that powers it is already built in.

AI delta narratives coming soon

Plain-language summaries of what changed and why it matters, generated from the same change events.

An honest note on trust. DevRadar guarantees determinism (the same SBOM and scanner database always produce the same findings) and clean change causality — not the authenticity of the SBOM itself. A wrong or stale SBOM yields wrong results; verifying signed attestations is reserved for a later release.

Start tracking your exposure

Free to start — no password, no credit card.