
Real-time software supply chain visibility for Kubernetes

Every time a pod starts, StackRadar scans it, generates an SBOM, and surfaces new vulnerabilities in your dashboard. No manual scans. No blind spots between deploys.

  • Open-source scanner
  • Transparent CycloneDX SBOMs
  • 300K+ CVEs from OSV
  • No credit card required
Quick Start

Get your credentials from the dashboard after creating an account.

```bash
# 1. Export your credentials
$ export STACKRADAR_API_KEY=<your-api-key>
$ export STACKRADAR_CLUSTER_ID=<your-cluster-id>

# 2. Install the Helm chart from the OCI registry
$ helm install stackradar-scanner \
    oci://ghcr.io/lockdep/charts/stackradar-scanner \
    --namespace stackradar --create-namespace \
    --set stackradar.apiKey=$STACKRADAR_API_KEY \
    --set stackradar.clusterId=$STACKRADAR_CLUSTER_ID
```

How it works

From helm install to full cluster visibility

[Diagram: pods in the cluster are scanned by the StackRadar Scanner, which uploads SBOMs to api.stackradar.io; the dashboard at app.stackradar.io lists each workload (e.g. nginx, payments, gateway, redis, postgres) with its critical and high vulnerability counts.]
1. Install the scanner

Deploy the StackRadar Helm chart into your Kubernetes cluster. One command, works on EKS, GKE, AKS, or any conformant cluster.

2. Workloads are discovered in real time

The scanner deploys as a long-running Kubernetes agent that watches your cluster for pod changes. New or updated images are detected instantly and queued for scanning — no waiting for a scheduled run.

3. SBOMs are generated

Every container image — including init containers — is analyzed with Syft to produce a full CycloneDX SBOM. OS packages, libraries, runtimes, and transitive dependencies are all captured.

4. Vulnerabilities surface

Components are matched against 300K+ known CVEs from the OSV database. You see results per workload with severity scores and fix versions.
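As an added illustration of steps 3 and 4 (this is example code, not StackRadar's own matcher): a self-contained Python function that takes a CycloneDX component list in the shape Syft emits and checks each component's purl type, name and version against advisories in the OSV record shape, reporting the severity and the version that fixes it. The SBOM, the advisories and their EXAMPLE-* ids are constructed for this example.

```python
import re

# Constructed CycloneDX SBOM fragment in the shape Syft emits; all values are invented.
SBOM = {"bomFormat": "CycloneDX", "specVersion": "1.5", "components": [
    {"type": "library", "name": "lodash", "version": "4.17.20", "purl": "pkg:npm/lodash@4.17.20"},
    {"type": "library", "name": "express", "version": "4.19.2", "purl": "pkg:npm/express@4.19.2"},
    {"type": "library", "name": "openssl", "version": "3.0.8-r0",
     "purl": "pkg:apk/alpine/openssl@3.0.8-r0?arch=x86_64"}]}
def _adv(aid, sev, eco, name, events):
    """Build a record in the OSV schema shape (affected[].package plus ranges[].events)."""
    return {"id": aid, "database_specific": {"severity": sev}, "affected": [{"package":
            {"ecosystem": eco, "name": name}, "ranges": [{"type": "ECOSYSTEM", "events": events}]}]}
# Constructed advisories; EXAMPLE-* ids are placeholders, not real CVEs (OSV's release-qualified names such as "Debian:12" are simplified away).
ADVISORIES = [
    _adv("EXAMPLE-0001", "HIGH", "npm", "lodash", [{"introduced": "0"}, {"fixed": "4.17.21"}]),
    _adv("EXAMPLE-0002", "MODERATE", "npm", "express", [{"introduced": "4.0.0"}, {"fixed": "4.19.0"}]),
    _adv("EXAMPLE-0003", "CRITICAL", "Alpine", "openssl", [{"introduced": "3.0.0"}, {"fixed": "3.0.9-r0"}]),
]
ECOSYSTEMS = {"npm": "npm", "pypi": "PyPI", "golang": "Go", "apk": "Alpine", "deb": "Debian"}  # purl type -> OSV
def _key(version):
    """Order by numeric runs only; a real matcher applies ecosystem-specific version rules."""
    return tuple(int(n) for n in re.findall(r"\d+", version))
def _range_hit(events, v):
    """Walk the ordered introduced/fixed events; return (affected?, first fixed version above v)."""
    affected, fix = False, None
    for ev in events:
        if "introduced" in ev and (ev["introduced"] == "0" or _key(ev["introduced"]) <= v):
            affected = True
        elif "fixed" in ev and _key(ev["fixed"]) <= v:
            affected = False  # a fix at or below v closes the affected range
        elif "fixed" in ev and fix is None:
            fix = ev["fixed"]  # the version to upgrade to
    return affected, fix

def match_sbom(sbom, advisories):
    """One finding per (component, advisory) pair whose version range covers the installed version."""
    findings = []
    for comp in sbom.get("components", []):
        ptype = comp["purl"][len("pkg:"):].split("/", 1)[0]  # purl type, e.g. npm or apk
        pkg, v = {"ecosystem": ECOSYSTEMS.get(ptype), "name": comp["name"]}, _key(comp["version"])
        for adv in advisories:
            for aff in adv["affected"]:
                for rng in (aff.get("ranges", []) if aff["package"] == pkg else []):
                    hit, fix = _range_hit(rng["events"], v)
                    if hit:
                        findings.append({"component": f"{comp['name']}@{comp['version']}", "id": adv["id"],
                                         "severity": adv["database_specific"]["severity"], "fixed_in": fix})
    return findings
```

Run against the constructed data, lodash and openssl are reported with their fix versions while express (already past its fixed version) is not.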

Supply chain security

Signed images

Every release is signed with Sigstore Cosign. Verify before you install.

Digest-pinned

The chart ships with the exact sha256 digest of the image — tag mutation cannot swap what you install.

SLSA provenance

Built in GitHub Actions with provenance attestations stored in GHCR.

Simple pricing

Pay for clusters, not surprises

The scanner is free and open-source. You pay only for the managed dashboard. Start free, upgrade when you need more.

Free

$0

For individuals evaluating or running a single cluster.

  • 1 cluster
  • Scan up to 50 unique images per month
  • Vulnerability scanning
  • Dashboard access
  • Community support

No credit card required

Recommended

Pro

$39/month

For engineers running production workloads who need full visibility.

  • Up to 5 clusters
  • Scan up to 1000 unique images per month
  • Vulnerability scanning
  • Dashboard access
  • 1 year scan history
  • Priority support

Need more? Contact us for custom Enterprise pricing.

FAQ

Common questions

How does the scanner work?
The StackRadar scanner is deployed as a Kubernetes Deployment via a Helm chart. It runs as a long-lived agent that watches your cluster for pod changes in real time — when new or updated images are detected, they are scanned immediately. A full cluster sweep runs every 6 hours by default to catch anything missed. Images are analyzed with Syft to generate CycloneDX SBOMs, which are uploaded to the StackRadar API. Vulnerabilities are then matched server-side against the OSV database.
Does my image data leave the cluster?
The scanner runs inside your cluster and only sends SBOMs (dependency metadata) to StackRadar. Your actual container images and source code never leave your network. The SBOMs contain package names, versions, and licenses — no proprietary code.
Which Kubernetes distributions are supported?
The scanner works on any standard Kubernetes cluster — EKS, GKE, AKS, DigitalOcean Kubernetes, k3s, kind, and self-managed clusters. It uses the standard Kubernetes API and requires only read access to list pods and workloads.
Is the scanner open-source?
Yes. The Helm chart and scanner application are fully open-source. You can inspect the code, modify it, and contribute back. The managed dashboard (where vulnerabilities are displayed and tracked) is the paid service.
Does it support private container registries?
Yes. The scanner automatically reads imagePullSecrets from your pod specs and uses those credentials when pulling images for SBOM generation. This works with any OCI-compliant registry — ECR, GCR, Docker Hub private repos, GitHub Container Registry, and self-hosted registries.
How often does it scan?
The scanner works in two complementary modes: it watches for pod events in real time so new or updated images are scanned as soon as they appear, and it performs a full cluster sweep every 6 hours to ensure nothing is missed. Both intervals are configurable via Helm values. You can also filter which namespaces are scanned using include or exclude lists.
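As an added illustration of the discovery model described above (the real-time watch plus periodic sweep, the namespace include/exclude filters, and the imagePullSecrets lookup), and not the StackRadar scanner's own code: a small Python queue that walks constructed pod objects, init containers included, deduplicates image references, and prefers the digest the kubelet actually pulled over the mutable tag. The pod objects, registry names and secret names are constructed for this example.

```python
# Constructed pod objects in the shape the Kubernetes API returns (only the fields used here).
# status.imageID formatting varies by container runtime; the repo@sha256 form is assumed.
POD_WEB = {"metadata": {"namespace": "payments", "name": "web-7d9f"},
           "spec": {"imagePullSecrets": [{"name": "ecr-creds"}],
                    "initContainers": [{"name": "migrate", "image": "registry.example/payments/migrate:1.8"}],
                    "containers": [{"name": "app", "image": "registry.example/payments/app:1.8"}]},
           "status": {"containerStatuses": [{"name": "app", "image": "registry.example/payments/app:1.8",
                                             "imageID": "registry.example/payments/app@sha256:" + "a1" * 32}]}}
POD_CACHE = {"metadata": {"namespace": "kube-system", "name": "cache-0"},
             "spec": {"containers": [{"name": "redis", "image": "redis:7-alpine"}]}, "status": {}}

def namespace_allowed(ns, include=(), exclude=()):
    """Exclude wins over include; an empty include list means every namespace."""
    return ns not in exclude and (not include or ns in include)

def image_refs(pod):
    """Yield (ref, pull_secrets) for every container, init containers included.
    The digest the kubelet reports (status.imageID) is preferred over the spec tag, because a
    tag such as :1.8 can be re-pointed at a different image after the pod started."""
    spec, status = pod["spec"], pod.get("status", {})
    secrets = tuple(s["name"] for s in spec.get("imagePullSecrets", []))
    running = {cs["name"]: cs.get("imageID") for cs in status.get("containerStatuses", [])}
    running.update({cs["name"]: cs.get("imageID") for cs in status.get("initContainerStatuses", [])})
    for c in spec.get("initContainers", []) + spec.get("containers", []):
        yield running.get(c["name"]) or c["image"], secrets

class ScanQueue:
    """Deduplicates by image reference so ten replicas of one Deployment are scanned once."""
    def __init__(self, include=(), exclude=()):
        self.include, self.exclude, self.seen, self.pending = include, exclude, set(), []
    def on_pod(self, pod):
        """Handle one watch event (ADDED or MODIFIED); returns the refs newly queued."""
        ns = pod["metadata"]["namespace"]
        if not namespace_allowed(ns, self.include, self.exclude):
            return []
        new = []
        for ref, secrets in image_refs(pod):
            if ref not in self.seen:
                self.seen.add(ref)
                self.pending.append({"image": ref, "namespace": ns, "pullSecrets": secrets})
                new.append(ref)
        return new
    def sweep(self, pods):
        """Periodic full re-list (the 6-hour sweep): anything the watch missed gets queued."""
        return [ref for pod in pods for ref in self.on_pod(pod)]
```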
Can I cancel anytime?
Yes. No contracts, no commitments. Cancel from your dashboard with one click. You'll keep access until the end of your billing period. The scanner itself is free and will continue to run in your cluster.