Automatic CVE Triage & Image Patching

Triage CVEs Automatically.
Ship Patched Images.

HarborGuard goes beyond scanning. Automatic CVE triage surfaces what actually needs action, and automatic container image patching ships a fixed image without a full rebuild — all behind one dashboard.

AUTO CVE TRIAGE
IMAGE PATCHING
VULNERABILITY SCANNING
COMPLIANCE REPORTING

Compliance Frameworks

  • SOC 2 Type II
  • PCI-DSS v4.0
  • NIST SP 800-53 Rev 5
  • HIPAA Security Rule
  • FedRAMP Moderate
  • ISO/IEC 27001:2022
  • CMMC Level 2
  • CIS Docker Benchmark

AUTOMATIC CVE TRIAGE

CVE Noise, Eliminated.

Most scanners hand you a list and walk away. HarborGuard's automatic CVE triage watches every scan and every new CVE advisory, then opens prioritized triage runs so your team works the risks that matter — not the ones that don't.

  • Auto-triage triggered on scan completion and new CVE alerts
  • Configurable minimum severity threshold per org
  • SLA tracking with breach notifications
  • False-positive attestations with immutable audit trail
  • CVE Watch monitors NVD, OSV, GitHub, and CISA KEV
Deep dive: Automated CVE Triage
Auto-Triage Run

  • CVE-2024-6197 · curl 8.6.0 · OPEN — SLA 3d
  • CVE-2024-5535 · openssl 3.2.1 · OPEN — SLA 7d
  • CVE-2024-3596 · freeradius 3.0 · ATTESTED FP

Triggered by CVE Watch · scan_auto
Patch Operation
  • Source image: myapp:v1.4.2
  • Patched image: myapp:v1.4.2-patched
  • CVEs fixed: 4 critical / 7 high
  • Status: SUCCESS

AUTOMATIC IMAGE PATCHING

Fix the Image. Skip the Rebuild.

HarborGuard patches container images in place — no Dockerfile rewrite, no CI pipeline change. The patched image is pushed back to your registry ready to deploy.

  • Patches pushed directly to your registry
  • Cloud-dispatch: runs in an isolated ephemeral cloud worker
  • Full audit trail per patch operation
Deep dive: Container Image Patching
DEEP SCANNING

Six Scanners. One Workflow.

Run Trivy, Grype, Syft, Dockle, OSV-Scanner, and Dive against any image from any registry. HarborGuard deduplicates findings across scanners and attributes each CVE to the tool that found it.

  • Trivy + Grype vulnerability detection
  • Syft SBOM generation (SPDX & CycloneDX)
  • Dockle CIS benchmark grading
  • Dive layer-by-layer image inspection
  • OSV open-source vulnerability matching
Deep dive: Container Vulnerability Scanning
Scan Results
  • CVE-2024-6197 · openssl · Critical
  • CVE-2024-5535 · openssl · High
  • CVE-2024-3596 · openssl · Medium

Trivy: 12 findings · Grype: 9 findings · 3 unique

Connected Registries
  • Docker Hub: Connected
  • AWS ECR: Connected
  • GitHub GHCR: Connected
  • Harbor: Connected
  • Azure ACR: Connected
+ 6 more supported providers
REGISTRY SUPPORT

Every Registry. One Pane of Glass.

Connect Docker Hub, ECR, GCR, ACR, GHCR, GitLab, Harbor, JFrog, Quay, Nexus, or any OCI-compliant registry. Schedule scans, filter by tag patterns, and monitor sync health.

  • 11 registry providers including custom OCI
  • Scheduled and on-push scanning
  • Tag pattern filtering (include/exclude)
  • Real-time sync and connection health
CVE INTELLIGENCE

Monitor. Auto-Triage. Attest.

CVE Watch continuously monitors NVD, OSV, GitHub Security Advisories, and CISA KEV for new vulnerabilities affecting your packages. When a match is found, automatic CVE triage opens a prioritized run — no manual queue-building required.

  • 4 CVE sources aggregated and deduplicated
  • Automatic CVE triage on new advisories
  • SLA tracking with breach notifications
  • False-positive attestations with audit trail
CVE Watch Alerts

  • CVE-2024-6197 · curl 8.6.0 · CRITICAL
  • CVE-2024-5535 · openssl 3.2.1 · HIGH
  • CVE-2024-3596 · freeradius 3.0 · HIGH

Slack + PagerDuty notified
Compliance Frameworks
SOC 2 Type II
PCI-DSS v4.0
NIST SP 800-53 Rev 5
HIPAA Security Rule
FedRAMP Moderate
ISO/IEC 27001:2022
CMMC Level 2
CIS Docker Benchmark
+ Custom framework support
COMPLIANCE ENGINE

Audit-Ready Evidence. Always.

Generate control-mapped compliance packs for SOC 2, PCI-DSS, NIST 800-53, HIPAA Security Rule, FedRAMP Moderate, ISO 27001, CMMC, and CIS Docker Benchmark. Build custom reports with the visual report builder, schedule recurring generation, and export evidence packs on demand.

  • 10 compliance frameworks out of the box
  • Visual report builder with custom sections
  • SLA tracking and MTTR metrics
  • Immutable audit log for every action
  • Scheduled report generation
Deep dive: Compliance Audit Engine
BUILT FOR TEAMS

Enterprise-Grade from Day One

RBAC & Teams

Owner, admin, developer, auditor, and viewer roles. Organize members into teams scoped to specific registries.

SSO & SCIM

SAML, OIDC, and LDAP single sign-on. SCIM provisioning with automated role mapping from your identity provider.

Notifications

Route alerts to Slack, email, PagerDuty, or custom webhooks. Configure per-severity thresholds and digest schedules.

API & CI/CD

Full REST API with scoped API keys and personal access tokens. Trigger scans from your CI pipeline.

SBOM & Dependencies

Aggregate SBOMs across all images. Track package versions, licenses, and vulnerability exposure in one view.

Layer Analysis

Inspect image layers, compare consecutive layer diffs, and identify which layer introduced a vulnerability.

Dashboard & Metrics

Customizable dashboard with compliance posture, severity trends, scan coverage, and mean-time-to-remediate KPIs.

Cloud Sensors

Deploy lightweight scan sensors via Docker or Kubernetes. Scans run in your infrastructure, results report back.

PRICING

Open Source Core. Enterprise Scale.

Open Source

Free

Self-hosted, full scanner suite

  • All 6 security scanners
  • Vulnerability dashboard
  • SBOM generation
  • Layer analysis
  • Community support
  • AGPL-3.0 License

Enterprise

Custom

Managed platform for organizations

  • Everything in Open Source
  • Automatic CVE triage + SLA tracking
  • Automatic image patching
  • 10 compliance frameworks
  • CVE Watch with real-time alerting
  • SSO / SAML / SCIM
  • RBAC & team management
  • Priority support & SLA
HarborGuard

Continuous container security and vulnerability management for teams that ship containers.

© 2026 HarborGuard. All rights reserved.