About
We build the security tool we wished existed.
HarborGuard was built by container teams who'd lived the same problem in production: every scanner finds something different, none of them produce evidence auditors will accept, and patching means hand-rolling base image rebuilds at 2 AM. We built the platform we wanted — one workflow, one source of evidence, one click to ship a patched image.
Our principles
Open source first
Every scanner we ship is open source. The product itself is licensed AGPL-3.0. If you can self-host the open source, you can self-audit it.
Evidence over alerts
A scanner that yells about CVEs nobody can fix is worse than no scanner. Findings are useless without context: who introduced the package, when, and what the SLA is. We build for triage, not for noise.
Compliance is a side effect
If you ship containers responsibly, your compliance evidence should be a one-click export, not a six-week project. We treat your SOC 2 and FedRAMP evidence as outputs of normal operation, not a separate audit-prep sprint.
No vendor moat for vulnerabilities
Vulnerability data should not be a paid moat. We ship with NVD, OSV, KEV, and EPSS integrations and never gate severity ratings behind a higher tier.