Introduction
HarborGuard is a container security platform built around six open-source scanners (Trivy, Grype, Syft, Dockle, OSV-Scanner, Dive) running behind a single ingestion and triage pipeline. Findings from every engine are deduplicated into a single vulnerability row with per-engine attribution preserved, then routed through structured triage states, SLA timers, and compliance evidence packs.
What HarborGuard does
| Capability | What it means in practice |
|---|---|
| Multi-engine scanning | Each scan can run any subset of trivy, grype, syft, dockle, osv, dive. |
| Cross-scanner dedup | Same CVE reported by multiple engines becomes one finding with a sources array. |
| Triage state machine | Open -> Acknowledged -> In Progress -> Fixed / Won't Fix. |
| SLA tracking | Per-severity remediation deadlines, computed independently from the A-D grade. |
| Compliance packs | Evidence exports for SOC 2, PCI-DSS, HIPAA, ISO 27001, NIST 800-53. |
| Sensor model | On-prem agents poll for jobs and ship results back so images never leave your network. |
| API + CI/CD | POST /api/scans with an API key; gate deploys on the returned grade. |
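The cross-scanner dedup described in the introduction and in the table above, as an added illustration rather than HarborGuard's own code: per-engine findings are merged on (CVE, package, version) into one row that keeps a `sources` array with each engine's attribution. The input shape, the sample CVE ids and the "highest severity wins" rule are assumptions made for this example.

```python
# Constructed sample findings, one list per engine, in a simplified
# normalised shape (an assumption; not HarborGuard's real scanner output).
# The CVE ids are placeholders, not real advisories.
RAW_FINDINGS = {
    "trivy": [
        {"cve": "CVE-2023-0001", "pkg": "openssl", "version": "1.1.1", "severity": "HIGH"},
        {"cve": "CVE-2023-0002", "pkg": "zlib", "version": "1.2.11", "severity": "MEDIUM"},
    ],
    "grype": [
        {"cve": "CVE-2023-0001", "pkg": "openssl", "version": "1.1.1", "severity": "CRITICAL"},
    ],
    "osv": [
        {"cve": "CVE-2023-0001", "pkg": "openssl", "version": "1.1.1", "severity": "HIGH"},
        {"cve": "CVE-2023-0003", "pkg": "curl", "version": "7.80.0", "severity": "LOW"},
    ],
}

SEVERITY_RANK = {"LOW": 1, "MEDIUM": 2, "HIGH": 3, "CRITICAL": 4}


def dedup_findings(raw):
    """Merge per-engine findings keyed on (CVE, package, version).

    Each merged row keeps a `sources` list with one entry per engine that
    reported it, so engine attribution survives, and carries the highest
    severity any engine assigned (a conservative choice for triage when
    engines disagree, as trivy and grype do for CVE-2023-0001 above).
    """
    merged = {}
    for engine, findings in raw.items():
        for f in findings:
            key = (f["cve"], f["pkg"], f["version"])
            row = merged.setdefault(key, {
                "cve": f["cve"], "pkg": f["pkg"], "version": f["version"],
                "severity": f["severity"], "sources": [],
            })
            row["sources"].append({"engine": engine, "severity": f["severity"]})
            if SEVERITY_RANK[f["severity"]] > SEVERITY_RANK[row["severity"]]:
                row["severity"] = f["severity"]
    # Highest severity first, then CVE id, for a stable triage order.
    return sorted(merged.values(),
                  key=lambda r: (-SEVERITY_RANK[r["severity"]], r["cve"]))


if __name__ == "__main__":
    for row in dedup_findings(RAW_FINDINGS):
        engines = ",".join(s["engine"] for s in row["sources"])
        print(f'{row["cve"]} {row["pkg"]}@{row["version"]} {row["severity"]} [{engines}]')
```

Five raw findings collapse to three rows; the openssl row lists all three engines and inherits grype's CRITICAL rating while each engine's own rating stays visible in `sources`.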
Who it is for
- DevSecOps and platform teams who need a single source of truth across many registries instead of one CLI per scanner.
- Compliance and audit teams who need exportable evidence with stable mappings to controls.
- Security engineers doing day-to-day triage who need a real workflow on top of raw scanner JSON.
Where to go next
Quickstart
Sign up, connect Docker Hub, and run your first scan in minutes.
Core Concepts
Terminology used everywhere else in the HarborGuard documentation.
How Scanning Works
Architecture of the multi-engine scan pipeline end to end.
Sensor Architecture
Run scans on your own infrastructure without sending image bytes.