Quickstart

This walks through the five-minute happy path: account, registry, scan, result.

Create an account

Sign up at harborguard.co. The first user becomes the owner of a fresh organization. Invite teammates from Settings -> Members once you are in.

Connect a registry

Go to Dashboard -> Registries -> Add Registry, pick Docker Hub, and enter:

Field          Example
Name           dockerhub-prod
Username       your Docker Hub username
Access token   a Docker Hub personal access token with Read scope
Namespace      library for public images, or your own org

Credentials are encrypted at rest with AES-256-GCM envelope encryption before the row hits Postgres. Click Test connection to verify, then Save.

HarborGuard will start cataloging images on the next sync. Public images like library/nginx are visible immediately.

Run your first scan

From the registry detail page click Scan on any tag (e.g. nginx:1.25). Pick one or more scanners; for a fast first run, trivy and syft are enough.

The equivalent API call (create an API key under Settings -> API Keys and export it as HG_API_KEY rather than pasting it into the command line):

curl -X POST https://harborguard.co/api/scans \
  -H "x-api-key: $HG_API_KEY" \
  -H "content-type: application/json" \
  -d '{
    "image": "docker.io/library/nginx:1.25",
    "scanners": ["trivy", "syft"]
  }'

Response (HTTP 202):

{
  "scanId": "scan-lq8a4f2x-9k3p1m",
  "status": "PENDING",
  "message": "Scan queued for execution",
  "url": "/dashboard/scans/scan-lq8a4f2x-9k3p1m"
}

Watch the scan run

Poll status:

curl https://harborguard.co/api/scans/scan-lq8a4f2x-9k3p1m \
  -H "x-api-key: $HG_API_KEY"

Status transitions: PENDING -> IN_PROGRESS -> COMPLETED (or FAILED). A typical multi-engine scan of a 200 MB image finishes in 30-90 seconds.
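The submit-then-poll loop above, as a small client you could drop into a pipeline. This is an added example for this quickstart, not HarborGuard's own SDK. It uses only what the page shows (the x-api-key header, POST /api/scans returning 202 with a scanId, GET /api/scans/{id}) plus one assumption: that the GET response is JSON with a top-level "status" field holding PENDING, IN_PROGRESS, COMPLETED or FAILED. The FakeHarborGuard class is a constructed stand-in so the example runs offline; against the real service, set HG_API_KEY and call run_quickstart() with the defaults.

```python
"""Submit a HarborGuard scan and poll it to a terminal state (added example)."""
import json
import os
import time
import urllib.parse
import urllib.request
from typing import Callable, Dict, List, Optional, Tuple

# A transport is any callable (url, method, headers, body) -> (http_status, json_dict).
# Injecting it keeps the polling logic testable without network access.
Fetch = Callable[[str, str, Dict[str, str], Optional[bytes]], Tuple[int, dict]]

TERMINAL_STATES = {"COMPLETED", "FAILED"}
ACTIVE_STATES = {"PENDING", "IN_PROGRESS"}


def http_fetch(url: str, method: str, headers: Dict[str, str], body: Optional[bytes]) -> Tuple[int, dict]:
    """Real transport: one HTTPS request with the JSON body decoded. Raises on 4xx/5xx."""
    req = urllib.request.Request(url, data=body, method=method, headers=headers)
    with urllib.request.urlopen(req, timeout=30) as resp:
        return resp.status, json.loads(resp.read().decode("utf-8"))


def submit_scan(base_url: str, api_key: str, image: str, scanners: List[str],
                fetch: Fetch = http_fetch) -> str:
    """POST /api/scans and return the scanId. The page documents HTTP 202 on success."""
    status, payload = fetch(
        f"{base_url}/api/scans", "POST",
        {"x-api-key": api_key, "content-type": "application/json"},
        json.dumps({"image": image, "scanners": scanners}).encode("utf-8"),
    )
    if status != 202:
        raise RuntimeError(f"unexpected HTTP {status} when submitting scan")
    scan_id = payload.get("scanId")
    if not isinstance(scan_id, str) or not scan_id:
        raise RuntimeError("scan response carried no scanId")
    return scan_id


def wait_for_scan(base_url: str, api_key: str, scan_id: str, fetch: Fetch = http_fetch,
                  poll_interval: float = 5.0, timeout: float = 600.0,
                  sleep: Callable[[float], None] = time.sleep,
                  clock: Callable[[], float] = time.monotonic) -> str:
    """Poll GET /api/scans/{id} until COMPLETED or FAILED and return that final status.

    ASSUMPTION: the status response is JSON with a top-level "status" field.
    The id came off the wire, so it is URL-quoted before being placed in the path.
    """
    url = f"{base_url}/api/scans/{urllib.parse.quote(scan_id, safe='')}"
    deadline = clock() + timeout
    while True:
        status, payload = fetch(url, "GET", {"x-api-key": api_key}, None)
        if status != 200:
            raise RuntimeError(f"unexpected HTTP {status} when polling {scan_id}")
        state = payload.get("status")
        if state in TERMINAL_STATES:
            return state
        if state not in ACTIVE_STATES:
            raise RuntimeError(f"unknown scan status {state!r}")
        if clock() >= deadline:
            raise TimeoutError(f"scan {scan_id} still {state} after {timeout}s")
        sleep(poll_interval)


def run_quickstart(image: str = "docker.io/library/nginx:1.25", scanners=("trivy", "syft"),
                   base_url: str = "https://harborguard.co", api_key: Optional[str] = None,
                   fetch: Fetch = http_fetch, sleep: Callable[[float], None] = time.sleep) -> Tuple[str, str]:
    """The page's happy path: submit, then block until the scan is terminal."""
    api_key = api_key or os.environ["HG_API_KEY"]  # read from the environment, never hardcoded
    scan_id = submit_scan(base_url, api_key, image, list(scanners), fetch)
    return scan_id, wait_for_scan(base_url, api_key, scan_id, fetch, sleep=sleep)


class FakeHarborGuard:
    """Constructed offline stand-in for the API; replays PENDING -> IN_PROGRESS -> final."""

    def __init__(self, transitions=("PENDING", "IN_PROGRESS", "COMPLETED"),
                 scan_id: str = "scan-lq8a4f2x-9k3p1m", api_key: str = "hg_test_key"):
        self.scan_id, self.api_key = scan_id, api_key
        self._states = iter(transitions)
        self._last: Optional[str] = None
        self.calls = 0

    def __call__(self, url: str, method: str, headers: Dict[str, str], body: Optional[bytes]) -> Tuple[int, dict]:
        self.calls += 1
        if headers.get("x-api-key") != self.api_key:
            return 401, {"error": "unauthorized"}
        if method == "POST":
            if not json.loads(body).get("scanners"):
                return 400, {"error": "no scanners requested"}
            return 202, {"scanId": self.scan_id, "status": "PENDING",
                         "message": "Scan queued for execution",
                         "url": f"/dashboard/scans/{self.scan_id}"}
        self._last = next(self._states, self._last)  # hold at the last state once exhausted
        return 200, {"scanId": self.scan_id, "status": self._last}


if __name__ == "__main__":
    # Offline demo against the fake; with HG_API_KEY exported, run_quickstart() alone hits the service.
    print(run_quickstart(api_key="hg_test_key", fetch=FakeHarborGuard(), sleep=lambda s: None))
```

Two things worth keeping when you adapt this: treat FAILED as a terminal result and not as an error to retry blindly, and keep the deadline, since a queued scan that never leaves PENDING would otherwise hang a CI job indefinitely.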

Read the results

Open the scan detail page. You will see:

  • Compliance grade (A-D) - quick deployment-gate signal. See Grades.
  • Findings - vulnerabilities grouped by severity, each with a sources list showing which engines flagged it.
  • Packages - the SBOM produced by Syft.
  • Layers - layer-by-layer file changes from Dive.
  • Logs - raw scanner stdout for debugging.

From here, triage individual findings, set SLA policy in Settings -> Compliance Policy, or wire scans into CI (CI/CD).