Multi-source CVE and vulnerability monitoring for your infrastructure stack. One container serves the web UI and JSON API on port 3001. Uses free public feeds only — no commercial threat-intel APIs required.
- GitHub: RaminNietzsche/CVE-Radar
- Documentation: Extended docs
- License: MIT
```bash
docker pull raminnietzsche/cve-radar:latest
docker run --rm -p 3001:3001 --name cve-radar raminnietzsche/cve-radar:latest
```

Open http://localhost:3001, complete the first-run setup wizard, add your stack (e.g. Redis, HAProxy, Nginx), then run a full scan.
```bash
curl -O https://raw.githubusercontent.com/RaminNietzsche/CVE-Radar/main/docker-compose.hub.yml
curl -O https://raw.githubusercontent.com/RaminNietzsche/CVE-Radar/main/.env.example
cp .env.example .env   # optional: set NVD_API_KEY, GITHUB_TOKEN
docker compose -f docker-compose.hub.yml up -d
```

| Tag | When to use |
|---|---|
| `latest` | Most recent release (updated on each `v*` tag) |
| `1.1.0` | Pin to a specific release (full semver) |

```bash
docker pull raminnietzsche/cve-radar:1.1.0
```

Releases: GitHub Releases
| Component | Details |
|---|---|
| Runtime | Node.js 20 Alpine |
| UI | React 19 + Vite (static dist/) |
| API | Express 5 (/api, /api/v1) |
| Port | 3001 (env PORT) |
| Health | GET /api/health (built-in HEALTHCHECK) |
| User | Runs as non-root node |
Data sources: NVD, OSV, GitHub Advisories, CISA KEV, The Hacker News RSS, TuxCare RSS, optional custom RSS.
All optional. Pass them with `docker run -e`, or via the `.env` file when using Compose:
| Variable | Default | Purpose |
|---|---|---|
| `PORT` | `3001` | HTTP listen port |
| `NVD_API_KEY` | (unset) | Higher NVD rate limits (request a key from NVD) |
| `GITHUB_TOKEN` | (unset) | Higher GitHub Advisories rate limit |
| `SCAN_DAYS` | `60` | Look-back window for feeds, in days |
| `TRANSLATE_ENABLED` | `true` | Server-side CVE translation |
| `RATE_LIMIT_SCAN_PER_MIN` | `12` | Application-level limit on `POST /api/scan` requests per client IP per minute |
| `RATE_LIMIT_WATCH_PER_MIN` | `120` | Application-level limit on `POST /api/watch` requests per client IP per minute |
| `SCAN_TIMEOUT_MS` | (unset) | Abort scan/watch requests that run longer than this many milliseconds |
Example with an NVD key:

```bash
docker run --rm -p 3001:3001 \
  -e NVD_API_KEY=your-nvd-key \
  raminnietzsche/cve-radar:1.1.0
```

Browser state (stack, settings, scan cache) stays in the client's localStorage, not in the container, so no volume is needed; the data is lost if the browser's storage is cleared.
| Method | Path | Description |
|---|---|---|
| GET | `/api/health` | Version, liveness, configured sources |
| GET | `/api/openapi.json` | OpenAPI 3.1 spec |
| POST | `/api/scan` | Full vulnerability scan |
| POST | `/api/watch` | Lightweight poll (no NVD) |
| POST | `/api/scan/validate` | Validate stack (not rate-limited) |
- Intended for trusted networks, or for deployment behind a reverse proxy that terminates TLS.
- Do not expose port 3001 to the public internet without access control.
- Keep `NVD_API_KEY` and `GITHUB_TOKEN` in environment variables or a secrets store only; never bake them into the image.
- The tool aggregates public CVE feeds; validate findings against vendor advisories before patching.
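One way to satisfy the two deployment notes above (TLS in front, no direct exposure of port 3001). This is an added example, not configuration shipped by the CVE-Radar project: an nginx server block that terminates TLS, requires HTTP basic auth, restricts clients to an internal range, and proxies to the container. It assumes the container is published only on loopback (`docker run -p 127.0.0.1:3001:3001 ...`), a certificate pair under `/etc/nginx/tls/`, an htpasswd file at `/etc/nginx/cve-radar.htpasswd`, the hostname `cve-radar.example.internal` and the range `10.0.0.0/8`; all of these are placeholders to adapt.

```nginx
# Added example, not CVE-Radar's own config. Assumed paths and names:
# certificate pair under /etc/nginx/tls/, htpasswd at /etc/nginx/cve-radar.htpasswd,
# hostname cve-radar.example.internal, internal range 10.0.0.0/8.

# Redirect plain HTTP to HTTPS so credentials never travel in the clear.
server {
    listen 80;
    server_name cve-radar.example.internal;
    return 301 https://$host$request_uri;
}

server {
    listen 443 ssl;
    server_name cve-radar.example.internal;

    ssl_certificate     /etc/nginx/tls/cve-radar.crt;
    ssl_certificate_key /etc/nginx/tls/cve-radar.key;
    ssl_protocols       TLSv1.2 TLSv1.3;

    # Access control: basic auth (only meaningful over TLS) plus a network allow-list.
    auth_basic           "CVE-Radar";
    auth_basic_user_file /etc/nginx/cve-radar.htpasswd;
    allow 10.0.0.0/8;
    deny  all;

    # Let monitoring on the allowed network probe liveness without credentials.
    # /api/health also reports the version, so the allow-list above still applies here.
    location = /api/health {
        auth_basic off;
        proxy_pass http://127.0.0.1:3001;
    }

    location / {
        # The container is bound to loopback, so only this proxy can reach it.
        proxy_pass http://127.0.0.1:3001;
        proxy_set_header Host              $host;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
        proxy_set_header X-Real-IP         $remote_addr;
        # Full scans can run long; keep this in line with SCAN_TIMEOUT_MS if you set it.
        proxy_read_timeout 300s;
    }
}
```

Create the password file with `htpasswd -c /etc/nginx/cve-radar.htpasswd <user>` (from apache2-utils or httpd-tools). One caveat: the page does not say whether the app enables Express's `trust proxy` setting, so the per-IP limits (`RATE_LIMIT_SCAN_PER_MIN`, `RATE_LIMIT_WATCH_PER_MIN`) may key on the proxy's address rather than `X-Forwarded-For`; in that case all users share one bucket, which is the more conservative outcome and not a security problem.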
Images are built from the Dockerfile on git tags v* via GitHub Actions (not on every main push).
Labels (OCI): org.opencontainers.image.source, org.opencontainers.image.licenses=MIT
Issues and feature requests: GitHub Issues
Security reports: Private advisory