
CVE Radar

Multi-source CVE and vulnerability monitoring for your infrastructure stack. One container serves the web UI and JSON API on port 3001. Uses free public feeds only — no commercial threat-intel APIs required.


Quick start

docker pull raminnietzsche/cve-radar:latest
docker run --rm -p 3001:3001 --name cve-radar raminnietzsche/cve-radar:latest

Open http://localhost:3001 — complete the first-run setup wizard, add your stack (e.g. Redis, HAProxy, Nginx), then run a full scan.

Docker Compose

curl -O https://raw.githubusercontent.com/RaminNietzsche/CVE-Radar/main/docker-compose.hub.yml
curl -O https://raw.githubusercontent.com/RaminNietzsche/CVE-Radar/main/.env.example
cp .env.example .env   # optional: NVD_API_KEY, GITHUB_TOKEN
docker compose -f docker-compose.hub.yml up -d

Image tags

| Tag | When to use |
|---|---|
| latest | Most recent release (updated on each v* tag) |
| 1.1.0 | Pin to a specific release (full semver) |

docker pull raminnietzsche/cve-radar:1.1.0

Releases: GitHub Releases


What is inside

| Component | Details |
|---|---|
| Runtime | Node.js 20 Alpine |
| UI | React 19 + Vite (static dist/) |
| API | Express 5 (/api, /api/v1) |
| Port | 3001 (env PORT) |
| Health | GET /api/health (built-in HEALTHCHECK) |
| User | Runs as non-root node |

Data sources: NVD, OSV, GitHub Advisories, CISA KEV, The Hacker News RSS, TuxCare RSS, optional custom RSS.


Environment variables

Optional — pass with -e or a .env file for Compose:

| Variable | Default | Purpose |
|---|---|---|
| PORT | 3001 | HTTP listen port |
| NVD_API_KEY | | Higher NVD rate limits (request key) |
| GITHUB_TOKEN | | Higher GitHub Advisories rate limit |
| SCAN_DAYS | 60 | Look-back window for feeds |
| TRANSLATE_ENABLED | true | Server-side CVE translation |
| RATE_LIMIT_SCAN_PER_MIN | 12 | App limit for POST /scan per IP/min |
| RATE_LIMIT_WATCH_PER_MIN | 120 | App limit for POST /watch per IP/min |
| SCAN_TIMEOUT_MS | | Abort long scan/watch requests |

Example with NVD key:

docker run --rm -p 3001:3001 \
  -e NVD_API_KEY=your-nvd-key \
  raminnietzsche/cve-radar:1.1.0

Browser state (stack, settings, scan cache) stays in client localStorage — not in the container.


API (same origin as UI)

| Method | Path | Description |
|---|---|---|
| GET | /api/health | Version, liveness, configured sources |
| GET | /api/openapi.json | OpenAPI 3.1 spec |
| POST | /api/scan | Full vulnerability scan |
| POST | /api/watch | Lightweight poll (no NVD) |
| POST | /api/scan/validate | Validate stack (not rate-limited) |

Security notes

  • Intended for trusted networks or behind a reverse proxy with TLS.
  • Do not expose port 3001 to the public internet without access control.
  • Keep NVD_API_KEY and GITHUB_TOKEN in env/secrets only — never in the image.
  • Aggregates public CVE feeds; validate with vendor advisories before patching.
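One way to satisfy the first two notes above, as an added example that is not part of the CVE Radar project: an nginx reverse proxy that terminates TLS and requires HTTP basic auth, with the container published on loopback only. The hostname, certificate paths, htpasswd file and monitoring CIDR are placeholders.

```nginx
# Added example (not from the CVE Radar repo). Start the container bound to
# loopback so only this proxy can reach port 3001:
#   docker run --rm -p 127.0.0.1:3001:3001 raminnietzsche/cve-radar:1.1.0

server {
    listen 80;
    server_name cve-radar.example.internal;   # placeholder hostname
    return 301 https://$host$request_uri;     # never serve the UI over plain HTTP
}

server {
    listen 443 ssl;
    server_name cve-radar.example.internal;   # placeholder hostname

    ssl_certificate     /etc/nginx/tls/cve-radar.crt;   # placeholder paths
    ssl_certificate_key /etc/nginx/tls/cve-radar.key;
    ssl_protocols       TLSv1.2 TLSv1.3;

    # Access control for the UI and the API: basic auth on everything.
    auth_basic           "CVE Radar";
    auth_basic_user_file /etc/nginx/cve-radar.htpasswd;   # placeholder path

    # Liveness probe: no credentials, but only from the monitoring network.
    location = /api/health {
        auth_basic off;
        allow 10.0.0.0/8;        # placeholder: your monitoring CIDR
        deny  all;
        proxy_pass http://127.0.0.1:3001;
    }

    location / {
        proxy_pass         http://127.0.0.1:3001;
        proxy_http_version 1.1;
        proxy_set_header   Host              $host;
        proxy_set_header   X-Real-IP         $remote_addr;
        proxy_set_header   X-Forwarded-For   $proxy_add_x_forwarded_for;
        proxy_set_header   X-Forwarded-Proto $scheme;
        # Full scans can run long; keep this at or above SCAN_TIMEOUT_MS.
        proxy_read_timeout 300s;
    }
}
```

Behind a proxy the app's per-IP limits (RATE_LIMIT_SCAN_PER_MIN, RATE_LIMIT_WATCH_PER_MIN) see the proxy's address unless the app trusts the forwarded headers, which this README does not state; if that matters, enforce a request limit at the proxy as well.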

Build info

Images are built from the Dockerfile on git tags v* via GitHub Actions (not on every main push).

Labels (OCI): org.opencontainers.image.source, org.opencontainers.image.licenses=MIT


Support

Issues and feature requests: GitHub Issues

Security reports: Private advisory