CVE Radar exposes Prometheus metrics at GET /metrics (root path, not under /api).
| Variable | Default | Description |
|---|---|---|
METRICS_ENABLED |
true |
Set false to disable the endpoint (404) |
METRICS_PROTECT |
false |
Set true to require API_SECRET (X-Api-Key or Bearer) on /metrics |
For in-cluster scraping, leave METRICS_PROTECT off and restrict access with NetworkPolicy. For internet-facing hosts, set METRICS_PROTECT=true or scrape via authenticated reverse proxy.
| Metric | Type | Labels | Description |
|---|---|---|---|
cve_radar_scans_total |
counter | mode, status |
Scan/watch requests (status: success, partial, failure) |
cve_radar_vulns_found |
gauge | severity, source |
Counts from the last successful scan (no CVE IDs in labels) |
cve_radar_scan_duration_seconds |
histogram | mode |
Scan/watch duration |
cve_radar_source_reachable |
gauge | source |
1 if upstream reachable (sourceHealth.ts) |
cve_radar_cache_entries_total |
gauge | — | Cache size (memory or Redis) |
Implementation: server/lib/metrics.ts. Metrics update from scan handlers and refresh source/cache gauges on each scrape.
Pairs with the Kubernetes section in chapter 11. Example for Prometheus Operator:
apiVersion: monitoring.coreos.com/v1
kind: ServiceMonitor
metadata:
name: cve-radar
labels:
release: prometheus
spec:
selector:
matchLabels:
app.kubernetes.io/name: cve-radar
endpoints:
- port: http
path: /metrics
interval: 30s
scheme: http
# When METRICS_PROTECT=true, add bearerTokenSecret or basicAuth herePlain Prometheus scrape_configs:
scrape_configs:
- job_name: cve-radar
metrics_path: /metrics
static_configs:
- targets: ["cve-radar:3001"]Import grafana/cve-radar-dashboard.json — panels for severity time series, scan success rate, source reachability, and CRITICAL stat with example alert threshold.
# Scan success rate (5m)
sum(rate(cve_radar_scans_total{status="success"}[5m]))
/ sum(rate(cve_radar_scans_total[5m]))
# CRITICAL vulns from last scan
sum(cve_radar_vulns_found{severity="CRITICAL"})
# p95 scan duration
histogram_quantile(0.95, sum(rate(cve_radar_scan_duration_seconds_bucket[5m])) by (le, mode))