Everything that happens after the scan.

Trivy and Grype find your CVEs, then the JSON scrolls off the terminal and nobody tracks what got fixed. Ephor is the open-source layer that comes next: a dashboard, triage workflow, and remediation tracking for Kubernetes vulnerabilities. Self-hosted: your scan data never leaves your cluster.

The Ephor dashboard — severity breakdown, triage queue, remediation status.

Between free scanners and six-figure platforms

CLI tools find vulnerabilities. Enterprise platforms manage them — at $50,000 to $500,000 per year. Between them: nothing. Until now.

CLI Scanners: Free

Trivy, Grype, Syft

  • Find vulnerabilities
  • No management UI
  • No triage workflow
  • No remediation tracking

Ephor (Open Source): Free

Self-hosted, unlimited

  • Find vulnerabilities
  • Full dashboard & search
  • Triage workflows
  • Remediation tracking

Enterprise Platforms: $50K–$500K/yr

Prisma Cloud, Wiz, Aqua

  • Find vulnerabilities
  • Full platform
  • Compliance tooling
  • Vendor lock-in

Catch a vulnerable package before your next scan finds it

Ephor keeps an index of every package in every image SBOM it has seen. When a critical CVE shows up in one image, Ephor checks the exact same package and version against the rest of your fleet and flags the images carrying it that nobody has scanned yet. You learn a vulnerable dependency is spreading on its way in, not a scan cycle later.
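
The cross-image lookup described above can be sketched as an inverted index over SBOM packages. This is an added illustration, not Ephor's own code: the data shapes, the image names, the `(ecosystem, name, version)` key and the `CRITICAL` severity string are assumptions, and the CVE id is a placeholder.

```python
from collections import defaultdict

# Constructed sample SBOM data: image reference -> packages as (ecosystem, name, version).
SBOMS = {
    "registry.example/shop/api:1.4.0": [("deb", "openssl", "3.0.7"), ("pypi", "requests", "2.31.0")],
    "registry.example/shop/worker:2.1.0": [("deb", "openssl", "3.0.7"), ("deb", "zlib", "1.2.13")],
    "registry.example/shop/web:0.9.2": [("deb", "openssl", "3.0.11"), ("npm", "requests", "2.31.0")],
    "registry.example/ops/cron:3.0.1": [("deb", "openssl", "3.0.7")],
}
# Images whose scan results have already been ingested (constructed).
SCANNED = {"registry.example/shop/api:1.4.0", "registry.example/ops/cron:3.0.1"}


def build_index(sboms):
    """Inverted index: (ecosystem, name, version) -> set of images carrying it."""
    index = defaultdict(set)
    for image, packages in sboms.items():
        for pkg in packages:
            index[pkg].add(image)
    return index


def prescan_alerts(index, finding, scanned):
    """Return unscanned images that carry the exact package version in a critical finding."""
    if finding["severity"] != "CRITICAL":
        return []
    # Keying on the ecosystem keeps same-named packages (deb vs npm) from colliding.
    key = (finding["ecosystem"], finding["package"], finding["version"])
    carriers = index.get(key, set())
    # Skip the reporting image and anything already scanned: those have their own results.
    return sorted(carriers - scanned - {finding["image"]})


if __name__ == "__main__":
    # Constructed finding; the CVE id is a placeholder, not a real identifier.
    finding = {"cve": "CVE-XXXX-NNNNN", "severity": "CRITICAL",
               "image": "registry.example/shop/api:1.4.0",
               "ecosystem": "deb", "package": "openssl", "version": "3.0.7"}
    for image in prescan_alerts(build_index(SBOMS), finding, SCANNED):
        print(f"{finding['cve']}: {image} carries {finding['package']} "
              f"{finding['version']} (not yet scanned)")
```

Only the exact version matches: the image carrying openssl 3.0.11 is not flagged, and neither is one that has already been scanned.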

Scan, triage, track, fix. In one place.

Unified Dashboard

Severity breakdowns and trend charts across every cluster, namespace, and workload. One screen, full picture.

Vulnerability Search

Filter by image, namespace, cluster, or severity. Get from 10,000 CVEs to the five that matter.

Triage Workflows

Assign, track, and manage vulnerability status with comments and full audit trails.

Escalation Management

Flag critical findings and route them to the team that owns the workload.

Remediation Tracking

Track fixes against SLAs. Measure remediation progress, not just vulnerability counts.

Automated Discovery

The Ephor Scanner discovers Kubernetes workloads and scans container images automatically using Trivy.

No VC. No vendor cloud. No strings.

No Strings Attached

No venture capital. No investor pressure to enshittify the product. No exit strategy. Just the tooling.

Your Infrastructure, Your Data

Self-hosted by default. Your vulnerability data never leaves your infrastructure. No SaaS dependency, no third-party access, no data residency concerns.

No Phone Home

No telemetry, no analytics, no usage tracking. Ephor doesn't call out to anyone. The only traffic is the scanner shipping results to your own API, inside your own cluster.

Genuine Open Source

Licensed under AGPL v3 — an OSI-approved open-source license. Not BSL. Not SSPL. No bait-and-switch. Inspect every line. Fork if you want. This is real open source.

Stop managing CVEs in spreadsheets.

Ephor is free and self-hosted. Deploy with Helm, point the scanner at your cluster, done.