The spreadsheet that started it all
I'm a software engineer working in financial services. I build integration and digitalization services—the kind of work where you're responsible for things other teams built, services you've never touched, running on infrastructure that's constantly evolving.
A while back, I was tasked with reviewing CVEs across our cloud workloads. My setup: a Trivy scanner running on our OpenShift cluster, an Excel spreadsheet to track findings, and a Confluence page to gather context. For services I hadn't implemented, or whose projects I wasn't part of, just figuring out what was actually running, who owned it, and what the remediation path should be was a nightmare. It took far more time than the actual security analysis.
I thought: surely there's a tool for this.
The gap nobody talks about
There is. Sort of.
On one end, you have free CLI scanners—Trivy, Grype, Syft. They're excellent at finding vulnerabilities. They output JSON, you pipe it somewhere, and then... what? You're back to spreadsheets.
On the other end, you have enterprise platforms—Prisma Cloud, Wiz, Aqua, Snyk. They do everything: scanning, management, dashboards, compliance reporting. They also cost $50K–$500K per year and require you to send your infrastructure data to someone else's cloud.
The middle ground—a self-hosted tool that takes scanner output and gives you triage, tracking, and workflow—barely exists. And that middle ground is exactly what most teams actually need.
Why this gap matters more than ever
In 2024–2025, critical CVEs in widely-used base images and libraries led to real-world breaches. Log4Shell, the xz backdoor, compromised Docker Hub images—the list keeps growing.
At the same time, regulatory frameworks are tightening. NIS2 in the EU. DORA for financial services. SOC2 and ISO 27001 for anyone selling to enterprises. These frameworks don't just ask "do you scan for vulnerabilities?" They ask for documented triage processes, remediation timelines, escalation workflows, and audit trails.
Most small and mid-size engineering teams can't drop six figures on a platform for this. So they end up with the same thing I had: a scanner, a spreadsheet, and too many hours of manual work.
So I built Ephor
Ephor is a self-hosted vulnerability management platform for Kubernetes. It's not another scanner—it's everything that comes after scanning.
How it works:
- A lightweight Go agent (CronJob) discovers your Deployments, StatefulSets, DaemonSets, and CronJobs
- It scans all container images via Trivy and reports findings to the Ephor API
- The dashboard gives you unified search across all vulnerabilities, namespaces, and clusters
- You triage, escalate, assign, track remediation, and monitor SLA compliance—all in one place
The stack: Spring Boot API, React dashboard, PostgreSQL. Deploy with Helm. No external dependencies, no phone-home, your data stays on your infrastructure.
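To make the "everything that comes after scanning" step concrete, here is an added example in Python (not Ephor's own code) that takes a Trivy JSON report, turns each finding into a triage record with an SLA due date, collapses duplicate findings from workloads that share an image, and lists what is overdue. The SLA windows, the image name, the workload names and the CVE ids are constructed placeholders, not values from the original post.

```python
import json
from datetime import date, timedelta

# Assumed remediation windows per severity, in days; substitute your own policy.
SLA_DAYS = {"CRITICAL": 7, "HIGH": 30, "MEDIUM": 90, "LOW": 180}

# Constructed report in Trivy's JSON layout (the CVE ids are placeholders).
SAMPLE_REPORT = json.dumps({"ArtifactName": "registry.example.internal/payments/api:1.4.2", "Results": [{
    "Target": "registry.example.internal/payments/api:1.4.2 (debian 12.5)",
    "Vulnerabilities": [
        {"VulnerabilityID": "CVE-0000-0001", "PkgName": "libfoo", "InstalledVersion": "1.0-1",
         "FixedVersion": "1.0-2", "Severity": "CRITICAL"},
        {"VulnerabilityID": "CVE-0000-0002", "PkgName": "libbar", "InstalledVersion": "2.3",
         "FixedVersion": "", "Severity": "MEDIUM"}]}]})
SCAN_DATE = date(2025, 1, 1)  # constructed scan timestamp

def parse_findings(report_json, workload, scanned_on):
    """Turn one Trivy report into triage records for the workload running that image."""
    report = json.loads(report_json)
    image = report.get("ArtifactName", "")
    records = []
    for result in report.get("Results", []):
        # Trivy omits "Vulnerabilities" (or sets it to null) when a target is clean.
        for v in result.get("Vulnerabilities") or []:
            sev = v.get("Severity", "UNKNOWN").upper()
            days = SLA_DAYS.get(sev)
            records.append({
                "cve": v["VulnerabilityID"], "image": image, "package": v.get("PkgName"),
                "installed": v.get("InstalledVersion"),
                "fixed": v.get("FixedVersion") or None,  # "" means no fixed version yet
                "severity": sev, "workloads": {workload},
                "due": scanned_on + timedelta(days=days) if days else None,
            })
    return records

def merge_findings(batches):
    """Collapse identical (cve, image, package) hits from workloads that share an image."""
    merged = {}
    for rec in (r for batch in batches for r in batch):
        key = (rec["cve"], rec["image"], rec["package"])
        if key in merged:
            merged[key]["workloads"] |= rec["workloads"]
        else:
            merged[key] = rec
    return list(merged.values())

def overdue(findings, today):
    """Findings past their SLA window: what a tracking dashboard should surface first."""
    return [f for f in findings if f["due"] and today > f["due"]]
```

Feeding the same report twice under different workload names shows the dedupe: one record per CVE, with both workloads attached, so an audit trail can show every place an image is running without double-counting the finding.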
A note on the subscription-everything model
While building this, I noticed a broader trend that bothered me. Tools that used to be standalone products—things you'd install, run, and own—have been steadily migrating to SaaS subscription models. For the providers, this makes business sense. For the software world in general, it's a concerning direction. Are we really heading towards "subscribe to everything"? Will I need a subscription for my laptop's power adapter next?
Security tooling shouldn't be locked behind enterprise contracts. Knowing what vulnerabilities are running in your infrastructure is not a premium feature. It's basic operational hygiene.
Why AGPL, why free, and what comes next
Ephor is licensed under AGPL v3 and will remain free and open source. This isn't a "community edition" with half the features stripped out. The full platform—dashboard, API, scanner, triage workflows, everything—is free.
There's no VC funding behind this. No investors pushing to convert open-source users into paying customers. Right now, it's a one-person project built in the open.
My personal long-term goal is to establish a governance structure that guarantees the project's independence—making sure it can't be acquired, relicensed, or enshittified down the road. I don't want to promise what doesn't exist yet, but that's the direction I'm working towards. If the project grows, I want the governance to protect it.
The open-source project stays free. Period.
Try it
If you're running Kubernetes workloads and managing vulnerabilities with spreadsheets (or not managing them at all), give Ephor a try.
Deploy with Helm, point the scanner at your cluster, and you'll have a full vulnerability management dashboard in minutes.
I'd love feedback—what works, what's missing, what would make this useful for your team. Open an issue on GitHub or reach out at hello@holbein.io.