Multi-source CVE and vulnerability monitoring for your infrastructure stack. Free public APIs only (NVD, OSV, GitHub Advisories, CISA KEV, security RSS). RTL/LTR UI with light, dark, and system themes, plus six interface languages.
If this helps your team, consider starring the repo on GitHub — it helps others discover CVE Radar. Promotion tips: docs/PROMOTION.md.
Dashboard: severity summary, per-tool CVE cards (HAProxy, Redis, …), charts, unified sidebar with stack tools, data-source freshness, and scan controls. Refresh capture: npm run docs:product-demo.
| Language | README |
|---|---|
| English | You are here |
| فارسی | README.fa.md |
| العربية | README.ar.md |
| Русский | README.ru.md |
| 中文 | README.zh.md |
| Français | README.fr.md |
Documentation: https://blog.raminnietzsche.ir/CVE-Radar/ · extended-docs (source) · Glossary
```bash
make extended-docs-serve # local preview http://127.0.0.1:8000
```

- Full scan — NVD + OSV + GitHub + CISA KEV + The Hacker News + TuxCare RSS
- Fast watch — periodic OSV + GitHub (+ RSS) without NVD delay
- Dashboard — severity donut chart, type bar chart, per-tool status
- Filters — severity, type, tool, search, sort (severity / date / CVSS)
- i18n — Persian, Arabic, English, Russian, Chinese, French (UI + locale dates/numbers)
- Themes — light / dark / system
- Optional Persian translation — server-side EN→FA via MyMemory / LibreTranslate / Ollama
- Source freshness — last successful fetch time per data source in the sidebar
- First-run setup wizard — stack, settings, and sources before the dashboard (v1.1.0)
- Scan cache — restore last scan on reload when the stack matches; cached-results banner on dashboard
- GitHub Models prompts — reusable AI prompts in `.github/prompts/` for onboarding and ops
- Multi-channel watch alerts — Slack, Discord, Telegram, email, generic webhook via `NotificationService`
- Self-hosted enterprise features — RBAC (`API_ROLE`), optional PostgreSQL multi-tenancy, scan history/trends, Redis cache, Prometheus metrics, air-gap mirrors, K8s stack discovery
- SSE scan stream — `POST /api/v1/scan/stream` for progress events during full scans
Latest release: v1.2.1 · Maintainer guide: docs/RELEASE.md
Active work is tracked in GitHub Issues. Current epics:
| Area | Epic | Notes |
|---|---|---|
| E2E tests, fixtures, coverage gates | #78 | Playwright CSV export + ~257 specs (~94% lines); more integration mirrors planned |
| SonarCloud maintainability | #134–#139 | Code-smell cleanup |
Shipped under MIT (no enterprise tier): multi-channel notifications (#124, #127), Drizzle schema foundation (#125, #128), RBAC, multi-tenancy, PostgreSQL scan history, Redis shared cache (#66), Prometheus metrics, EPSS, air-gap mirrors — see extended-docs chapter 11.
Want to help? Pick a good first issue label or comment on the epic before opening a PR.
```bash
git clone https://github.com/RaminNietzsche/CVE-Radar.git
cd CVE-Radar
make setup
make dev
```

| Service | URL |
|---|---|
| Web UI | http://localhost:5173 |
| API health | http://localhost:3001/api/health |
```dotenv
NVD_API_KEY= # https://nvd.nist.gov/developers/request-an-api-key
GITHUB_TOKEN= # higher GitHub Advisories rate limit
SCAN_DAYS=60
TRANSLATE_ENABLED=true
# RATE_LIMIT_SCAN_PER_MIN=12
# RATE_LIMIT_WATCH_PER_MIN=120
```

Copy from `.env.example`. Never commit `.env`.
| Source | Role |
|---|---|
| NVD | Official CVE records (full scan) |
| OSV | Open source package vulnerabilities |
| GitHub Advisories | GHSA / reviewed advisories |
| CISA KEV | Known exploited vulnerabilities |
| The Hacker News | Security news RSS |
| TuxCare | Security blog RSS |
| Method | Path | Description |
|---|---|---|
| GET | /api/health | Liveness, version, env flags (`?detailed=true` for ops) |
| GET | /metrics | Prometheus metrics (when `METRICS_ENABLED`) |
| GET | /api/capabilities | Limits, features, translate locales |
| GET | /api/sources | Built-in + default RSS catalog |
| GET | /api/openapi.json | OpenAPI 3.1 spec |
| POST | /api/scan/validate | Validate stack/sources (no scan) |
| POST | /api/scan | Full scan (stack, translate, locale, enabledBuiltin, customFeeds) |
| POST | /api/watch | Watch poll + newVulns / hasNew |
| POST | /api/translate | Batch CVE text translation |
| POST | /api/v1/scan/stream | Full scan over SSE (v1) |
| GET | /api/v1/scans/history | Tenant scan history (PostgreSQL) |
| GET/POST | /api/v1/tenants/stacks | Saved stacks CRUD (PostgreSQL) |
| GET | /api/v1/discovery/kubernetes | K8s image → tool discovery (opt-in) |
Core scan/metadata routes also exist under /api/v1/…. Full reference: extended-docs API chapter · make extended-docs-serve → API Explorer tab.
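Added example, not code from the CVE Radar repo: a small Node client helper that builds a `POST /api/scan` body from the request fields named in the table above and then ranks findings the way the dashboard sorts them (CISA KEV hits first, then severity, CVSS, date). The response shape (`vulns[]` with `id`, `tool`, `severity`, `cvss`, `published`, `kev`) is an assumption for illustration, not the documented schema, and the sample data is constructed.

```javascript
// Added example (not part of CVE Radar). Response field names below are assumed, not documented.
const SEVERITY_RANK = { CRITICAL: 4, HIGH: 3, MEDIUM: 2, LOW: 1, UNKNOWN: 0 };

// Build the /api/scan body; field names come from the README's /api/scan row.
// Values for enabledBuiltin/customFeeds are passed through as given (their format is not on this page).
function buildScanRequest(stack, opts = {}) {
  if (!Array.isArray(stack) || stack.length === 0) {
    throw new Error('stack must be a non-empty array of tool names (e.g. from examples/stack.json)');
  }
  return {
    stack,
    translate: Boolean(opts.translate),
    locale: opts.locale ?? 'en',
    enabledBuiltin: opts.enabledBuiltin ?? [],
    customFeeds: opts.customFeeds ?? [],
  };
}

// Rank findings for triage: known-exploited (KEV) first, then severity, CVSS, newest published.
// Optional filters mirror the dashboard: by tool and by a minimum severity.
function rankFindings(vulns, { tool, minSeverity = 'LOW' } = {}) {
  const floor = SEVERITY_RANK[minSeverity] ?? 0;
  return vulns
    .filter((v) => (!tool || v.tool === tool) && (SEVERITY_RANK[v.severity] ?? 0) >= floor)
    .sort((a, b) =>
      Number(Boolean(b.kev)) - Number(Boolean(a.kev)) ||
      (SEVERITY_RANK[b.severity] ?? 0) - (SEVERITY_RANK[a.severity] ?? 0) ||
      (b.cvss ?? 0) - (a.cvss ?? 0) ||
      Date.parse(b.published) - Date.parse(a.published));
}

// Live call against a running instance (Node 18+ global fetch); not invoked by the sample below.
async function postScan(baseUrl, body) {
  const res = await fetch(`${baseUrl}/api/scan`, {
    method: 'POST',
    headers: { 'content-type': 'application/json' },
    body: JSON.stringify(body),
  });
  if (!res.ok) throw new Error(`scan failed: HTTP ${res.status}`);
  return res.json();
}

// Constructed sample response (placeholder IDs, not real CVE data).
const SAMPLE_VULNS = [
  { id: 'CVE-0000-0001', tool: 'redis', severity: 'HIGH', cvss: 8.1, published: '2024-03-01', kev: false },
  { id: 'CVE-0000-0002', tool: 'haproxy', severity: 'MEDIUM', cvss: 6.5, published: '2024-04-10', kev: true },
  { id: 'CVE-0000-0003', tool: 'redis', severity: 'CRITICAL', cvss: 9.8, published: '2024-01-15', kev: false },
  { id: 'CVE-0000-0004', tool: 'redis', severity: 'LOW', cvss: 3.1, published: '2024-05-01', kev: false },
];
```

Run a real scan with `postScan('http://localhost:3001', buildScanRequest(['haproxy', 'redis']))` and feed `result.vulns` to `rankFindings`; the KEV-first ordering is why a MEDIUM entry can outrank a CRITICAL one.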
```bash
make build
make start # serves API + static dist on PORT (default 3001)
```

Docker Hub: raminnietzsche/cve-radar · Hub copy: docs/dockerhub/

```bash
docker pull raminnietzsche/cve-radar:latest
docker run --rm -p 3001:3001 raminnietzsche/cve-radar:latest
# or compose: docker compose -f docker-compose.hub.yml up -d
```

Build from source:

```bash
docker compose up --build
# UI + API → http://localhost:3001
```

Details: docs/DOCKER.md.
All advanced capabilities — audit logs, RBAC, multi-tenant scan history, Prometheus metrics, EPSS, compliance mapping, Kubernetes discovery, offline mirrors — are included under MIT with no enterprise tier. Multilingual guides: extended-docs chapter 11 (en · fa · ar · ru · zh · fr) · maintainer split: docs/self-hosted/.
Published site: blog.raminnietzsche.ir/CVE-Radar/. Having trouble with Pages deployment (404)? See docs/GITHUB_PAGES.md.
Example stack: examples/stack.json. OpenAPI: docs/OPENAPI.md.
See ARCHITECTURE.md for the full map.
```text
├── src/            # React + Vite UI (see src/README.md)
├── server/         # Express API + feeds (see server/README.md)
├── extended-docs/  # Canonical MkDocs site (6 languages, CI deploy)
├── docs/           # ADRs, Docker/Pages/OpenAPI guides (see docs/README.md)
├── tests/          # API + unit tests
├── scripts/        # Tooling (screenshots, OpenAPI check, icons)
├── examples/       # Sample stack JSON
├── public/         # Static assets (favicon, brand icons)
├── .github/        # CI, Pages, Docker Hub, CODEOWNERS
└── Makefile
```
```bash
make help
make check # lint + typecheck + test
make test
make docs-serve # optional: MkDocs Material site
```

This tool aggregates public feeds for awareness. Always validate findings against vendor advisories and your change process. RSS items may not map 1:1 to CVE IDs.
See CONTRIBUTING.md, SECURITY.md, CODE_OF_CONDUCT.md, and CHANGELOG.md.
