Self-hosted · your code never leaves your servers

Every vulnerability, across every repo you maintain.

TedGuard scans all your GitHub, Bitbucket, and Azure DevOps repositories with multiple engines, deduplicates the noise, and tracks remediation in one live dashboard you host yourself.

Dependency CVEs and leaked secrets — found by Trivy, OSV-Scanner, Grype and Gitleaks, merged into a single canonical view. Open source scanners, one pane of glass.

5 scanners, deduplicated

3 Git platforms supported

100% on your infrastructure

tedguard · dashboard

  • acme-checkout: SLA overdue (2 C, 5 H, 8 M)
  • client-portal-api: remediation due (3 H, 11 M)
  • payments-worker: all clear (4 M)
  • marketing-site: remediation due (1 H, 2 M)

Who it's for

Built for teams that maintain other people's code

Agencies & dev shops

You ship and maintain code for many clients. Prove each repository is monitored, and justify remediation time with evidence.

MSPs & platform teams

One dashboard across every customer and internal service, with per-project SLAs and overdue tracking baked in.

Security-conscious orgs

Keep source code and findings inside your own network. No third-party SaaS ever clones your repositories.

Capabilities

One dashboard, less noise, real accountability

Everything you need to find, prioritise, track and report on vulnerabilities across a whole portfolio of repositories.

Multi-scanner, deduplicated

Trivy, OSV-Scanner and Grype find dependency CVEs; Trivy and Gitleaks find leaked secrets. TedGuard merges the results into one canonical finding — GHSA and CVE aliases resolved — so three scanners flagging the same bug is one row, not three.

All your Git platforms

Connect GitHub, Bitbucket and Azure DevOps. Auto-discover repositories in an org or workspace, then toggle scanning per repo. Tokens are encrypted at rest and never returned to the browser.

Risk you can prioritise

Severity, CVSS, EPSS exploit-probability and CISA KEV "known exploited" flags on every finding — so you fix what is actually being exploited first, not just what is loudest.

Remediation SLAs

Set a target fix window per severity. TedGuard shows due and overdue badges per project, turning "we should patch that" into an accountable, trackable deadline.

Notify only when it matters

Email, Slack and Microsoft Teams alerts on new high and critical findings — with an option to stay quiet until an upstream fix actually exists, so you are not paged for something you cannot patch yet.

Client-ready reports

Generate a print-ready, per-project security report that frames risk and exploitability in business terms — ready to hand to a client to justify the time to remediate.

Open-source engines

The best scanners, agreeing with each other

No single scanner catches everything. TedGuard runs several, then collapses overlapping results into one finding — with a confidence signal when multiple engines agree.

Dependency CVEs (SCA)

  • Trivy: Dependency CVEs + secrets
  • OSV-Scanner: OSV.dev advisory database
  • Grype: Anchore vulnerability match

Leaked secrets

  • Gitleaks: Leaked credentials & keys
  • Trivy-secret: In-tree secret detection

Secret values are never stored — only a redacted preview with file and line.

Connects to

  • GitHub
  • Bitbucket
  • Azure DevOps

CVE databases refresh on a schedule, with graceful fallback to the last cached copy.

How it works

From repository to remediation in four steps

  1. Connect your platforms

    Add GitHub, Bitbucket or Azure DevOps credentials in the admin UI. TedGuard auto-discovers repositories in the scope you choose — you pick which ones to scan.

  2. Scan on a schedule

    A background worker shallow-clones each enabled repo, runs every scanner in parallel, then deletes the clone. Nothing is persisted except normalised findings.

  3. Triage in one place

    Findings land in a live dashboard with severity, CVSS, EPSS and KEV signals. Filter, sort, see which scanners agreed, and track new vs fixed across scans.

  4. Report & remediate

    SLA badges flag what is overdue. Alerts fire on new criticals. Export a client-ready report to justify the work — all without your code leaving your network.

Self-hosted by design

A security tool that doesn't ask you to trust it with your code

Most vulnerability scanners are SaaS — you hand them read access to every repository you own. TedGuard flips that: it lives entirely inside your perimeter, so the only place your code goes is somewhere you already control.

Your infrastructure, your data

TedGuard runs on your servers. Repositories are cloned locally during a scan and deleted immediately after. No source code or finding ever reaches a third party.

SSO with IdP-authoritative roles

Sign in with Microsoft Entra or GitHub. Admin and member access is delegated to your identity provider — remove someone there and they lose access on their next login.

One Docker image, easy upgrades

A single versioned image runs the app, worker and scheduler. Upgrade with a pull — migrations run automatically on boot. A bare-metal install path is documented too.

Secrets encrypted at rest

Platform tokens and OAuth credentials are encrypted in the database and never returned to the browser. Configuration lives in the UI, not in plaintext env files.

FAQ

Questions teams ask us

TedGuard is a self-hosted vulnerability-tracking dashboard. It scans the repositories you maintain on GitHub, Bitbucket and Azure DevOps with multiple open-source scanners, deduplicates the results into one canonical view, and tracks remediation against per-severity SLAs — all on infrastructure you control.

Get in touch

See TedGuard on your own repositories

Tell us a little about the repositories you maintain and we'll set up a demo — or walk you through self-hosting it in your own environment.

  • A live walkthrough of the dashboard and reports
  • Guidance on deploying it inside your network
  • Pricing for your portfolio of repositories
