Skip to content
/ PatchHound Public

PatchHound is an open source SBOM vulnerability scanner and report generator with image signing, verification, and automated alerts for secure software supply chains.

License

Apache-2.0 license
0 stars 0 forks Branches Tags Activity
Star
Notifications You must be signed in to change notification settings

BBlue530/PatchHound

BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

224 Commits
.github/workflows
.github/workflows
 
 
cli_image
cli_image
 
 
dev
dev
 
 
docs
docs
 
 
src
src
 
 
.gitattributes
.gitattributes
 
 
.gitignore
.gitignore
 
 
LICENSE
LICENSE
 
 
README.md
README.md
 
 
exclusions.json
exclusions.json
 
 

Repository files navigation

PatchHound (SBOM Vulnerability Report Generator)

Overview

An open-source, plug-and-play SBOM (Software Bill of Materials) vulnerability scanner that generates comprehensive vulnerability reports for container images or source code repositories.

PatchHound not only scans for vulnerabilities but also supports signing and verifying container images ensuring integrity and supply chain security.

Features

  • SBOM generation (Syft) + vuln scanning (Grype)
  • Trivy for misconfigs & secrets
  • Semgrep for SAST
  • Daily re scans with updated vuln DB + KEV catalog
  • Signing & verification with Cosign
  • PDF reports, repo history tracking, audit trail
  • Alerts via Slack/Discord
  • Scan for vulnerabilities (SBOM, SAST, misconfigs, secrets)
  • Compare against CISAs Known Exploited Vulnerabilities
  • Sign and verify container images for supply chain integrity
  • Generate PDF summary reports
  • Exclusion aware summaries with justification tracking

Usage

Backend

The backend handles file ingestion, vulnerability scanning, prioritization, and storage. It receives SBOMs, SAST reports, and Trivy results from the CLI or CI/CD pipelines, processes them, signs results, compares vulnerabilities against the CISA KEV catalog, and triggers alerts when needed.

For installation, setup, and detailed API documentation, see the Backend README.

CLI

The CLI is a core part of the communication between the backend and user. Read more on how to use the CLI here.

Container images

Container images are available for both the backend and the CLI. These images include everything you need to get started quickly.

Backend container image:

docker pull ghcr.io/bblue530/patchhound_backend:latest

CLI image:

docker pull ghcr.io/bblue530/patchhound_cli:latest

Notes

When scanning a directory (TARGET="."), Syft will warn about missing explicit name/version metadata. This does not affect scan results.

If you dont want the workflow to fail when critical vulnerabilities are found change FAIL_ON_CRITICAL=true to false

If you are scanning a container image make sure to add a secret named PAT_TOKEN to your repository.

  1. Go to Settings > Secrets and variables > Actions
  2. Click New repository secret
  3. Name it: PAT_TOKEN
  4. Paste your PAT
  5. Make sure you pass the PAT_TOKEN secret in the CLI

Required Token Permissions

  • read:packages - required to pull images
  • repo - only required if you are accessing private images or private repositories

Public images only require read:packages.

Docs

License

This project is licensed under the Apache License 2.0. See the LICENSE file for details.

About

PatchHound is an open source SBOM vulnerability scanner and report generator with image signing, verification, and automated alerts for secure software supply chains.

Topics

static-analysis vulnerability-management security-automation continuous-security devsecops vulnerability-scanning cli-tool sast syft container-security sbom trivy open-source-security supply-chain-security pdf-reporting grype cosign cisa-kev security-auditing

Resources

Readme

License

Apache-2.0 license
Activity

Stars

0 stars

Watchers

0 watching

Forks

0 forks
Report repository

Releases 2

0.1.12 Latest
Nov 30, 2025
+ 1 release

Packages

 
 
 

Contributors 2

  •  
  •  

Languages