Describe your app.
Draugr figures out the rest.

Developer-first, descriptor-driven security scanning orchestration. Declare what you know — your repos, images, endpoints, and infrastructure — and Draugr runs the right scanners with sensible defaults and produces audit-ready, pass/fail evidence.

One descriptor

A single draugr.saga.yaml maps your app to the security controls that must pass.

Bring your scanners

Use the tools you already pay for, or Draugr's open-source defaults. Everything speaks SARIF.

It writes itself

Point the Ravens at a cluster or a GitHub org and the descriptor populates automatically.

Cheap at scale

Content-hash caching means unchanged components are never re-scanned.

# draugr.saga.yaml — describe your app
release:
  name: my-app
  version: "1.0"
components:
  - name: backend
    images:
      - image: registry.example.com/acme/backend:1.0
    hosts:
      - url: https://api.acme.com