Describe your app.
Draugr figures out the rest.
Developer-first, descriptor-driven security scanning orchestration. Declare what you know — your repos, images, endpoints, and infrastructure — and Draugr runs the right scanners with sensible defaults and produces audit-ready, pass/fail evidence.
One descriptor
A single draugr.saga.yaml maps your app to the security controls that must pass.
Bring your scanners
Use the tools you already pay for, or Draugr's open-source defaults. Everything speaks SARIF.
It writes itself
Point the Ravens at a cluster or a GitHub org and the descriptor populates automatically.
Cheap at scale
Content-hash caching means unchanged components are never re-scanned.
# draugr.saga.yaml — describe your app release: name: my-app version: "1.0" components: - name: backend images: - image: registry.example.com/acme/backend:1.0 hosts: - url: https://api.acme.com