See every service's security posture at a glance.
MeshReader reads your live cluster, scans every workload for vulnerabilities, and renders it all as one navigable risk graph — services, dependencies, CVEs, and computed risk in a single view.
No agent to configure just to explore: try the schema-import demo.
Application security posture, built for Kubernetes.
Most tools give you a list of CVEs. MeshReader gives you the picture: which services exist, how they connect, what they depend on, and where the real risk concentrates — so you fix what matters first.
In-cluster agent
A lightweight agent watches the Kubernetes API, scans every workload image, and streams posture to the backend over gRPC. No data leaves your control plane.
Kubeconfig
Point MeshReader at a kubeconfig and it reads deployments, services, and endpoints across namespaces — no install required.
Schema import
Paste or upload a Syft SBOM, a Grype report, or a MeshReader snapshot. It normalizes and renders instantly, with no cluster access at all.
From cluster to risk graph in four steps.
Discover
Services, deployments, and pods are read straight from the Kubernetes API. Edges come from your real workload config.
Scan
Syft builds an SBOM of each image; Grype matches it against CVE data. Findings carry their source — the model is scanner-agnostic.
Score
Risk is computed, not guessed: Impact (data sensitivity × severity) × Exploitability (internet-facing + connections).
Visualize
Everything renders as a navigable dependency graph, a sortable table, and a per-service detail panel.
One view, every signal.
Dependency graph
Force-directed map of every service, with risk-colored rings and protocol-labeled edges.
Risk scoring
A 0–100 score per service with an Impact × Exploitability breakdown you can reason about.
Real CVEs
Violations come from actual Grype scans of your images — not a static list.
SBOM & libraries
Every dependency Syft finds, with versions and which ones are vulnerable.
Classifiers
Flag sensitive services (PII, PCI) so impact reflects what the workload actually handles.
Scanner-agnostic
Trivy, Snyk, OSV — adapters plug into one finding model. Swap or add scanners freely.
What is MeshReader?
MeshReader is an open-source Application Security Posture Management (ASPM) tool built specifically for Kubernetes. It answers the question most security tooling leaves unanswered: not just which CVEs exist, but where real risk concentrates across your running services, and what to fix first. By combining live cluster discovery, software composition analysis, and a transparent risk-scoring model, MeshReader turns a noisy stream of vulnerability data into a clear, navigable map of your application security posture.
Live Kubernetes discovery
MeshReader meets your cluster where it is. A lightweight in-cluster agent watches the Kubernetes API for services, deployments, and pods, deriving the service dependency graph from your real workload configuration rather than guesswork. Prefer not to install anything? Connect a read-only kubeconfig, or work entirely offline by importing a snapshot. Discovery is read-only and privacy-preserving: with the agent, posture data never leaves your control plane.
Real vulnerability scanning with Syft and Grype
For every workload, MeshReader runs Syft to generate a complete software bill of materials (SBOM) and Grype to match those packages against current CVE data. The result is the real dependency inventory of each container image and the actual vulnerabilities affecting it — not a stale, hardcoded list. Because the finding model is scanner-agnostic, adapters for Trivy, Snyk, or OSV slot into the same schema, so you can standardize on one posture view across many tools and avoid vendor lock-in.
Risk you can actually reason about
A vulnerability count is not a priority list. MeshReader computes a 0–100 risk score per service by decomposing risk into Impact — data sensitivity (PII, PCI) multiplied by finding severity — and Exploitability — whether a service is internet-facing and how it connects to others. The scoring is deterministic and explainable, so an internet-exposed gateway with critical CVEs ranks above an internal cache with the same packages. Risk weights map to your own policy, making MeshReader a practical tool for DevSecOps teams triaging real software supply chain exposure.
One picture, every signal
Everything renders as an interactive service dependency graph, a sortable table, and a per-service detail panel showing risk, violations, dependencies, and classifiers. You see how a critical CVE in one library propagates through the services that depend on it — turning container vulnerability scanning into genuine, cloud-native situational awareness. MeshReader is open source and built on a clean protobuf object model you own, so you can extend the collector, add scanners, or re-weight risk to fit your environment.
Built for the modern cloud-native stack
MeshReader fits naturally into DevSecOps and platform-engineering workflows. It runs anywhere Kubernetes does — managed clusters such as EKS, GKE, and AKS, or local environments like kind and k3d — and its agent uses standard, read-only RBAC, so security reviews are simple. Because the frontend is a static site and the backend is a small Go service, you can self-host MeshReader with minimal overhead and keep full control of your vulnerability data and software supply chain visibility. There is no SaaS to trust with your cluster internals and no proprietary data store to migrate out of later.
Get started in minutes
The fastest way to evaluate MeshReader is schema-import mode: paste a Syft SBOM or a Grype report and the risk graph renders immediately in your browser, with nothing to install. When you're ready for live data, deploy the in-cluster agent and watch your real services, dependencies, and CVEs populate continuously as your cluster changes. Going from a first scan to a prioritized, navigable view of your Kubernetes security posture is a matter of minutes — not a procurement cycle — which makes MeshReader equally useful for a quick audit or as a permanent part of your continuous security monitoring.
Frequently asked questions
What is MeshReader?
MeshReader is an open-source, Kubernetes-native Application Security Posture Management (ASPM) tool. It discovers your running services, scans their container images for vulnerabilities, computes a risk score for each, and renders everything as one navigable dependency graph.
How does MeshReader discover services?
Three ways: an in-cluster agent that watches the Kubernetes API and pushes data over gRPC, a read-only kubeconfig connection, or a static schema import where you paste a Syft SBOM, a Grype report, or a MeshReader snapshot.
Which scanners does it use?
Syft generates the software bill of materials (SBOM) and Grype matches it against CVE data by default. The finding model is scanner-agnostic, so Trivy, Snyk, or OSV adapters plug into the same schema.
Does MeshReader send my data anywhere?
No. With the in-cluster agent, posture data stays within your own control plane and backend. The schema-import mode runs entirely client-side in your browser.
How is the risk score calculated?
Risk decomposes into Impact (data sensitivity × finding severity) and Exploitability (internet-facing exposure + connection count), computed per service from real scan findings — never a hardcoded number.
Can I try it without installing anything?
Yes. Use schema import to paste a Syft SBOM or Grype JSON report and MeshReader renders the graph instantly, no cluster access required.
Is MeshReader open source?
Yes. The protobuf object model and the full stack — agent, ingestion, and frontend — are available on GitHub.
Map your cluster's risk.
Launch the console and explore a live posture graph, or import a snapshot to try it offline.