# TedGuard - Self-Hosted Vulnerability Tracking Dashboard

> Built a self-hosted, Dockerized Laravel dashboard that scans every repository a team maintains across GitHub, Bitbucket, and Azure DevOps with multiple open-source scanners, deduplicates the findings, and tracks remediation against per-severity SLAs.

**Published:** 2026-06-10

---
## The Need

Agencies, consultancies, and platform teams maintain code for many clients across GitHub, Bitbucket, and Azure DevOps. Keeping track of which repository has which vulnerability, how severe it is, and whether a fix exists usually means juggling several scanners and a pile of spreadsheets. SaaS scanners solve part of this, but they require handing a third party read access to every repository you own, which is a hard sell for security-conscious clients. There was no single, self-hosted view of vulnerabilities across a whole portfolio that kept the code inside the customer's own network.

## The Approach

I built [TedGuard](https://www.tedguard.com), a self-hosted vulnerability tracking dashboard that ships as a single Docker image. It connects to a team's Git platforms, scans every enabled repository with multiple engines, merges the results into one canonical view, and tracks remediation, all on infrastructure the customer controls.

Key work included:

- **Multi-scanner pipeline:** A background worker shallow-clones each enabled repository, runs Trivy, OSV-Scanner, and Grype for dependency CVEs, and Gitleaks plus Trivy for leaked secrets, all in parallel, then deletes the clone. Nothing is persisted except the normalized findings.
- **Deduplication and merging:** Each scanner's output is normalized into one canonical finding model. GHSA and CVE aliases are resolved, so the same vulnerability reported by three scanners collapses into a single row with a confidence signal, instead of three duplicates.
- **Risk prioritization:** Every finding carries severity, CVSS, EPSS exploit-probability, and a CISA KEV "known exploited" flag, so teams fix what is actually being exploited first.
- **Remediation SLAs:** Configurable target fix windows per severity, with due and overdue badges per project, turning informal intentions into trackable deadlines.
- **Notifications:** Email, Slack, and Microsoft Teams alerts on new high and critical findings, with an option to stay quiet until an upstream fix actually exists.
- **SSO with IdP-authoritative roles:** Sign-in via Microsoft Entra or GitHub, with admin and member roles delegated to the identity provider and recomputed on every login. A break-glass local admin covers emergency access.
- **Client-ready reports:** A print-ready, per-project security report that frames risk and exploitability in business terms.
- **One-image distribution:** The same versioned image runs the app, the scan worker, and the scheduler. Upgrades are a pull, and database migrations run automatically on boot. A bare-metal install path is documented too.
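As an added illustration of the deduplication and SLA items above (example code written for this write-up, not TedGuard's own PHP/Laravel implementation), the following collapses findings from three scanners that share a package and an advisory alias into one row with a confidence count, picks the most severe rating when scanners disagree, and derives a per-severity due date. Scanner records and advisory ids are constructed placeholders.

```python
from collections import defaultdict
from datetime import date, timedelta

# Constructed sample records, already normalized from each scanner's JSON
# (that normalization step is assumed). "ids" holds every identifier the
# scanner attached to the finding, e.g. an OSV-style aliases list. The
# advisory ids are placeholders, not real CVEs or GHSAs.
RAW_FINDINGS = [
    {"scanner": "trivy", "pkg": "lodash@4.17.20", "ids": ["CVE-2099-0001"], "severity": "high"},
    {"scanner": "osv-scanner", "pkg": "lodash@4.17.20", "ids": ["GHSA-aaaa-bbbb-cccc"], "severity": "high"},
    {"scanner": "grype", "pkg": "lodash@4.17.20", "ids": ["GHSA-aaaa-bbbb-cccc", "CVE-2099-0001"], "severity": "critical"},
    {"scanner": "trivy", "pkg": "axios@0.21.0", "ids": ["CVE-2099-0002"], "severity": "medium"},
]

SEVERITY_ORDER = ["critical", "high", "medium", "low"]          # most severe first
SLA_DAYS = {"critical": 7, "high": 30, "medium": 90, "low": 180}  # assumed fix windows

def _find(parent, key):
    """Union-find root lookup with path halving; keys are (pkg, advisory id)."""
    parent.setdefault(key, key)
    while parent[key] != key:
        parent[key] = parent[parent[key]]
        key = parent[key]
    return key

def merge_findings(raw):
    """Collapse findings sharing a package and any alias into one canonical row."""
    parent = {}
    for f in raw:  # link every alias a scanner reports to the finding's first id
        first = (f["pkg"], f["ids"][0])
        for alias in f["ids"][1:]:
            parent[_find(parent, (f["pkg"], alias))] = _find(parent, first)
    groups = defaultdict(lambda: {"ids": set(), "scanners": set(), "severities": []})
    for f in raw:
        g = groups[_find(parent, (f["pkg"], f["ids"][0]))]
        g["pkg"] = f["pkg"]
        g["ids"].update(f["ids"])
        g["scanners"].add(f["scanner"])
        g["severities"].append(f["severity"])
    rows = []
    for g in groups.values():
        cves = sorted(i for i in g["ids"] if i.startswith("CVE-"))
        rows.append({
            "pkg": g["pkg"],
            "id": cves[0] if cves else sorted(g["ids"])[0],  # prefer a CVE as canonical id
            "aliases": sorted(g["ids"]),
            "severity": min(g["severities"], key=SEVERITY_ORDER.index),  # be conservative
            "confidence": len(g["scanners"]),  # how many engines agree on this finding
        })
    return sorted(rows, key=lambda r: r["pkg"])

def sla_status(row, first_seen, today):
    """Return (due date, 'due' | 'overdue') for a merged row."""
    due = first_seen + timedelta(days=SLA_DAYS[row["severity"]])
    return due, ("overdue" if today > due else "due")
```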

## Tech Stack

- **Backend:** [PHP](https://www.php.net/), [Laravel](https://laravel.com/)
- **Frontend:** [Vue](https://vuejs.org/), [Inertia.js](https://inertiajs.com/), [TypeScript](https://www.typescriptlang.org/)
- **Styling:** [Tailwind CSS](https://tailwindcss.com/), [shadcn/vue](https://www.shadcn-vue.com/)
- **Database:** [PostgreSQL](https://www.postgresql.org/)
- **Scanners:** [Trivy](https://trivy.dev/), [OSV-Scanner](https://google.github.io/osv-scanner/), [Grype](https://github.com/anchore/grype), [Gitleaks](https://github.com/gitleaks/gitleaks)
- **Auth / SSO:** [Laravel Socialite](https://laravel.com/docs/socialite) (Microsoft Entra, GitHub), [Laravel Fortify](https://laravel.com/docs/fortify)
- **Distribution:** [Docker](https://www.docker.com/), [GitHub Container Registry](https://ghcr.io), [GitHub Actions](https://github.com/features/actions) CI
- **Code Quality:** [Pest](https://pestphp.com/) (testing), [PHPStan](https://phpstan.org/)/[Larastan](https://github.com/larastan/larastan) (static analysis), [Pint](https://laravel.com/docs/pint) + [Rector](https://getrector.com/) (PHP formatting/refactoring)

## Outcomes

- **One pane of glass:** A live dashboard of every vulnerability across an entire portfolio of repositories, with severity counts and last-scan status per project.
- **Less noise, more signal:** Multiple scanners running together catch more, while deduplication keeps the same issue from showing up three times.
- **Code stays home:** Repositories are scanned locally and the clones are deleted right after, so no source code or finding ever leaves the customer's network.
- **Accountable remediation:** Per-severity SLAs with overdue tracking, plus a client-facing report to justify the time to fix.
- **Upgrade by pull:** A single versioned Docker image keeps deployment and updates simple for the teams running it.

---

_TedGuard is a self-hosted product for teams that maintain multiple repositories. Learn more at [tedguard.com](https://www.tedguard.com). For custom tools, [get in touch](/contact) or visit [tedbin.com](https://www.tedbin.com)._