Opensource Network Management, IT Operations Management (ITOM), Security Analytics, and Observability http://serviceradar.cloud/
  • Elixir 42%
  • JavaScript 29.8%
  • Go 12.4%
  • Rust 10.1%
  • Shell 1.3%
  • Other 4.1%
Find a file
Michael Freeman 65ccc6f9b3
All checks were successful
Secret Scan / gitleaks (push) Successful in 3m0s
Helm Lint / Helm Lint (push) Successful in 3m7s
Source Security Scan / source-security (push) Successful in 3m18s
lint / lint (push) Successful in 4m53s
Golang Tests / test-go (push) Successful in 11m42s
CI / build (push) Successful in 31m36s
Merge pull request 'chore: release v1.4.13' (#4557) from release/v1.4.13 into staging
Reviewed-on: #4557
2026-07-12 21:38:15 +00:00
.agent/workflows 2277 feat sysmon rewrite in golang (#2279) 2026-01-14 00:47:53 -06:00
.agents/skills docs: align release operations with guarded Forgejo flow 2026-07-10 02:19:02 -05:00
.bazelbsp adding missing files 2025-09-18 15:21:05 -05:00
.buildbuddy 2999 chore fix bazel container builds (#3000) 2026-03-07 11:01:16 -06:00
.cargo Add netprobe sidecar skeleton 2026-05-27 01:53:00 -05:00
.forgejo/workflows fix(release): gate finalization on parallel assets 2026-07-10 02:32:49 -05:00
.githooks chore: archive stale openspec proposals 2026-04-23 21:30:43 -05:00
.github ci: add socket firewall wrappers 2026-05-19 16:46:01 -05:00
.playwright wip: wifi map 2026-05-02 14:44:00 -05:00
.playwright-cli adding playwright 2026-04-27 21:37:52 -05:00
addons fix: restore scalibr endpoint inventory ingestion 2026-07-11 21:14:41 -05:00
build fix: preserve workload identity spool writes 2026-07-11 10:16:52 -05:00
database 2851 chore repo hygeine (#2868) 2026-02-20 18:30:16 -06:00
docker fix: fail closed on release artifact drift 2026-07-09 22:16:35 -05:00
docs Merge pull request 'fix(powerdns): detect missing protobuf producers' (#4544) from fix/powerdns-producer-health into staging 2026-07-11 10:44:02 +00:00
elixir test(core): harden plugin slot migration coverage 2026-07-12 10:14:20 -05:00
go build(agent): register retained delivery test dependency 2026-07-12 08:51:38 -05:00
google/protobuf adding missing files 2025-09-18 12:44:26 -05:00
helm/serviceradar chore: release v1.4.13 2026-07-12 12:00:44 -05:00
integrations/falco Fix web-ng release build: ship trivy/falco display contracts 2026-06-11 16:04:27 -05:00
js fix: update dashboard scaffolder packages 2026-05-06 01:00:32 -05:00
k8s chore: prepare v1.4.10 release operations 2026-07-09 15:19:22 -05:00
openspec Merge pull request 'fix(otx): stream uncapped indicator pages safely' (#4542) from fix/otx-uncapped-streaming into staging 2026-07-11 10:12:21 +00:00
proto fix(agent): retain unacknowledged plugin results 2026-07-12 08:22:12 -05:00
rust Merge remote-tracking branch 'origin/staging' into fix/scalibr-endpoint-inventory-012 2026-07-11 21:16:24 -05:00
scripts fix: restore scalibr endpoint inventory ingestion 2026-07-11 21:14:41 -05:00
swift Decouple RF update from LiDAR capture 2026-04-29 15:53:18 -05:00
third_party Fix netprobe Bazel libpcap linking 2026-05-27 20:55:49 -05:00
tools fix(build): update stale crate-rename refs in Dockerfile + proof harness (#4319 review) 2026-06-28 23:37:35 -05:00
.bazelignore Add manual Bazel target for dashboard CLI 2026-05-04 01:18:00 -05:00
.bazelrc Fix Darwin remote Bazel musl selection 2026-05-27 02:14:42 -05:00
.bazelversion Chore/bazel cleanup (#3027) 2026-03-12 15:30:23 -05:00
.clang-tidy fixing bazel build, adding clang-tidy 2025-10-10 15:51:57 -05:00
.clangd bazel work and cleanup of legacy web and srql remnants (#2175) 2025-12-17 19:53:27 -06:00
.dockerignore Coordinate Phase 0.10 sysmon downsampling publish path 2026-06-12 15:04:53 -05:00
.env-sample chore: updating docker to use new registry 2026-04-02 13:21:21 -05:00
.gitignore Ignore local review documents 2026-05-27 23:17:13 -05:00
.gitleaks.toml chore(security): broaden gitleaks allowlist to the fake-test-UUID family 2026-06-30 22:39:16 -05:00
.gitleaksignore fix: unblock Forgejo secret scan 2026-04-04 01:06:49 -05:00
.gitmodules fix(release): restore arancini submodule and update alpine postgresql16 apk pins 2026-02-20 02:11:03 -06:00
.golangci.yml fix: satisfy bumblebee go lint 2026-05-28 19:23:51 -05:00
.pre-commit-config.yaml Add Forgejo secret scanning and mirror workflows 2026-04-02 14:03:00 -05:00
.swiftlint.yml 2878 swift UI app (#2880) 2026-02-21 22:09:18 -06:00
.syft.yaml Add Forgejo SBOM and OSV security workflows 2026-04-01 08:24:53 -05:00
.tool-versions Web/elixir phoenix poc (#2139) 2025-12-15 23:11:48 -06:00
AGENTS.md fix(native-addons): register anomaly-addon manifest in validate_addon_manifests_test (unblocks bundle publish gate) 2026-06-17 00:20:03 -05:00
anomaly_tasks.md fix(build): update stale crate-rename refs in Dockerfile + proof harness (#4319 review) 2026-06-28 23:37:35 -05:00
Bazel.md 2999 chore fix bazel container builds (#3000) 2026-03-07 11:01:16 -06:00
buf.yaml Complete netprobe IPC proto linting tasks 2026-05-27 15:14:35 -05:00
BUILD.bazel fix(release): gate finalization on parallel assets 2026-07-10 02:32:49 -05:00
BUILD.md Document multi-corpus fingerprint maintenance 2026-05-28 19:14:28 -05:00
buildbuddy.yaml Switch build defaults to Harbor registry 2026-04-01 10:51:31 -05:00
buildbuddy_setup_docker_auth.sh wip: security updates and forgejo cutover 2026-03-31 21:36:18 -05:00
Cargo.lock fix: preserve workload identity spool writes 2026-07-11 10:16:52 -05:00
Cargo.toml refactor(de-causal): rename causal-disposition crate + NIF + CausalReasoner facade 2026-06-28 16:09:35 -05:00
CHANGELOG chore: release v1.4.13 2026-07-12 12:00:44 -05:00
CLAUDE.md 2069 bug icmp metrics missing in k8s (#2070) 2025-12-07 20:41:39 -06:00
cleanup-psql.sh Add Armis inventory cleanup script 2026-05-13 11:14:33 -05:00
CODE_OF_CONDUCT.md Added COC, CONTRIBUTING.md and SUPPORT.md files. 2025-10-09 15:32:08 +08:00
CODEOWNERS Added CODEOWNERS and RELEASE.md 2025-10-09 15:43:34 +08:00
CONTRIBUTING.md Add Forgejo secret scanning and mirror workflows 2026-04-02 14:03:00 -05:00
dashboard-builder-redesign.md Fix SRQL dashboard authoring UX 2026-05-26 10:59:04 -05:00
docker-compose.dev.yml Update NATS server and clients 2026-05-15 16:21:07 -05:00
docker-compose.override.yml.example 2851 chore repo hygeine (#2868) 2026-02-20 18:30:16 -06:00
docker-compose.yml harden auth deployment defaults 2026-07-04 23:35:39 -05:00
DOCKER_QUICKSTART.md Retire Phase 0.5 Go db-event-writer 2026-06-12 03:23:10 -05:00
go.mod feat(anomaly): protobuf metric envelope cutover + #3796 review hardening 2026-06-14 16:24:51 -05:00
go.sum Tidy Go module metadata 2026-06-11 14:53:14 -05:00
GOVERNANCE.md Update GOVERNANCE.md 2025-10-16 18:56:39 +08:00
INSTALL.md feat: add self-hosted sigstore keyless support 2026-04-04 23:26:32 -05:00
LICENSE added copyright statements 2025-03-02 21:17:35 -06:00
MAINTAINERS.md Added empty ROADMAP.md and renamed CONTRIBUTORS.md to MAINTAINERS.md 2025-10-16 18:01:04 +08:00
Makefile fix(agent): version ldflag mismatch + endpoint-inventory dir ownership 2026-06-15 12:36:20 -05:00
Makefile.docker chore: updating docker to use new registry 2026-04-02 13:21:21 -05:00
MODULE.bazel build: repin PostgreSQL 18 pgvector package 2026-07-12 09:18:00 -05:00
MODULE.bazel.lock fix: preserve workload identity spool writes 2026-07-11 10:16:52 -05:00
README-Docker.md Retire Phase 0.5 Go db-event-writer 2026-06-12 03:23:10 -05:00
README.md Ansible integration: docs/ansible.md + README mention 2026-05-11 02:11:43 -05:00
RELEASE.md feat: add self-hosted sigstore keyless support 2026-04-04 23:26:32 -05:00
SECURITY.md Update SECURITY.md 2025-03-03 12:12:50 -06:00
SECURITY_CONTACTS.md Update SECURITY_CONTACTS.md 2025-10-16 18:55:11 +08:00
skills-lock.json adding skills 2026-06-14 18:59:48 -05:00
SUPPORT.md Added COC, CONTRIBUTING.md and SUPPORT.md files. 2025-10-09 15:32:08 +08:00
TELEMETRY.md Update TELEMETRY.md 2025-10-16 18:55:20 +08:00
VERSION chore: release v1.4.13 2026-07-12 12:00:44 -05:00
WORKSPACE speed up builds 2025-10-11 00:49:25 -05:00

Website Developer Portal Apache 2.0 License

ServiceRadar

Screenshot_2026-04-28_at_10 07 02_PM

CNCF Landscape FOSSA Status OpenSSF Best Practices CLA assistant

Important

Active source development and releases now live at code.carverauto.dev/carverauto/serviceradar

ServiceRadar is a distributed network monitoring system designed for infrastructure and services in hard-to-reach places or constrained environments. It provides real-time monitoring of internal services with cloud-based alerting to ensure you stay informed even during network or power outages.

Demo site available at https://demo.serviceradar.cloud login: demo@localhost password: serviceradar

Features

  • Distributed Architecture: Multi-component design (Agent, Gateway, Core) for flexible edge deployments.
  • WASM Plugin System: Securely extend monitoring with custom checks in Go or Rust. Runs in a hardware-level sandbox with zero local dependencies and proxied networking.
  • Topology: GPU-native topology engine capable of rendering millions of interactive nodes and edges at 60fps via deck.gl, Apache Arrow for zero-copy streaming, and WASM-native logic layer.
  • Custom React Dashboards: Build powerful, data-driven dashboards with the Dashboard SDK. Dashboards run inside ServiceRadar, receive SRQL-backed data frames, and can be developed locally with hot module reloading before publishing.
  • Causal Engine: Real-time triage and isolation via DeepCausality (Rust). Employs hybrid filtering and roaring bitmaps to identify root causes and visually isolate an event's "blast radius" in microseconds.
  • SRQL: intuitive key:value syntax for querying time-series and relational data.
  • Unified Data Layer: Powered by CloudNativePG, TimescaleDB, PGVector, and Apache AGE for relational, time-series, and graph topology data.
  • Observability: Native support for OTEL, GELF, Syslog, SNMP (polling/traps), BGP (BMP), and NetFlow.
  • Graph Network Mapper: Discovery engine that maps interfaces and topology relationships via SNMP/LLDP/CDP.
  • Ansible Automation: Run AWX/AAP playbooks against devices in the inventory with live per-host run telemetry, projected to OCSF for the universal log viewer. AWX-sourced and git-sourced playbook catalogs coexist; cron-driven schedules ride the same launch pipeline. See docs/ansible.md.
  • Security: Hardened with mTLS, RBAC, and SSO integration.

WASM-Based Extensibility

ServiceRadar replaces traditional "script-and-shell" plugins with a modern WebAssembly runtime. This provides a generation leap in security and portability:

Feature ServiceRadar (WASM) Traditional NMS (Nagios/Zabbix) Enterprise (SolarWinds)
Isolation Hardware Sandbox None (OS Process) None (User Session)
Dependencies Zero (Static Binaries) High (Local Libs/Python) High (.NET/Runtimes)
Security Capability-based (Proxy) Sudo/Root access Local Admin / WMI
Portability Cross-platform WASM Script-specific Windows-centric
Auditability Every network call logged Invisible to Agent Opaque

Why WASM? Plugins are "FS-less" by default. They cannot access the host filesystem or raw sockets. Instead, they use a Network Bridge where the Agent proxies specific HTTP/TCP calls based on admin-approved allowlists.

Plug-in SDK

Go: https://code.carverauto.dev/carverauto/serviceradar-sdk-go

Rust: https://code.carverauto.dev/carverauto/serviceradar-sdk-rust

Dashboard SDK

ServiceRadar supports customer-owned dashboard packages that are authored in React and rendered directly inside the web UI. The Dashboard SDK gives dashboard authors a stable browser-module API for SRQL queries, Arrow-backed data frames, query state, Mapbox/deck.gl maps, popups, filters, and local development.

The published npm packages make it straightforward to create and validate a dashboard from a normal JavaScript workspace:

npm create @carverauto/create-dashboard@latest my-dashboard -- --template react-map
cd my-dashboard
npm ci
npm run dev

Use npm run dev for the local HMR harness, npm run validate before handing a package to ServiceRadar, and npx serviceradar-cli dashboard publish when you are ready to upload a signed dashboard package to a ServiceRadar instance.

Dashboard SDK documentation: developer.serviceradar.cloud/docs/v2/dashboard-sdk

Developer portal: developer.serviceradar.cloud

Quick Installation (Docker Compose)

Get ServiceRadar running in under 5 minutes:

# Optional - set these in your .env 
export SERVICERADAR_HOST=<my-vm-ip>
export GATEWAY_PUBLIC_BIND=0.0.0.0

git clone https://code.carverauto.dev/carverauto/serviceradar.git
cd serviceradar

docker compose pull
docker compose up nats-creds-init
docker compose up -d

# Get your admin password
docker compose logs config-updater

Access: http://localhost (login: root@localhost)

Kubernetes / Helm Deployment

ServiceRadar provides an official Helm chart for Kubernetes deployments, published to Harbor as an OCI artifact.

# Inspect chart metadata and default values
helm show chart oci://registry.carverauto.dev/serviceradar/charts/serviceradar --version 1.2.32
helm show values oci://registry.carverauto.dev/serviceradar/charts/serviceradar --version 1.2.32 > values.yaml

# Install a pinned release (recommended)
helm upgrade --install serviceradar oci://registry.carverauto.dev/serviceradar/charts/serviceradar \
  --version 1.2.32 \
  -n serviceradar --create-namespace \
  --set global.imageTag="v1.2.32"

# Track mutable images (staging/dev): pulls :latest and forces re-pull
helm upgrade --install serviceradar oci://registry.carverauto.dev/serviceradar/charts/serviceradar \
  --version 1.2.32 \
  -n serviceradar --create-namespace \
  --set global.imageTag="latest" \
  --set global.imagePullPolicy="Always"

# Get password for 'root@localhost' user created by helm install
kubectl get secret serviceradar-secrets -n serviceradar \
    -o jsonpath='{.data.admin-password}' | base64 -d

Note: if you omit global.imageTag, the chart defaults to latest. Set global.imagePullPolicy=Always when you want to pick up new pushes on restart.

Verifying Published Images

ServiceRadar publishes Cosign-signed images to Harbor. The public verification key is committed in docs/cosign.pub.

For the self-hosted keyless migration path, keep custom Sigstore trust material under docs/sigstore/README.md. The release scripts now support both legacy key-based verification and keyless verification against a custom trusted root.

Verify a released or immutable image tag with:

cosign verify \
  --experimental-oci11 \
  --key docs/cosign.pub \
  registry.carverauto.dev/serviceradar/serviceradar-core-elx:v1.2.32

For build-specific images, prefer the immutable sha-<commit> tags:

cosign verify \
  --experimental-oci11 \
  --key docs/cosign.pub \
  registry.carverauto.dev/serviceradar/serviceradar-core-elx:sha-ac23dc0ebcbee0d6a964dc8307826bf2a063536c

Successful verification proves the image was signed with the ServiceRadar release key and that the signature published in Harbor matches the requested image.

For self-hosted keyless verification, use the published trusted root and certificate identity policy instead of docs/cosign.pub:

cosign verify \
  --experimental-oci11 \
  --trusted-root docs/sigstore/trusted-root.json \
  --certificate-identity-regexp '<issuer-specific SAN regex>' \
  --certificate-oidc-issuer https://issuer.example.com \
  registry.carverauto.dev/serviceradar/serviceradar-core-elx:sha-ac23dc0ebcbee0d6a964dc8307826bf2a063536c

Docker Compose notes:

  • Set APP_TAG in .env to pin release images (example: APP_TAG=v1.2.32).
  • Set COMPOSE_FILE=docker-compose.yml:docker-compose.dev.yml in .env to default to the dev overlay without -f.

Chart URL: oci://registry.carverauto.dev/serviceradar/charts/serviceradar

Notes:

  • Chart versions are like 1.2.32; ServiceRadar image tags are like v1.2.32.
  • If your cluster requires registry credentials, set image.registryPullSecret (default registry-carverauto-dev-cred).

For ArgoCD deployments, use registry.carverauto.dev/serviceradar/charts as the repository URL (without the oci:// prefix):

apiVersion: argoproj.io/v1alpha1
kind: Application
metadata:
  name: serviceradar
  namespace: argocd
spec:
  destination:
    server: https://kubernetes.default.svc
    namespace: serviceradar
  source:
    repoURL: registry.carverauto.dev/serviceradar/charts
    chart: serviceradar
    targetRevision: "1.2.32"
    helm:
      values: |
        global:
          imageTag: "v1.2.32"

Architecture

  1. Agent: Lightweight Go service on monitored hosts; manages WASM execution and local collection.
  2. Agent-Gateway: Ingestion point that receives gRPC streams from edge agents.
  3. Core (core-elx): Control plane (Elixir/Phoenix/Ash) for orchestration, ERTS, and job scheduling (Oban).
  4. Web UI (web-ng): Real-time LiveView dashboard and APIs for configuration and visualization.
  5. NATS: NATS JetStream message broker for bulk ingestion streams.
  6. Collectors: Collect bulk data (netflow, logs, SNMP, etc.).

Documentation

For detailed guides on setup and security, visit: https://docs.serviceradar.cloud

For SDKs, dashboard authoring, and extension guides, visit: https://developer.serviceradar.cloud

Contributing

Contributions are welcome! Please feel free to submit a Pull Request. Join our Discord!

License

Apache 2.0 License - see the LICENSE file for details.