Ocular
Open-source orchestration platform for security scanning on Kubernetes. Deploy on any cluster, plug in any scanner, and manage everything through native CRDs.
# Add the Crash Override Helm repo
helm repo add crashoverride https://crashappsec.github.io/helm-charts
helm repo update
# Install Ocular on your Kubernetes cluster
helm install ocular crashoverride/ocular

# Apply Ocular CRDs and resources directly
kubectl apply -f https://github.com/crashappsec/ocular/releases/latest/download/ocular-crds.yaml
kubectl apply -f https://github.com/crashappsec/ocular/releases/latest/download/ocular.yaml

# Install Ocular with the default integrations package
helm repo add crashoverride https://crashappsec.github.io/helm-charts
helm repo update
helm install ocular crashoverride/ocular \
  --set integrations.default.enabled=true

Security scanning that's Kubernetes native
Stop stitching together scripts and cron jobs. Ocular orchestrates your entire scanning lifecycle through the Kubernetes API you already use.
Kubernetes-Native CRDs
Ocular runs as native Kubernetes Custom Resource Definitions. Define scan targets, schedules, and policies using the same kubectl workflows your team already knows.
Scanner Integrations
Plug in any scanner: Semgrep, Trivy, Grype, and more. Ocular orchestrates the full lifecycle: downloading targets, running scans, and uploading results.
Policy Evaluation
Define security policies that evaluate scan results automatically. Gate deployments, trigger alerts, or generate compliance reports based on configurable thresholds.
Extensible via Custom Integrations
Build your own integrations for proprietary scanners, internal ticketing systems, or custom result destinations. The integration API is open and documented.
How Ocular works
Define targets. Run scanners. Evaluate policies. All through Kubernetes CRDs.
Ocular orchestration lifecycle
Need more than open source?
The Crash Override platform extends Ocular with centralized multi-cluster management, enterprise dashboards, role-based access control, Jira and Slack integrations, and dedicated support from our engineering team.
Frequently asked questions
Is Ocular free to use?
Yes. Ocular is GPL licensed and completely free. You can deploy it on any Kubernetes cluster for personal, commercial, or enterprise use. The GPL license applies to Ocular itself; your scan configurations and custom integrations are your own.
What are the prerequisites for running Ocular?
Ocular requires a Kubernetes cluster running v1.28.0 or later with CRD support, plus Cert Manager for TLS certificate management. Any managed Kubernetes service (EKS, GKE, AKS) or self-hosted cluster that meets these requirements will work.
What scanners does Ocular support?
Out of the box, the default integrations package includes support for Semgrep, Trivy, Grype, and other popular open-source scanners. You can also write custom integrations to orchestrate any scanner that has a CLI or API interface. The integration framework is fully extensible.
How does Ocular differ from the Crash Override platform?
Ocular is the open-source orchestration layer. It deploys scanners, runs scans, and collects results on your Kubernetes cluster. The Crash Override platform adds centralized management across multiple clusters, enterprise dashboards, role-based access control, and integrations with ticketing and notification systems like Jira and Slack.
What are integrations in Ocular?
Integrations are pluggable modules that perform specific tasks in the scanning lifecycle: downloading scan targets from registries, running scanner tools, uploading results to storage or dashboards, and crawling environments to discover new targets. The ocular-default-integrations package provides a ready-made set, and you can write custom integrations for your specific toolchain.
How do I contribute to Ocular?
Fork the repository at github.com/crashappsec/ocular, make your changes, and open a pull request. The most valuable contributions are new scanner integrations, Kubernetes operator improvements, and documentation. See CONTRIBUTING.md for development setup and guidelines.
Deploy on your cluster
Helm install, define your scan targets as CRDs, and let Ocular orchestrate the rest. No account required.