Run security scans on your own infrastructure.

Deploy Keygraph's full security suite inside your network. Source code never leaves your environment. Only findings metadata is sent to the cloud.

DOCKER
AIR-GAP
ON-PREM
KUBERNETES

Control Plane / Data Plane Architecture

Keygraph's self-hosted solution separates management and scanning workloads. The control plane runs in our cloud, while your data plane operates entirely within your infrastructure.

Control Plane (Keygraph Cloud)
GraphQL API
Admin UI
PostgreSQL
SpiceDB
R2 (Storage)
Redis
HTTPS + API Key Auth (findings metadata only)
Data Plane (Customer Infrastructure)
Docker Compose
Scanner Agent
Temporal
SAST Engine
SCA Scanner
Secrets Detection
Aspect          Control Plane                         Data Plane
Managed by      Keygraph                              Your infrastructure team
Components      API, UI, Database, Storage            Scanners, Temporal, Agent
Data stored     Findings metadata, configuration      Source code, temporary scan state
Communication   Unidirectional: data plane polls control plane every 5 minutes
Network         Outbound HTTPS only, no inbound connections required
Updates         Keygraph pushes updates instantly     Controlled by you, on your schedule

Full security suite, self-contained.

Deploy Keygraph's complete security scanning stack inside your network. Every component runs locally, giving you full control and visibility.

SAST Engine

Advanced static analysis powered by a 5-phase pipeline for accurate vulnerability detection.

Joern CPG analysis
LLM-powered source-sink extraction
Data flow analysis
LLM validation & logic analysis
JS/TS, Python, Go support
SARIF output

Shannon Pro (Pentest Agent)

AI-powered penetration testing agent for dynamic security testing and exploitation.

nmap for reconnaissance
subfinder for enumeration
whatweb for fingerprinting
Playwright browser automation
Claude-powered reasoning
Temporal orchestration

Secrets Scanner

Detect and remediate hardcoded credentials, API keys, and sensitive tokens in your codebase.

Multi-pattern detection
Hardcoded credentials
API keys & tokens
SARIF output
SAST enrichment
False positive filtering

SCA Scanner

Generate complete software bill of materials and identify known vulnerabilities in dependencies.

Dependency parsing
CycloneDX & SPDX SBOM
CVE identification
package.json, go.mod, requirements.txt
Multi-language support
Transitive dependency analysis

Your code stays yours.

Complete transparency on what leaves your environment. Only non-sensitive finding metadata and telemetry are transmitted to Keygraph Cloud.


Source code: Never sent

Rule-based scans run entirely in your data plane. AI-powered analysis sends code to the Anthropic API only when explicitly enabled, under strict data handling agreements.


Finding metadata: Sent to Keygraph

Rule IDs, severity levels, file paths, and line numbers are transmitted for dashboard visualization and historical tracking.


Code snippets: Never included

Findings are stripped of vulnerable code excerpts before transmission. Full details remain in your SARIF reports and local dashboard.


SARIF reports: Uploaded without snippets

Complete vulnerability data remains in your environment. Only metadata syncs to the cloud for centralized reporting and compliance tracking.
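The three notes above (finding metadata sent, code snippets never included, SARIF uploaded without snippets) describe a sanitization step between the scanner and the upload. The following Python is an added example of how such a step can be built, not Keygraph's code: instead of deleting known snippet fields from a SARIF log, it rebuilds the log from an allow-list of fields (rule id, level, file path, line and column numbers), so anything carrying source text is absent by construction. The sample SARIF log, the rule id and the file path are constructed for the example.

```python
from typing import Any

# Constructed SARIF 2.1.0 log shaped like scanner output. Note that the result's
# message, region.snippet and contextRegion.snippet all quote the offending source.
SAMPLE_SARIF: dict = {
    "version": "2.1.0",
    "runs": [{
        "tool": {"driver": {
            "name": "keygraph-sast",
            "rules": [{"id": "js/sql-injection",
                       "shortDescription": {"text": "SQL query built from untrusted input"}}],
        }},
        "results": [{
            "ruleId": "js/sql-injection",
            "level": "error",
            "message": {"text": "Tainted value reaches db.query(\"SELECT * FROM users WHERE id = \" + req.params.id)"},
            "locations": [{"physicalLocation": {
                "artifactLocation": {"uri": "src/routes/users.js"},
                "region": {"startLine": 42, "startColumn": 3, "endLine": 42, "endColumn": 64,
                           "snippet": {"text": "db.query(\"SELECT * FROM users WHERE id = \" + req.params.id)"}},
                "contextRegion": {"startLine": 40, "endLine": 44,
                                  "snippet": {"text": "app.get('/users/:id', (req, res) => {\n  const id = req.params.id;\n"}},
            }}],
        }],
    }],
}

# Coordinates are metadata; anything else under "region" (e.g. "snippet") is not copied.
REGION_KEYS = ("startLine", "startColumn", "endLine", "endColumn")


def result_to_metadata(result: dict, rules_by_id: dict) -> dict:
    """Allow-list projection of one result: rule id, level, file path and coordinates.
    The scanner's message is replaced by the rule's short description, because
    result messages routinely quote the vulnerable expression."""
    rule_id = result.get("ruleId")
    locations = []
    for loc in result.get("locations", []):
        phys = loc.get("physicalLocation", {})
        region = phys.get("region", {})
        locations.append({"physicalLocation": {
            "artifactLocation": {"uri": phys.get("artifactLocation", {}).get("uri")},
            "region": {k: region[k] for k in REGION_KEYS if k in region},
        }})
    rule = rules_by_id.get(rule_id, {})
    text = rule.get("shortDescription", {}).get("text", rule_id or "finding")
    return {"ruleId": rule_id, "level": result.get("level"),
            "message": {"text": text}, "locations": locations}


def sanitize_sarif(log: dict) -> dict:
    """Rebuild the log with only allow-listed fields. Snippets, contextRegion,
    artifacts[].contents, codeFlows and fixes are absent because they are never
    copied, not because a deny-list happened to name them."""
    out = {"version": log["version"], "runs": []}
    for run in log.get("runs", []):
        driver = run["tool"]["driver"]
        rules = {r["id"]: r for r in driver.get("rules", [])}
        out["runs"].append({
            "tool": {"driver": {"name": driver["name"], "rules": [
                {"id": r["id"], "shortDescription": r.get("shortDescription", {})}
                for r in rules.values()]}},
            "results": [result_to_metadata(r, rules) for r in run.get("results", [])],
        })
    return out


def contains_text(node: Any, needle: str) -> bool:
    """Leak check to run before upload: does any string in the payload contain needle?
    Feed it the original snippets, or every line of the scanned file."""
    if isinstance(node, dict):
        return any(contains_text(v, needle) for v in node.values())
    if isinstance(node, list):
        return any(contains_text(v, needle) for v in node)
    return isinstance(node, str) and needle in node
```

The allow-list design matters more than the specific keys: SARIF has several places where source text can appear (`region.snippet`, `contextRegion`, `artifacts[].contents`, `codeFlows`, `fixes`, and free-form `message.text`), and a deny-list that misses one of them ships code. The `contains_text` check is the regression test a data plane should run against its own upload payload.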


API key security: SHA-256 hashed

Your authentication credentials are hashed immediately. Never stored in plaintext. Each data plane instance receives its own isolated key.


Unidirectional communication

Your data plane polls the control plane every 5 minutes. No inbound connections required. Firewalls can block all incoming traffic.

Deploy in minutes with a single script.

Keygraph provides a fully automated setup experience. One command deploys your entire scanning infrastructure.

You'll receive keygraph-scanner-setup.sh which automates the entire deployment process. The script handles Docker Compose orchestration, container initialization, and agent registration in seconds.

Docker Compose Stack

version: '3.8'
services:
  temporal:
    image: keygraph/temporal:latest
    ports:
      - "7233:7233"
    environment:
      DB_HOST: postgres
  scanner-worker:
    image: keygraph/scanner-worker:latest
    depends_on:
      - temporal
    environment:
      CONTROL_PLANE_URL: https://api.keygraph.app
      API_KEY: ${KG_API_KEY}
  workflow-starter:
    image: keygraph/workflow-starter:latest
    depends_on:
      - temporal

Image Size Breakdown

Total: 1.3 GB

Base OS (Wolfi)          150 MB
Java 17 JRE              200 MB
Joern CLI                350 MB
Chromium                 300 MB
Security tools            50 MB
Obfuscated app code       30 MB
Node.js 22 + modules     250 MB

Deploy with a single command:

./keygraph-scanner-setup.sh

From API key to first scan in 3 steps.

Simple, controlled, and secure. Get your self-hosted scanning environment running in minutes.

1. Create API Key

Your admin creates a new API key in Settings > API Keys. The key is displayed once and immediately hashed with SHA-256 for storage.
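The key lifecycle described here and in the "API key security" note above (display once, hash with SHA-256, one key per data plane, approval before scanning) can be modelled in a few dozen lines. The following Python is an added example, not Keygraph's implementation: the in-memory registry, the `kg_v1_` plus 24-byte token format, the status names and the function names are assumptions chosen for the illustration.

```python
import hashlib
import hmac
import secrets
from typing import Optional

KEY_PREFIX = "kg_v1_"

# Constructed in-memory registry standing in for the control plane's database.
# It is keyed by the SHA-256 hex digest of the key; the plaintext is never stored.
KEY_REGISTRY: dict = {}


def create_api_key(device_label: str) -> str:
    """Mint one key per data plane instance. Only its digest is stored; the plaintext
    is returned exactly once for the admin to copy into the setup script."""
    plaintext = KEY_PREFIX + secrets.token_urlsafe(24)  # 24 random bytes, ~192 bits
    digest = hashlib.sha256(plaintext.encode()).hexdigest()
    KEY_REGISTRY[digest] = {"device": device_label, "status": "PENDING_APPROVAL"}
    return plaintext


def lookup(presented_key: str) -> Optional[dict]:
    """Hash the presented key and find its record. A leaked registry exposes only
    digests, and a digest of a 192-bit random token cannot be reversed or guessed,
    which is why an unsalted fast hash is acceptable here (unlike for passwords)."""
    if not presented_key.startswith(KEY_PREFIX):
        return None
    digest = hashlib.sha256(presented_key.encode()).hexdigest()
    for stored, record in KEY_REGISTRY.items():
        # Constant-time comparison so the check does not leak digest bytes via timing.
        if hmac.compare_digest(stored, digest):
            return record
    return None


def approve_device(device_label: str) -> bool:
    """Admin action from the Devices list: move PENDING_APPROVAL to APPROVED."""
    for record in KEY_REGISTRY.values():
        if record["device"] == device_label and record["status"] == "PENDING_APPROVAL":
            record["status"] = "APPROVED"
            return True
    return False


def may_scan(presented_key: str) -> bool:
    """Authorization check applied to every poll: a valid key alone is not enough,
    the device behind it must also have been approved."""
    record = lookup(presented_key)
    return record is not None and record["status"] == "APPROVED"


def plaintext_is_stored(presented_key: str) -> bool:
    """Leak check for tests: the registry must contain digests only."""
    return presented_key in repr(KEY_REGISTRY)
```

Two points are easy to get wrong in practice: the plaintext must not be written to logs or error messages on the create path (only the return value carries it), and the approval state must be checked on every request, not only at registration, so that revoking or un-approving a device takes effect at its next poll.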

kg_v1_xxxxxxxxxxxxxxxxxxxxxx

2. Deploy & Approve

A DevOps engineer runs the setup script in your environment. The agent registers as PENDING_APPROVAL; an admin approves it in the Devices list to activate scanning.

Approval grants scanning permissions

3. Scan & Monitor

Start scans from the UI. Your agent polls for tasks every 5 minutes. Findings stream back to your dashboard in real time. Monitor in Keygraph Cloud or your own SIEM.

Full audit trail for compliance

Enterprise-grade code protection.

Your scanning engine is protected with multiple layers of security to prevent reverse engineering and tampering.

Build-time Hardening

Multi-stage Docker builds discard source code after compilation. Only compiled artifacts and binaries remain in the image.

String Obfuscation

javascript-obfuscator with RC4 string array encoding prevents static analysis. Deobfuscation requires knowledge of runtime state.

Runtime Tamper Detection

SHA-256 checksums verified at startup. Container runtime corruption is detected and reported immediately.

Container Isolation

Non-root user, read-only filesystem, and dropped Linux capabilities. Running processes have minimal system access.
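The three controls named here (non-root user, read-only filesystem, dropped capabilities) are all expressible as Docker Compose service keys, and a customer who receives a compose stack can check that they are actually set. The following Python is an added example of such a check, not part of Keygraph's setup script: it audits the parsed form of a compose file (plain dicts, so no YAML library is needed) and reports each missing control. The weak and hardened service definitions are constructed; the uid 65532 is the conventional non-root user of Wolfi-based images and is an assumption here.

```python
# Constructed service definitions, the parsed form of two compose "services:" entries.
WEAK_SERVICE = {
    "image": "keygraph/scanner-worker:latest",
}

HARDENED_SERVICE = {
    "image": "keygraph/scanner-worker:latest",
    "user": "65532:65532",                      # non-root uid:gid
    "read_only": True,                          # immutable root filesystem
    "tmpfs": ["/tmp"],                          # scratch space for a read-only container
    "cap_drop": ["ALL"],                        # then cap_add only what is proven necessary
    "security_opt": ["no-new-privileges:true"], # setuid binaries cannot raise privileges
}


def audit_service(name: str, svc: dict) -> list:
    """Return one finding per missing hardening control; empty list means compliant."""
    findings = []

    user = str(svc.get("user", ""))
    if not user or user.split(":")[0] in ("", "0", "root"):
        findings.append(f"{name}: runs as root (set 'user' to a non-zero uid)")

    if svc.get("read_only") is not True:
        findings.append(f"{name}: writable root filesystem "
                        "(set read_only: true and mount tmpfs for scratch dirs)")

    dropped = {str(c).upper() for c in svc.get("cap_drop", [])}
    if "ALL" not in dropped:
        findings.append(f"{name}: Linux capabilities not dropped (cap_drop: [ALL])")

    if svc.get("privileged"):
        findings.append(f"{name}: privileged mode disables all isolation")

    opts = [str(o) for o in svc.get("security_opt", [])]
    if not any(o.startswith("no-new-privileges") for o in opts):
        findings.append(f"{name}: privilege escalation allowed "
                        "(security_opt: [no-new-privileges:true])")

    return findings


def audit_compose(compose: dict) -> dict:
    """Audit every service in a parsed compose file; maps service name to findings."""
    return {name: audit_service(name, svc)
            for name, svc in compose.get("services", {}).items()}
```

Such a check belongs in the customer's deployment pipeline rather than in the vendor's image: the image can ship as non-root, but `user`, `read_only`, `cap_drop` and `security_opt` are set by whoever runs the container, and a later edit to the compose file silently removes them.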

Air-gap native distribution.

Keygraph scanner images are distributed via Cloudflare R2 with support for offline, air-gapped deployments. No container registry account required.

All scanner images are available as tar.gz tarballs, enabling deployment in restricted network environments without external registry access.

Zero egress fees — bandwidth-friendly distribution
Single auth system — your existing kg_v1_ API keys work everywhere
Air-gap support — tarball extraction in offline environments
SHA-256 & Cosign verified — cryptographically signed releases
curl-friendly — standard HTTP download patterns

Download example:

curl -L -o keygraph-scanner.tar.gz \
  -H "Authorization: Bearer kg_v1_..." \
  "https://acme.keygraph.app/api/v1/scanner/download"
tar -xzf keygraph-scanner.tar.gz
docker load < keygraph-scanner.tar
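Both the "Runtime Tamper Detection" section (SHA-256 checksums verified at startup) and the "SHA-256 & Cosign verified" release bullet above come down to the same operation: compute a file digest and compare it with a recorded one. The following Python is an added example of both uses, not Keygraph's code: a build-time manifest of per-file digests, a startup check that reports modified, missing and unexpected files, and a check of a downloaded tarball against its published digest. The file tree, file contents and the stand-in tarball are constructed in a temporary directory; the function names are assumptions.

```python
import hashlib
import hmac
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Stream a file through SHA-256 so a large tarball need not fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path) -> dict:
    """Build time: digest of every regular file under root, keyed by relative POSIX path."""
    return {p.relative_to(root).as_posix(): sha256_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def verify_manifest(root: Path, manifest: dict) -> list:
    """Startup: report modified, missing and unexpected files. Empty list means clean."""
    problems = []
    for rel, expected in manifest.items():
        p = root / rel
        if not p.is_file():
            problems.append(f"missing: {rel}")
        elif not hmac.compare_digest(sha256_file(p), expected):
            problems.append(f"modified: {rel}")
    # Files that were not in the manifest are also a tamper signal (e.g. a dropped-in library).
    for rel in sorted(set(build_manifest(root)) - set(manifest)):
        problems.append(f"unexpected: {rel}")
    return problems


def verify_download(path: Path, published_digest: str) -> bool:
    """Compare a downloaded tarball against the digest published with the release."""
    return hmac.compare_digest(sha256_file(path), published_digest.lower())


def demo() -> dict:
    """Constructed scenario: a clean tree passes; after one file is edited and one is
    added, both are reported; a stand-in download is checked against good and bad digests."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        (root / "dist").mkdir()
        (root / "dist" / "worker.js").write_text("console.log('scanner worker');\n")
        (root / "dist" / "rules.json").write_text('{"rules": []}\n')
        manifest = build_manifest(root)
        clean = verify_manifest(root, manifest)

        (root / "dist" / "worker.js").write_text("console.log('scanner worker'); // edited\n")
        (root / "dist" / "extra.so").write_bytes(b"\x7fELF")
        tampered = verify_manifest(root, manifest)

        tarball = root / "keygraph-scanner.tar.gz"  # constructed stand-in, not a real image
        tarball.write_bytes(b"constructed placeholder bytes")
        return {
            "clean": clean,
            "tampered": tampered,
            "download_ok": verify_download(tarball, sha256_file(tarball)),
            "download_bad": verify_download(tarball, "0" * 64),
        }
```

The manifest is only as trustworthy as its own protection: if it sits as a plain file beside the code, an attacker who can edit the code can re-generate it. In practice it is embedded in the obfuscated bundle or covered by the image signature, and the published tarball digest should be fetched over a separate channel (or confirmed through the Cosign signature the release bullet mentions) rather than from the same download endpoint.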

Ready to run security scans on your infrastructure?

Get started with Keygraph Self-Hosted Scanning today. Deploy in your network, maintain complete control.

Request Self-Hosted Demo