ShipSecure

Self-Hosting

Deploy Radar with Docker Compose

Quick deploy

Download the compose file:

curl -O https://raw.githubusercontent.com/shipsecure-labs/radar/main/docker-compose.yml

Create your .env:

cat > .env << 'EOF'
# GitHub (optional)
GITHUB_APP_ID=123456
GITHUB_PRIVATE_KEY="-----BEGIN RSA PRIVATE KEY-----\n...\n-----END RSA PRIVATE KEY-----"
GITHUB_WEBHOOK_SECRET=your-webhook-secret

# GitLab (optional)
GITLAB_ACCESS_TOKEN=glpat-...
GITLAB_WEBHOOK_SECRET=your-webhook-secret

# AI (default: anthropic)
# AI_PROVIDER=openai
ANTHROPIC_API_KEY=sk-ant-...
# OPENAI_API_KEY=sk-...

REDIS_PASSWORD=your-secure-redis-password
EOF

Start everything:

docker compose up -d

Pin to a specific version:

VERSION=1.0.0 docker compose up -d

Reverse proxy

Put a reverse proxy in front of the gateway. Example with Caddy:

radar.yourdomain.com {
    reverse_proxy localhost:3000
}

Example with nginx:

server {
    listen 443 ssl;
    server_name radar.yourdomain.com;

    ssl_certificate /path/to/cert.pem;
    ssl_certificate_key /path/to/key.pem;

    location / {
        proxy_pass http://localhost:3000;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }
}

Scaling

Increase worker replicas for higher throughput:

# docker-compose.yml
worker:
  deploy:
    replicas: 4

Verify

  1. Check logs: docker compose logs -f worker
  2. Open a PR/MR with an obvious vulnerability (e.g. command injection)
  3. Radar should post an inline comment within a minute

Troubleshooting

Worker won't start: "At least one provider must be configured"

Set either GITHUB_APP_ID or GITLAB_ACCESS_TOKEN in your .env.

Webhook signature verification failed

Make sure the webhook secret in your .env matches exactly what you configured in GitHub/GitLab.
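Why the webhook secret has to match exactly, as an added example (not Radar's own code): GitHub signs the raw request body with HMAC-SHA256 and sends the result in X-Hub-Signature-256, while GitLab sends the secret verbatim in X-Gitlab-Token. It assumes Radar checks these standard headers; the diagnose helper and all sample values are hypothetical.

```python
import hashlib
import hmac


def github_signature(secret: str, body: bytes) -> str:
    """Value GitHub sends in X-Hub-Signature-256 for this secret and raw body."""
    mac = hmac.new(secret.encode(), body, hashlib.sha256)
    return "sha256=" + mac.hexdigest()


def github_delivery_ok(secret: str, body: bytes, header: str) -> bool:
    # Constant-time comparison, so the check does not leak how much matched.
    return hmac.compare_digest(github_signature(secret, body).encode(), header.encode())


def gitlab_delivery_ok(secret: str, header: str) -> bool:
    # GitLab sends the secret itself in X-Gitlab-Token; there is no body HMAC.
    return hmac.compare_digest(secret.encode(), header.encode())


def diagnose(env_secret: str, body: bytes, header: str) -> str:
    """Hypothetical helper: explain why a GitHub delivery fails verification."""
    if github_delivery_ok(env_secret, body, header):
        return "match"
    # Common ways a .env value drifts from what was typed into the provider UI.
    variants = [
        ("whitespace or newline around the secret", env_secret.strip()),
        ("quotes around the secret", env_secret.strip().strip("\"'")),
    ]
    for cause, candidate in variants:
        if candidate != env_secret and github_delivery_ok(candidate, body, header):
            return "mismatch: " + cause
    return "mismatch: different secret, or the body is not the raw bytes received"


if __name__ == "__main__":
    # Constructed sample delivery; not a real payload or secret.
    body = b'{"action":"opened","number":1}'
    header = github_signature("constructed-secret", body)
    for value in ("constructed-secret", "constructed-secret\n", '"constructed-secret"', "other"):
        print(repr(value), "->", diagnose(value, body, header))
```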

GitHub: "Resource not accessible by integration"

Your App is missing permissions. Ensure Contents is Read-only and Pull requests is Read & Write. After changing permissions, org admins may need to accept the update.

No comments appearing on PRs

  1. Check the App is installed on the repository
  2. Check worker logs for errors
  3. Verify webhooks are reaching your server
  4. Ensure the PR contains actual code changes (docs/config files are filtered out)
