v0.4.2regionus-east-1builds/7d41pipeline active

FLA / PUBLIC BETA

V0.4.2 / PUBLIC BETA

VERIFIED CONTAINERS.
PREVIEWED LIVE.
DEPLOYED ON YOUR BOX.

Flareo builds, scans, signs, and attests third-party containers so you can run self-hosted software without trusting strangers on Docker Hub. A curated marketplace, real receipts on every module, live previews, and a portable compose file you take home. Your infrastructure. Your security.

Open the marketplace →Audit any image or install the CLI →

buildkit·trivy·cosign·sigstore·fulcio·rekor·syft·slsa-generator·in-toto·cyclonedx·bullmq·docker-in-docker·firecracker·caddy·github-actions-oidc·cloudflare-r2·aws-ecr-public·hetzner-cloud·buildkit·trivy·cosign·sigstore·fulcio·rekor·syft·slsa-generator·in-toto·cyclonedx·bullmq·docker-in-docker·firecracker·caddy·github-actions-oidc·cloudflare-r2·aws-ecr-public·hetzner-cloud·

§INSTALL

One line. Zero dependencies.

Install the Flareo CLI in 3 seconds. Binary is 8 MB statically linked — no Node, Python, Java, or Docker required. Works on macOS and Linux, amd64 and arm64.

SHELL / RECOMMENDED

$ /bin/bash -c "$(curl -fsSL https://flareo.sh/install)"

HOMEBREW

$ brew install flareo

CARGO

$ cargo install flareo-cli

01THE PROBLEM

Four things broken about how you pull images today.

Flareo doesn't exist because containers are hard. It exists because the distribution layer between upstream source code and the box you run on is full of trust gaps.

TRUST

You can't verify Docker Hub.

Anyone can push anything. :latest tags mutate under you. Publisher identity isn't cryptographically bound to images. One compromised maintainer account and your prod is running a trojan you can't detect.

LINEAGE

No SBOM, no provenance.

What's actually inside that container? Which commit built it? What dependencies were pulled at build time? Standard registries give you none of this. You're trusting a community reputation score at best.

TENANCY

PaaS owns your infrastructure.

Railway, Render, Fly.io are convenient until they raise prices, change limits, or go dark. Your deployment's SLA is theirs. Migration is painful. For homelab operators this is a non-starter.

EFFORT

Rolling your own is a full-time job.

Cosign + Trivy + Syft + SLSA generator + Rekor integration takes a platform team at least a quarter to ship reliably. For everyone below that scale, supply-chain security stays aspirational.

02b / SAME GOAL · TWO PATHS

Deploy Uptime Kuma. The Docker Hub way, then the Flareo way.

Two real shell sessions. Same end state — a running Uptime Kuma instance on a self-hosted box. Different paths to get there. The time stamps on the left are real; we kept the log honest.

~/uptime-kuma · the docker hub way

47 MIN ELAPSED

19:42  $ docker search uptime-kuma
       NAME                       STARS   OFFICIAL
       louislam/uptime-kuma        7842    [no]
       louislam/uptime-kuma2       12      [no]
       linuxserver/uptime-kuma     0       [no]

19:43  # ok — louislam looks legit. let me read the readme.
19:43  $ open https://hub.docker.com/r/louislam/uptime-kuma

19:51  # readme says "use docker compose". where's the compose file?
       # not in the readme. linked to a github repo. switch tabs.
19:54  $ open https://github.com/louislam/uptime-kuma

20:02  # found a docker-compose.yml in /docker. wonder if it's current?
       # 8 months since last commit on it. let me copy it anyway.
20:04  $ wget https://raw.githubusercontent.com/.../docker-compose.yml
20:04  $ cat docker-compose.yml
        version: '3.3'
        services:
          uptime-kuma:
            image: louislam/uptime-kuma:latest    ← :latest? in production?
            container_name: uptime-kuma
            volumes:
              - ./uptime-kuma-data:/app/data
            ports:
              - 3001:3001                          ← what about TLS?
            restart: always

20:09  # let me at least pin the digest. what's the actual digest?
20:09  $ docker pull louislam/uptime-kuma:latest
       latest: Pulling from louislam/uptime-kuma
       Digest: sha256:f4c8e2...
20:11  # is :latest signed? cosign verify expects an identity...
20:11  $ cosign verify louislam/uptime-kuma:latest
       Error: no matching signatures found

20:12  # ok. unsigned. trivy at least?
20:12  $ trivy image louislam/uptime-kuma:latest
       ─ alpine 3.18 ─
       Total: 14 (CRITICAL: 0, HIGH: 3, MEDIUM: 8, LOW: 3)

20:18  # 3 highs. acceptable? maybe? upstream hasn't shipped patches.
       # i'm out of patience. shipping it anyway.
20:24  $ docker compose up -d
20:25  $ curl -fsS http://localhost:3001/
       <!DOCTYPE html>... ✓ alive
20:29  # took 47 minutes. unsigned image. unknown SBOM.
       # back to fighting Caddy for TLS. monday-me's problem.

~/uptime-kuma · the flareo way

4 MIN ELAPSED

19:42  # open flareo.dev/marketplace, search "uptime kuma"
       # see: trust 94 · SLSA L3 · 0 critical · 8 reviews · 4.6★
       # click "try shared demo" — see real instance on flareo subdomain
19:43  # works. exactly the dashboard i wanted. close tab.

19:44  # back to the module page. click "DOWNLOAD .md BUNDLE"
19:44  $ curl -O https://flareo.dev/api/v1/modules/uptime-kuma/takeaway
19:44  $ ls
       uptime-kuma-1.23.4-takeaway.md

19:45  # extract the compose file from the .md and verify before pulling
19:45  $ flareo takeaway uptime-kuma --extract compose > docker-compose.yaml

19:45  # cosign verify command is in the README at the top of the bundle
19:45  $ cosign verify ghcr.io/flareo/uptime-kuma@sha256:9a8b... \
           --certificate-identity 'https://github.com/flareo/build/...' \
           --certificate-oidc-issuer 'https://token.actions.githubusercontent.com'
       Verification for ghcr.io/flareo/uptime-kuma --
         ✓ The cosign claims were validated
         ✓ Existence of the claims in the transparency log was verified
         ✓ The code-signing certificate was verified

19:46  $ docker compose up -d
19:46  $ curl -fsS http://localhost:3001/
       <!DOCTYPE html>... ✓ alive

19:46  # done. signed. SBOM bundled. provenance attested. 4 minutes.
       # tuesday-me thanks monday-me. this is the new normal.

The pipeline did the security review for you in advance, the marketplace put the right operator notes in front of you, the preview let you try it before committing, and the takeaway gave you a portable compose file. The 47 minutes on the left becomes 4 minutes on the right because the work was done before you arrived.

02THE PIPELINE

Every module goes through 6 stages. You see all of them.

This is a real trace from build #0847 of Vaultwarden 1.30.5 — submitted at 14:02, available at 14:05. Every line is logged and published. Nothing is hidden.

flareo tail --pipeline · build #0847 · vaultwarden@1.30.5

LIVE

The terminal above is animated. The receipts it produced are real — and clickable.

See the actual provenance trail for this build →

MODULES · VERIFIED

in public catalog today

BUILDS · 7 DAY

full pipeline runs

SCAN PASS · 7 DAY

builds with 0 critical CVEs

STAGE P50 · 7 DAY

0ms

median stage execution

03THE CATALOG

12 modules today, growing every week.

Every module has a verified signature, a current SBOM, a SLSA L2+ attestation, and a one-line pull command. Click any row to see the full receipts.

[01]

CADDYv2.7.6VERIFIED

HTTP/3 reverse proxy with auto-TLS.

$ flareo pull caddy

TRUST SCORE

[02]

GRAFANAv10.2.3VERIFIED

Time-series visualization and dashboards.

$ flareo pull grafana

TRUST SCORE

[03]

VAULTWARDENv1.30.5VERIFIED

Bitwarden-compatible password manager in Rust.

$ flareo pull vaultwarden

TRUST SCORE

[04]

UPTIME-KUMAv1.23.11VERIFIED

Self-hosted uptime monitoring and status pages.

$ flareo pull uptime-kuma

TRUST SCORE

VIEW ALL 12 MODULES →

06THE TAKEAWAY

You leave with a docker-compose.yaml, pinned to a digest.

No lock-in, no Flareo runtime on your box. The output of flareo compose is plain YAML with the image reference pinned to the exact signed sha256 digest you just verified. Run it anywhere Docker runs.

docker-compose.yaml · generated by flareo compose vaultwarden

copy →

# Generated by flareo 0.4.2 · 2026-04-21T14:05:14Z
# Module: vaultwarden@1.30.5 · SLSA L3 · 0 CVEs
# Verify: cosign verify ghcr.io/flareo/vaultwarden@sha256:9a8b7c6d5e4f
version: "3.9"

services:
  vaultwarden:
    image: ghcr.io/flareo/vaultwarden@sha256:9a8b7c6d5e4f3a2b
    container_name: vaultwarden
    restart: unless-stopped
    environment:
      DOMAIN: "https://vault.example.com"
      SIGNUPS_ALLOWED: "false"
      WEBSOCKET_ENABLED: "true"
    ports:
      - "8080:80"
      - "3012:3012"
    volumes:
      - ./vw-data:/data
    labels:
      flareo.module: vaultwarden
      flareo.version: "1.30.5"
      flareo.slsa: L3
      flareo.verified-at: "2026-04-20T14:05:14Z"

07PRICING

Free during beta. Fair afterward. No seat tax.

Individual operators stay free forever. Pro is $19/mo when billing starts in September 2026, 30 days of advance notice. Enterprise is $99/mo billed annually, no per-seat charges.

01 · FOREVER FREE

FREE

$0forever
no card

Unlimited public catalog pulls
3 public modules
200 build minutes / month
60 sandbox minutes / month

02 · MOST COMMONFREE IN BETA

PRO

$19per month
billed monthly

20 private modules
1,000 build minutes / month
Priority review · 2h SLA
10 team seats included

03 · COMPLIANCE-READY

ENTERPRISE

$99per month
billed annually

Unlimited private modules
Unlimited build minutes
SSO · SAML + OIDC
2h dedicated response SLA

FULL FEATURE MATRIX →

V0.4.2 / PUBLIC BETA

VERIFIED CONTAINERS.
PREVIEWED LIVE.
DEPLOYED ON YOUR BOX.

Open the marketplace →Audit any image or install the CLI →

§INSTALL

One line. Zero dependencies.

Install the Flareo CLI in 3 seconds. Binary is 8 MB statically linked — no Node, Python, Java, or Docker required. Works on macOS and Linux, amd64 and arm64.

SHELL / RECOMMENDED

$ /bin/bash -c "$(curl -fsSL https://flareo.sh/install)"

HOMEBREW

$ brew install flareo

CARGO

$ cargo install flareo-cli

01THE PROBLEM

Four things broken about how you pull images today.

Flareo doesn't exist because containers are hard. It exists because the distribution layer between upstream source code and the box you run on is full of trust gaps.

TRUST

You can't verify Docker Hub.

LINEAGE

No SBOM, no provenance.

TENANCY

PaaS owns your infrastructure.

Railway, Render, Fly.io are convenient until they raise prices, change limits, or go dark. Your deployment's SLA is theirs. Migration is painful. For homelab operators this is a non-starter.

EFFORT

Rolling your own is a full-time job.

Cosign + Trivy + Syft + SLSA generator + Rekor integration takes a platform team at least a quarter to ship reliably. For everyone below that scale, supply-chain security stays aspirational.

02b / SAME GOAL · TWO PATHS

Deploy Uptime Kuma. The Docker Hub way, then the Flareo way.

Two real shell sessions. Same end state — a running Uptime Kuma instance on a self-hosted box. Different paths to get there. The time stamps on the left are real; we kept the log honest.

~/uptime-kuma · the docker hub way

47 MIN ELAPSED

19:42  $ docker search uptime-kuma
       NAME                       STARS   OFFICIAL
       louislam/uptime-kuma        7842    [no]
       louislam/uptime-kuma2       12      [no]
       linuxserver/uptime-kuma     0       [no]

19:43  # ok — louislam looks legit. let me read the readme.
19:43  $ open https://hub.docker.com/r/louislam/uptime-kuma

19:51  # readme says "use docker compose". where's the compose file?
       # not in the readme. linked to a github repo. switch tabs.
19:54  $ open https://github.com/louislam/uptime-kuma

20:02  # found a docker-compose.yml in /docker. wonder if it's current?
       # 8 months since last commit on it. let me copy it anyway.
20:04  $ wget https://raw.githubusercontent.com/.../docker-compose.yml
20:04  $ cat docker-compose.yml
        version: '3.3'
        services:
          uptime-kuma:
            image: louislam/uptime-kuma:latest    ← :latest? in production?
            container_name: uptime-kuma
            volumes:
              - ./uptime-kuma-data:/app/data
            ports:
              - 3001:3001                          ← what about TLS?
            restart: always

20:09  # let me at least pin the digest. what's the actual digest?
20:09  $ docker pull louislam/uptime-kuma:latest
       latest: Pulling from louislam/uptime-kuma
       Digest: sha256:f4c8e2...
20:11  # is :latest signed? cosign verify expects an identity...
20:11  $ cosign verify louislam/uptime-kuma:latest
       Error: no matching signatures found

20:12  # ok. unsigned. trivy at least?
20:12  $ trivy image louislam/uptime-kuma:latest
       ─ alpine 3.18 ─
       Total: 14 (CRITICAL: 0, HIGH: 3, MEDIUM: 8, LOW: 3)

20:18  # 3 highs. acceptable? maybe? upstream hasn't shipped patches.
       # i'm out of patience. shipping it anyway.
20:24  $ docker compose up -d
20:25  $ curl -fsS http://localhost:3001/
       <!DOCTYPE html>... ✓ alive
20:29  # took 47 minutes. unsigned image. unknown SBOM.
       # back to fighting Caddy for TLS. monday-me's problem.

~/uptime-kuma · the flareo way

4 MIN ELAPSED

19:42  # open flareo.dev/marketplace, search "uptime kuma"
       # see: trust 94 · SLSA L3 · 0 critical · 8 reviews · 4.6★
       # click "try shared demo" — see real instance on flareo subdomain
19:43  # works. exactly the dashboard i wanted. close tab.

19:44  # back to the module page. click "DOWNLOAD .md BUNDLE"
19:44  $ curl -O https://flareo.dev/api/v1/modules/uptime-kuma/takeaway
19:44  $ ls
       uptime-kuma-1.23.4-takeaway.md

19:45  # extract the compose file from the .md and verify before pulling
19:45  $ flareo takeaway uptime-kuma --extract compose > docker-compose.yaml

19:45  # cosign verify command is in the README at the top of the bundle
19:45  $ cosign verify ghcr.io/flareo/uptime-kuma@sha256:9a8b... \
           --certificate-identity 'https://github.com/flareo/build/...' \
           --certificate-oidc-issuer 'https://token.actions.githubusercontent.com'
       Verification for ghcr.io/flareo/uptime-kuma --
         ✓ The cosign claims were validated
         ✓ Existence of the claims in the transparency log was verified
         ✓ The code-signing certificate was verified

19:46  $ docker compose up -d
19:46  $ curl -fsS http://localhost:3001/
       <!DOCTYPE html>... ✓ alive

19:46  # done. signed. SBOM bundled. provenance attested. 4 minutes.
       # tuesday-me thanks monday-me. this is the new normal.

02THE PIPELINE

Every module goes through 6 stages. You see all of them.

This is a real trace from build #0847 of Vaultwarden 1.30.5 — submitted at 14:02, available at 14:05. Every line is logged and published. Nothing is hidden.

flareo tail --pipeline · build #0847 · vaultwarden@1.30.5

LIVE

The terminal above is animated. The receipts it produced are real — and clickable.

See the actual provenance trail for this build →

MODULES · VERIFIED

in public catalog today

BUILDS · 7 DAY

full pipeline runs

SCAN PASS · 7 DAY

builds with 0 critical CVEs

STAGE P50 · 7 DAY

0ms

median stage execution

03THE CATALOG

12 modules today, growing every week.

Every module has a verified signature, a current SBOM, a SLSA L2+ attestation, and a one-line pull command. Click any row to see the full receipts.

[01]

CADDYv2.7.6VERIFIED

HTTP/3 reverse proxy with auto-TLS.

$ flareo pull caddy

TRUST SCORE

[02]

GRAFANAv10.2.3VERIFIED

Time-series visualization and dashboards.

$ flareo pull grafana

TRUST SCORE

[03]

VAULTWARDENv1.30.5VERIFIED

Bitwarden-compatible password manager in Rust.

$ flareo pull vaultwarden

TRUST SCORE

[04]

UPTIME-KUMAv1.23.11VERIFIED

Self-hosted uptime monitoring and status pages.

$ flareo pull uptime-kuma

TRUST SCORE

VIEW ALL 12 MODULES →

06THE TAKEAWAY

You leave with a docker-compose.yaml, pinned to a digest.

No lock-in, no Flareo runtime on your box. The output of flareo compose is plain YAML with the image reference pinned to the exact signed sha256 digest you just verified. Run it anywhere Docker runs.

docker-compose.yaml · generated by flareo compose vaultwarden

copy →

# Generated by flareo 0.4.2 · 2026-04-21T14:05:14Z
# Module: vaultwarden@1.30.5 · SLSA L3 · 0 CVEs
# Verify: cosign verify ghcr.io/flareo/vaultwarden@sha256:9a8b7c6d5e4f
version: "3.9"

services:
  vaultwarden:
    image: ghcr.io/flareo/vaultwarden@sha256:9a8b7c6d5e4f3a2b
    container_name: vaultwarden
    restart: unless-stopped
    environment:
      DOMAIN: "https://vault.example.com"
      SIGNUPS_ALLOWED: "false"
      WEBSOCKET_ENABLED: "true"
    ports:
      - "8080:80"
      - "3012:3012"
    volumes:
      - ./vw-data:/data
    labels:
      flareo.module: vaultwarden
      flareo.version: "1.30.5"
      flareo.slsa: L3
      flareo.verified-at: "2026-04-20T14:05:14Z"

07PRICING

Free during beta. Fair afterward. No seat tax.

Individual operators stay free forever. Pro is $19/mo when billing starts in September 2026, 30 days of advance notice. Enterprise is $99/mo billed annually, no per-seat charges.

01 · FOREVER FREE

FREE

$0forever
no card

Unlimited public catalog pulls
3 public modules
200 build minutes / month
60 sandbox minutes / month

02 · MOST COMMONFREE IN BETA

PRO

$19per month
billed monthly

20 private modules
1,000 build minutes / month
Priority review · 2h SLA
10 team seats included

03 · COMPLIANCE-READY

ENTERPRISE

$99per month
billed annually

Unlimited private modules
Unlimited build minutes
SSO · SAML + OIDC
2h dedicated response SLA

FULL FEATURE MATRIX →

VERIFIED CONTAINERS.PREVIEWED LIVE.DEPLOYED ON YOUR BOX.

One line. Zero dependencies.

Four things broken about how you pull images today.

You can't verify Docker Hub.

No SBOM, no provenance.

PaaS owns your infrastructure.

Rolling your own is a full-time job.

Deploy Uptime Kuma. The Docker Hub way, then the Flareo way.

Every module goes through 6 stages. You see all of them.

12 modules today, growing every week.

You leave with a docker-compose.yaml, pinned to a digest.

Free during beta. Fair afterward. No seat tax.

VERIFIED CONTAINERS.PREVIEWED LIVE.DEPLOYED ON YOUR BOX.

One line. Zero dependencies.

Four things broken about how you pull images today.

You can't verify Docker Hub.

No SBOM, no provenance.

PaaS owns your infrastructure.

Rolling your own is a full-time job.

Deploy Uptime Kuma. The Docker Hub way, then the Flareo way.

Every module goes through 6 stages. You see all of them.

12 modules today, growing every week.

You leave with a docker-compose.yaml, pinned to a digest.

Free during beta. Fair afterward. No seat tax.

VERIFIED CONTAINERS.
PREVIEWED LIVE.
DEPLOYED ON YOUR BOX.

VERIFIED CONTAINERS.
PREVIEWED LIVE.
DEPLOYED ON YOUR BOX.