DevGuard - Develop Secure Software - Backend

Manage your CVEs seamlessly, Integrate your Vulnerability Scanners, Documentation made easy, Compliance to security Frameworks

Report Bug · Request Feature · Sponsors

Get in touch with the developers directly via Matrix-Chat

Visit the Documentation at: https://devguard.org

Mission

DevGuard is built by developers, for developers, aiming to simplify the complex world of vulnerability management. Our goal is to integrate security seamlessly into the software development lifecycle, ensuring that security practices are accessible and efficient for everyone, regardless of their security expertise.

Demo

We are using DevGuard to scan and manage the risks of DevGuard itself—essentially eating our own dogfood. The project can be found here:

DEMO

We believe VEX information should be shared via a link due to its dynamic nature, as what is risk-free today may be affected by a CVE tomorrow. We've integrated the DevGuard risk scoring into the metrics, with detailed documentation on its calculation to follow soon. SBOM and VEX data are always up to date at these links:

https://api.main.devguard.org/api/v1/organizations/l3montree-cybersecurity/projects/devguard/assets/devguard/refs/main/artifacts/pkg%3Aoci%2Fdevguard%3Frepository_url%3Dghcr.io%2Fl3montree-dev%2Fdevguard/vex.json/

Project	SBOM	VeX
Devguard Golang API	SBOM	VeX
Devguard Web-Frontend	SBOM	VeX

The problem we solve

Identifying and managing software vulnerabilities is an increasingly critical challenge. Developers often face security issues without the proper training or tools that fit into their everyday workflows. DevGuard is a developer-centered software designed to provide simple, modern solutions for vulnerability detection and management, compliant with common security frameworks.

In 2023 alone, cyberattacks caused approximately 206 billion euros in damage only in Germany. Many of these attacks exploited software vulnerabilities. With agile and DevOps methodologies becoming standard, the need for integrating security into the development process has never been greater. We aim to fill this gap with DevGuard, offering a seamless integration of vulnerability management into development workflows.

DevGuard Features

DevGuard comes with a lot of features to make safe Software Development as easy as possible for you. Here are some impressions of feature you will experience while using DevGuard:

Auto-Setup

We developed an auto setup functionality to speed up the DevGuard integration process.

Enhanced Risk Calculation

When it comes to your actual vulnerability risk, the CVSS score is not enough. To help you prioritise based on the actual risk to your project, we enhance the CVSS score with information about exploitability and calculate the risk score based on your confidentiality, integrity and availability assessment. This ensures that the most important things come first!

Dependency overview

Security through obscurity may have worked in the past, but we want to develop software using modern methods! The obscurity shouldn't affect you either. That's why we developed DevGuard: to give you full transparency over your dependencies and highlight any vulnerabilities. This is also visible in a fancy dependency graph.

Scanner Installation

DevGuard Scanner can be installed in multiple ways. Choose the method that best fits your environment:

Go Install (Recommended)

The easiest way to install the latest version:

# Install the latest version
go install github.com/l3montree-dev/devguard/cmd/devguard-scanner@latest

# Install a specific version
go install github.com/l3montree-dev/devguard/cmd/[email protected]

Pre-built Binaries

Download pre-built binaries from our releases page:

# Download and verify (example for Linux AMD64)
curl -L https://github.com/l3montree-dev/devguard/releases/download/v1.0.0/devguard-scanner_1.0.0_Linux_x86_64.tar.gz -o devguard-scanner.tar.gz

# Verify the download (optional but recommended)
curl -L https://github.com/l3montree-dev/devguard/releases/download/v1.0.0/checksums.txt -o checksums.txt
sha256sum --check --ignore-missing checksums.txt

# Extract and install
tar -xzf devguard-scanner.tar.gz
sudo mv devguard-scanner /usr/local/bin/

Docker

# Run directly from Docker Hub
docker run --rm -v $(pwd):/app ghcr.io/l3montree-dev/devguard-scanner:latest sca /app

# Pull the image first
docker pull ghcr.io/l3montree-dev/devguard-scanner:latest

Building from Source

# Clone the repository
git clone https://github.com/l3montree-dev/devguard.git
cd devguard

# Build the scanner
make devguard-scanner

# Or build with release flags for production
make release-devguard-scanner

Security Verification

All our releases are cryptographically signed and include SLSA Level 3 provenance for supply chain security.

Verify binary signatures:

# Install cosign
go install github.com/sigstore/cosign/v2/cmd/cosign@latest

# Verify the checksums file signature
cosign verify-blob \
  --certificate-identity-regexp="^https://github.com/l3montree-dev/devguard/.github/workflows/" \
  --certificate-oidc-issuer="https://token.actions.githubusercontent.com" \
  --bundle checksums.txt.sig.bundle \
  checksums.txt

Verify container images:

cosign verify ghcr.io/l3montree-dev/devguard-scanner:latest \
  --certificate-identity-regexp="^https://github.com/l3montree-dev/devguard/.github/workflows/" \
  --certificate-oidc-issuer="https://token.actions.githubusercontent.com"

✅ Verify Installation

# Check if installation was successful
devguard-scanner --version

# Get help
devguard-scanner --help

# Run a quick security scan
devguard-scanner sca --help

(back to top)

Contributing

We welcome contributions! Please read our contribution guide if you would like to report a bug, ask a question, write issues, or help us with coding. All help is appreciated!

(back to top)

Code of Conduct

Help us keep DevGuard open and inclusive. Please read and follow our Code of Conduct.

(back to top)

Built With

DevGuard is divided into two projects: A frontend (DevGuard Web) and a backend (DevGuard Backend).

Backend (this project):

• 

Frontend:

• Please refer to: DevGuard-Web on Github

(back to top)

License

Distributed under the AGPL-3.0-or-later License. See LICENSE.txt for more information.

(back to top)

Sponsors and Supporters 🚀

We are proud to be supported and working together with the following organizations:

(back to top)

DEVGUARD-SCANNER

Build the scanner

docker build . -f Dockerfile.scanner -t devguard-scanner  

Use the scanner for sca

docker run -v "$(PWD):/app" scanner devguard-scanner sca \
  --assetName="<ASSET NAME>" \
  --apiUrl="http://host.docker.internal:8080" \
  --token="<TOKEN>" \
  --path="/app"

Using the scanner during development

go run ./cmd/devguard-scanner/main.go sca \
  --assetName="<ASSET NAME>" \
  --apiUrl="http://localhost:8080" \
  --token="<TOKEN>"

Scan a container

Build a image.tar from a dockerfile using kaniko

docker run --rm -v $(pwd):/workspace gcr.io/kaniko-project/executor:latest --dockerfile=/workspace/Dockerfile --context=/workspace --tarPath=/workspace/image.tar --no-push

Scan the .tar

docker run -v "$(PWD):/app" scanner devguard-scanner container-scanning \
  --assetName="<ASSET NAME>" \
  --apiUrl="http://host.docker.internal:8080" \
  --token="<TOKEN>" \
  --path="/app/image.tar"