README
¶
DevGuard - Develop Secure Software - Backend
Manage your CVEs seamlessly, Integrate your Vulnerability Scanners, Documentation made easy, Compliance to security Frameworks
Report Bug
·
Request Feature
·
Sponsors
Get in touch with the developers directly via Matrix-Chat
Visit the Documentation at: https://devguard.orgMission
DevGuard is built by developers, for developers, aiming to simplify the complex world of vulnerability management. Our goal is to integrate security seamlessly into the software development lifecycle, ensuring that security practices are accessible and efficient for everyone, regardless of their security expertise.
Demo
We are using DevGuard to scan and manage the risks of DevGuard itself—essentially eating our own dogfood. The project can be found here:
We believe VEX information should be shared via a link due to its dynamic nature, as what is risk-free today may be affected by a CVE tomorrow. We've integrated the DevGuard risk scoring into the metrics, with detailed documentation on its calculation to follow soon. SBOM and VEX data are always up to date at these links:
| Project | SBOM | VeX |
|---|---|---|
| Devguard Golang API | SBOM | VeX |
| Devguard Web-Frontend | SBOM | VeX |
The problem we solve
Identifying and managing software vulnerabilities is an increasingly critical challenge. Developers often face security issues without the proper training or tools that fit into their everyday workflows. DevGuard is a developer-centered software designed to provide simple, modern solutions for vulnerability detection and management, compliant with common security frameworks.
In 2023 alone, cyberattacks caused approximately 206 billion euros in damage only in Germany. Many of these attacks exploited software vulnerabilities. With agile and DevOps methodologies becoming standard, the need for integrating security into the development process has never been greater. We aim to fill this gap with DevGuard, offering a seamless integration of vulnerability management into development workflows.
DevGuard Features
DevGuard comes with a lot of features to make safe Software Development as easy as possible for you. Here are some impressions of feature you will experience while using DevGuard:
Auto-Setup
We developed an auto setup functionality to speed up the DevGuard integration process.
Enhanced Risk Calculation
When it comes to your actual vulnerability risk, the CVSS score is not enough. To help you prioritise based on the actual risk to your project, we enhance the CVSS score with information about exploitability and calculate the risk score based on your confidentiality, integrity and availability assessment. This ensures that the most important things come first!
Dependency overview
Security through obscurity may have worked in the past, but we want to develop software using modern methods! The obscurity shouldn't affect you either. That's why we developed DevGuard: to give you full transparency over your dependencies and highlight any vulnerabilities. This is also visible in a fancy dependency graph.
Scanner Installation
DevGuard Scanner can be installed in multiple ways. Choose the method that best fits your environment:
Go Install (Recommended)
The easiest way to install the latest version:
# Install the latest version
go install github.com/l3montree-dev/devguard/cmd/devguard-scanner@latest
# Install a specific version
go install github.com/l3montree-dev/devguard/cmd/devguard-scanner@v1.0.0
Pre-built Binaries
Download pre-built binaries from our releases page:
# Download and verify (example for Linux AMD64)
curl -L https://github.com/l3montree-dev/devguard/releases/download/v1.0.0/devguard-scanner_1.0.0_Linux_x86_64.tar.gz -o devguard-scanner.tar.gz
# Verify the download (optional but recommended)
curl -L https://github.com/l3montree-dev/devguard/releases/download/v1.0.0/checksums.txt -o checksums.txt
sha256sum --check --ignore-missing checksums.txt
# Extract and install
tar -xzf devguard-scanner.tar.gz
sudo mv devguard-scanner /usr/local/bin/
Docker
# Run directly from Docker Hub
docker run --rm -v $(pwd):/app ghcr.io/l3montree-dev/devguard-scanner:latest sca /app
# Pull the image first
docker pull ghcr.io/l3montree-dev/devguard-scanner:latest
Building from Source
# Clone the repository
git clone https://github.com/l3montree-dev/devguard.git
cd devguard
# Build the scanner
make devguard-scanner
# Or build with release flags for production
make release-devguard-scanner
Security Verification
All our releases are cryptographically signed and include SLSA Level 3 provenance for supply chain security.
Verify binary signatures:
# Install cosign
go install github.com/sigstore/cosign/v2/cmd/cosign@latest
# Verify the checksums file signature
cosign verify-blob \
--certificate-identity-regexp="^https://github.com/l3montree-dev/devguard/.github/workflows/" \
--certificate-oidc-issuer="https://token.actions.githubusercontent.com" \
--bundle checksums.txt.sig.bundle \
checksums.txt
Verify container images:
cosign verify ghcr.io/l3montree-dev/devguard-scanner:latest \
--certificate-identity-regexp="^https://github.com/l3montree-dev/devguard/.github/workflows/" \
--certificate-oidc-issuer="https://token.actions.githubusercontent.com"
✅ Verify Installation
# Check if installation was successful
devguard-scanner --version
# Get help
devguard-scanner --help
# Run a quick security scan
devguard-scanner sca --help
Contributing
We welcome contributions! Please read our contribution guide if you would like to report a bug, ask a question, write issues, or help us with coding. All help is appreciated!
Code of Conduct
Help us keep DevGuard open and inclusive. Please read and follow our Code of Conduct.
Built With
DevGuard is divided into two projects: A frontend (DevGuard Web) and a backend (DevGuard Backend).
Backend (this project):
Frontend:
- Please refer to: DevGuard-Web on Github
License
Distributed under the AGPL-3.0-or-later License. See LICENSE.txt for more information.
Sponsors and Supporters 🚀
We are proud to be supported and working together with the following organizations:
DEVGUARD-SCANNER
Build the scanner
docker build . -f Dockerfile.scanner -t devguard-scanner
Use the scanner for sca
docker run -v "$(PWD):/app" scanner devguard-scanner sca \
--assetName="<ASSET NAME>" \
--apiUrl="http://host.docker.internal:8080" \
--token="<TOKEN>" \
--path="/app"
Using the scanner during development
go run ./cmd/devguard-scanner/main.go sca \
--assetName="<ASSET NAME>" \
--apiUrl="http://localhost:8080" \
--token="<TOKEN>"
Scan a container
Build a image.tar from a dockerfile using kaniko
docker run --rm -v $(pwd):/workspace gcr.io/kaniko-project/executor:latest --dockerfile=/workspace/Dockerfile --context=/workspace --tarPath=/workspace/image.tar --no-push
Scan the .tar
docker run -v "$(PWD):/app" scanner devguard-scanner container-scanning \
--assetName="<ASSET NAME>" \
--apiUrl="http://host.docker.internal:8080" \
--token="<TOKEN>" \
--path="/app/image.tar"
Directories
¶
| Path | Synopsis |
|---|---|
|
cmd
|
|
|
devguard
command
|
|
|
devguard-cli
command
|
|
|
devguard-scanner
command
|
|
|
TODO: rename the package name to vuln
|
TODO: rename the package name to vuln |
|
pkg
|
|