Manage your CVEs seamlessly, Integrate your Vulnerability Scanners, Documentation made easy, Compliance to security Frameworks
Report Bug · Request Feature · Sponsors
Get in touch with the developers directly via Matrix-Chat
Visit the Documentation at: https://devguard.org

DevGuard is built by developers, for developers, aiming to simplify the complex world of vulnerability management. Our goal is to integrate security seamlessly into the software development lifecycle, ensuring that security practices are accessible and efficient for everyone, regardless of their security expertise.

We are using DevGuard to scan and manage the risks of DevGuard itself, essentially eating our own dogfood. The project can be found here:
We believe VEX information should be shared via a link due to its dynamic nature, as what is risk-free today may be affected by a CVE tomorrow. We've integrated the DevGuard risk scoring into the metrics, with detailed documentation on its calculation to follow soon. SBOM and VEX data are always up to date at these links:
| Project | SBOM | VeX |
|---|---|---|
| Devguard Golang API | SBOM | VeX |
| Devguard Web-Frontend | SBOM | VeX |
Identifying and managing software vulnerabilities is an increasingly critical challenge. Developers often face security issues without the proper training or tools that fit into their everyday workflows. DevGuard is a developer-centered software designed to provide simple, modern solutions for vulnerability detection and management, compliant with common security frameworks.
In 2023, cyberattacks caused approximately 206 billion euros in damage in Germany alone. Many of these attacks exploited software vulnerabilities. With agile and DevOps methodologies becoming standard, the need for integrating security into the development process has never been greater. We aim to fill this gap with DevGuard, offering a seamless integration of vulnerability management into development workflows.

DevGuard comes with many features to make secure software development as easy as possible for you. Here are some impressions of the features you will experience while using DevGuard:
We developed an auto setup functionality to speed up the DevGuard integration process.
When it comes to your actual vulnerability risk, the CVSS score is not enough. To help you prioritise based on the actual risk to your project, we enhance the CVSS score with information about exploitability and calculate the risk score based on your confidentiality, integrity and availability assessment. This ensures that the most important things come first!
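As an added illustration of the prioritization idea above (not DevGuard's own code, and not its risk formula, which this README says is still to be documented): a small Go program that scales the CVSS base score by an exploitability probability and by the asset's confidentiality, integrity and availability assessment, so that a highly exploitable CVSS 7.5 on a sensitive asset outranks a barely exploitable CVSS 9.8. The requirement weights, the 0.2 exploitability floor, the clamp to 0-10 and the CVE identifiers are constructed assumptions.

```go
package main

import (
	"fmt"
	"sort"
)

// Requirement is the asset owner's protection need for one CIA property.
type Requirement int

const (
	Low Requirement = iota
	Medium
	High
)

// AssetProfile is the confidentiality/integrity/availability assessment of one asset.
type AssetProfile struct {
	Confidentiality, Integrity, Availability Requirement
}

// Finding is one CVE affecting one component. CVSSBase is the CVSS base score
// (0-10); Exploitability is a probability in [0,1], EPSS-style.
type Finding struct {
	CVE, Component string
	CVSSBase       float64
	Exploitability float64
}

// Assumed weights: illustrative only, not DevGuard's documented formula.
var requirementWeight = map[Requirement]float64{Low: 0.5, Medium: 1.0, High: 1.5}

// ciaWeight lets the strongest protection need dominate, so a high-integrity
// asset is not diluted by low confidentiality or availability needs.
func ciaWeight(p AssetProfile) float64 {
	w := requirementWeight[p.Confidentiality]
	for _, r := range []Requirement{p.Integrity, p.Availability} {
		if requirementWeight[r] > w {
			w = requirementWeight[r]
		}
	}
	return w
}

// RiskScore scales the CVSS base score by an exploitability factor (floored
// at 0.2 so a critical CVE never drops to zero) and by the asset's CIA weight,
// then clamps the result to the 0-10 range.
func RiskScore(f Finding, p AssetProfile) float64 {
	exploit := 0.2 + 0.8*f.Exploitability
	s := f.CVSSBase * exploit * ciaWeight(p)
	if s > 10 {
		s = 10
	}
	return s
}

// Prioritize returns a copy of findings ordered by descending risk score.
func Prioritize(findings []Finding, p AssetProfile) []Finding {
	out := append([]Finding(nil), findings...)
	sort.SliceStable(out, func(i, j int) bool {
		return RiskScore(out[i], p) > RiskScore(out[j], p)
	})
	return out
}

func main() {
	// Constructed sample data; the CVE ids are placeholders, not real identifiers.
	findings := []Finding{
		{CVE: "CVE-0000-0001", Component: "libexample", CVSSBase: 9.8, Exploitability: 0.01},
		{CVE: "CVE-0000-0002", Component: "webframework", CVSSBase: 7.5, Exploitability: 0.90},
	}
	asset := AssetProfile{Confidentiality: High, Integrity: Medium, Availability: Low}
	for _, f := range Prioritize(findings, asset) {
		fmt.Printf("%-14s %-13s CVSS %.1f  risk %.2f\n", f.CVE, f.Component, f.CVSSBase, RiskScore(f, asset))
	}
}
```

With the sample data the CVSS 9.8 finding scores 3.06 on the high-confidentiality asset while the CVSS 7.5 finding saturates at 10, which is the reordering the paragraph above describes; on an asset rated Low on all three properties both drop, but the ordering stays the same.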
Security through obscurity may have worked in the past, but we want to develop software using modern methods! The obscurity shouldn't affect you either. That's why we developed DevGuard: to give you full transparency over your dependencies and highlight any vulnerabilities. This is also visible in a fancy dependency graph.
DevGuard Scanner can be installed in multiple ways. Choose the method that best fits your environment:

The easiest way to install the latest version:

```bash
# Install the latest version
go install github.com/l3montree-dev/devguard/cmd/devguard-scanner@latest

# Install a specific version
go install github.com/l3montree-dev/devguard/cmd/devguard-scanner@v1.0.0
```
Download pre-built binaries from our releases page:

```bash
# Download (example for Linux AMD64). -O keeps the release file name, which is
# the name recorded in checksums.txt; renaming the archive would leave
# sha256sum --ignore-missing with nothing to verify
curl -L -O https://github.com/l3montree-dev/devguard/releases/download/v1.0.0/devguard-scanner_1.0.0_Linux_x86_64.tar.gz

# Verify the download (optional but recommended)
curl -L https://github.com/l3montree-dev/devguard/releases/download/v1.0.0/checksums.txt -o checksums.txt
sha256sum --check --ignore-missing checksums.txt

# Extract and install
tar -xzf devguard-scanner_1.0.0_Linux_x86_64.tar.gz
sudo mv devguard-scanner /usr/local/bin/
```
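The `sha256sum --check` step of the download instructions above, written out in Go as an added example (not part of DevGuard): it parses the `checksums.txt` format that `sha256sum` writes (`<hex digest>  <file name>`), hashes a downloaded artifact and distinguishes the three outcomes an installer should treat differently: a match, a digest mismatch (corrupted or tampered download) and an artifact the checksums file does not list at all, which is the case in which `sha256sum --check --ignore-missing` verifies nothing. The file names and digests in the test are constructed.

```go
package main

import (
	"bufio"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
	"io"
	"os"
	"path/filepath"
	"strings"
)

// Sentinel errors so callers can tell "not listed" and "tampered" apart.
var (
	ErrNotListed = errors.New("artifact is not listed in the checksums file")
	ErrMismatch  = errors.New("sha256 digest mismatch")
)

// ParseChecksums reads sha256sum-style lines ("<hex digest>  <file name>",
// optionally "*name" for binary mode) into a map of file name -> digest.
// Blank lines and '#' comments are skipped; any other malformed line is an error.
func ParseChecksums(r io.Reader) (map[string]string, error) {
	sums := map[string]string{}
	sc := bufio.NewScanner(r)
	for sc.Scan() {
		line := strings.TrimSpace(sc.Text())
		if line == "" || strings.HasPrefix(line, "#") {
			continue
		}
		// Release artifact names contain no spaces, so exactly two fields are expected.
		fields := strings.Fields(line)
		if len(fields) != 2 || len(fields[0]) != sha256.Size*2 {
			return nil, fmt.Errorf("malformed checksum line %q", line)
		}
		if _, err := hex.DecodeString(fields[0]); err != nil {
			return nil, fmt.Errorf("invalid digest in line %q: %w", line, err)
		}
		sums[strings.TrimPrefix(fields[1], "*")] = strings.ToLower(fields[0])
	}
	return sums, sc.Err()
}

// VerifyFile hashes the file at path and compares the digest with the entry
// recorded under the file's base name.
func VerifyFile(sums map[string]string, path string) error {
	want, ok := sums[filepath.Base(path)]
	if !ok {
		return fmt.Errorf("%w: %s", ErrNotListed, filepath.Base(path))
	}
	f, err := os.Open(path)
	if err != nil {
		return err
	}
	defer f.Close()
	h := sha256.New()
	if _, err := io.Copy(h, f); err != nil {
		return err
	}
	if got := hex.EncodeToString(h.Sum(nil)); got != want {
		return fmt.Errorf("%w for %s: got %s, want %s", ErrMismatch, path, got, want)
	}
	return nil
}

// Usage: go run . checksums.txt devguard-scanner_1.0.0_Linux_x86_64.tar.gz
func main() {
	if len(os.Args) != 3 {
		fmt.Fprintln(os.Stderr, "usage: verify <checksums.txt> <artifact>")
		os.Exit(2)
	}
	cf, err := os.Open(os.Args[1])
	if err != nil {
		fmt.Fprintln(os.Stderr, err)
		os.Exit(2)
	}
	defer cf.Close()
	sums, err := ParseChecksums(cf)
	if err == nil {
		err = VerifyFile(sums, os.Args[2])
	}
	if err != nil {
		fmt.Fprintln(os.Stderr, "verification FAILED:", err)
		os.Exit(1)
	}
	fmt.Println("verification OK:", os.Args[2])
}
```

The checksum only proves the archive matches what the release published; it says nothing about who published it, which is what the cosign signature check on `checksums.txt` in the next section adds.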
```bash
# Run directly from the GitHub Container Registry (ghcr.io)
docker run --rm -v "$(pwd):/app" ghcr.io/l3montree-dev/devguard-scanner:latest sca /app

# Pull the image first
docker pull ghcr.io/l3montree-dev/devguard-scanner:latest
```

```bash
# Clone the repository
git clone https://github.com/l3montree-dev/devguard.git
cd devguard

# Build the scanner
make devguard-scanner

# Or build with release flags for production
make release-devguard-scanner
```
All our releases are cryptographically signed and include SLSA Level 3 provenance for supply chain security.
Verify binary signatures:
```bash
# Install cosign
go install github.com/sigstore/cosign/v2/cmd/cosign@latest

# Verify the checksums file signature (needs checksums.txt.sig.bundle from the same release)
cosign verify-blob \
  --certificate-identity-regexp="^https://github.com/l3montree-dev/devguard/.github/workflows/" \
  --certificate-oidc-issuer="https://token.actions.githubusercontent.com" \
  --bundle checksums.txt.sig.bundle \
  checksums.txt
```
Verify container images:
```bash
cosign verify ghcr.io/l3montree-dev/devguard-scanner:latest \
  --certificate-identity-regexp="^https://github.com/l3montree-dev/devguard/.github/workflows/" \
  --certificate-oidc-issuer="https://token.actions.githubusercontent.com"
```

```bash
# Check if installation was successful
devguard-scanner --version

# Get help
devguard-scanner --help

# Show the options of the software composition analysis (sca) scan
devguard-scanner sca --help
```
We welcome contributions! Please read our contribution guide if you would like to report a bug, ask a question, write issues, or help us with coding. All help is appreciated!
Help us keep DevGuard open and inclusive. Please read and follow our Code of Conduct.
DevGuard is divided into two projects: a frontend (DevGuard Web) and a backend (DevGuard Backend).
Backend (this project):
Frontend:
- Please refer to: DevGuard-Web on Github
DevGuard uses golang-migrate for database schema management. All migrations are embedded in the binary and run automatically on startup.
- Automatic Migration: By default, migrations run automatically when the application starts
- Environment Control: Set `DISABLE_AUTOMIGRATE=true` to disable automatic migrations
- Embedded Migrations: Migration files are embedded in the binary for easy deployment
- Idempotent: Migrations can be run multiple times safely
The project includes golang-migrate as a tool dependency. Install it using:
```bash
go get -tool github.com/golang-migrate/migrate/v4/cmd/migrate
```

```bash
# Create a new migration file pair (.up.sql and .down.sql)
go tool migrate create -ext sql -dir internal/database/migrations your_migration_name

# Example: Adding a new table
go tool migrate create -ext sql -dir internal/database/migrations add_user_preferences_table
```

This creates two files:

- `internal/database/migrations/YYYYMMDDHHMMSS_your_migration_name.up.sql` - Forward migration
- `internal/database/migrations/YYYYMMDDHHMMSS_your_migration_name.down.sql` - Rollback migration
Example: Adding a new table

`20250801120000_add_user_preferences_table.up.sql`:

```sql
-- Create user preferences table
CREATE TABLE IF NOT EXISTS user_preferences (
    id UUID PRIMARY KEY DEFAULT gen_random_uuid(),
    user_id TEXT NOT NULL,
    theme TEXT DEFAULT 'light',
    notifications_enabled BOOLEAN DEFAULT true,
    created_at TIMESTAMP WITH TIME ZONE DEFAULT NOW(),
    updated_at TIMESTAMP WITH TIME ZONE DEFAULT NOW()
);

-- Add index for faster lookups
CREATE INDEX IF NOT EXISTS idx_user_preferences_user_id ON user_preferences(user_id);
```

`20250801120000_add_user_preferences_table.down.sql`:

```sql
-- Remove the user preferences table
DROP TABLE IF EXISTS user_preferences CASCADE;
```
Example: Adding a column

`20250801130000_add_email_to_users.up.sql`:

```sql
-- Add email column to existing users table
ALTER TABLE users ADD COLUMN IF NOT EXISTS email TEXT;

-- Add index for email lookups
CREATE INDEX IF NOT EXISTS idx_users_email ON users(email);
```

`20250801130000_add_email_to_users.down.sql`:

```sql
-- Remove email column from users table
ALTER TABLE users DROP COLUMN IF EXISTS email CASCADE;
```
Example: Adding foreign key constraints

`20250801140000_add_user_organization_fk.up.sql`:

```sql
-- Add foreign key constraint. PostgreSQL has no ADD CONSTRAINT IF NOT EXISTS,
-- so drop a previous constraint of the same name first to keep this re-runnable
ALTER TABLE users DROP CONSTRAINT IF EXISTS fk_users_organization;
ALTER TABLE users
    ADD CONSTRAINT fk_users_organization
    FOREIGN KEY (organization_id) REFERENCES organizations(id)
    ON DELETE CASCADE;
```

`20250801140000_add_user_organization_fk.down.sql`:

```sql
-- Remove foreign key constraint
ALTER TABLE users DROP CONSTRAINT IF EXISTS fk_users_organization;
```
- Always use IF NOT EXISTS/IF EXISTS: Makes migrations idempotent
- Include rollback logic: Always write the down migration
- Test migrations: Test both up and down migrations on a copy of production data
- Small incremental changes: Keep migrations focused and atomic
- Use transactions implicitly: PostgreSQL wraps DDL in transactions automatically
- Descriptive names: Use clear, descriptive migration names
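An added example (not DevGuard's own code) that turns the `YYYYMMDDHHMMSS_<name>.up.sql` / `.down.sql` naming scheme and the best practices listed above into a check you can run in CI: a Go lint that, given migration file names and their SQL, reports files that do not follow the naming scheme, versions missing their up or down half, and `CREATE TABLE` / `CREATE INDEX` / `ADD COLUMN` statements (up) or `DROP ...` statements (down) written without their `IF (NOT) EXISTS` guard. It works on an in-memory map so the check runs without a checkout; the `main` fills that map from a directory, `internal/database/migrations` by default. `ADD CONSTRAINT` is deliberately left unchecked because PostgreSQL offers no `IF NOT EXISTS` form for it. The regular expressions and the sample migrations in the test are constructed.

```go
package main

import (
	"fmt"
	"os"
	"path/filepath"
	"regexp"
	"sort"
)

// Naming scheme produced by "go tool migrate create": <YYYYMMDDHHMMSS>_<name>.(up|down).sql
var fileRe = regexp.MustCompile(`^(\d{14})_([A-Za-z0-9_]+)\.(up|down)\.sql$`)

// Up statements that should carry IF NOT EXISTS; an empty group 2 means unguarded.
var upGuardRe = regexp.MustCompile(`(?i)\b(CREATE\s+(?:UNIQUE\s+)?(?:TABLE|INDEX)|ADD\s+COLUMN)\s+(IF\s+NOT\s+EXISTS)?`)

// Down statements that should carry IF EXISTS; an empty group 2 means unguarded.
var downGuardRe = regexp.MustCompile(`(?i)\b(DROP\s+(?:TABLE|INDEX|COLUMN|CONSTRAINT))\s+(IF\s+EXISTS)?`)

type migration struct {
	name, up, down string
	hasUp, hasDown bool
}

// Issue is one lint finding for one migration file.
type Issue struct {
	File, Problem string
}

// LintMigrations checks migration files (file name -> SQL body) for the naming
// scheme, a complete up/down pair per version and idempotency guards.
func LintMigrations(files map[string]string) []Issue {
	var issues []Issue
	byVersion := map[string]*migration{}
	for fname, body := range files {
		m := fileRe.FindStringSubmatch(fname)
		if m == nil {
			issues = append(issues, Issue{fname, "name is not <YYYYMMDDHHMMSS>_<name>.(up|down).sql"})
			continue
		}
		mg := byVersion[m[1]]
		if mg == nil {
			mg = &migration{name: m[2]}
			byVersion[m[1]] = mg
		}
		if m[3] == "up" {
			mg.up, mg.hasUp = body, true
		} else {
			mg.down, mg.hasDown = body, true
		}
	}
	for version, mg := range byVersion {
		base := version + "_" + mg.name
		if !mg.hasUp {
			issues = append(issues, Issue{base + ".up.sql", "missing forward migration"})
		}
		if !mg.hasDown {
			issues = append(issues, Issue{base + ".down.sql", "missing rollback migration"})
		}
		for _, s := range upGuardRe.FindAllStringSubmatch(mg.up, -1) {
			if s[2] == "" {
				issues = append(issues, Issue{base + ".up.sql", fmt.Sprintf("%q without IF NOT EXISTS", s[1])})
			}
		}
		for _, s := range downGuardRe.FindAllStringSubmatch(mg.down, -1) {
			if s[2] == "" {
				issues = append(issues, Issue{base + ".down.sql", fmt.Sprintf("%q without IF EXISTS", s[1])})
			}
		}
	}
	// Deterministic order regardless of map iteration.
	sort.Slice(issues, func(i, j int) bool {
		if issues[i].File != issues[j].File {
			return issues[i].File < issues[j].File
		}
		return issues[i].Problem < issues[j].Problem
	})
	return issues
}

// main lints a directory (default: the repo's migrations path) and exits 1 on findings.
func main() {
	dir := "internal/database/migrations"
	if len(os.Args) > 1 {
		dir = os.Args[1]
	}
	entries, err := os.ReadDir(dir)
	if err != nil {
		fmt.Fprintln(os.Stderr, err)
		os.Exit(2)
	}
	files := map[string]string{}
	for _, e := range entries {
		if body, err := os.ReadFile(filepath.Join(dir, e.Name())); err == nil {
			files[e.Name()] = string(body)
		}
	}
	issues := LintMigrations(files)
	for _, is := range issues {
		fmt.Printf("%s: %s\n", is.File, is.Problem)
	}
	if len(issues) > 0 {
		os.Exit(1)
	}
}
```

The guard check is a regular-expression heuristic, not a SQL parser: it catches the common cases in the examples above and is cheap enough to run on every pull request, but a statement split across comments or built dynamically can slip past it.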
```bash
# Check migration status
go tool migrate -database "postgres://user:pass@localhost:5432/devguard?sslmode=disable" -path internal/database/migrations version

# Run migrations manually
go tool migrate -database "postgres://user:pass@localhost:5432/devguard?sslmode=disable" -path internal/database/migrations up

# Rollback one migration
go tool migrate -database "postgres://user:pass@localhost:5432/devguard?sslmode=disable" -path internal/database/migrations down 1

# Rollback to specific version
go tool migrate -database "postgres://user:pass@localhost:5432/devguard?sslmode=disable" -path internal/database/migrations goto 20250801120000
```
Distributed under the AGPL-3.0-or-later License. See LICENSE.txt for more information.
We are proud to be supported and working together with the following organizations:

OWASP, Bonn-Rhein-Sieg University of Applied Science, WhereGroup, DigitalHub, WetterOnline, Ikor
```bash
# Build the scanner image locally
docker build . -f Dockerfile.scanner -t devguard-scanner
```

```bash
# Run an SCA scan of the current directory against a DevGuard API on the host
# (image name first, then the command executed inside it)
docker run -v "$(pwd):/app" devguard-scanner devguard-scanner sca \
    --assetName="<ASSET NAME>" \
    --apiUrl="http://host.docker.internal:8080" \
    --token="<TOKEN>" \
    --path="/app"
```

```bash
# Run the scanner from source against a local DevGuard API
go run ./cmd/devguard-scanner/main.go sca \
    --assetName="<ASSET NAME>" \
    --apiUrl="http://localhost:8080" \
    --token="<TOKEN>"
```

```bash
# Build the container image into a tarball with kaniko (no registry push needed)
docker run --rm -v "$(pwd):/workspace" gcr.io/kaniko-project/executor:latest \
    --dockerfile=/workspace/Dockerfile --context=/workspace \
    --tarPath=/workspace/image.tar --no-push
```

```bash
# Scan the image tarball built above
docker run -v "$(pwd):/app" devguard-scanner devguard-scanner container-scanning \
    --assetName="<ASSET NAME>" \
    --apiUrl="http://host.docker.internal:8080" \
    --token="<TOKEN>" \
    --path="/app/image.tar"
```