DevGuard Backend - Secure your Software Supply Chain - Attestation-based compliance as Code, manage your CVEs seamlessly, Integrate your Vulnerability Scanners, Security Framework Documentation made easy - OWASP Incubating Project

l3montree-dev/devguard
DevGuard - Develop Secure Software - Backend

Manage your CVEs seamlessly, Integrate your Vulnerability Scanners, Documentation made easy, Compliance to security Frameworks

Report Bug · Request Feature · Sponsors

Get in touch with the developers directly via Matrix-Chat

Visit the Documentation at: https://devguard.org

Mission

DevGuard is built by developers, for developers, aiming to simplify the complex world of vulnerability management. Our goal is to integrate security seamlessly into the software development lifecycle, ensuring that security practices are accessible and efficient for everyone, regardless of their security expertise.

Demo

We are using DevGuard to scan and manage the risks of DevGuard itself—essentially eating our own dogfood. The project can be found here:

DEMO

We believe VEX information should be shared via a link due to its dynamic nature, as what is risk-free today may be affected by a CVE tomorrow. We've integrated the DevGuard risk scoring into the metrics, with detailed documentation on its calculation to follow soon. SBOM and VEX data are always up to date at these links:

| Project | SBOM | VeX |
| --- | --- | --- |
| Devguard Golang API | SBOM | VeX |
| Devguard Web-Frontend | SBOM | VeX |

The problem we solve

Identifying and managing software vulnerabilities is an increasingly critical challenge. Developers often face security issues without the proper training or tools that fit into their everyday workflows. DevGuard is developer-centered software designed to provide simple, modern solutions for vulnerability detection and management, compliant with common security frameworks.

In 2023 alone, cyberattacks caused approximately 206 billion euros in damage in Germany alone. Many of these attacks exploited software vulnerabilities. With agile and DevOps methodologies becoming standard, the need to integrate security into the development process has never been greater. We aim to fill this gap with DevGuard, offering seamless integration of vulnerability management into development workflows.

Contributing

We welcome contributions! Please read our contribution guide if you would like to report a bug, ask a question, write issues, or help us with coding. All help is appreciated!


Code of Conduct

Help us keep DevGuard open and inclusive. Please read and follow our Code of Conduct.


Built With

DevGuard is divided into two projects: A frontend (DevGuard Web) and a backend (DevGuard Backend).

Backend (this project):

  • Go

Frontend:


License

Distributed under the AGPL-3.0-or-later License. See LICENSE.txt for more information.


Sponsors and Supporters 🚀

We are proud to be supported and working together with the following organizations:

OWASP, Bonn-Rhein-Sieg University of Applied Science, WhereGroup, DigitalHub, WetterOnline, Ikor


DEVGUARD-SCANNER

Build the scanner

```bash
docker build . -f Dockerfile.scanner -t devguard-scanner
```

Use the scanner for SCA (software composition analysis)

```bash
# Use $(pwd), not $(PWD): $(PWD) tries to run a command named PWD and fails.
# The first devguard-scanner is the image tag from the build step, the second
# is the scanner binary inside the image.
docker run -v "$(pwd):/app" devguard-scanner devguard-scanner sca \
  --assetName="<ASSET NAME>" \
  --apiUrl="http://host.docker.internal:8080" \
  --token="<TOKEN>" \
  --path="/app"
```

Using the scanner during development

```bash
go run ./cmd/devguard-scanner/main.go sca \
  --assetName="<ASSET NAME>" \
  --apiUrl="http://localhost:8080" \
  --token="<TOKEN>"
```

Scan a container

Build an image.tar from a Dockerfile using kaniko:

```bash
docker run --rm -v "$(pwd):/workspace" gcr.io/kaniko-project/executor:latest \
  --dockerfile=/workspace/Dockerfile \
  --context=/workspace \
  --tarPath=/workspace/image.tar \
  --no-push
```

Scan the .tar:

```bash
docker run -v "$(pwd):/app" devguard-scanner devguard-scanner container-scanning \
  --assetName="<ASSET NAME>" \
  --apiUrl="http://host.docker.internal:8080" \
  --token="<TOKEN>" \
  --path="/app/image.tar"
```
