<br /> <div align="center"> <picture> <source srcset="docs/logo_inverse_horizontal.svg" media="(prefers-color-scheme: dark)"> <img src="docs/logo_horizontal.svg" alt="DevGuard by L3montree Logo" width="240" height="80"> </picture> <h3 align="center">DevGuard - Develop Secure Software - Backend</h3> <p align="center"> Manage your CVEs seamlessly, Integrate your Vulnerability Scanners, Documentation made easy, Compliance to security Frameworks <br /> <br /> <a href="https://github.com/l3montree-dev/devguard/issues">Report Bug</a> · <a href="https://github.com/l3montree-dev/devguard/issues">Request Feature</a> · <a href="https://github.com/l3montree-dev/devguard?tab=readme-ov-file#sponsors-and-supporters-">Sponsors</a> </p> </div> <p align="center"> <a href="https://www.bestpractices.dev/projects/8928"><img src="https://www.bestpractices.dev/projects/8928/badge" alt="OpenSSF Badge"></a> <a href="https://goreportcard.com/report/github.com/l3montree-dev/devguard"><img src="https://goreportcard.com/badge/github.com/l3montree-dev/devguard" alt="Go Report Card"></a> <a href="https://github.com/l3montree-dev/devguard/blob/main/LICENSE.txt"><img src="https://img.shields.io/badge/license-AGPLv3-purple" alt="License"></a> <a href="https://github.com/l3montree-dev/devguard/issues?q=is%3Aopen+is%3Aissue+label%3A%22help+wanted%22"><img src="https://img.shields.io/badge/Help%20Wanted-Contribute-blue"></a> <a href="https://matrix.to/#/#devguard:matrix.org"><img src="https://img.shields.io/matrix/devguard%3Amatrix.org?logo=matrix&label=matrix"></a> <a href="https://main.devguard.org/l3montree-cybersecurity/projects/devguard/assets/devguard/refs/main"><img src="https://api.main.devguard.org/api/v1/badges/cvss/7d404549-3a17-47d8-b732-b26e6a4eeb00" alt="CVSS"></a> </p> <p align="center"> Get in touch with the developers directly via <a href="https://matrix.to/#/#devguard:matrix.org">Matrix-Chat</a> </p> Visit the Documentation at: https://devguard.org

Mission

DevGuard is built by developers, for developers, aiming to simplify the complex world of vulnerability management. Our goal is to integrate security seamlessly into the software development lifecycle, ensuring that security practices are accessible and efficient for everyone, regardless of their security expertise.

Demo

We are using DevGuard to scan and manage the risks of DevGuard itself—essentially eating our own dogfood. The project can be found here:

DEMO

We believe VEX information should be shared via a link due to its dynamic nature, as what is risk-free today may be affected by a CVE tomorrow. We've integrated the DevGuard risk scoring into the metrics, with detailed documentation on its calculation to follow soon. SBOM and VEX data are always up to date at these links:

https://api.main.devguard.org/api/v1/organizations/l3montree-cybersecurity/projects/devguard/assets/devguard/refs/main/artifacts/pkg%3Aoci%2Fdevguard%3Frepository_url%3Dghcr.io%2Fl3montree-dev%2Fdevguard/vex.json/

|Project|SBOM|VeX| |---|---|---| |Devguard Golang API|SBOM|VeX| |Devguard Web-Frontend|SBOM|VeX|

The problem we solve

Identifying and managing software vulnerabilities is an increasingly critical challenge. Developers often face security issues without the proper training or tools that fit into their everyday workflows. DevGuard is a developer-centered software designed to provide simple, modern solutions for vulnerability detection and management, compliant with common security frameworks.

In 2023 alone, cyberattacks caused approximately 206 billion euros in damage only in Germany. Many of these attacks exploited software vulnerabilities. With agile and DevOps methodologies becoming standard, the need for integrating security into the development process has never been greater. We aim to fill this gap with DevGuard, offering a seamless integration of vulnerability management into development workflows.

DevGuard Features

DevGuard comes with a lot of features to make safe Software Development as easy as possible for you. Here are some impressions of feature you will experience while using DevGuard:

Auto-Setup

We developed an auto setup functionality to speed up the DevGuard integration process.

Enhanced Risk Calculation

When it comes to your actual vulnerability risk, the CVSS score is not enough. To help you prioritise based on the actual risk to your project, we enhance the CVSS score with information about exploitability and calculate the risk score based on your confidentiality, integrity and availability assessment. This ensures that the most important things come first!

Dependency overview

Security through obscurity may have worked in the past, but we want to develop software using modern methods! The obscurity shouldn't affect you either. That's why we developed DevGuard: to give you full transparency over your dependencies and highlight any vulnerabilities. This is also visible in a fancy dependency graph.

Scanner Installation

DevGuard Scanner can be installed in multiple ways. Choose the method that best fits your environment:

Go Install (Recommended)

The easiest way to install the latest version:

# Install the latest version
go install github.com/l3montree-dev/devguard/cmd/devguard-scanner@latest

# Install a specific version
go install github.com/l3montree-dev/devguard/cmd/devguard-scanner@v1.0.0

Pre-built Binaries

Download pre-built binaries from our releases page:

# Download and verify (example for Linux AMD64)
curl -L https://github.com/l3montree-dev/devguard/releases/download/v1.0.0/devguard-scanner_1.0.0_Linux_x86_64.tar.gz -o devguard-scanner.tar.gz

# Verify the download (optional but recommended)
curl -L https://github.com/l3montree-dev/devguard/releases/download/v1.0.0/checksums.txt -o checksums.txt
sha256sum --check --ignore-missing checksums.txt

# Extract and install
tar -xzf devguard-scanner.tar.gz
sudo mv devguard-scanner /usr/local/bin/

Docker

# Run directly from Docker Hub
docker run --rm -v $(pwd):/app ghcr.io/l3montree-dev/devguard-scanner:latest sca /app

# Pull the image first
docker pull ghcr.io/l3montree-dev/devguard-scanner:latest

Building from Source

Nix Binary Cache

Build outputs are cached at https://nix.garage.l3montree.cloud. To push all local derivations to the cache (requires credentials):

AWS_ACCESS_KEY_ID=<access-key> \
AWS_SECRET_ACCESS_KEY=<secret-key> \
nix copy $(nix-store -qR $(nix path-info --derivation .#devguardOCI)) \
  --to 's3://nix?endpoint=s3.garage.l3montree.cloud&region=garage&scheme=https&secret-key=/etc/nix/cache-priv-key.pem'

# Clone the repository
git clone https://github.com/l3montree-dev/devguard.git
cd devguard

# Build the scanner
make devguard-scanner

# Or build with release flags for production
make release-devguard-scanner

Security Verification

All our releases are cryptographically signed and include SLSA Level 3 provenance for supply chain security.

Verify binary signatures:

# Install cosign
go install github.com/sigstore/cosign/v2/cmd/cosign@latest

# Verify the checksums file signature
cosign verify-blob \
  --certificate-identity-regexp="^https://github.com/l3montree-dev/devguard/.github/workflows/" \
  --certificate-oidc-issuer="https://token.actions.githubusercontent.com" \
  --bundle checksums.txt.sig.bundle \
  checksums.txt

Verify container images:

cosign verify ghcr.io/l3montree-dev/devguard-scanner:latest \
  --certificate-identity-regexp="^https://github.com/l3montree-dev/devguard/.github/workflows/" \
  --certificate-oidc-issuer="https://token.actions.githubusercontent.com"

✅ Verify Installation

# Check if installation was successful
devguard-scanner --version

# Get help
devguard-scanner --help

# Run

Devguard

Install / Use

README