# OWASP DevGuard

Open-source vulnerability management for the full software supply chain

An OWASP Incubating Project · Made in Germany 🇩🇪 for the world 🌍

Documentation · Live Demo · Report Bug · Chat (Matrix)

> [!NOTE]
> Join the monthly DevGuard Open Community Call, always at 17:00 (UTC+2). Help shape new features and discuss contributions. For support, join the community Matrix space.
## What is DevGuard?

DevGuard is a single platform that finds, prioritizes, and tracks vulnerabilities across your entire software supply chain: from source code and third-party dependencies to container images, infrastructure-as-code, and deployed artifacts.

It replaces the patchwork of disconnected scanners, spreadsheets, and manual triage with one system that scans, prioritizes, tracks, and documents security findings across the whole SDLC. DevGuard is built exclusively on open standards (SBOM, VEX, SARIF, SLSA, in-toto), so there's no vendor lock-in and no proprietary formats.

This repository contains the DevGuard Backend (Go API + PostgreSQL). The web frontend lives at l3montree-dev/devguard-web.
## Why DevGuard?

Traditional security tools treat vulnerability management as something separate from development: generating 50–80% false-positive noise, living in spreadsheets, and demanding context switches from engineers who just want to ship. DevGuard flips that: security intelligence is delivered where developers already work (pull requests, CI, issue trackers), and real risks surface first thanks to multi-dimensional scoring.

Use DevGuard if you need to:

- Know what's in your software – automated SBOM generation and dependency tracking across all projects.
- Find vulnerabilities continuously – SCA, SAST, secret scanning, IaC, container scanning, and license compliance, all from one CLI.
- Cut through the noise – risk-based prioritization using CVSS + EPSS + component depth + your CIA assessment, not raw CVSS alone.
- Triage at scale – VEX-based assessment workflows and reusable VEX rules to handle recurring false positives once, not per project.
- Block malicious packages – Dependency Firewall for npm, Go, and Python that checks packages before they enter your codebase.
- Meet compliance requirements – automated evidence for ISO 27001, Cyber Resilience Act (CRA), BSI IT-Grundschutz, and SLSA.
- Share transparency data – live SBOM and VEX endpoints that stay current, because a dependency safe today can have a CVE tomorrow.

DevGuard is for developers, DevOps engineers, and security teams. No specialized security knowledge required.
## Key Capabilities

| Capability | What it does |
|---|---|
| Full DevSecOps pipeline | Secret scanning, SAST, SCA, IaC scanning, container scanning, and license compliance: one CLI, one CI integration |
| Risk-based prioritization | Scores every finding as (CVSS-BE × (EPSS + 1)) / 2 / Component Depth so you fix what actually matters first |
| SBOM & VEX management | CycloneDX SBOMs, full VEX workflows, and live SBOM/VEX endpoints that always reflect current state |
| Dependency Firewall | Proxies npm, Go, and Python registries and blocks known-malicious and vulnerable packages before download |
| Supply-chain integrity | in-toto attestations, SLSA provenance, cosign signatures, reproducible builds with Nix |
| Policy enforcement | Organization-wide security policies written in OPA/Rego, enforced automatically |
| Bring your own scanner | Ingests SBOM (CycloneDX) and SARIF from Trivy, Grype, Semgrep, and any standards-compliant tool |
| Issue tracker integration | GitHub Issues, GitLab Issues, and Jira: bidirectional sync with slash-command triage |
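To make the prioritization formula from the table (and the "Cut through the noise" bullet above) concrete, here is an added example in Go that is not DevGuard's own code: it applies `(CVSS-BE × (EPSS + 1)) / 2 / Component Depth` to three constructed findings and sorts them. The `Finding` struct, its field names and the sample values are assumptions for illustration; the CVSS-BE value (base score after your CIA/environmental adjustment) is taken as an input rather than computed.

```go
package main

import (
	"fmt"
	"sort"
)

// Finding is a constructed, minimal stand-in for a DevGuard finding.
// The fields are assumptions for this example, not DevGuard's data model.
type Finding struct {
	ID     string
	CVSSBE float64 // CVSS score after environmental (CIA) adjustment, 0..10
	EPSS   float64 // exploit prediction probability, 0..1
	Depth  int     // component depth: 1 = direct dependency, 2 = transitive, ...
}

// RiskScore applies the formula from the README:
// (CVSS-BE × (EPSS + 1)) / 2 / Component Depth.
// For a direct dependency (depth 1) the result stays on a 0..10 scale;
// deeper transitive dependencies are scaled down. A depth below 1 is
// clamped to 1 so a malformed record cannot divide by zero or inflate the score.
func RiskScore(cvssBE, epss float64, depth int) float64 {
	if depth < 1 {
		depth = 1
	}
	return (cvssBE * (epss + 1)) / 2 / float64(depth)
}

// Prioritize returns a copy of the findings sorted by descending risk score,
// so the finding to fix first comes first. The input slice is not modified.
func Prioritize(findings []Finding) []Finding {
	out := append([]Finding(nil), findings...)
	sort.SliceStable(out, func(i, j int) bool {
		return RiskScore(out[i].CVSSBE, out[i].EPSS, out[i].Depth) >
			RiskScore(out[j].CVSSBE, out[j].EPSS, out[j].Depth)
	})
	return out
}

func main() {
	// Constructed sample findings (placeholder IDs, not real CVEs).
	sample := []Finding{
		{ID: "F-1", CVSSBE: 9.8, EPSS: 0.02, Depth: 3}, // critical CVSS, rarely exploited, deep
		{ID: "F-2", CVSSBE: 7.5, EPSS: 0.90, Depth: 1}, // high CVSS, actively exploited, direct
		{ID: "F-3", CVSSBE: 9.8, EPSS: 0.02, Depth: 1}, // critical CVSS, rarely exploited, direct
	}
	for _, f := range Prioritize(sample) {
		fmt.Printf("%s score=%.3f\n", f.ID, RiskScore(f.CVSSBE, f.EPSS, f.Depth))
	}
}
```

Note that F-2 (CVSS 7.5) outranks both CVSS 9.8 findings because its EPSS is high and it is a direct dependency, which is exactly the "not raw CVSS alone" behaviour the table describes.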
## Getting started

The full documentation lives at docs.devguard.org. It covers installation, quickstart, CI/CD integration, scanner usage, and configuration.

For details on connecting to your CI, setting up the dependency firewall, or self-hosting in production, see the documentation.

## Documentation

The full documentation lives at docs.devguard.org. Start here:

- Quickstart – spin up DevGuard and run your first scan
- Key Concepts in 2 minutes – organizations, groups, assets, artifacts
- Risk Calculation – how findings are scored and prioritized
- Dependency Firewall – block malicious packages before they reach your code
- CRA Compliance – what DevGuard covers under the EU Cyber Resilience Act
## Live Demo

We scan DevGuard with DevGuard. Browse the public instance to see real vulnerability data, SBOMs, and VEX assessments on a live project:

main.devguard.org/l3montree-cybersecurity/projects/devguard

Live (always-current) SBOM and VEX endpoints for this project:

| Component | SBOM | VEX |
|---|---|---|
| Backend (this repo) | SBOM | VEX |
| Web Frontend | SBOM | VEX |
## Talks & Presentations

- FOSDEM 2026 – Securing Software for the Public Sector – Recording
- FrOSCon 2025 – Develop Secure Software – The DevGuard Project – Recording

## Community & Contributing

- Chat: Matrix space
- Discussions: GitHub Discussions
- Bugs / feature requests: GitHub Issues
- Monthly community call: see the note at the top of this README
- Contribute: read the contribution guide and pick up a help wanted issue

Please follow the Code of Conduct when participating.

## License

DevGuard is licensed under AGPL-3.0-or-later. See LICENSE.txt.