{"id":35401997,"url":"https://github.com/l3montree-dev/devguard","last_synced_at":"2026-04-23T09:03:34.502Z","repository":{"id":182529701,"uuid":"668606952","full_name":"l3montree-dev/devguard","owner":"l3montree-dev","description":"DevGuard Backend - Secure your Software Supply Chain - Attestation-based compliance as Code, manage your CVEs seamlessly, Integrate your Vulnerability Scanners, Security Framework Documentation made easy - OWASP Incubating Project","archived":false,"fork":false,"pushed_at":"2026-04-22T15:22:06.000Z","size":111548,"stargazers_count":128,"open_issues_count":106,"forks_count":27,"subscribers_count":4,"default_branch":"main","last_synced_at":"2026-04-22T15:24:15.643Z","etag":null,"topics":["automation","cve","cve-management","devsecops","it-security","owasp","security","security-automation","security-orchestration","vulnerability","vulnerability-assessment","vulnerability-databases","vulnerability-management"],"latest_commit_sha":null,"homepage":"https://devguard.org/","language":"Go","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"other","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/l3montree-dev.png","metadata":{"files":{"readme":"README.md","changelog":"CHANGELOG.md","contributing":"CONTRIBUTING.md","funding":null,"license":"LICENSE.txt","code_of_conduct":"CODE_OF_CONDUCT.md","threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":"SECURITY.md","support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null,"notice":null,"maintainers":null,"copyright":null,"agents":null,"dco":"docs/dco.txt","cla":null}},"created_at":"2023-07-20T07:47:53.000Z","updated_at":"2026-04-21T11:46:19.000Z","dependencies_parsed_at":null,"dependency_job_id":"de2e77f5-8eb4-4cdc-99c1-dd4e069d01c4","html_url":"https://github.com/l3montree-dev/devguard","commit_stats":null,"previous_names":["l3montree
-dev/flawfix","l3montree-dev/devguard"],"tags_count":166,"template":false,"template_full_name":null,"purl":"pkg:github/l3montree-dev/devguard","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/l3montree-dev%2Fdevguard","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/l3montree-dev%2Fdevguard/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/l3montree-dev%2Fdevguard/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/l3montree-dev%2Fdevguard/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/l3montree-dev","download_url":"https://codeload.github.com/l3montree-dev/devguard/tar.gz/refs/heads/main","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/l3montree-dev%2Fdevguard/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":32173068,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-04-23T02:19:40.750Z","status":"ssl_error","status_checked_at":"2026-04-23T02:17:55.737Z","response_time":53,"last_error":"SSL_connect returned=1 errno=0 peeraddr=140.82.121.5:443 state=error: unexpected eof while 
reading","robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":false,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["automation","cve","cve-management","devsecops","it-security","owasp","security","security-automation","security-orchestration","vulnerability","vulnerability-assessment","vulnerability-databases","vulnerability-management"],"created_at":"2026-01-02T11:38:19.443Z","updated_at":"2026-04-23T09:03:34.496Z","avatar_url":"https://github.com/l3montree-dev.png","language":"Go","funding_links":[],"categories":[],"sub_categories":[],"readme":"\u003ca name=\"readme-top\"\u003e\u003c/a\u003e\n\n\u003cbr /\u003e\n\u003cdiv align=\"center\"\u003e\n\n  \u003cpicture\u003e\n    \u003csource srcset=\"docs/logo_inverse_horizontal.svg\"  media=\"(prefers-color-scheme: dark)\"\u003e\n    \u003cimg src=\"docs/logo_horizontal.svg\" alt=\"DevGuard by L3montree Logo\" width=\"240\" height=\"80\"\u003e\n  \u003c/picture\u003e\n\n  \u003ch3 align=\"center\"\u003eDevGuard — Develop Secure Software\u003c/h3\u003e\n\n  \u003cp align=\"center\"\u003e\n    Open-source vulnerability management for the full software supply chain.\n    \u003cbr /\u003e\n    An \u003ca href=\"https://owasp.org/\"\u003eOWASP\u003c/a\u003e Incubating Project.\n    \u003cbr /\u003e\n    \u003cbr /\u003e\n    \u003ca href=\"https://docs.devguard.org\"\u003eDocumentation\u003c/a\u003e\n    ·\n    \u003ca href=\"https://main.devguard.org/l3montree-cybersecurity/projects/devguard\"\u003eLive Demo\u003c/a\u003e\n    ·\n    \u003ca href=\"https://github.com/l3montree-dev/devguard/issues\"\u003eReport Bug\u003c/a\u003e\n    ·\n    \u003ca 
href=\"https://matrix.to/#/#devguard:matrix.org\"\u003eChat (Matrix)\u003c/a\u003e\n  \u003c/p\u003e\n\u003c/div\u003e\n\n\u003cp align=\"center\"\u003e\n   \u003ca href=\"https://www.bestpractices.dev/projects/8928\"\u003e\u003cimg src=\"https://www.bestpractices.dev/projects/8928/badge\" alt=\"OpenSSF Badge\"\u003e\u003c/a\u003e\n   \u003ca href=\"https://goreportcard.com/report/github.com/l3montree-dev/devguard\"\u003e\u003cimg src=\"https://goreportcard.com/badge/github.com/l3montree-dev/devguard\" alt=\"Go Report Card\"\u003e\u003c/a\u003e\n   \u003ca href=\"https://github.com/l3montree-dev/devguard/blob/main/LICENSE.txt\"\u003e\u003cimg src=\"https://img.shields.io/badge/license-AGPLv3-purple\" alt=\"License\"\u003e\u003c/a\u003e\n   \u003ca href=\"https://github.com/l3montree-dev/devguard/issues?q=is%3Aopen+is%3Aissue+label%3A%22help+wanted%22\"\u003e\u003cimg src=\"https://img.shields.io/badge/Help%20Wanted-Contribute-blue\"\u003e\u003c/a\u003e\n   \u003ca href=\"https://matrix.to/#/#devguard:matrix.org\"\u003e\u003cimg src=\"https://img.shields.io/matrix/devguard%3Amatrix.org?logo=matrix\u0026label=matrix\"\u003e\u003c/a\u003e\n   \u003ca href=\"https://main.devguard.org/l3montree-cybersecurity/projects/devguard/assets/devguard/refs/main\"\u003e\u003cimg src=\"https://api.main.devguard.org/api/v1/public/e1f24270-6e68-4571-9168-9c151c639c97/refs/main/artifacts/pkg%3Aoci%2Fdevguard%3Frepository_url%3Dghcr.io%2Fl3montree-dev%2Fdevguard%26arch%3Damd64%26tag%3Dmain-amd64/badges/cvss/\" alt=\"CVSS\"\u003e\u003c/a\u003e\n\u003c/p\u003e\n\n---\n\n\u003e [!NOTE]\n\u003e Join the monthly [DevGuard Open Community Call](https://meet.mailbox.org/room/dad9052b-7b28-40c8-bf6c-462798a88827?invite=1b3e44cc-2e46-4050-8359-bee002d8bbfe), starting 23.04.26, always at 17:00 (UTC+2). Help discuss new features, contributions and the development of the project. 
\n\u003e For support please check out the [community matrix space](https://matrix.to/#/#devguard:matrix.org).\n\n## What is DevGuard?\n\nDevGuard is an open-source platform that gives development teams full visibility and control over vulnerabilities across their software supply chain — from source code and dependencies to container images and deployed artifacts.\n\nIt replaces the patchwork of disconnected scanners, spreadsheets, and manual triage with a single system that **scans, prioritizes, tracks, and documents** security findings across your entire SDLC.\n\nDevGuard is built on open standards exclusively (SBOM, VEX, SARIF, SLSA, in-toto) — no vendor lock-in, no proprietary formats.\n\n\u003cimg alt=\"Dependency risk overview\" src=\"docs/screenshots/dependency-risks.png\" /\u003e\n\n## When should I use DevGuard?\n\nUse DevGuard if you need to:\n\n- **Know what's in your software** — automated SBOM generation and dependency tracking across all your projects\n- **Find and fix vulnerabilities** — continuous scanning (SCA, SAST, secret scanning, IaC, container scanning) integrated into CI/CD\n- **Stop wasting time on noise** — risk-based prioritization that goes beyond raw CVSS scores by factoring in exploitability (EPSS), dependency depth, and your project's CIA assessment\n- **Triage at scale** — VEX-based assessment workflows and reusable VEX rules to handle recurring false positives once, not per-project\n- **Block malicious packages** — dependency firewall for npm, Go, and Python that checks packages before they enter your codebase\n- **Meet compliance requirements** — automated evidence generation for ISO 27001, Cyber Resilience Act (CRA), BSI IT-Grundschutz, and SLSA\n- **Share transparency data** — dynamic SBOM and VEX endpoints that stay current, because what's safe today may have a CVE tomorrow\n\nDevGuard is for developers, DevOps engineers, and security teams. 
You don't need to be a security expert to use it.\n\n\u003cimg alt=\"VEX rules for triage at scale\" src=\"docs/screenshots/vex-rules.png\" /\u003e\n\n## Key Capabilities\n\n| Capability | What it does |\n|---|---|\n| **Full DevSecOps Pipeline** | Secret scanning, SAST, SCA, IaC scanning, container scanning, license compliance — all from one CLI and CI integration |\n| **Risk-Based Prioritization** | Scores vulnerabilities using `(CVSS-BE × (EPSS + 1)) / 2 / Component Depth` so you fix what actually matters first |\n| **SBOM \u0026 VEX Management** | Works on SBOMs, provides full VEX workflows to document assessments, and serves both via live API endpoints |\n| **Dependency Firewall** | Proxies npm, Go, and Python registries — blocks known-malicious and vulnerable packages before download |\n| **Supply Chain Integrity** | in-toto attestations, SLSA provenance, cosign signatures, reproducible builds with Nix |\n| **Policy Enforcement** | Define organization-wide security policies with OPA/Rego, enforced automatically |\n| **Integrations** | GitHub, GitLab, Jira — scan results as issues |\n\n\u003cimg alt=\"Dependency insights and analytics\" src=\"docs/screenshots/dependency-insights.png\" /\u003e\n\n\u003cimg alt=\"Code risk analysis\" src=\"docs/screenshots/code-risks.png\" /\u003e\n\n## Talks \u0026 Presentations\n\nTo understand the principles behind DevGuard, watch these conference talks:\n\n- **FOSDEM 2026** — *Securing Software for the Public Sector* — [Watch the recording](https://ftp.belnet.be/mirror/FOSDEM/video/2026/aw1120/NK3MJY-securing-software-for-the-public-sector.mp4)\n- **FrOSCon 2025** — *Develop Secure Software — The DevGuard Project* — [Watch the recording](https://media.ccc.de/v/froscon2025-3322-develop_secure_software_-_the_devguard_project)\n\n## Getting Started\n\nThe full documentation lives at **[docs.devguard.org](https://docs.devguard.org)**. 
It covers installation, quickstart, CI/CD integration, scanner usage, and configuration.\n\nFor details on connecting to your CI, setting up the dependency firewall, or self-hosting in production, see the [documentation](https://docs.devguard.org).\n\n## Live Demo\n\nWe use DevGuard to scan DevGuard itself. Browse the live instance to see real vulnerability data, SBOMs, and VEX assessments:\n\n**[main.devguard.org/l3montree-cybersecurity/projects/devguard](https://main.devguard.org/l3montree-cybersecurity/projects/devguard)**\n\nLive SBOM and VEX data for this project:\n\n| Component | SBOM | VEX |\n|---|---|---|\n| [Backend (this repo)](https://github.com/l3montree-dev/devguard) | [SBOM](https://api.main.devguard.org/api/v1/public/e1f24270-6e68-4571-9168-9c151c639c97/refs/main/artifacts/pkg%3Aoci%2Fdevguard%3Frepository_url%3Dghcr.io%2Fl3montree-dev%2Fdevguard%26arch%3Damd64%26tag%3Dmain-amd64/sbom.json/) | [VEX](https://api.main.devguard.org/api/v1/public/e1f24270-6e68-4571-9168-9c151c639c97/refs/main/artifacts/pkg%3Aoci%2Fdevguard%3Frepository_url%3Dghcr.io%2Fl3montree-dev%2Fdevguard%26arch%3Damd64%26tag%3Dmain-amd64/vex.json/) |\n| [Web Frontend](https://github.com/l3montree-dev/devguard-web) | [SBOM](https://api.main.devguard.org/api/v1/public/169319b7-8170-469f-9e31-f87b6054e507/refs/main/artifacts/pkg%3Aoci%2Fdevguard-web%3Frepository_url%3Dghcr.io%2Fl3montree-dev%2Fdevguard-web%26arch%3Damd64%26tag%3Dmain-amd64/sbom.json/) | [VEX](https://api.main.devguard.org/api/v1/public/169319b7-8170-469f-9e31-f87b6054e507/refs/main/artifacts/pkg%3Aoci%2Fdevguard-web%3Frepository_url%3Dghcr.io%2Fl3montree-dev%2Fdevguard-web%26arch%3Damd64%26tag%3Dmain-amd64/vex.json/) |\n\n## Architecture\n\nDevGuard consists of two projects:\n\n- **Backend** (this repo) — Go API server and PostgreSQL\n- **Frontend** — [devguard-web](https://github.com/l3montree-dev/devguard-web) — Next.js web application\n\n## Contributing\n\nContributions are welcome. 
Read the [contribution guide](./CONTRIBUTING.md) to get started, or pick up a [help wanted](https://github.com/l3montree-dev/devguard/issues?q=is%3Aopen+is%3Aissue+label%3A%22help+wanted%22) issue.\n\nPlease follow the [Code of Conduct](CODE_OF_CONDUCT.md).\n\n## License\n\nAGPL-3.0-or-later. See [LICENSE.txt](LICENSE.txt).\n\n## Sponsors and Supporters\n\n[![OWASP](./docs/sponsors/sp-owasp.png)](https://owasp.org/)\n[![Bonn-Rhein-Sieg University of Applied Science](./docs/sponsors/sp-hbrs.png)](https://www.h-brs.de/)\n[![WhereGroup](./docs/sponsors/sp-wheregroup.png)](https://wheregroup.com/)\n[![DigitalHub](./docs/sponsors/sp-digitalhub.png)](https://www.digitalhub.de/)\n[![WetterOnline](./docs/sponsors/sp-wetteronline.png)](https://wetteronline.de/)\n[![Ikor](./docs/sponsors/sp-ikor.png)](https://ikor.one/)\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fl3montree-dev%2Fdevguard","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fl3montree-dev%2Fdevguard","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fl3montree-dev%2Fdevguard/lists"}
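Worked example of the risk-prioritization formula the embedded README quotes, `(CVSS-BE × (EPSS + 1)) / 2 / Component Depth`. This is an editor-added illustration, not code from the DevGuard repository or from this record. It assumes CVSS-BE is the CIA-adjusted base score on the usual 0..10 scale, EPSS is the 0..1 exploitation probability, and Component Depth counts 1 for a direct dependency and one more per transitive hop; the `Finding` type, the function names and the three sample findings are constructed for the example. It goes slightly beyond the one-line formula by ranking a list, which is what shows why the score differs from sorting by raw CVSS.

```go
package main

import (
	"fmt"
	"sort"
)

// Finding is one vulnerability match against a component in an SBOM.
// Hypothetical type for this example; field semantics follow the README formula.
type Finding struct {
	ID     string  // constructed identifier for the sample, not a real CVE
	CVSSBE float64 // CVSS base score adjusted for the asset's CIA requirements, 0..10
	EPSS   float64 // EPSS probability of exploitation, 0..1
	Depth  int     // dependency depth: 1 = direct dependency, 2 = one hop transitive, ...
}

// RiskScore evaluates (CVSS-BE × (EPSS + 1)) / 2 / Component Depth.
// Depth is clamped to at least 1 so a malformed SBOM entry can neither
// divide by zero nor inflate a score; this clamp is an assumption of the example.
func RiskScore(f Finding) float64 {
	depth := f.Depth
	if depth < 1 {
		depth = 1
	}
	return (f.CVSSBE * (f.EPSS + 1)) / 2 / float64(depth)
}

// Prioritize returns a copy of the findings sorted highest risk first.
func Prioritize(findings []Finding) []Finding {
	out := make([]Finding, len(findings))
	copy(out, findings)
	sort.SliceStable(out, func(i, j int) bool {
		return RiskScore(out[i]) > RiskScore(out[j])
	})
	return out
}

// SampleFindings is constructed input: one critical-CVSS but rarely
// exploited issue buried four levels deep, one high-CVSS issue that is
// actively exploited in a direct dependency, and one medium direct finding.
func SampleFindings() []Finding {
	return []Finding{
		{ID: "vuln-a", CVSSBE: 9.8, EPSS: 0.01, Depth: 4},
		{ID: "vuln-b", CVSSBE: 7.5, EPSS: 0.90, Depth: 1},
		{ID: "vuln-c", CVSSBE: 5.3, EPSS: 0.05, Depth: 1},
	}
}

func main() {
	for _, f := range Prioritize(SampleFindings()) {
		fmt.Printf("%-7s cvss=%.1f epss=%.2f depth=%d risk=%.3f\n",
			f.ID, f.CVSSBE, f.EPSS, f.Depth, RiskScore(f))
	}
}
```

Sorting by raw CVSS would put vuln-a first; the formula pushes it last (about 1.24) behind vuln-b (7.125) and vuln-c (about 2.78), because the EPSS multiplier and the depth divisor express how reachable and how likely to be exploited each finding actually is.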