Open-source vulnerability management for the full software supply chain.
An OWASP Incubating Project.
Documentation · Live Demo · Report Bug · Chat (Matrix)
Note
Join the monthly DevGuard Open Community Call, starting from 23.04.26, always at 17:00 (UTC+2). Help discuss new features, contributions and the development of the project. For support, please check out the community Matrix space.
DevGuard is an open-source platform that gives development teams full visibility and control over vulnerabilities across their software supply chain — from source code and dependencies to container images and deployed artifacts.
It replaces the patchwork of disconnected scanners, spreadsheets, and manual triage with a single system that scans, prioritizes, tracks, and documents security findings across your entire SDLC.
DevGuard is built on open standards exclusively (SBOM, VEX, SARIF, SLSA, in-toto) — no vendor lock-in, no proprietary formats.
Use DevGuard if you need to:
- Know what's in your software — automated SBOM generation and dependency tracking across all your projects
- Find and fix vulnerabilities — continuous scanning (SCA, SAST, secret scanning, IaC, container scanning) integrated into CI/CD
- Stop wasting time on noise — risk-based prioritization that goes beyond raw CVSS scores by factoring in exploitability (EPSS), dependency depth, and your project's CIA assessment
- Triage at scale — VEX-based assessment workflows and reusable VEX rules to handle recurring false positives once, not per-project
- Block malicious packages — dependency firewall for npm, Go, and Python that checks packages before they enter your codebase
- Meet compliance requirements — automated evidence generation for ISO 27001, Cyber Resilience Act (CRA), BSI IT-Grundschutz, and SLSA
- Share transparency data — dynamic SBOM and VEX endpoints that stay current, because what's safe today may have a CVE tomorrow
DevGuard is for developers, DevOps engineers, and security teams. You don't need to be a security expert to use it.
| Capability | What it does |
|---|---|
| Full DevSecOps Pipeline | Secret scanning, SAST, SCA, IaC scanning, container scanning, license compliance — all from one CLI and CI integration |
| Risk-Based Prioritization | Scores vulnerabilities using (CVSS-BE × (EPSS + 1)) / 2 / Component Depth so you fix what actually matters first |
| SBOM & VEX Management | Works on SBOMs, provides full VEX workflows to document assessments, and serves both via live API endpoints |
| Dependency Firewall | Proxies npm, Go, and Python registries — blocks known-malicious and vulnerable packages before download |
| Supply Chain Integrity | in-toto attestations, SLSA provenance, cosign signatures, reproducible builds with Nix |
| Policy Enforcement | Define organization-wide security policies with OPA/Rego, enforced automatically |
| Integrations | GitHub, GitLab, Jira — scan results are filed as issues |
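To make the prioritization formula in the table concrete, here is an added Go example (not DevGuard's own code) that computes (CVSS-BE × (EPSS + 1)) / 2 / Component Depth and orders a few constructed findings by the result. The `Finding` type, its field names, the input clamping and the depth floor of 1 are assumptions of this example, not documented DevGuard behaviour; the sample findings are invented.

```go
package main

import (
	"fmt"
	"math"
	"sort"
)

// Finding carries the inputs the README names for risk-based prioritization.
// The type and field names are assumptions for this example.
type Finding struct {
	ID     string
	CVSSBE float64 // environment-adjusted CVSS score (CVSS-BE), 0..10
	EPSS   float64 // exploit prediction probability, 0..1
	Depth  int     // dependency depth: 1 = direct dependency, 2 = its dependency, ...
}

// RiskScore evaluates the README's formula:
//
//	(CVSS-BE × (EPSS + 1)) / 2 / Component Depth
//
// Inputs are clamped to their valid ranges and a depth below 1 is treated as 1,
// so a malformed depth never divides by zero or inflates the score (assumption).
func RiskScore(cvssBE, epss float64, depth int) float64 {
	cvssBE = clamp(cvssBE, 0, 10)
	epss = clamp(epss, 0, 1)
	if depth < 1 {
		depth = 1
	}
	return cvssBE * (epss + 1) / 2 / float64(depth)
}

func clamp(v, lo, hi float64) float64 {
	return math.Max(lo, math.Min(hi, v))
}

// Prioritize returns a copy of the findings sorted by descending risk score,
// which is the order a team would work through them.
func Prioritize(findings []Finding) []Finding {
	out := make([]Finding, len(findings))
	copy(out, findings)
	sort.SliceStable(out, func(i, j int) bool {
		return RiskScore(out[i].CVSSBE, out[i].EPSS, out[i].Depth) >
			RiskScore(out[j].CVSSBE, out[j].EPSS, out[j].Depth)
	})
	return out
}

func main() {
	// Constructed sample findings; the IDs and values are not real data.
	findings := []Finding{
		{ID: "A: critical CVSS, transitive (depth 4), rarely exploited", CVSSBE: 9.8, EPSS: 0.01, Depth: 4},
		{ID: "B: high CVSS, direct dependency, actively exploited", CVSSBE: 7.5, EPSS: 0.95, Depth: 1},
		{ID: "C: medium CVSS, direct dependency, low EPSS", CVSSBE: 5.0, EPSS: 0.05, Depth: 1},
	}
	for _, f := range Prioritize(findings) {
		fmt.Printf("score=%5.2f  %s\n", RiskScore(f.CVSSBE, f.EPSS, f.Depth), f.ID)
	}
}
```

Run it and the ordering comes out B, C, A: the critical-rated but deeply nested, rarely exploited finding drops below a medium-rated direct dependency, which is exactly the "beyond raw CVSS" effect the README describes.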
To understand the principles behind DevGuard, watch these conference talks:
- FOSDEM 2026 — Securing Software for the Public Sector — Watch the recording
- FrOSCon 2025 — Develop Secure Software — The DevGuard Project — Watch the recording
The full documentation lives at docs.devguard.org. It covers installation, quickstart, CI/CD integration, scanner usage, and configuration.
For details on connecting to your CI, setting up the dependency firewall, or self-hosting in production, see the documentation.
We use DevGuard to scan DevGuard itself. Browse the live instance to see real vulnerability data, SBOMs, and VEX assessments:
main.devguard.org/l3montree-cybersecurity/projects/devguard
Live SBOM and VEX data for this project:
| Component | SBOM | VEX |
|---|---|---|
| Backend (this repo) | SBOM | VEX |
| Web Frontend | SBOM | VEX |
DevGuard consists of two projects:
- Backend (this repo) — Go API server and PostgreSQL
- Frontend — devguard-web — Next.js web application
Contributions are welcome. Read the contribution guide to get started, or pick up a help wanted issue.
Please follow the Code of Conduct.
AGPL-3.0-or-later. See LICENSE.txt.