Manage your CVEs seamlessly, Integrate your Vulnerability Scanners, Documentation made easy, Compliance to security Frameworks
Report Bug
·
Request Feature
·
Sponsors
Table of Contents
DevGuard is built by developers, for developers, aiming to simplify the complex world of vulnerability management. Our goal is to integrate security seamlessly into the software development lifecycle, ensuring that security practices are accessible and efficient for everyone, regardless of their security expertise.
We are using DevGuard to scan and manage the risks of DevGuard itself—essentially eating our own dogfood. The project can be found here:
We believe VEX information should be shared via a link due to its dynamic nature, as what is risk-free today may be affected by a CVE tomorrow. We've integrated the DevGuard risk scoring into the metrics, with detailed documentation on its calculation to follow soon. SBOM and VEX data are always up to date at these links:
Project | SBOM | VeX |
---|---|---|
Devguard Golang API | SBOM | VeX |
Devguard Web-Frontend | SBOM | VeX |
Identifying and managing software vulnerabilities is an increasingly critical challenge. Developers often face security issues without the proper training or tools that fit into their everyday workflows. DevGuard is a developer-centered software designed to provide simple, modern solutions for vulnerability detection and management, compliant with common security frameworks.
In 2023 alone, cyberattacks caused approximately 206 billion euros in damage only in Germany. Many of these attacks exploited software vulnerabilities. With agile and DevOps methodologies becoming standard, the need for integrating security into the development process has never been greater. We aim to fill this gap with DevGuard, offering a seamless integration of vulnerability management into development workflows.
Not all vulnerabilities pose the same level of risk to your project. Effective prioritization of vulnerabilities is crucial to ensure that resources are focused on addressing the most critical issues. DevGuard helps you focus on what truly matters by providing risk assessments based on CVSS scores, exploit availability (ExploitDB), and real-world threat data (EPSS). This approach converts a generic --exit-code 1 --severity CRITICAL
(like trivy has it) to a more practical --exit-code 1 --risk CRITICAL
strategy, ensuring that you address vulnerabilities that could have the most significant impact on your software.
To further illustrate the importance of prioritizing vulnerabilities, consider our Sankey diagram, which demonstrates how many high CVSS vulnerabilities are reassessed and reprioritized. The diagram shows that a significant portion of these vulnerabilities are mapped to EPSS scores in the 0-10% range, indicating a lower likelihood of exploitation. This visual representation underscores the necessity of a nuanced approach to vulnerability management, where not all "critical" CVEs are treated equally, but rather prioritized based on their actual risk.
Sankey diagram showing the CVSS Base-Score and the adjusted score after applying threat intelligence and the application security requirements to the cvss calculation. The scores then get mapped to their corresponding EPSS (Exploit prediction scoring system).
- Developer-Centric Integration: DevGuard fits naturally into your existing CI/CD workflows, reducing friction and enhancing productivity. It supports the OWASP DevSecOps pipeline, offering tools (we just reuse open source tools but provide a simplified wrapper cli) for secret scanning (coming soon), SAST (coming soon), SCA, IaC scanning (coming soon), container scanning (coming soon), and DAST (coming soon).
- Automated Security Monitoring: Continuous monitoring using Software Bill of Materials (SBOMs) to keep your projects secure.
- Risk Assessment: Automatically assesses and prioritizes risks to help you address the most critical vulnerabilities first — no really, we do this pragmatically and automate where possible! (Our base: CVSS, exploitdb, EPSS)
- Compliance: Ensures your projects meet security standards like ISO/IEC 27001 and PCI-DSS.
- Security and confidentiality: We prioritize the security of this software! In an expansion stage and in cooperation with research institutions, we want to make confidential data processing usable for the secure handling of sensitive information (confidential computing).
DevGuard aims to accompany developers in implementing the OWASP-DevSecOps pipeline in the best way possible, without requiring extensive cybersecurity knowledge. We plan provide a wrapper CLI to a curated list of scanners for different stages and seamless integration with the management backend, ensuring that security is integrated smoothly into the development workflow.
The OWASP DevSecOps pipeline integrates security practices into the DevOps process, ensuring that security is an integral part of the software development lifecycle. The pipeline includes the following key stages and practices:
- Detects and manages sensitive information such as API keys and passwords that may be accidentally committed to the codebase.
- Helps prevent security breaches by identifying secrets early in the development process.
- Utilizes Software Bill of Materials (SBOMs) to conduct thorough software composition analysis.
- Helps in identifying and managing dependencies and their associated vulnerabilities.
- Prioritizes CVEs using various threat intelligence sources such as EPSS and ExploitDB.
- Focuses on the real risk posed by vulnerabilities, converting "—fail-on-critical" to "—fail-on-real-risk-critical".
- Syncs with the National Vulnerability Database (NVD) to ensure up-to-date information on vulnerabilities.
- Supports a crowdsourced approach to vulnerability management.
- If a dependency (A) has another dependency (B) with a CVE, users can consult A to determine the relevance of B's CVE to their project.
- Allows marking vulnerabilities as false positives, sharing this information across the user community for the same A -> B relationship.
- Analyzes source code to identify security vulnerabilities early in the development process.
- Provides developers with actionable insights to fix vulnerabilities before they become critical issues.
- Ensures that infrastructure definitions and configurations adhere to security best practices.
- Detects misconfigurations and vulnerabilities in IaC templates early in the development cycle.
- Scans container images for vulnerabilities, ensuring that the containerized applications are secure.
- Helps maintain the security of containerized environments by identifying and mitigating risks in container images.
- Tests running applications to identify vulnerabilities that may not be visible in the source code.
- Simulates real-world attacks to uncover potential security weaknesses in live environments.
Based on emerging standards such as the Vulnerability Exploitability eXchange (VEX) and our goal of increasing overall software security through the dissemination of DevGuard, we want to make expert information available from the source.
“The goal of Vulnerability Exploitability eXchange (VEX) is to allow a software supplier or other parties to assert the status of specific vulnerabilities in a particular product.” (CISA)
VEX is an advanced form of security advisory that provides several key advantages over conventional methods:
- Machine Readability
- Enhanced SBOM Integration
- Automation Support
For instance, consider an open-source project, “XY-Example,” which detects a vulnerability through a dependency. Upon closer inspection, the developers determine that the specific conditions required to exploit this vulnerability are not present in their software. This expert assessment can be recorded and disseminated through VEX, making it accessible and usable for all users of the “XY-Example” software. This exchange of vulnerability information drastically reduces the effort required for vulnerability management, as users can rely on expert evaluations to determine their exposure to potential threats.
If the VEX is not available and in its addition, we can also use the knowledge of the crowd. If enough users confirm that a vulnerability in a software is not relevant, we can make this information available to others as a preset. In this way, we expand the foundation for joint vulnerability management and make it even easier.
-
Clone the repo
git clone [email protected]:l3montree-dev/devguard.git && cd devguard
-
Install Go, Docker & Docker-Compose
-
Copy the
.env.example
file to.env
and adjust the values to your needscp .env.example .env cp .kratos/kratos.example.yml .kratos/kratos.yml
-
Run the following command to start the necessary services
docker compose up
-
Start the application by running the following command
make
We welcome contributions! Please read our contribution guide if you would like to report a bug, ask a question, write issues, or help us with coding. All help is appreciated!
Help us keep DevGuard open and inclusive. Please read and follow our Code of Conduct.
DevGuard is divided into two projects: A frontend (DevGuard Web) and a backend (DevGuard Backend).
Backend (this project):
Frontend:
- Please refer to: DevGuard-Web on Github
Distributed under the AGPL-3.0-or-later License. See LICENSE.txt
for more information.
We are proud to be supported and working together with the following organizations:
docker build . -f Dockerfile.scanner -t devguard-scanner
docker run -v "$(PWD):/app" scanner devguard-scanner sca \
--assetName="<ASSET NAME>" \
--apiUrl="http://host.docker.internal:8080" \
--token="<TOKEN>" \
--path="/app"
go run ./cmd/devguard-scanner/main.go sca \
--assetName="<ASSET NAME>" \
--apiUrl="http://localhost:8080" \
--token="<TOKEN>"
docker run --rm -v $(pwd):/workspace gcr.io/kaniko-project/executor:latest --dockerfile=/workspace/Dockerfile --context=/workspace --tarPath=/workspace/image.tar --no-push
docker run -v "$(PWD):/app" scanner devguard-scanner container-scanning \
--assetName="<ASSET NAME>" \
--apiUrl="http://host.docker.internal:8080" \
--token="<TOKEN>" \
--path="/app/image.tar"
# we need to create a clean directory for the in-toto verification
# since we are recording the files inside the directory
mkdir test-env
go run ../cmd/devguard-scanner intoto verify \
--assetName=l3montree-cybersecurity/projects/devguard/assets/devguard-action \
--token=<Personal Access Token> \
--apiUrl="https://api.main.devguard.org" \
--layoutKey=../intoto-public-key.pem ghcr.io/l3montree-dev/devguard-action:in-toto-c23783cd-1732437352 # extracts the commit hash from the image name which we use as "supply chain id"