Overview
The DevGuard CI/CD components implement the OWASP DevSecOps pipeline for you, so that running it does not require extensive cybersecurity expertise. You can integrate the DevGuard CI/CD pipeline with your repository on GitHub or GitLab.
Once integrated, the DevGuard CI/CD pipeline will scan your codebase, identify vulnerabilities, and provide attestation and evidence for completed checks.
On DevGuard, you can manage, prioritize, and resolve vulnerabilities, achieve compliance, and access additional features.
Let’s get your release pre-flight checks done with DevGuard ✅ 🚀
Architecture Overview

DevGuard CI/CD Integration
Learn more about the DevSecOps pipeline steps and how they work together in the DevSecOps section.
The pipeline steps are based on the OWASP DevSecOps pipeline, combined with the concept of gathering evidence and attestations for the actions performed in the pipeline. The checks report the vulnerabilities they find to DevGuard as an SBOM or a SARIF report. DevGuard helps you manage, prioritize, and resolve the vulnerabilities found.
For detailed setup instructions, refer to setup GitHub integration or setup GitLab integration.
Aggregated Vulnerability Database
DevGuard continuously monitors your project against known vulnerabilities.
To provide you with the most accurate and up-to-date information, and to help you prioritize your remediation efforts, we aggregate data from multiple vulnerability databases (e.g., NVD, EPSS, OSV, Exploit DB, and GitHub PoCs).
Learn more about the aggregated vulnerability database and how it works.
Vulnerability Management & Issue Synchronization
DevGuard provides a centralized view of all vulnerabilities in your codebase, allowing you to prioritize and manage them effectively. Based on the aggregated vulnerability database, you can see the risk level of each vulnerability and prioritize them accordingly.
You can also synchronize issues with external issue trackers, such as GitHub Issues or GitLab Issues (with more trackers, such as Jira, planned for the future). From those issues, you can also drive the vulnerability management process via slash commands.
Attestation-Based Compliance
A core part of software supply chain security is the ability to securely link the steps in the software supply chain to the final product, provide evidence of the steps taken, and ensure that the final product is built and deployed securely.
DevGuard records the evidence and provides an attestation for each step in the DevSecOps pipeline. This allows you to prove that the necessary security checks were performed and that the final product is secure. Because an attestation is a signed statement, and DevGuard collects more evidence than just the check results, you can use DevGuard to demonstrate compliance with many typical requirements (e.g., from ISO 27001 or PCI DSS).
Learn more in the Attestation & Provenance section.
For a detailed view into the policies written by the DevGuard community, check out the Attestation Compliance Policies GitHub Repo.
Which Data from Your Codebase is Stored?
When DevGuard is integrated with a repository, it performs software composition analysis (SCA) and container scanning on the codebase. It uses Trivy to scan the application’s dependencies and container images in the repository. A Software Bill of Materials (SBOM) is then generated.
The Trivy scan is executed via CLI commands, typically in a CI/CD pipeline where the repository is hosted, such as GitHub, GitLab, or a private GitLab instance.
The results of the scan, including the SBOM, are sent to the DevGuard API using a personal access token generated by the user on DevGuard. This token is securely stored in the repository’s secrets, ensuring that only the repository with the correct token can transmit data to DevGuard. For more information about what and how DevGuard analyzes the SBOM, refer to the SBOM Analysis.
The transfer of data from the repository to DevGuard is conducted through the HTTPS protocol, ensuring secure and encrypted communication.
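The steps above (scan with Trivy, produce an SBOM, send it to DevGuard with a token held in the repository's secrets, over HTTPS only) as an added, illustrative pipeline step. This is example code, not DevGuard's own client or CI template: the API URL, the `DEVGUARD_TOKEN` environment variable name and the `Authorization: Bearer` header are assumptions and must be replaced by the values from the GitHub or GitLab setup instructions. The Trivy command line (`trivy fs --format cyclonedx --output …`) is real.

```python
"""Illustrative CI step: generate a CycloneDX SBOM with Trivy and upload it to an
HTTPS API with a token from the CI secret store. Added example, not DevGuard code."""
import os
import subprocess
import urllib.request
from urllib.parse import urlparse

# Assumed placeholders: the real endpoint and secret name come from the DevGuard setup docs.
DEFAULT_API_URL = "https://devguard.example.invalid/api/v1/sbom"  # placeholder URL
TOKEN_ENV = "DEVGUARD_TOKEN"  # assumed name of the CI secret holding the access token


def generate_sbom(path: str = ".", output: str = "sbom.cdx.json") -> str:
    """Run Trivy's filesystem scan and write a CycloneDX SBOM (real Trivy flags)."""
    subprocess.run(
        ["trivy", "fs", "--format", "cyclonedx", "--output", output, path],
        check=True,
    )
    return output


def validate_api_url(url: str) -> str:
    """Refuse anything but HTTPS so the token and SBOM never travel in clear text."""
    parsed = urlparse(url)
    if parsed.scheme != "https" or not parsed.netloc:
        raise ValueError(f"refusing non-HTTPS API URL: {url!r}")
    return url


def read_token(env=None) -> str:
    """Read the upload token from the environment (populated from repository secrets)."""
    env = os.environ if env is None else env
    token = env.get(TOKEN_ENV, "").strip()
    if not token:
        raise RuntimeError(f"{TOKEN_ENV} is not set; configure it as a CI secret")
    return token


def redact(token: str) -> str:
    """Log-safe representation: a short prefix and the length, never the token itself."""
    return f"{token[:4]}...({len(token)} chars)" if len(token) > 8 else "***"


def build_upload_request(api_url: str, token: str, sbom_bytes: bytes) -> urllib.request.Request:
    """Build the authenticated POST. The bearer header scheme is an assumption."""
    req = urllib.request.Request(validate_api_url(api_url), data=sbom_bytes, method="POST")
    req.add_header("Authorization", f"Bearer {token}")
    req.add_header("Content-Type", "application/vnd.cyclonedx+json")
    return req


def upload_sbom(sbom_path: str, api_url: str = DEFAULT_API_URL, env=None) -> int:
    """Upload the SBOM file and return the HTTP status code."""
    token = read_token(env)
    with open(sbom_path, "rb") as fh:
        req = build_upload_request(api_url, token, fh.read())
    print(f"uploading {sbom_path} to {api_url} using token {redact(token)}")
    with urllib.request.urlopen(req, timeout=30) as resp:
        return resp.status


if __name__ == "__main__":
    upload_sbom(generate_sbom())
```

The two checks worth copying into any such step are `validate_api_url`, which makes an accidental `http://` endpoint a hard failure rather than a silent plaintext upload of the token and SBOM, and `redact`, which keeps the token out of CI logs.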
The transmitted SBOM is analyzed to find vulnerabilities in the codebase by comparing it against DevGuard’s vulnerability databases, which are derived from public sources. DevGuard then calculates a risk score from the vulnerabilities found using its prioritization algorithms.
Access to data stored in DevGuard is restricted to users with the appropriate permissions.
What is a Software Bill of Materials (SBOM)?
A Software Bill of Materials (SBOM) is a detailed inventory of all components, dependencies, and libraries within a software application, including their versions, origins, and relationships. Think of it as an ingredient list for software, providing transparency into the third-party and open-source elements used during development. The SBOM does not contain the source code itself, only metadata about the components.
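As an added example of what an SBOM contains and how it is compared against a vulnerability database (the analysis described under "Which Data from Your Codebase is Stored?"), the following Python reads a small CycloneDX document of the kind Trivy emits, lists its components and dependency relationships, and matches each component against a vulnerability table. This is illustrative code, not DevGuard's analysis or scoring: the SBOM, the vulnerability records (with placeholder identifiers, not real advisories) and the `risk_score` weights are all constructed here.

```python
"""Illustrative SBOM analysis: parse CycloneDX JSON, match components against a
vulnerability table, and order findings by a toy risk score. Added example code."""
import json

# Constructed CycloneDX 1.5 SBOM fragment: components carry name, version and a
# package URL (purl); "dependencies" records the relationships between them.
SAMPLE_SBOM = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.5",
    "components": [
        {"type": "library", "name": "lodash", "version": "4.17.15",
         "purl": "pkg:npm/lodash@4.17.15"},
        {"type": "library", "name": "express", "version": "4.18.2",
         "purl": "pkg:npm/express@4.18.2"},
        {"type": "library", "name": "requests", "version": "2.31.0",
         "purl": "pkg:pypi/requests@2.31.0"},
    ],
    "dependencies": [
        {"ref": "pkg:npm/express@4.18.2", "dependsOn": ["pkg:npm/lodash@4.17.15"]},
    ],
})

# Constructed vulnerability records; the identifiers are placeholders, not real advisories.
VULN_DB = [
    {"id": "EXAMPLE-VULN-1", "ecosystem": "npm", "package": "lodash",
     "fixed_in": "4.17.21", "cvss": 7.4, "epss": 0.62},
    {"id": "EXAMPLE-VULN-2", "ecosystem": "pypi", "package": "requests",
     "fixed_in": "2.32.0", "cvss": 5.3, "epss": 0.01},
    {"id": "EXAMPLE-VULN-3", "ecosystem": "npm", "package": "express",
     "fixed_in": "4.17.0", "cvss": 9.8, "epss": 0.90},  # express 4.18.2 is already fixed
]


def parse_version(v: str) -> tuple:
    """Numeric dotted versions only; sufficient for the constructed data above."""
    return tuple(int(p) for p in v.split("."))


def purl_ecosystem(purl: str) -> str:
    """'pkg:npm/lodash@4.17.15' -> 'npm' (the purl type names the ecosystem)."""
    return purl.split(":", 1)[1].split("/", 1)[0]


def load_components(sbom_json: str) -> list:
    """Return (ecosystem, name, version, purl) for every component in the SBOM."""
    bom = json.loads(sbom_json)
    return [(purl_ecosystem(c["purl"]), c["name"], c["version"], c["purl"])
            for c in bom.get("components", [])]


def direct_dependents(sbom_json: str, purl: str) -> list:
    """Components that depend directly on `purl`, from the SBOM's dependency graph."""
    bom = json.loads(sbom_json)
    return [d["ref"] for d in bom.get("dependencies", []) if purl in d.get("dependsOn", [])]


def risk_score(cvss: float, epss: float) -> float:
    """Toy prioritisation: severity scaled by exploit likelihood (illustrative weights)."""
    return round(cvss * (0.2 + 0.8 * epss), 2)


def match_vulnerabilities(sbom_json: str, vuln_db=VULN_DB) -> list:
    """Findings for every component whose version is below a record's fixed version,
    highest risk first."""
    findings = []
    for eco, name, version, purl in load_components(sbom_json):
        for v in vuln_db:
            if (v["ecosystem"] == eco and v["package"] == name
                    and parse_version(version) < parse_version(v["fixed_in"])):
                findings.append({"component": purl, "vuln": v["id"],
                                 "fixed_in": v["fixed_in"],
                                 "risk": risk_score(v["cvss"], v["epss"])})
    return sorted(findings, key=lambda f: f["risk"], reverse=True)


if __name__ == "__main__":
    for f in match_vulnerabilities(SAMPLE_SBOM):
        print(f"{f['risk']:5.2f}  {f['vuln']}  {f['component']}  fix: {f['fixed_in']}"
              f"  used by: {direct_dependents(SAMPLE_SBOM, f['component'])}")
```

Note that the SBOM never carries source code: matching works entirely on ecosystem, package name and version, which is why a purl-identified inventory is enough for the comparison, and why the dependency graph matters for remediation (the lodash finding is reachable only through express, so the fix is an update of the transitive dependency).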