
Overview

Which Data from Your Codebase is Stored in DevGuard?

When DevGuard is integrated with a repository, it performs software composition analysis (SCA) and container scanning on the codebase. It uses Trivy to scan the application’s dependencies and container images in the repository. A Software Bill of Materials (SBOM) is then generated.

The Trivy scan is executed via CLI commands, typically in the CI/CD pipeline of the platform where the repository is hosted, such as GitHub, GitLab, or a private GitLab instance.

The results of the scan, including the SBOM, are sent to the DevGuard API using a personal access token that the user generates in DevGuard. This token is stored in the repository’s secrets, so only a repository holding the correct token can transmit data to DevGuard. For more information about what DevGuard analyzes in the SBOM and how, refer to SBOM Analysis.

The transfer of data from the repository to DevGuard takes place over HTTPS, so the communication is encrypted in transit.

The transmitted SBOM is analyzed to find vulnerabilities in the codebase by comparing it against DevGuard’s vulnerability databases, which are derived from public sources. DevGuard then calculates a risk score based on the vulnerabilities found and its optimized algorithms.

Access to data stored in DevGuard is restricted to users with the appropriate permissions.

SBOM

A Software Bill of Materials (SBOM) is a detailed inventory of all components, dependencies, and libraries within a software application, including their versions, origins, and relationships. Think of it as an ingredient list for software, providing transparency into the third-party and open-source elements used during development. The SBOM doesn’t contain the source code itself but rather metadata about the components.
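The following added example (not DevGuard's own code) illustrates both the data flow described in the Overview and the SBOM contents described here: it reads a constructed CycloneDX document of the kind Trivy emits, extracts the component inventory (names, versions, package URLs and dependency relationships, no source code), and builds the upload request a CI job would send, taking the token from a CI secret and refusing to send over anything but HTTPS. The API URL, the `DEVGUARD_TOKEN` variable name and the bearer-token header are assumptions, not DevGuard's documented interface.

```python
import json
import os
from urllib.parse import urlparse
from urllib.request import Request

# Constructed minimal CycloneDX SBOM, in the shape `trivy fs --format cyclonedx` produces.
# It carries only component metadata; the source code itself is never included.
SAMPLE_SBOM = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.5",
    "components": [
        {"name": "lodash", "version": "4.17.20",
         "purl": "pkg:npm/lodash@4.17.20", "bom-ref": "pkg:npm/lodash@4.17.20"},
        {"name": "express", "version": "4.18.2",
         "purl": "pkg:npm/express@4.18.2", "bom-ref": "pkg:npm/express@4.18.2"},
    ],
    "dependencies": [
        {"ref": "pkg:npm/express@4.18.2", "dependsOn": ["pkg:npm/lodash@4.17.20"]},
    ],
})


def sbom_inventory(sbom_json):
    """Return what the SBOM actually discloses: name, version, origin (purl) and relationships."""
    doc = json.loads(sbom_json)
    if doc.get("bomFormat") != "CycloneDX":
        raise ValueError("not a CycloneDX document")
    depends_on = {d["ref"]: d.get("dependsOn", []) for d in doc.get("dependencies", [])}
    return [
        {
            "name": c["name"],
            "version": c.get("version", ""),
            "purl": c.get("purl", ""),
            "dependsOn": depends_on.get(c.get("bom-ref"), []),
        }
        for c in doc.get("components", [])
    ]


def build_upload_request(api_url, sbom_json, env=os.environ):
    """Build the POST a CI job would send. The token is read from a CI secret (assumed
    variable name DEVGUARD_TOKEN), never from the repository contents, and the transport
    must be HTTPS so the SBOM and token are encrypted in transit."""
    if urlparse(api_url).scheme != "https":
        raise ValueError("refusing to send the SBOM over a non-HTTPS URL")
    token = env.get("DEVGUARD_TOKEN")
    if not token:
        raise ValueError("DEVGUARD_TOKEN secret is not set in this pipeline")
    # Bearer header is an assumption about the API; adjust to DevGuard's documented scheme.
    return Request(api_url, data=sbom_json.encode(), method="POST",
                   headers={"Authorization": f"Bearer {token}",
                            "Content-Type": "application/json"})
```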