Open Standards First
DevGuard exclusively uses open, vendor-neutral standards for data exchange and analysis. No proprietary protocols, no vendor lock-in—only industry-standard formats ensuring maximum compatibility across your security toolchain.
Why Open Standards
- Vendor Independence: Switch tools without data migration. Your vulnerability data remains accessible regardless of scanners or platforms.
- Ecosystem Compatibility: Integrate any tool supporting standard formats, with no custom adapters required.
- Future-Proof: Standards evolve through community consensus, not vendor roadmaps.
- Transparency: Publicly documented and auditable specifications.
DevGuard’s commitment to open standards means you’re never locked in—export data, switch platforms, or integrate new tools without proprietary barriers.
The Three Core Standards
SBOM (Software Bill of Materials)
Comprehensive inventory of software components, dependencies, and versions.
Formats: CycloneDX (JSON/XML); SPDX (JSON/YAML) coming soon
Use Cases: Supply chain transparency, vulnerability tracking, license compliance, dependency analysis.
DevGuard: Generate automatically, import from external tools, export for downstream consumers.
VEX (Vulnerability Exploitability eXchange)
Machine-readable assessments communicating which vulnerabilities affect your products and which don’t, with justifications.
Formats: CycloneDX VEX (JSON/XML), CSAF VEX (JSON)
Use Cases: Reduce false positives, communicate actual exploitability, eliminate redundant analysis.
DevGuard: Document Not Affected assessments, publish VEX endpoints, consume supplier VEX.
SARIF (Static Analysis Results Interchange Format)
Standardized format for static analysis findings including SAST, secret scanning, and code quality issues.
Format: JSON
Use Cases: Integrate diverse analysis tools into a unified workflow without tool-specific parsers.
DevGuard: Ingest from any SARIF-compliant tool, combine with SBOM data for a unified risk view.
All three standards are supported by major vendors, mandated by regulations (CRA, NTIA), and endorsed by standards bodies (OWASP, CISA).
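As an added example (not DevGuard's own code), the following Python script shows how the three standards fit together in one pipeline: it parses a constructed CycloneDX SBOM, a constructed CycloneDX VEX document and a constructed SARIF 2.1.0 report, and produces a single finding list in which VEX "not_affected" statements suppress findings while keeping their justification, VEX statements about components absent from the SBOM are flagged rather than silently accepted, and SARIF results sit beside the dependency findings. All package URLs, CVE identifiers and rule IDs are placeholders, and the SARIF level-to-severity mapping is a local assumption rather than part of either standard.

```python
"""Combine a CycloneDX SBOM, a CycloneDX VEX document and a SARIF report into
one list of findings. The embedded documents are constructed samples; the
vulnerability IDs, package URLs and rule IDs are placeholders, not real ones.
"""
import json

# Constructed CycloneDX 1.5 SBOM: two components, identified by their purl.
SBOM_JSON = json.dumps({
    "bomFormat": "CycloneDX", "specVersion": "1.5", "version": 1,
    "components": [
        {"type": "library", "bom-ref": "pkg:npm/example-lib@1.2.3", "name": "example-lib",
         "version": "1.2.3", "purl": "pkg:npm/example-lib@1.2.3"},
        {"type": "library", "bom-ref": "pkg:npm/other-lib@2.0.0", "name": "other-lib",
         "version": "2.0.0", "purl": "pkg:npm/other-lib@2.0.0"},
    ],
})

# Constructed CycloneDX VEX: one statement is "not_affected" with a justification,
# one is still exploitable, one refers to a component the SBOM does not contain.
VEX_JSON = json.dumps({
    "bomFormat": "CycloneDX", "specVersion": "1.5", "version": 1,
    "vulnerabilities": [
        {"id": "CVE-0000-0001", "ratings": [{"severity": "high"}],
         "analysis": {"state": "not_affected", "justification": "code_not_reachable",
                      "detail": "vulnerable function is never called"},
         "affects": [{"ref": "pkg:npm/example-lib@1.2.3"}]},
        {"id": "CVE-0000-0002", "ratings": [{"severity": "critical"}],
         "analysis": {"state": "affected", "response": ["update"]},
         "affects": [{"ref": "pkg:npm/other-lib@2.0.0"}]},
        {"id": "CVE-0000-0003", "ratings": [{"severity": "medium"}],
         "analysis": {"state": "affected"},
         "affects": [{"ref": "pkg:npm/not-shipped@9.9.9"}]},
    ],
})

# Constructed SARIF 2.1.0 report from a hypothetical SAST tool.
SARIF_JSON = json.dumps({
    "version": "2.1.0",
    "runs": [{
        "tool": {"driver": {"name": "example-sast",
                            "rules": [{"id": "EX001", "shortDescription": {"text": "Hard-coded credential"}}]}},
        "results": [{
            "ruleId": "EX001", "level": "error",
            "message": {"text": "Hard-coded credential in configuration loader"},
            "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/config.py"},
                                                "region": {"startLine": 17}}}],
        }],
    }],
})


def sbom_components(sbom):
    """Index a CycloneDX SBOM's components by bom-ref (falling back to purl)."""
    return {c.get("bom-ref") or c.get("purl"): c for c in sbom.get("components", [])}


def vex_findings(vex, components):
    """Translate CycloneDX VEX statements into findings.

    not_affected statements become 'suppressed' but keep their justification so
    the decision stays auditable; statements whose ref is not in the SBOM become
    'unreferenced' (e.g. a supplier VEX about something we do not ship).
    """
    findings = []
    for vuln in vex.get("vulnerabilities", []):
        analysis = vuln.get("analysis", {})
        state = analysis.get("state", "in_triage")
        ratings = vuln.get("ratings") or [{}]
        for target in vuln.get("affects", []):
            ref = target.get("ref")
            if ref not in components:
                status = "unreferenced"
            elif state == "not_affected":
                status = "suppressed"
            else:
                status = "open"
            findings.append({"source": "vex", "id": vuln.get("id"), "component": ref,
                             "severity": ratings[0].get("severity", "unknown"),
                             "status": status, "justification": analysis.get("justification")})
    return findings


# Local convention (assumption, not defined by SARIF): map result levels onto
# the severity vocabulary used by the VEX ratings above.
SARIF_LEVEL_SEVERITY = {"error": "high", "warning": "medium", "note": "low"}


def sarif_findings(sarif):
    """Flatten SARIF runs/results into findings with tool, file and line."""
    findings = []
    for run in sarif.get("runs", []):
        tool = run.get("tool", {}).get("driver", {}).get("name", "unknown")
        for result in run.get("results", []):
            loc = (result.get("locations") or [{}])[0].get("physicalLocation", {})
            findings.append({"source": "sarif", "tool": tool, "id": result.get("ruleId"),
                             "file": loc.get("artifactLocation", {}).get("uri"),
                             "line": loc.get("region", {}).get("startLine"),
                             # SARIF's default level when the field is absent is "warning".
                             "severity": SARIF_LEVEL_SEVERITY.get(result.get("level", "warning"), "unknown"),
                             "status": "open"})
    return findings


def unified_view(sbom_text, vex_text, sarif_text):
    """Parse the three standard documents and return every finding with its status."""
    components = sbom_components(json.loads(sbom_text))
    return vex_findings(json.loads(vex_text), components) + sarif_findings(json.loads(sarif_text))


def open_findings(findings):
    """Only the findings that still require action."""
    return [f for f in findings if f["status"] == "open"]


if __name__ == "__main__":
    for finding in unified_view(SBOM_JSON, VEX_JSON, SARIF_JSON):
        print(finding)
```

Because every input is a documented standard, swapping the SBOM generator, VEX supplier or SAST tool changes nothing in this script; the "unreferenced" status is worth surfacing in practice, since a VEX statement that matches no shipped component usually means a stale SBOM or a mismatched bom-ref rather than a safe-to-ignore advisory.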
No Proprietary Protocols
- No Vendor Lock-In: Export data in standard formats anytime. Switch platforms without migration projects.
- No Format Conversion: Tools output standards, DevGuard consumes standards. No custom converters.
- No Closed Specifications: Every format is publicly documented with an open specification.
Practical Benefits
- Tool Flexibility: Use any scanner (Trivy, Grype, Semgrep, CodeQL); all output standards. Switch tools without DevGuard changes.
- Supply Chain Integration: Share data across organizations using formats everyone understands. Import supplier assessments, export yours.
- Regulatory Compliance: CRA requires SBOMs, NTIA specifies formats, executive orders reference standards. Using standards positions you for current and future requirements.
Related Documentation
- SBOM Standards - CycloneDX and SPDX details
- CSAF & VEX Standards - Vulnerability communication
- External Vulnerability Sync - Importing/exporting data