Repository Versions (Branches)
DevGuard tracks vulnerabilities across multiple branches within each repository, mirroring your Git workflow. Like GitLab’s branch management, DevGuard scans and manages security findings independently per branch—enabling separate vulnerability tracking for production, development, and feature branches.
Independent Vulnerability Management
Each branch maintains its own vulnerability findings, risk assessments, and remediation status. A vulnerability fixed in main doesn’t automatically resolve in develop—branches are tracked independently.
Why: Different branches contain different code and dependencies. A feature branch might introduce new dependencies with vulnerabilities not present in main. Production branches might use different versions than development.
Example: main uses express@4.18.2 (patched), while develop uses express@4.17.1 (vulnerable). DevGuard tracks the vulnerability in develop while showing main as fixed.
Track only meaningful branches—typically main, develop, and active release branches. Tracking every feature branch creates noise.
Branch Selection
Default: main branch tracked automatically.
Additional branches: Enable tracking for develop, staging, or release branches in repository settings.
Feature branches: Scan on-demand during CI/CD without permanent tracking.
Vulnerability Handling Per Branch
State Management
VEX states managed per branch:
- Mark “Not Affected” in main after analysis
- Same vulnerability remains “Affected” in develop, where different code paths reach it
- Independent justifications per branch
Risk Scores
Calculated independently per branch based on:
- Component versions (different dependencies = different scores)
- Component depth (dependency tree structure varies)
- Security requirements (CIA settings, i.e. confidentiality, integrity and availability requirements, which can differ between production and development branches)
Remediation Workflow
- Patch in feature branch
- Merge to develop with testing
- Merge to main for production
- DevGuard tracks progression automatically
DevGuard detects when dependency updates flow through branches. Vulnerability status updates automatically as fixes merge.
Use Cases
Production vs Development: High security requirements in main, lower in develop for faster iteration without blocking development.
Release Branches: Track release/v2.0 separately—only critical patches allowed, different from active main development.
Feature Branch Scanning: Scan on pull requests to catch issues before merge without permanent tracking overhead.
Branch Comparison: Identify vulnerabilities fixed in main but still present in develop requiring backport.
Setup
- Repository settings → select branches for tracking
- Configure CIA requirements per branch if needed
- Add DevGuard scanning to CI/CD pipeline per branch
- Establish merge policies (which severities block merges)
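The following script is an added illustration of two of the points above, the Branch Comparison use case and the per-branch merge policy from the Setup list. It is not DevGuard code and does not use DevGuard's data model or API; it models per-branch findings with their VEX states and shows why a “Not Affected” judgement made on main is not carried over to develop, and how the same set of findings can block a merge on one branch and not on another. The VULN-* identifiers, the component names other than express, the severity scale and the policy values are placeholders constructed for the example.

```python
from dataclasses import dataclass

# Severity ordering for the merge gate. This scale is an assumption for the
# example, not DevGuard's own risk score.
SEVERITY_RANK = {"low": 1, "medium": 2, "high": 3, "critical": 4}

# VEX states that still need action on a branch.
OPEN_STATES = {"affected", "under_investigation"}


@dataclass(frozen=True)
class Finding:
    """One vulnerability finding on one branch (example data model, not DevGuard's schema)."""
    vuln_id: str          # placeholder advisory id, not a real CVE
    component: str
    version: str          # component version present on this branch
    severity: str
    vex_state: str        # affected | fixed | not_affected | under_investigation
    justification: str = ""


def open_findings(findings):
    """Map vuln_id -> finding for everything still open on a branch."""
    return {f.vuln_id: f for f in findings if f.vex_state in OPEN_STATES}


def backport_candidates(main_findings, develop_findings):
    """Vulnerabilities resolved on main but still open on develop.

    'Resolved on main' means a 'fixed' VEX state on main. A 'not_affected' on main
    is deliberately not treated as resolved: that judgement was made against main's
    code paths and has to be re-justified on develop.
    """
    fixed_on_main = {f.vuln_id for f in main_findings if f.vex_state == "fixed"}
    return sorted(
        (f for vid, f in open_findings(develop_findings).items() if vid in fixed_on_main),
        key=lambda f: f.vuln_id,
    )


def merge_blockers(findings, blocking_severity):
    """Open findings at or above the branch's blocking severity (the per-branch merge policy)."""
    threshold = SEVERITY_RANK[blocking_severity]
    return [f for f in open_findings(findings).values()
            if SEVERITY_RANK[f.severity] >= threshold]


# Constructed sample data mirroring the page's express example; VULN-* ids are placeholders.
MAIN = [
    Finding("VULN-EXPRESS-1", "express", "4.18.2", "high", "fixed"),
    Finding("VULN-LIB-2", "some-lib", "1.4.0", "medium", "not_affected",
            "vulnerable_code_not_in_execute_path"),
    Finding("VULN-YAML-3", "yaml-parser", "2.0.1", "critical", "affected"),
]
DEVELOP = [
    Finding("VULN-EXPRESS-1", "express", "4.17.1", "high", "affected"),
    Finding("VULN-LIB-2", "some-lib", "1.4.0", "medium", "affected"),  # new code path on develop
    Finding("VULN-YAML-3", "yaml-parser", "2.0.1", "critical", "affected"),
]

# Per-branch merge policy (assumed values): production blocks on high, develop only on critical.
POLICY = {"main": "high", "develop": "critical"}

if __name__ == "__main__":
    for f in backport_candidates(MAIN, DEVELOP):
        print(f"backport to develop: {f.vuln_id} ({f.component}@{f.version}, fixed on main)")
    for branch, findings in (("main", MAIN), ("develop", DEVELOP)):
        blockers = merge_blockers(findings, POLICY[branch])
        print(f"{branch}: {len(blockers)} merge-blocking finding(s): "
              f"{[b.vuln_id for b in blockers]}")
```

Only the express finding is reported as a backport candidate: VULN-LIB-2 is open on develop but was never fixed on main, only judged not affected there, and VULN-YAML-3 is still open on both branches, so it needs a fix rather than a backport. The same VULN-YAML-3 blocks merges on both branches, while the high-severity express finding blocks nothing on develop because that branch's policy only gates on critical.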
Related Documentation
- DevGuard Hierarchy - Organization, groups, repositories
- Vulnerability Lifecycle - Managing vulnerabilities