
External Vulnerability Synchronization

Modern software supply chains involve multiple parties conducting vulnerability assessments. External synchronization enables sharing security intelligence across organizational boundaries, reducing duplicate work. DevGuard imports assessments from upstream sources and exports your own through standardized SBOM and VEX documents.

Importing Upstream Information

DevGuard consumes vulnerability data from external sources in CycloneDX format.

Upload Methods

Web UI: Repository settings → “Identify Risk” → “Custom Setup” → Upload VEX/SBOM files

CLI: Automate uploads with DevGuard scanner:

devguard-scanner vex --token xyz --assetName my-org/my-repo vex.json
devguard-scanner sbom --token xyz --assetName my-org/my-repo sbom.json

External URL Sync: Configure periodic fetching from supplier endpoints for continuous integration.

Key Rules

VEX Precedence: VEX assessments override SBOM findings. If a VEX document marks a vulnerability as “not affected”, DevGuard applies that state even though the SBOM scan still lists the vulnerability.

Source Tracking: Each document is tracked by origin. Multiple sources can report the same vulnerability.

Paranoid Mode: Require explicit approval before accepting upstream assessments. Enable in repository settings for strict compliance environments.
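The three rules above, applied to a CycloneDX VEX document and a list of SBOM-derived findings, as an added example (not DevGuard’s own code): the VEX analysis state overrides the scanner finding, every assessment keeps the origin it came from, and paranoid mode records the upstream state without applying it. The VEX document, the finding list and the CVE ids are constructed placeholders.

```python
import json

# Constructed sample: a CycloneDX VEX document as a supplier might publish it.
SUPPLIER_VEX = json.dumps({
    "bomFormat": "CycloneDX", "specVersion": "1.5",
    "vulnerabilities": [
        {"id": "CVE-0000-0001", "affects": [{"ref": "pkg:npm/left-pad@1.3.0"}],
         "analysis": {"state": "not_affected", "justification": "code_not_reachable"}},
        {"id": "CVE-0000-0002", "affects": [{"ref": "pkg:npm/lodash@4.17.20"}],
         "analysis": {"state": "exploitable"}},
    ],
})

# Constructed sample: findings a scanner raised from the SBOM's component list.
SBOM_FINDINGS = [
    ("CVE-0000-0001", "pkg:npm/left-pad@1.3.0"),
    ("CVE-0000-0002", "pkg:npm/lodash@4.17.20"),
    ("CVE-0000-0003", "pkg:npm/minimist@1.2.5"),
]


def parse_vex(doc, source):
    """Map (vulnerability id, component ref) -> assessment, tagged with its origin."""
    out = {}
    for v in json.loads(doc).get("vulnerabilities", []):
        analysis = v.get("analysis", {})
        for affected in v.get("affects", []):
            out[(v["id"], affected["ref"])] = {
                "state": analysis.get("state", "in_triage"),
                "justification": analysis.get("justification"),
                "source": source,
            }
    return out


def merge(findings, vex, paranoid=False):
    """VEX precedence: an upstream assessment replaces the SBOM finding's state.
    In paranoid mode the upstream state is parked as 'pending' until approved."""
    merged = []
    for vuln_id, ref in findings:
        row = {"id": vuln_id, "ref": ref, "state": "open", "source": "sbom-scan"}
        assessment = vex.get((vuln_id, ref))
        if assessment is not None:
            if paranoid:
                row["pending"] = assessment
            else:
                row.update(assessment)
        merged.append(row)
    return merged
```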

🔗 External URL sync enables automated supply chain transparency: suppliers publish endpoints, and DevGuard continuously ingests their latest assessments.

Exporting Your Assessments

Generate standardized VEX and SBOM documents for downstream consumers.

Public Endpoints

Enable “Public access to vulnerability data” in settings to expose:

/api/v1/public/{assetId}/vex.json    # Vulnerability assessments
/api/v1/public/{assetId}/sbom.json   # Component inventory

Contents: Vulnerability states (Fixed, Not Affected, etc.), justifications, component versions, external references.

Use Cases

Supply Chain Automation: Suppliers publish VEX endpoints → You import → Your customers import your VEX → Eliminates redundant analysis.

Regulatory Compliance: Standardized SBOM/VEX documentation for audits and regulations.

Ecosystem Transparency: Machine-readable security communication across organizational boundaries.

📄 Public endpoints enable customers to configure their DevGuard instances to sync from your endpoints automatically.

Best Practices

Verify Sources: Use Paranoid Mode for untrusted suppliers.

Document Origins: Use meaningful identifiers (e.g., “Supplier-CompanyX” not just “Scanner”).

Maintain Stability: Keep public URLs stable—consumers automate around them.

Review Periodically: External assessments may become outdated.