Getting Started with DevGuard 🚀

⚠️

We are currently working on the set-up flows for DevGuard - some steps might currently not work as expected. We would love to hear your feedback on the set-up guides. Please don’t hesitate to Please feel free to reach out to us using our Matrix Chat

If you’re new to DevGuard, this guide will help you get started quickly. We’ll walk you through the installation process, basic usage, and how to integrate DevGuard into your development workflow.

Installation

Check out the local quick-start guide.

To try DevGuard with a local container setup, we provide a docker-compose-try-it.yaml:

curl -LO https://raw.githubusercontent.com/l3montree-dev/devguard/refs/heads/main/docker-compose-try-it.yaml \
&& docker-compose -f docker-compose-try-it.yaml up

Sent your first Scan-Report to DevGuard

To send your first scan-report, e.g. of a SCA of a sample project of your choice to DevGuard, follow the steps below:

Create a new project and asset via the DevGuard UI, note the asset name.
Create a new personal access token via the DevGuard UI.
Run the following command inside your local repo to send a SCA report to DevGuard:

docker run --rm \
  -v $(pwd):/repo \
  ghcr.io/l3montree-dev/devguard-scanner:main-latest \
  devguard-scanner sca --assetName=<your-asset-name> --apiUrl=<your-api-url> \
  --token=<your-personal-access-token> --path=/repo \
  --riskManagement=true

or upload a SARIF report to DevGuard.

Available Scanners

☑️ not yet implemented in the scanner, but you can provide a SARIF-report to DevGuard of any scanner
✅ implemented in the scanner, or you can provide a SARIF-report to DevGuard of any scanner

☑️ Secret Scanning (SARIF)
✅ SCA (Software Composition Analysis) devguard-scanner sca (SBOM)
☑️ Static application security testing (SAST) (SARIF)
☑️ Infrastructure as Code (IaC) Scanning (SARIF)
✅ Container Scanning devguard-scanner container-scanning (SBOM)
☑️ Dynamic application security testing (DAST) (SARIF)

Introduction Local Quickstart