Scan Dependencies
Run Software Composition Analysis (SCA) to scan your project dependencies for known vulnerabilities and generate a Software Bill of Materials (SBOM).
DevGuard matches discovered components against the OSV.dev vulnerability database, which covers a wide range of ecosystems including npm, PyPI, Go, Maven, Cargo, NuGet, RubyGems, and many more.
To learn more about how SCA fits into a DevSecOps pipeline, see Software Composition Analysis.
Prerequisites
Before you begin, ensure you have:
- Docker or the devguard-scanner binary installed
- A personal access token from DevGuard (create one in user settings)
- A repository created in DevGuard
Installation
No installation needed — run the scanner directly via Docker:
```shell
docker run ghcr.io/l3montree-dev/devguard/scanner:main-latest devguard-scanner --help
```

Scan Project Dependencies
```shell
docker run -v "$(pwd):/dev/app" ghcr.io/l3montree-dev/devguard/scanner:main-latest \
  devguard-scanner sca \
  --path /dev/app/ \
  --assetName="myorg/projects/myproject/assets/myrepo" \
  --apiUrl="https://api.devguard.org" \
  --token="YOUR_TOKEN"
```

Replace myorg/projects/myproject/assets/myrepo with your repository's slug; you can copy it from the URL when viewing the repository in the DevGuard UI. The -v mount exposes the project inside the container at /dev/app, which is why --path points there.
Example Output
```text
+--------------------------------------------+---------------------+------+------+-----------------------------------+------------------------------------+--------+
| LIBRARY                                    | VULNERABILITY       | RISK | CVSS | INSTALLED                         | FIXED                              | STATUS |
+--------------------------------------------+---------------------+------+------+-----------------------------------+------------------------------------+--------+
| pkg:golang/github.com/cloudflare/golz4     | GO-2020-0022        | 0    | N/A  | 0.0.0-20150217214814-ef862a3cdc58 | v0.0.0-20140711154735N/A99f5f787806 | open   |
|                                            | GHSA-4wp2-8rm2-jgmh | 1.50 | 9.8  | 0.0.0-20150217214814-ef862a3cdc58 | v0.0.0-20140711154735N/A99f5f787806 | open   |
+--------------------------------------------+---------------------+------+------+-----------------------------------+------------------------------------+--------+
| pkg:golang/github.com/sigstore/rekor       | GO-2026-4354        | 0    | N/A  | 1.3.10                            | v1.5.0                             | open   |
|                                            | GHSA-273p-m2cw-6833 | 0.49 | 5.3  | 1.3.10                            | v1.5.0                             | open   |
+--------------------------------------------+---------------------+------+------+-----------------------------------+------------------------------------+--------+
| pkg:golang/golang.org/x/crypto             | GO-2025-4134        | 0    | N/A  | 0.44.0                            | v0.45.0                            | open   |
|                                            | GHSA-f6x5-jh6r-wrfv | 2.45 | 5.3  | 0.44.0                            | v0.45.0                            | open   |
+--------------------------------------------+---------------------+------+------+-----------------------------------+------------------------------------+--------+
| pkg:pypi/requests                          | GHSA-9hjg-9r4m-mvj7 | 0.81 | 5.3  | 2.32.3                            | 2.32.4                             | open   |
+--------------------------------------------+---------------------+------+------+-----------------------------------+------------------------------------+--------+
```

The output shows each affected library with its vulnerabilities, the contextual Risk score, the raw CVSS score, the currently installed version, the available fix version, and the current status.
What the Scanner Does
- Generates SBOM: Creates a complete inventory of all software components and dependencies in your project. See Explaining SBOMs for details on the SBOM format.
- Uploads Data: Sends the SBOM to DevGuard, signed via HTTP Message Signing for integrity verification.
- Server-Side Matching: DevGuard matches all components against its vulnerability database using vulnerability matching and returns results.
Verify it worked: Navigate to your repository in DevGuard. You’ll see detected vulnerabilities listed with severity scores, affected components, and fix recommendations. Learn more about vulnerability types and the vulnerability lifecycle.
CI/CD Integration
For automated dependency scanning in CI/CD pipelines, DevGuard provides ready-to-use integrations:
- GitHub Actions: See Scan with GitHub Actions for setup instructions
- GitLab CI: See Scan with GitLab CI for setup instructions
Advanced Options
Fail on Vulnerability Threshold
Configure the scanner to exit with a non-zero code based on the severity of detected vulnerabilities. This is useful for blocking CI/CD pipelines when critical issues are found.
```shell
--failOnRisk=critical
--failOnCVSS=critical
```

| Flag | Description | Options |
|---|---|---|
| --failOnRisk | Fail based on DevGuard's contextual risk score. This factors in EPSS probability, known exploit availability, CISA KEV status, and depth in the dependency tree. | low, medium, high, critical |
| --failOnCVSS | Fail based on the raw CVSS score of the vulnerability. | low, medium, high, critical |
--failOnRisk is recommended over --failOnCVSS because it prioritizes vulnerabilities that are actually exploitable in your context, reducing noise from high-CVSS but low-risk findings. Learn more about how DevGuard calculates risk in Risk Scoring.
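To make the difference between the two gates concrete, here is an added example (not DevGuard's code) that parses the table format shown under Example Output and applies both kinds of threshold to it. The sample table is the page's own example output embedded as a constructed input; the CVSS bands are the standard CVSS v3 qualitative ratings, and the numeric risk threshold in failing_by_risk() is an assumption for illustration, since DevGuard's mapping from its risk score to the named low/medium/high/critical levels is not given on this page.

```python
"""Parse devguard-scanner SCA table output and compare CVSS-based gating
with risk-based gating.

Added example, not DevGuard's code. The sample table is the example output
from the documentation, reproduced as a constructed input. The numeric risk
threshold used by failing_by_risk() is an assumption: DevGuard's own mapping
from risk score to low/medium/high/critical is not documented here."""
from dataclasses import dataclass
from typing import Optional

# Constructed sample input: the example output shown on this page.
SAMPLE_OUTPUT = """\
+---+---+---+---+---+---+---+
| LIBRARY | VULNERABILITY | RISK | CVSS | INSTALLED | FIXED | STATUS |
+---+---+---+---+---+---+---+
| pkg:golang/github.com/cloudflare/golz4 | GO-2020-0022 | 0 | N/A | 0.0.0-20150217214814-ef862a3cdc58 | v0.0.0-20140711154735N/A99f5f787806 | open |
| | GHSA-4wp2-8rm2-jgmh | 1.50 | 9.8 | 0.0.0-20150217214814-ef862a3cdc58 | v0.0.0-20140711154735N/A99f5f787806 | open |
+---+---+---+---+---+---+---+
| pkg:golang/github.com/sigstore/rekor | GO-2026-4354 | 0 | N/A | 1.3.10 | v1.5.0 | open |
| | GHSA-273p-m2cw-6833 | 0.49 | 5.3 | 1.3.10 | v1.5.0 | open |
+---+---+---+---+---+---+---+
| pkg:golang/golang.org/x/crypto | GO-2025-4134 | 0 | N/A | 0.44.0 | v0.45.0 | open |
| | GHSA-f6x5-jh6r-wrfv | 2.45 | 5.3 | 0.44.0 | v0.45.0 | open |
+---+---+---+---+---+---+---+
| pkg:pypi/requests | GHSA-9hjg-9r4m-mvj7 | 0.81 | 5.3 | 2.32.3 | 2.32.4 | open |
+---+---+---+---+---+---+---+
"""

# CVSS v3 qualitative ratings, ordered so index() gives a comparable rank.
SEVERITY_ORDER = ["none", "low", "medium", "high", "critical"]


@dataclass
class Finding:
    library: str
    vuln_id: str
    risk: float            # DevGuard contextual risk score (RISK column)
    cvss: Optional[float]  # None where the table shows N/A
    installed: str
    fixed: str
    status: str


def parse_table(text: str) -> list:
    """Parse the ASCII table. Continuation rows for the same library leave
    the LIBRARY column blank, so the last seen library is carried forward."""
    findings = []
    current_library = ""
    for line in text.splitlines():
        if not line.startswith("|"):
            continue  # +---+ border rows and any surrounding prose
        cells = [c.strip() for c in line.strip().strip("|").split("|")]
        if len(cells) != 7 or cells[0] == "LIBRARY":
            continue  # header row, or not a seven-column data row
        library, vuln_id, risk, cvss, installed, fixed, status = cells
        if library:
            current_library = library
        findings.append(Finding(
            library=current_library,
            vuln_id=vuln_id,
            risk=float(risk),
            cvss=None if cvss == "N/A" else float(cvss),
            installed=installed, fixed=fixed, status=status,
        ))
    return findings


def cvss_severity(score: Optional[float]) -> str:
    """Standard CVSS v3.x qualitative rating for a base score."""
    if score is None or score <= 0.0:
        return "none"
    if score >= 9.0:
        return "critical"
    if score >= 7.0:
        return "high"
    if score >= 4.0:
        return "medium"
    return "low"


def failing_by_cvss(findings, level: str) -> list:
    """Open findings rated at or above `level`: what --failOnCVSS=<level>
    would trip on."""
    threshold = SEVERITY_ORDER.index(level)
    return [f for f in findings
            if f.status == "open"
            and SEVERITY_ORDER.index(cvss_severity(f.cvss)) >= threshold]


def failing_by_risk(findings, min_risk: float) -> list:
    """Open findings with contextual risk >= min_risk. The numeric threshold
    is an assumption standing in for --failOnRisk's named levels."""
    return [f for f in findings if f.status == "open" and f.risk >= min_risk]


def top_by_risk(findings) -> Finding:
    return max(findings, key=lambda f: f.risk)


def top_by_cvss(findings) -> Finding:
    return max(findings, key=lambda f: f.cvss or 0.0)


if __name__ == "__main__":
    fs = parse_table(SAMPLE_OUTPUT)
    print("trips --failOnCVSS=critical:", [f.vuln_id for f in failing_by_cvss(fs, "critical")])
    print("highest CVSS :", top_by_cvss(fs).vuln_id)
    print("highest risk :", top_by_risk(fs).vuln_id)
```

On this sample the two orderings disagree: the highest CVSS finding (9.8, in golz4) is not the highest contextual risk finding (2.45, in golang.org/x/crypto), which is exactly the situation the paragraph above describes. A CVSS-only gate set to medium would also trip on all four scored findings at once, while the risk column separates them.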
Artifact Name
Specify an artifact name to track multiple artifacts per repository:
```shell
--artifactName="pkg:devguard/orgSlug/projectSlug/repoSlug"
```

Scan Origin
Set a custom origin to track where the scan was triggered from:
```shell
--origin="my-custom-origin" # Default is "DEFAULT"
```

Git Reference
Specify Git reference information to associate scans with branches or tags:
```shell
--ref="feature-branch" # Git reference (branch, tag, or commit). Default is "main"
--defaultRef="main"    # Default Git reference to use. Default is "main"
--isTag=true           # Indicates if the reference is a tag. Default is false
```

DevGuard will attempt to auto-detect Git information from the current directory if these flags are not specified.
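The flags above, together with the threshold, artifact and origin flags from the earlier subsections, are what a pipeline typically has to assemble from its environment. The following is an added example (not DevGuard's code) that builds the scanner command line in list form, derives --ref and --isTag from a GitHub Actions style ref (refs/heads/<branch> or refs/tags/<tag>), and masks the token when the command is echoed to the job log. The flag names are the ones documented on this page; the DEVGUARD_* variable names are constructed for the example, and GITHUB_REF / GITHUB_WORKSPACE are the assumed CI source of the ref and checkout path.

```python
"""Assemble the devguard-scanner sca command line from CI environment
variables.

Added example, not DevGuard's code. Flag names are those documented on this
page. Assumptions: GITHUB_REF (refs/heads/<branch> or refs/tags/<tag>) and
GITHUB_WORKSPACE supply the Git reference and checkout path; the DEVGUARD_*
variable names below are constructed for this example."""
import os
import shlex
from typing import Optional

IMAGE = "ghcr.io/l3montree-dev/devguard/scanner:main-latest"
FAIL_LEVELS = ("low", "medium", "high", "critical")


def ref_flags(git_ref: Optional[str], default_ref: str = "main") -> list:
    """Translate a CI ref into --ref/--defaultRef/--isTag flags. Returns []
    when no ref is known so that the scanner falls back to auto-detecting
    Git information from the working directory."""
    if not git_ref:
        return []
    if git_ref.startswith("refs/tags/"):
        name, is_tag = git_ref[len("refs/tags/"):], True
    elif git_ref.startswith("refs/heads/"):
        name, is_tag = git_ref[len("refs/heads/"):], False
    else:
        name, is_tag = git_ref, False  # already a bare branch name or commit
    flags = [f"--ref={name}", f"--defaultRef={default_ref}"]
    if is_tag:
        flags.append("--isTag=true")
    return flags


def build_command(asset_name, api_url, token, workdir, git_ref=None,
                  fail_on_risk=None, artifact_name=None, origin=None) -> list:
    """Return the docker argv for one SCA run. List form avoids shell
    quoting problems when the values contain spaces or metacharacters."""
    if fail_on_risk is not None and fail_on_risk not in FAIL_LEVELS:
        raise ValueError(f"--failOnRisk must be one of {FAIL_LEVELS}")
    argv = ["docker", "run", "--rm", "-v", f"{workdir}:/dev/app", IMAGE,
            "devguard-scanner", "sca", "--path", "/dev/app/",
            f"--assetName={asset_name}", f"--apiUrl={api_url}",
            f"--token={token}"]
    argv += ref_flags(git_ref)
    if fail_on_risk:
        argv.append(f"--failOnRisk={fail_on_risk}")
    if artifact_name:
        argv.append(f"--artifactName={artifact_name}")
    if origin:
        argv.append(f"--origin={origin}")
    return argv


def render_for_log(argv) -> str:
    """Shell-quoted rendering with the token masked, safe to echo into a
    pipeline log (the real argv is passed to docker unchanged)."""
    masked = ["--token=***" if a.startswith("--token=") else a for a in argv]
    return " ".join(shlex.quote(a) for a in masked)


def command_from_env(env=None) -> list:
    """Read the constructed DEVGUARD_* variables plus the CI-provided
    GITHUB_REF and GITHUB_WORKSPACE."""
    env = os.environ if env is None else env
    return build_command(
        asset_name=env["DEVGUARD_ASSET"],
        api_url=env.get("DEVGUARD_API_URL", "https://api.devguard.org"),
        token=env["DEVGUARD_TOKEN"],
        workdir=env.get("GITHUB_WORKSPACE", os.getcwd()),
        git_ref=env.get("GITHUB_REF"),
        fail_on_risk=env.get("DEVGUARD_FAIL_ON_RISK"),
        artifact_name=env.get("DEVGUARD_ARTIFACT_NAME"),
        origin=env.get("DEVGUARD_ORIGIN"),
    )


if __name__ == "__main__":
    import subprocess
    cmd = command_from_env()
    print("running:", render_for_log(cmd))
    # The scanner's exit code is the pipeline's verdict when --failOnRisk is set.
    raise SystemExit(subprocess.run(cmd).returncode)
```

Passing the token as a flag means it is visible in the container's process list and in any log that echoes the full command, which is why render_for_log() exists; in a real pipeline the token should come from the CI secret store rather than a checked-in variable.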
Next Steps
- Scan Docker Images — scan container images for vulnerabilities
- Scan Source Code — run SAST analysis on your codebase
- Triaging Vulnerabilities — learn how to triage and manage discovered findings
- Upload an Existing SBOM — import SBOMs generated by other tools