Introduction

DevGuard

Mission

DevGuard is built by developers, for developers, aiming to integrate security seamlessly into the software development lifecycle, ensuring that security practices are accessible and efficient for everyone, regardless of their security expertise.

The problem we solve

Identifying and managing software vulnerabilities is an increasingly critical challenge. Developers often face security issues without the proper training or tools that fit into their everyday workflows. DevGuard is a developer-centered software designed to provide simple, modern solutions for vulnerability detection, management and technical compliance with common security frameworks.

In 2023, cyberattacks caused approximately 206 billion euros in damage in Germany alone. Many of these attacks exploited software vulnerabilities. With agile and DevOps methodologies becoming standard, the need to integrate security into the development process has never been greater. We aim to fill this gap with DevGuard, offering seamless integration of vulnerability management into development workflows.

Is DevGuard for you?


If you’re a developer, DevOps engineer, or security-conscious team looking to make software security practical, easy, and integrated — DevGuard is built for you.

Here’s how DevGuard makes that possible:

  • Risk Management for Developers: DevGuard provides a comprehensive risk management system that allows developers to assess, prioritize, and manage vulnerabilities effectively. It integrates with your existing workflows, making it easy to track and resolve security issues.

  • Auto Setup for Projects: One-click default setup for CI pipelines and workflows that:

    • Scan your code for secrets
    • Scan your dependencies (SCA)
    • Build and scan your container images
    • Perform static code analysis (SAST)
    • Check infrastructure-as-code files for misconfigurations (IaC scanning)
    • Check for open source license issues

  • Developer-Centric Integration: DevGuard fits naturally into your existing CI/CD workflows, reducing friction and enhancing productivity. It supports the OWASP DevSecOps pipeline with simplified CLI wrappers around widely-used open source tools.

  • Integration with Issue Trackers: Automatically create issues in your preferred issue tracker (like GitHub, GitLab, or Jira) for identified vulnerabilities, making it easy to track and manage security tasks (with slash commands).

  • Bring Your Own Scanner: Already have SBOMs or use SARIF-format tools? No problem—DevGuard can ingest your data for unified risk visibility.

  • Automated Security Monitoring: Continuously monitor your projects using SBOMs to ensure you’re aware of known vulnerabilities.

  • Risk Assessment That Works: DevGuard pragmatically assesses and prioritizes vulnerabilities using CVSS, ExploitDB, EPSS, and other sources—automating what can be automated so you can focus on fixing the highest risks first.

  • Compliance-Ready: Helps you meet the secure software development requirements of standards like ISO/IEC 27001 and PCI-DSS with minimal effort.

Demo

We are using DevGuard to scan and manage the risks of DevGuard itself—essentially eating our own dogfood. The project can be found here: Public DevGuard Project

We believe VEX information should be shared via a link due to its dynamic nature, as what is risk-free today may be affected by a CVE tomorrow. We’ve integrated the DevGuard risk scoring into the metrics, with detailed documentation on its calculation to follow soon. SBOM and VEX data are always up to date at these links:

Project                  SBOM    VeX
Devguard Golang API      SBOM    VeX
Devguard Web-Frontend    SBOM    VeX

License

DevGuard’s source code is distributed under the AGPL-3.0-or-later license. See our LICENSE.txt for more information.

Sponsors & Partners

We are proud to be supported and working together with the following organizations:

OWASP
Ikor One
Hochschule Bonn-Rhein-Sieg
Bonn Consulting Group
WhereGroup
DIGITALHUB.DE
Wetteronline
Universität Gießen
SaltRock GmbH