Research & Development

Publications & Whitepapers

Our latest research and development work on software supply chain security, vulnerability management, and cloud-native security. Browse whitepapers and academic publications produced alongside the DevGuard project.

Apr 2026 · EN

Bit-for-Bit: How we built a sovereign, reproducible container supply chain for DevGuard

This paper presents how the DevGuard project rebuilt its OCI container supply chain around reproducible Nix builds and independent dual-platform digest verification to reduce trust assumptions in modern software delivery. By combining hermetic builds, Sigstore attestations, and digest comparison across GitHub Actions and sovereign GitLab infrastructure on container.gov.de, the approach provides a practically verifiable integrity guarantee against build tampering beyond provenance alone.

Tim Bastin

PDF download

Apr 2026 · EN

Developing a Trust-Based Knowledge-Based Collaborative Filtering Hybrid Recommender System to share vulnerability management decisions in DevGuard

Project report exploring a hybrid recommender system that fuses trust-based and knowledge-based collaborative filtering to share VEX assessments and vulnerability-management decisions across DevGuard users.

Dennis Tuan Anh Quach

PDF download

Nov 2025 · DE

Cyber Resilience Act in der Softwareentwicklung: Herausforderungen und Lösungsansätze für deutsche Unternehmen

Untersuchung der zentralen Herausforderungen und konkreter Lösungsansätze, die der Cyber Resilience Act für die Softwareentwicklung in deutschen Unternehmen mit sich bringt.

Frederic Noppe

PDF download

Jan 2026 · DE

VeXing NPM: Callgraph-Analyse für die Reduzierung von False-Positives bei der Schwachstellenidentifikation in JavaScript

Callgraph-Analyse für die Reduzierung von False-Positives bei der Schwachstellenidentifikation in JavaScript-Paketen — angewandt auf das npm-Ökosystem im Kontext von DevGuard.

Tim Bastin

PDF download

Februar 2025 · DE

Open Source SCA-Scanner

Untersuchung der Erkennungsraten und Einflussfaktoren verschiedener Open Source Software Composition Analysis (SCA) Scanner.

Refaei Shikho

PDF download

Research focus

What we research

We work with academic partners to make DevGuard better — through usability studies, test events, ecosystem analysis, and adversarial research on the modern software supply chain.

Usability studies

Empirical studies on how developers interact with security tooling — what works, what gets in the way, and where DevGuard can do better.

Usability test events

Hands-on test events with developers and security practitioners to surface friction in real workflows and validate design decisions.

Scanners & ecosystems

Comparative research on open-source SCA, SAST, and container scanners across npm, Go, Python, and the broader package ecosystem.

Supply chain attacks

Analysis of real-world supply-chain attacks, malicious packages, and threat models — feeding directly into DevGuard detections.

In cooperation with

Researching software supply chain security?

We collaborate with students and researchers on theses, papers, and applied projects around DevGuard.