Repository Versions (Branches & Tags)

DevGuard tracks vulnerabilities across multiple branches or tags within each repository, mirroring your Git workflow. Like Git's branch and tag management, DevGuard scans and manages security findings independently per branch or tag, enabling separate vulnerability tracking for production, development, and feature branches.

graph TD
    A[Repository] --> B[main]
    A --> C[develop]
    A --> D[feature branch]
    
    B --> E[CVE-2024-001<br/>CVE-2024-002]
    C --> F[CVE-2024-001<br/>CVE-2024-003]
    D --> G[CVE-2024-004]
    
    style A fill:#e3f2fd,stroke:#1976d2,stroke-width:3px,color:#000
    style B fill:#e8f5e9,stroke:#388e3c,stroke-width:2px,color:#000
    style C fill:#fff3e0,stroke:#f57c00,stroke-width:2px,color:#000
    style D fill:#f3e5f5,stroke:#7b1fa2,stroke-width:2px,color:#000

Independent Vulnerability Management

Each branch or tag maintains its own vulnerability findings, risk assessments, and remediation status. A vulnerability fixed in main doesn't automatically resolve in develop; branches are tracked independently.

Why: Different branches contain different code and dependencies. A feature branch might introduce new dependencies with vulnerabilities not present in main. Production branches might use different versions than development.

Example: main uses express@4.18.2 (patched), while develop uses express@4.17.1 (vulnerable). DevGuard tracks the vulnerability in develop while showing main as fixed.

Vulnerability Handling Per Branch

State Management

VEX states managed per branch:

  • Mark "Not Affected" in main after analysis
  • Same vulnerability remains "Affected" in develop with different code paths
  • Independent justifications per branch
  • You can use query parameters to filter the VEX live data endpoints per branch, e.g. ?ref=develop to see only the develop branch's VEX data.

Remediation Workflow

  1. Patch in feature branch
  2. Merge to develop with testing
  3. Merge to main for production
  4. DevGuard tracks progression automatically as your new scan results flow through branches. Vulnerability status updates as fixes merge.

Use Cases

Production vs Development: High security requirements in main, lower in develop for faster iteration without blocking development.

Release Branches: Track release/v2.0 separately; only critical patches are allowed there, unlike active main development.

Feature Branch Scanning: Scan on pull requests to catch issues before merge without permanent tracking overhead.

Branch Comparison: Identify vulnerabilities fixed in main but still present in develop that require a backport.
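The branch comparison above can be automated from the per-branch VEX data (the ?ref=main and ?ref=develop endpoints mentioned under State Management). The following is an added example, not DevGuard's own code; it assumes each branch's VEX export is OpenVEX-style JSON with a "statements" list, and the two documents it works on are constructed samples.

```python
"""Compare per-branch VEX data to find findings that need a backport.
Added example, not DevGuard's own code. Assumes each branch's VEX export is
OpenVEX-style JSON: "statements" entries with "vulnerability": {"name": ...}
and a "status" of affected, not_affected, fixed or under_investigation.
"""
import json

# Constructed sample: the kind of data ?ref=main might return.
MAIN_VEX = json.dumps({
    "statements": [
        {"vulnerability": {"name": "CVE-2024-001"}, "status": "fixed"},
        {"vulnerability": {"name": "CVE-2024-002"}, "status": "not_affected",
         "justification": "vulnerable_code_not_in_execute_path"},
    ]
})

# Constructed sample: the kind of data ?ref=develop might return.
DEVELOP_VEX = json.dumps({
    "statements": [
        {"vulnerability": {"name": "CVE-2024-001"}, "status": "affected"},
        {"vulnerability": {"name": "CVE-2024-002"}, "status": "affected"},
        {"vulnerability": {"name": "CVE-2024-003"}, "status": "under_investigation"},
    ]
})


def vex_status_map(vex_json: str) -> dict:
    """Map vulnerability name -> VEX status for one branch's document."""
    doc = json.loads(vex_json)
    return {s["vulnerability"]["name"]: s["status"] for s in doc.get("statements", [])}


def backport_candidates(main_vex: str, develop_vex: str) -> dict:
    """Findings still open in develop that main has already resolved.

    'fixed' in main means the patch should be backported; 'not_affected' in
    main is a per-branch analysis whose justification may not hold for
    develop's code paths, so it is flagged for re-review rather than closed.
    """
    main = vex_status_map(main_vex)
    result = {}
    for cve, dev_status in vex_status_map(develop_vex).items():
        if dev_status not in ("affected", "under_investigation"):
            continue
        if main.get(cve) == "fixed":
            result[cve] = "backport fix from main"
        elif main.get(cve) == "not_affected":
            result[cve] = "re-check main's not_affected justification for develop"
    return result
```

CVE-2024-003 is deliberately left out of the result: it is open in develop but unknown to main, so there is nothing to backport and it stays a develop-only finding.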