Dependency Risk vs First-Party Risk
DevGuard distinguishes between Dependency Risk, which comes from third-party components, and First-Party Risk, which comes from your own code. The two require different detection methods but share unified remediation workflows built on SBOM, SARIF, and VEX.
```mermaid
graph TD
A[Your Application] --> B[Dependency Risk<br/>Third-party Code]
A --> C[First-Party Risk<br/>Your Code]
B --> D[SCA Tools<br/>SBOM/SARIF/VEX]
C --> E[SAST/Secrets/IaC<br/>SBOM/SARIF/VEX]
D --> F[Unified Management]
E --> F
style A fill:#e3f2fd,stroke:#1976d2,stroke-width:3px,color:#000
style B fill:#fff3e0,stroke:#f57c00,stroke-width:2px,color:#000
style C fill:#f3e5f5,stroke:#7b1fa2,stroke-width:2px,color:#000
style F fill:#e8f5e9,stroke:#388e3c,stroke-width:3px,color:#000
```
Dependency Risk
What: Security vulnerabilities in third-party libraries, packages, and dependencies. CVEs in code you didn't write.
Examples: Known CVE in express@4.17.1, SQL injection in database driver, outdated system packages.
Detection: Software Composition Analysis (SCA) tools scan dependencies, generate SBOMs, match against vulnerability databases.
Remediation: Update to patched versions, remove dependencies, or mark "Not Affected" with justification.
First-Party Risk
What: Security issues in your own code, configuration, and infrastructure. Vulnerabilities you introduced.
Examples: Hardcoded secrets, SQL injection in your logic, insecure S3 permissions in Terraform, missing authentication.
Detection: SAST (Static Application Security Testing), secret scanning, and IaC scanning analyze your code; results are ingested as SARIF or as SBOM/VEX.
Remediation: Fix your code, rotate secrets, update configurations, implement security controls.
Key Differences
| Aspect | Dependency Risk | First-Party Risk |
|---|---|---|
| Source | Third-party code | Your code |
| Detection | SCA (Trivy, Grype) | SAST, Secret/IaC scanners |
| Format | SBOM, VEX | SARIF, SBOM, VEX |
| Remediation | Update dependencies | Fix your code |
Unified Management
DevGuard handles both through common workflows:
- Ingestion: SBOM for dependencies, SARIF for code issues, VEX for both
- Assessment: Single risk scoring regardless of source
- Triage: Same states (Affected, Not Affected, Fixed, Under Investigation)
- Tracking: Unified issue tracker integration and audit trails
- View: Combined dashboard showing all risks prioritized by actual severity

Example: a repository shows a CVE in express, a hardcoded secret, and a SQL injection in your own code, all in one list sorted by risk rather than by source.
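To make "sorted by risk, not source" concrete, here is an added Python example (not DevGuard's own code) that merges a constructed CycloneDX-style SBOM carrying VEX analysis with a constructed SARIF log, applies the VEX Not Affected state to the dependency side, and returns a single list ordered by score. The `security-severity` property on SARIF results, the sample identifiers and the file paths are assumptions made for the example.

```python
# Constructed sample inputs (not real scanner output): a CycloneDX-style SBOM
# whose vulnerabilities carry VEX analysis, and a SARIF log from a SAST tool.
SBOM_VEX = {"vulnerabilities": [
    {"id": "CVE-EXAMPLE-0001", "affects": [{"ref": "pkg:npm/express@4.17.1"}],
     "ratings": [{"score": 7.5}], "analysis": {"state": "exploitable"}},
    {"id": "CVE-EXAMPLE-0002", "affects": [{"ref": "pkg:npm/express@4.17.1"}],
     "ratings": [{"score": 9.8}],
     "analysis": {"state": "not_affected", "justification": "code_not_reachable"}},
]}
SARIF = {"runs": [{"tool": {"driver": {"name": "example-sast"}}, "results": [
    {"ruleId": "hardcoded-secret", "level": "error",
     "properties": {"security-severity": "8.0"},
     "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/config.js"}}}]},
    {"ruleId": "sql-injection", "level": "warning",
     "properties": {"security-severity": "6.1"},
     "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/db.js"}}}]},
]}]}

def dependency_findings(sbom):
    """Dependency risk: one finding per SBOM vulnerability; the VEX state sets triage."""
    found = []
    for v in sbom.get("vulnerabilities", []):
        state = v.get("analysis", {}).get("state", "in_triage")
        found.append({"source": "dependency", "id": v["id"],
                      "where": v["affects"][0]["ref"],
                      "score": float(v["ratings"][0]["score"]),
                      "state": "Not Affected" if state == "not_affected" else "Affected"})
    return found

def first_party_findings(sarif):
    """First-party risk: one finding per SARIF result (score property is assumed)."""
    found = []
    for run in sarif["runs"]:
        for r in run["results"]:
            uri = r["locations"][0]["physicalLocation"]["artifactLocation"]["uri"]
            score = float(r.get("properties", {}).get("security-severity", 0))
            found.append({"source": "first-party", "id": r["ruleId"],
                          "where": uri, "score": score, "state": "Affected"})
    return found

def unified_list(sbom, sarif):
    """Merge both sources, drop Not Affected, and order by score rather than by source."""
    findings = dependency_findings(sbom) + first_party_findings(sarif)
    open_findings = [f for f in findings if f["state"] == "Affected"]
    return sorted(open_findings, key=lambda f: f["score"], reverse=True)

if __name__ == "__main__":
    for f in unified_list(SBOM_VEX, SARIF):
        print(f"{f['score']:>4}  {f['source']:<11} {f['id']:<18} {f['where']}")
```

Note that the 9.8-rated CVE drops out of the open list only because the VEX analysis justifies it; without that justification it would head the list.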
Related Documentation
- Vulnerability Lifecycle - Managing all vulnerability types
- Vulnerability Risk Assessment - Risk calculation