Dependency Risk vs First-Party Risk

DevGuard distinguishes between Dependency Risk, which comes from third-party components, and First-Party Risk, which comes from your own code. The two require different detection methods but share unified remediation workflows built on SBOM, SARIF, and VEX.

Dependency Risk

What: Security vulnerabilities in third-party libraries, packages, and dependencies. CVEs in code you didn't write.

Examples: Known CVE in express@4.17.1, SQL injection in database driver, outdated system packages.

Detection: Software Composition Analysis (SCA) tools scan dependencies, generate SBOMs, match against vulnerability databases.

Remediation: Update to patched versions, remove dependencies, or mark "Not Affected" with justification.

First-Party Risk

What: Security issues in your own code, configuration, and infrastructure. Vulnerabilities you introduced.

Examples: Hardcoded secrets, SQL injection in your logic, insecure S3 permissions in Terraform, missing authentication.

Detection: SAST (Static Application Security Testing), secret scanning, and IaC scanning analyze your own code; results are reported as SARIF or as SBOM/VEX.

Remediation: Fix your code, rotate secrets, update configurations, implement security controls.

Key Differences

Aspect      | Dependency Risk     | First-Party Risk
Source      | Third-party code    | Your code
Detection   | SCA (Trivy, Grype)  | SAST, Secret/IaC scanners
Format      | SBOM, VEX           | SARIF, SBOM, VEX
Remediation | Update dependencies | Fix your code

Unified Management

DevGuard handles both through common workflows:

Ingestion: SBOM for dependencies, SARIF for code issues, VEX for both
Assessment: Single risk scoring regardless of source
Triage: Same states (Affected, Not Affected, Fixed, Under Investigation)
Tracking: Unified issue tracker integration and audit trails
View: Combined dashboard showing all risks prioritized by actual severity

Example: Repository shows CVE in express, hardcoded secret, SQL injection in your code—all in one prioritized list sorted by risk, not source.
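To make the unified workflow concrete, here is an added example (not DevGuard's own code) that ingests a dependency finding from an SBOM, code findings from SARIF, and triage decisions from VEX, then produces one list sorted by severity rather than by source. All three inputs are constructed, trimmed to the fields the example reads, and shaped after CycloneDX (SBOM with embedded vulnerabilities), SARIF 2.1.0, and OpenVEX; the CVE identifiers are placeholders, and the severity mapping for SARIF levels is an assumption for illustration.

```python
"""Normalize SCA (SBOM), SAST (SARIF) and VEX inputs into one prioritized risk list."""
from dataclasses import dataclass

# Constructed SBOM fragment with embedded vulnerability data (CycloneDX-style).
# CVE identifiers are placeholders, not real advisories.
SBOM = {
    "components": [
        {"bom-ref": "pkg:npm/express@4.17.1", "name": "express", "version": "4.17.1"},
        {"bom-ref": "pkg:npm/lodash@4.17.20", "name": "lodash", "version": "4.17.20"},
    ],
    "vulnerabilities": [
        {"id": "CVE-EXAMPLE-0001", "ratings": [{"score": 7.5, "method": "CVSSv31"}],
         "affects": [{"ref": "pkg:npm/express@4.17.1"}]},
        {"id": "CVE-EXAMPLE-0002", "ratings": [{"score": 9.1, "method": "CVSSv31"}],
         "affects": [{"ref": "pkg:npm/lodash@4.17.20"}]},
    ],
}

# Constructed SARIF fragment from a hypothetical SAST/secret scanner.
SARIF = {
    "runs": [{
        "tool": {"driver": {"name": "example-sast"}},
        "results": [
            {"ruleId": "sql-injection", "level": "error",
             "message": {"text": "User input concatenated into SQL string"},
             "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/db.js"},
                                                 "region": {"startLine": 42}}}]},
            {"ruleId": "hardcoded-secret", "level": "error",
             "message": {"text": "API key literal in source"},
             "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/config.js"},
                                                 "region": {"startLine": 7}}}]},
            {"ruleId": "missing-rate-limit", "level": "warning",
             "message": {"text": "Login endpoint has no rate limiting"},
             "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/app.js"},
                                                 "region": {"startLine": 12}}}]},
        ],
    }],
}

# Constructed VEX statements (OpenVEX-style) covering both dependency and first-party findings.
# The last statement is deliberately missing a justification to show it being rejected.
VEX = {
    "statements": [
        {"vulnerability": {"name": "CVE-EXAMPLE-0002"},
         "products": [{"@id": "pkg:npm/lodash@4.17.20"}],
         "status": "not_affected", "justification": "vulnerable_code_not_in_execute_path"},
        {"vulnerability": {"name": "hardcoded-secret"},
         "products": [{"@id": "src/config.js"}], "status": "fixed"},
        {"vulnerability": {"name": "missing-rate-limit"},
         "products": [{"@id": "src/app.js"}], "status": "not_affected"},
    ]
}

# Assumed mapping from SARIF result levels to a CVSS-like 0-10 score when the
# tool supplies no numeric severity of its own.
SARIF_LEVEL_SCORE = {"error": 8.0, "warning": 5.0, "note": 2.0}
OPEN_STATES = {"affected", "under_investigation"}


@dataclass
class Finding:
    vuln_id: str        # CVE id for dependencies, rule id for first-party code
    source: str         # "dependency" or "first-party"
    subject: str        # purl for dependencies, file path for first-party code
    score: float        # 0-10, higher is more severe
    detail: str = ""
    status: str = "affected"
    justification: str = ""


def from_sbom(sbom: dict) -> list:
    """Dependency findings: one per (vulnerability, affected component) pair."""
    findings = []
    for vuln in sbom.get("vulnerabilities", []):
        ratings = vuln.get("ratings") or [{"score": 0.0}]
        score = max(float(r.get("score", 0.0)) for r in ratings)
        for affected in vuln.get("affects", []):
            findings.append(Finding(vuln["id"], "dependency", affected["ref"], score,
                                    detail=f"component {affected['ref']}"))
    return findings


def from_sarif(sarif: dict) -> list:
    """First-party findings: one per result location, scored from the SARIF level."""
    findings = []
    for run in sarif.get("runs", []):
        for result in run.get("results", []):
            score = SARIF_LEVEL_SCORE.get(result.get("level", "warning"), 5.0)
            for loc in result.get("locations", []):
                phys = loc["physicalLocation"]
                path = phys["artifactLocation"]["uri"]
                line = phys.get("region", {}).get("startLine", "?")
                findings.append(Finding(result["ruleId"], "first-party", path, score,
                                        detail=f"{path}:{line} {result['message']['text']}"))
    return findings


def apply_vex(findings: list, vex: dict) -> list:
    """Apply triage states to both sources; a not_affected claim needs a justification."""
    index = {(s["vulnerability"]["name"], p["@id"]): s
             for s in vex.get("statements", []) for p in s.get("products", [])}
    for f in findings:
        stmt = index.get((f.vuln_id, f.subject))
        if stmt is None:
            continue
        if stmt["status"] == "not_affected" and not stmt.get("justification"):
            continue  # unjustified suppression is ignored; finding stays open
        f.status = stmt["status"]
        f.justification = stmt.get("justification", "")
    return findings


def build_risk_list(sbom: dict, sarif: dict, vex: dict) -> list:
    """Open findings from both sources, ordered by severity only."""
    findings = apply_vex(from_sbom(sbom) + from_sarif(sarif), vex)
    return sorted((f for f in findings if f.status in OPEN_STATES),
                  key=lambda f: f.score, reverse=True)


if __name__ == "__main__":
    for f in build_risk_list(SBOM, SARIF, VEX):
        print(f"{f.score:4.1f}  {f.source:<12} {f.vuln_id:<20} {f.detail}")
```

Running it prints the SQL injection (first-party, 8.0) above the express CVE (dependency, 7.5) and the rate-limit warning (5.0); the lodash CVE is held out as Not Affected with its justification, the secret is recorded as Fixed, and the unjustified Not Affected statement is ignored so that finding stays open.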
