What is DevGuard?

DevGuard is an open-source vulnerability management platform built by developers, for developers. As an OWASP Incubating Project, DevGuard simplifies the complex world of vulnerability management by integrating security seamlessly into the software development lifecycle, making security practices accessible and efficient regardless of security expertise.

Core Mission

Developer-Centric Security: Security tools shouldn't disrupt development workflows. DevGuard fits naturally into existing CI/CD pipelines, providing vulnerability intelligence where developers already work.

Transparency over Obscurity: Modern software development demands full visibility into dependencies and vulnerabilities. DevGuard provides complete transparency through automated SBOM generation and dependency graphs.

Risk-Based Prioritization: Not all vulnerabilities are equally impactful. DevGuard enhances existing CVSS scores with exploitability data, organizational context, and attack surface analysis, ensuring the most important vulnerabilities are handled first.

Compliance Made Manageable: Technical compliance with security frameworks (ISO 27001, CRA, BSI IT-Grundschutz) shouldn't be a burden. DevGuard automates compliance documentation, audit trails, and evidence generation.

The Challenge

In 2023 alone, cyberattacks caused approximately €206 billion in damage in Germany, with many exploiting software vulnerabilities. Developers face security issues without proper training or tools fitting their workflows. Meanwhile, common vulnerability scanners generate overwhelming findings, often 50-80% false positives, creating alert fatigue and obscuring genuine threats.

Traditional security tools treat vulnerability management as separate from development, creating friction and unnecessary overhead. Developers need security integrated into their existing workflows, not as parallel processes demanding context switching.

The Solution

DevGuard bridges this gap through:

Seamless Integration: One-click setup for CI/CD pipelines (GitHub Actions, GitLab CI, Jenkins). The scanner CLI integrates into existing workflows without disrupting development velocity.

Intelligent Risk Assessment: Multi-dimensional risk scoring combining CVSS technical severity, EPSS exploitation probability, organizational security requirements, and component depth analysis.
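To make the multi-dimensional scoring idea concrete, here is an added example (not DevGuard's own formula or code) that combines the four inputs named above into a single number: CVSS base severity, EPSS exploitation probability, an organizational weight for the asset's security requirement, and the dependency depth of the vulnerable component. The weights, the depth decay and the sample findings are all constructed assumptions chosen to show why a critical CVSS with negligible exploitation probability can rank below a moderate CVSS that is actively exploited in a direct dependency.

```python
"""Added example: hypothetical multi-dimensional risk score.

Not DevGuard's actual scoring; the weights and decay constants below are
illustrative assumptions. Inputs follow the dimensions named on the page:
CVSS technical severity, EPSS exploitation probability, organizational
security requirement, and component depth in the dependency graph.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    cve: str
    cvss: float   # CVSS base score, 0.0-10.0
    epss: float   # EPSS probability of exploitation in the next 30 days, 0.0-1.0
    depth: int    # 0 = direct dependency, n = n levels transitive


# Organizational context (assumed multipliers): how much an asset's security
# requirement should amplify or dampen a finding's technical severity.
REQUIREMENT_WEIGHTS = {"low": 0.7, "medium": 1.0, "high": 1.3}


def risk_score(f: Finding, requirement: str = "medium") -> float:
    """Return a 0-13 style score; higher means handle first."""
    if not 0.0 <= f.cvss <= 10.0:
        raise ValueError(f"{f.cve}: CVSS out of range: {f.cvss}")
    if not 0.0 <= f.epss <= 1.0:
        raise ValueError(f"{f.cve}: EPSS out of range: {f.epss}")
    if requirement not in REQUIREMENT_WEIGHTS:
        raise ValueError(f"unknown requirement level: {requirement}")

    severity = f.cvss / 10.0
    # EPSS modulates severity but never zeroes it: a finding with no known
    # exploitation still keeps 20% of its technical weight.
    exploitability = 0.2 + 0.8 * f.epss
    # Deeper transitive components are assumed harder to reach from the
    # attack surface; each extra level divides the score further.
    reachability = 1.0 / (1.0 + 0.25 * f.depth)
    weight = REQUIREMENT_WEIGHTS[requirement]
    return round(10.0 * severity * exploitability * reachability * weight, 2)


def prioritize(findings, requirement: str = "medium"):
    """Order findings so the highest risk score comes first."""
    return sorted(findings, key=lambda f: risk_score(f, requirement), reverse=True)


# Constructed sample findings (identifiers are placeholders, not real CVEs).
SAMPLE = [
    Finding("CVE-0000-0001", cvss=9.8, epss=0.01, depth=3),  # critical, unexploited, deep
    Finding("CVE-0000-0002", cvss=7.5, epss=0.90, depth=0),  # high, actively exploited, direct
    Finding("CVE-0000-0003", cvss=5.3, epss=0.30, depth=1),  # medium, moderate EPSS
]

if __name__ == "__main__":
    for f in prioritize(SAMPLE):
        print(f"{f.cve}: {risk_score(f)}")
```

With the sample above the actively exploited direct dependency (CVE-0000-0002) scores about 6.9 and lands on top, while the CVSS 9.8 finding buried three levels deep with a 1% EPSS drops to about 1.16, which is the kind of reordering that raw CVSS sorting cannot produce.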

Supply Chain Transparency: Automated SBOM and VEX generation providing complete dependency visibility. Dependency graphs visualize complex relationships, enabling informed decisions about component risks.

Bring Your Own Scanner: Already using Trivy, Grype, Semgrep, or other tools? DevGuard ingests SBOM and SARIF reports for unified risk visibility across scanners.

Issue Tracker Integration: Automatically create tickets in GitHub Issues, GitLab Issues, or Jira to track identified vulnerabilities. Bidirectional synchronization keeps security work visible in normal development workflows.

Automated Compliance: Generate audit trails, compliance reports, and documentation automatically. Map vulnerability handling to ISO 27001, CRA, and other framework requirements without manual documentation overhead.

Open Source & Community

AGPL-3.0 License: Full transparency and no vendor lock-in. Self-host on-premise or use existing cloud deployments.

OWASP Incubating Project: Community-driven development following OWASP principles and standards.

Made in Germany: Developed by L3montree with a focus on data sovereignty, privacy, and European compliance requirements.

Active Development: Continuously evolving with community contributions, a public roadmap, and transparent issue tracking on GitHub.

Key Differentiators

Dynamic VEX: VEX information shared via links rather than static files, since what's risk-free today may be affected by CVEs tomorrow. Live VEX endpoints ensure assessments stay current.
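The following added example (not DevGuard code) shows why a live VEX link matters for the consumer. Two constructed CycloneDX-style VEX snapshots stand in for what the same endpoint would return on two different days: on day one a vulnerability is marked not_affected with a justification, on day two the same entry has been re-assessed as exploitable. The consumer applies whichever snapshot it fetched to the scanner's findings; a static file copied on day one would keep suppressing the finding after the assessment changed. The fetch_vex function, the component references and the CVE identifiers are placeholders.

```python
"""Added example: applying a live VEX document to scanner findings.

Uses the CycloneDX vulnerability `analysis.state` vocabulary (in_triage,
exploitable, not_affected, false_positive, resolved, ...). The snapshots,
component refs and CVE ids are constructed placeholders.
"""
import json

# Day 1: the project asserts the vulnerable code path is not reachable.
VEX_SNAPSHOT_DAY1 = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.4",
    "vulnerabilities": [
        {
            "id": "CVE-0000-0001",
            "analysis": {"state": "not_affected",
                         "justification": "code_not_reachable"},
            "affects": [{"ref": "pkg:npm/example-lib@1.2.3"}],
        }
    ],
})

# Day 2: new research shows the path is reachable; the same endpoint now
# serves an updated assessment for the same component.
VEX_SNAPSHOT_DAY2 = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.4",
    "vulnerabilities": [
        {
            "id": "CVE-0000-0001",
            "analysis": {"state": "exploitable",
                         "detail": "reachable via public request handler"},
            "affects": [{"ref": "pkg:npm/example-lib@1.2.3"}],
        }
    ],
})

# States under which a consumer may safely drop a finding from its work
# queue. Everything else (in_triage, exploitable, resolved, ...) stays
# visible so a human decides.
SUPPRESSING_STATES = {"not_affected", "false_positive"}


def fetch_vex(snapshot: str) -> dict:
    """Placeholder for an HTTP GET of the live VEX link; here it just parses
    the embedded snapshot so the example runs offline."""
    return json.loads(snapshot)


def vex_index(vex: dict) -> dict:
    """Map (vulnerability id, component ref) -> analysis state."""
    index = {}
    for vuln in vex.get("vulnerabilities", []):
        state = vuln.get("analysis", {}).get("state", "in_triage")
        for affected in vuln.get("affects", []):
            index[(vuln["id"], affected["ref"])] = state
    return index


def apply_vex(findings, vex: dict):
    """Return (cve, ref, state) for findings that remain actionable after
    the VEX statements are applied. Findings without a statement default
    to in_triage and are kept."""
    index = vex_index(vex)
    actionable = []
    for cve, ref in findings:
        state = index.get((cve, ref), "in_triage")
        if state not in SUPPRESSING_STATES:
            actionable.append((cve, ref, state))
    return actionable


# Constructed scanner output: (vulnerability id, component ref)
SCAN_FINDINGS = [
    ("CVE-0000-0001", "pkg:npm/example-lib@1.2.3"),
    ("CVE-0000-0002", "pkg:npm/other-lib@2.0.0"),
]

if __name__ == "__main__":
    for label, snapshot in (("day 1", VEX_SNAPSHOT_DAY1), ("day 2", VEX_SNAPSHOT_DAY2)):
        print(label, apply_vex(SCAN_FINDINGS, fetch_vex(snapshot)))
```

Re-fetching the link on day two surfaces CVE-0000-0001 again as exploitable, whereas a consumer holding the day-one file would still treat it as not_affected; that gap is what a live endpoint closes.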

Attestation-based Compliance: Support for in-toto attestations and SLSA compliance, monitoring and securing supply chain integrity.

Developer Experience: Built by developers who understand actual workflows. Minimally invasive integration preserving development velocity while improving security posture.

Pragmatic Automation: Automate what can be automated (scanning, SBOM generation, risk scoring) while preserving human judgment for strategic decisions (risk acceptance, mitigation approaches).