External Vulnerability Synchronization

Modern software supply chains involve multiple parties conducting vulnerability assessments. External synchronization enables sharing security intelligence across organizational boundaries, reducing duplicate work. DevGuard imports assessments from upstream sources and exports your own through standardized SBOM and VEX documents.

Importing Upstream Information

DevGuard consumes vulnerability data from external sources in CycloneDX format.

Upload Methods

Web UI: Repository settings → "Identify Risk" → "Custom Setup" → Upload VEX/SBOM files

CLI: Automate uploads with the DevGuard scanner:

External URL Sync: Configure periodic fetching from supplier endpoints for continuous integration.

Key Rules

VEX Precedence: VEX assessments override SBOM findings. If a VEX document states "not affected", DevGuard honors that assessment even though the SBOM still lists the vulnerability.

Source Tracking: Each imported document is tracked by its origin, so multiple sources can report the same vulnerability and each report remains attributable.

Paranoid Mode: Require explicit approval before accepting upstream assessments. Enable in repository settings for strict compliance environments.
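To make the three rules above concrete, here is an added example (not DevGuard's own code) that merges a CycloneDX SBOM and a CycloneDX VEX from two named sources. It applies VEX precedence, keeps every source per finding, and with paranoid=True only records the upstream state as pending instead of applying it. The documents, source names and CVE ids are constructed placeholders.

```python
import json

# Constructed sample CycloneDX documents (trimmed); the CVE ids are placeholders.
LIBFOO = "pkg:generic/libfoo@1.2.3"
SBOM = json.dumps({"bomFormat": "CycloneDX", "specVersion": "1.5",
    "components": [{"type": "library", "name": "libfoo", "version": "1.2.3", "purl": LIBFOO}],
    "vulnerabilities": [{"id": "CVE-0000-0001", "affects": [{"ref": LIBFOO}]},
                        {"id": "CVE-0000-0002", "affects": [{"ref": LIBFOO}]}]})
VEX = json.dumps({"bomFormat": "CycloneDX", "specVersion": "1.5",
    "vulnerabilities": [{"id": "CVE-0000-0001", "affects": [{"ref": LIBFOO}],
        "analysis": {"state": "not_affected", "justification": "code_not_reachable"}}]})

def findings(doc_json, source):
    """Yield (vuln id, component ref, analysis state, justification, source) per affected ref."""
    for v in json.loads(doc_json).get("vulnerabilities", []):
        analysis = v.get("analysis") or {}
        for a in v.get("affects", []):
            yield v["id"], a["ref"], analysis.get("state"), analysis.get("justification"), source

def merge(sbom_json, vex_json, sbom_source, vex_source, paranoid=False):
    """Merge an SBOM and a VEX from named sources into one table keyed by (vuln, component).

    Precedence: an analysis state carried by the VEX replaces the SBOM's bare finding,
    which otherwise stays 'in_triage'. With paranoid=True the VEX state is only recorded
    as 'pending' for explicit approval and the effective state is left untouched.
    Every contributing source is kept so the origin of each assessment stays visible.
    """
    merged = {}
    for vid, ref, state, just, src in findings(sbom_json, sbom_source):
        merged[(vid, ref)] = {"state": state or "in_triage", "justification": just,
                              "pending": None, "sources": [src]}
    for vid, ref, state, just, src in findings(vex_json, vex_source):
        entry = merged.setdefault((vid, ref), {"state": "in_triage", "justification": None,
                                               "pending": None, "sources": []})
        if state and paranoid:
            entry["pending"] = state  # held until a human approves the upstream claim
        elif state:
            entry["state"], entry["justification"] = state, just  # VEX precedence
        entry["sources"].append(src)
    return merged

if __name__ == "__main__":
    for key, e in merge(SBOM, VEX, "Scanner", "Supplier-CompanyX").items():
        print(key, e["state"], e["justification"], e["pending"], e["sources"])
```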

Exporting Your Assessments

Generate standardized VEX and SBOM documents for downstream consumers.

Public Endpoints

Enable "Public access to vulnerability data" in settings to expose:

/api/v1/public/{assetId}/vex.json    # Vulnerability assessments
/api/v1/public/{assetId}/sbom.json   # Component inventory

Contents: Vulnerability states (Fixed, Not Affected, etc.), justifications, component versions, external references.

Use Cases

Supply Chain Automation: Suppliers publish VEX endpoints → You import → Your customers import your VEX → Eliminates redundant analysis.

Regulatory Compliance: Standardized SBOM/VEX documentation for audits and regulations.

Ecosystem Transparency: Machine-readable security communication across organizational boundaries.

Best Practices

Verify Sources: Use Paranoid Mode for untrusted suppliers.

Document Origins: Use meaningful identifiers (e.g., "Supplier-CompanyX" not just "Scanner").

Maintain Stability: Keep public URLs stable—consumers automate around them.

Review Periodically: External assessments may become outdated.
