Administration

This section covers everything you need to run DevGuard on your own infrastructure: deploying, configuring, securing, maintaining, and upgrading a self-hosted instance.


Architecture overview

A self-hosted DevGuard deployment consists of four services:

Service | Image | Purpose
devguard-api | ghcr.io/l3montree-dev/devguard | Backend API, vulnerability database, scan processing
devguard-web | ghcr.io/l3montree-dev/devguard-web | Web frontend
PostgreSQL | postgres:16 | Application data and user data (two databases: devguard, kratos)
Ory Kratos | oryd/kratos | Identity and authentication management

All services are distributed as OCI container images. The recommended production deployment method is the official Helm chart for Kubernetes.


Deployment

Choose the method that fits your environment:

Method | Recommended for
Deploy with Helm | Production — Kubernetes environments
Deploy with Docker Compose | Local testing and evaluation only

Post-deployment configuration

After deploying, configure these settings before onboarding users:

Authentication & access control

DevGuard supports multiple authentication methods via Ory Kratos. Configure which methods are active and optionally lock down access to specific identity providers:

  • Password login: enabled by default
  • Passkeys (WebAuthn): passwordless authentication
  • OIDC / SSO: connect GitHub, GitLab, or any OIDC-compatible provider
  • OIDC-only mode: disable all other methods to enforce single sign-on
  • Disable registration: prevent new user sign-ups and restrict access to invited users

See OIDC & Restricting Access for configuration details.

UI customization

Customize the web interface to match your organization's branding:

  • Inject custom CSS and JavaScript via external URLs
  • Configure links for privacy policy, terms of use, and imprint
  • Set the account deletion contact email

See Customize the UI.

CSAF support (optional)

If you intend to publish CSAF (Common Security Advisory Framework) advisories, create a PGP key pair and configure the aggregator name and contact details during Helm chart installation.

See the CSAF section in Deploy with Helm.


Maintenance

Backups

DevGuard stores all state in two PostgreSQL databases:

  • devguard: application data (projects, assets, vulnerabilities, events)
  • kratos: user identities and sessions

Back up both with pg_dump on a regular schedule. See Backup & Restore.

Vulnerability database updates

The API downloads and maintains a local copy of the vulnerability database automatically:

  • On startup: full sync from the latest snapshot
  • Periodically: incremental differential updates

The database is sourced from the vulndb OCI registry, cryptographically signed and verified before import. Initial sync after a fresh install can take 5-15 minutes.

See Database Maintenance for monitoring, manual updates, and storage requirements.

Monitoring

Both services expose health endpoints used by Kubernetes liveness and readiness probes:

  • API: GET /api/v1/health
  • Web: GET /api/health

For deeper observability, the Helm chart supports optional Prometheus ServiceMonitors (requires Prometheus Operator) and a Grafana dashboard for span metrics when distributed tracing is enabled.

See Monitoring & Metrics.


Upgrades

DevGuard runs database migrations automatically on startup; no manual migration steps are required.

Before upgrading:

  1. Check the changelog for breaking changes
  2. Create a database backup
  3. Test in staging if possible

For Kubernetes deployments, upgrade with helm upgrade. For Docker Compose, update the image tags and restart.

See Upgrade DevGuard.


Uninstalling

DevGuard is designed for digital sovereignty: you own your data and can leave at any time.

Uninstalling involves three components:

  • Server infrastructure: helm delete or docker-compose down
  • DevGuard CLI: remove the devguard-scanner binary
  • CI/CD components: remove the reusable workflow or GitLab CI component from your repositories

See Uninstalling DevGuard for full instructions and a list of alternative open-source tools.


Quick reference

Task | Guide
Deploy to Kubernetes | Deploy with Helm
Run locally for testing | Deploy with Docker Compose
Configure SSO / OIDC | OIDC & Restricting Access
Add custom branding | Customize the UI
Set up database backups | Backup & Restore
Monitor the API | Monitoring & Metrics
Keep vulnerabilities up to date | Database Maintenance
Upgrade to a new version | Upgrade DevGuard
Remove DevGuard | Uninstalling DevGuard