Deploy DevGuard with Docker Compose

Run DevGuard using Docker Compose — suitable for evaluation, self-hosted setups, or production when Kubernetes is not available.

Prerequisites

  • Docker and Docker Compose installed

Deployment Steps

Download the Compose file

Start the containers

On first start, a devguard-setup service runs automatically to:

  • generate a random AES-256 encryption key
  • download the Kratos identity config
  • download the database init script

All files are stored in Docker named volumes — no manual file setup required.

Access DevGuard

Open http://localhost:3000 in your browser.

Important Notes

Email verification: No SMTP server is configured by default. During registration, skip email verification by clicking "Back".

To enable email delivery, append COURIER_SMTP_CONNECTION_URI to the kratos service in the Compose file:

Vulnerability database: The API downloads the latest vulnerability database on first start. This may take several minutes. Vulnerability data and scan results won't be complete until the download finishes.

Hardening for Production

The docker-compose-try-it.yaml file contains inline [PRODUCTION] comments on every value that must change before going live. The key items are:

WhatWhereAction
DevGuard DB passwordpostgresql, devguard-api, devguard-migrateSet a strong random POSTGRES_PASSWORD
Kratos DB passwordkratos, kratos-migrate DSNSet a separate strong password for the kratos DB user
Kratos configkratos, kratos-migrate volumesReplace the auto-downloaded config with a bind-mounted, customised kratos.yml (configure SMTP, disable --dev, set OIDC providers)
Public URLsdevguard-api, devguard-webSet INSTANCE_DOMAIN, FRONTEND_URL, and ORY_SDK_PUBLIC_URL to your https:// domains
TLSdevguard-api, devguard-web portsPlace a TLS-terminating reverse proxy (nginx, Caddy, Traefik) in front — do not expose ports 8080/3000 directly
Log levelkratos, devguard-apiChange LOG_LEVEL from debug to info or warn

Next Steps

Have feedback? We want to hear from you!

Fields marked with * are required