Scan Dependencies
Run Software Composition Analysis (SCA) to scan your project dependencies for known vulnerabilities and generate a Software Bill of Materials (SBOM).
DevGuard matches discovered components against the OSV.dev vulnerability database, which covers a wide range of ecosystems including npm, PyPI, Go, Maven, Cargo, NuGet, RubyGems, and many more.
To learn more about how SCA fits into a DevSecOps pipeline, see Software Composition Analysis.
Prerequisites
Before you begin, ensure you have:
- Docker or the devguard-scanner binary installed
- A personal access token from DevGuard (create one in user settings)
- A repository created in DevGuard
Installation
No installation needed — run the scanner directly via Docker:
docker run ghcr.io/l3montree-dev/devguard/scanner:main-latest devguard-scanner --help
Scan Project Dependencies
docker run -v "$(pwd):/dev/app" ghcr.io/l3montree-dev/devguard/scanner:main-latest \
devguard-scanner sca \
--path /dev/app/ \
--assetName="myorg/projects/myproject/assets/myrepo" \
--apiUrl="https://api.devguard.org" \
--token="YOUR_TOKEN"
Example Output
| LIBRARY | VULNERABILITY | RISK | CVSS | INSTALLED | FIXED | STATUS |
|---|---|---|---|---|---|---|
| pkg:golang/github.com/cloudflare/golz4 | GO-2020-0022 | 0 | N/A | 0.0.0-20150217214814-ef862a3cdc58 | v0.0.0-20140711154735N/A99f5f787806 | open |
| | GHSA-4wp2-8rm2-jgmh | 1.50 | 9.8 | 0.0.0-20150217214814-ef862a3cdc58 | v0.0.0-20140711154735N/A99f5f787806 | open |
| pkg:golang/github.com/sigstore/rekor | GO-2026-4354 | 0 | N/A | 1.3.10 | v1.5.0 | open |
| | GHSA-273p-m2cw-6833 | 0.49 | 5.3 | 1.3.10 | v1.5.0 | open |
| pkg:golang/golang.org/x/crypto | GO-2025-4134 | 0 | N/A | 0.44.0 | v0.45.0 | open |
| | GHSA-f6x5-jh6r-wrfv | 2.45 | 5.3 | 0.44.0 | v0.45.0 | open |
| pkg:pypi/requests | GHSA-9hjg-9r4m-mvj7 | 0.81 | 5.3 | 2.32.3 | 2.32.4 | open |
The output shows each affected library with its vulnerabilities, the contextual Risk score, raw CVSS score, currently installed version, available fix version, and current status.
What the Scanner Does
- Generates SBOM: Creates a complete inventory of all software components and dependencies in your project. See Explaining SBOMs for details on the SBOM format.
- Uploads Data: Sends the SBOM to DevGuard, signed via HTTP Message Signing for integrity verification.
- Server-Side Matching: DevGuard matches all components against its vulnerability database using vulnerability matching and returns results.
Verify it worked: Navigate to your repository in DevGuard. You'll see detected vulnerabilities listed with severity scores, affected components, and fix recommendations. Learn more about vulnerability types and the vulnerability lifecycle.
Scan Without Authentication
You can run the scanner without a token or asset name to get vulnerability results without saving them to DevGuard. This is useful for a quick local scan or for trying out the scanner.
docker run -v "$(pwd):/dev/app" ghcr.io/l3montree-dev/devguard/scanner:main-latest \
devguard-scanner sca \
--path /dev/app/
If neither --token nor --assetName is provided, the scanner prints a warning and returns the vulnerability results without persisting them:
Warning: You are scanning without saving the results. Provide --token and --assetName to save results to DevGuard.
CI/CD Integration
For automated dependency scanning in CI/CD pipelines, DevGuard provides ready-to-use integrations:
- GitHub Actions: See Scan with GitHub Actions for setup instructions
- GitLab CI: See Scan with GitLab CI for setup instructions
Advanced Options
Fail on Vulnerability Threshold
Configure the scanner to exit with a non-zero code based on the severity of detected vulnerabilities. This is useful for blocking CI/CD pipelines when critical issues are found.
--failOnRisk=critical
--failOnCVSS=critical
| Flag | Description | Options |
|---|---|---|
| --failOnRisk | Fail based on DevGuard's contextual risk score. This factors in EPSS probability, known exploit availability, CISA KEV status, and depth in the dependency tree. | low, medium, high, critical |
| --failOnCVSS | Fail based on the raw CVSS score of the vulnerability. | low, medium, high, critical |
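To make the difference between the two gates concrete, here is an added Python example (not DevGuard's own code) that parses the scanner's table output from the Example Output section above, rates each finding, and reports which findings would trip a --failOnCVSS or --failOnRisk gate. The CVSS bands are the standard CVSS v3.x qualitative ratings; DevGuard's numeric cut-offs for its low/medium/high/critical risk bands are not given on this page, so the risk gate below takes a numeric threshold instead. The sample table is constructed from the output shown above.

```python
"""Parse DevGuard scanner SCA table output and apply severity gates.

Added example, not DevGuard's code. It reproduces the effect of
--failOnCVSS and --failOnRisk on the page's sample output so the two
gates can be compared side by side.
"""
from __future__ import annotations

from dataclasses import dataclass
from typing import Optional

# Constructed from the sample output shown on the page (verbatim cells).
SAMPLE_OUTPUT = """\
+----+----+----+----+----+----+----+
| LIBRARY | VULNERABILITY | RISK | CVSS | INSTALLED | FIXED | STATUS |
+----+----+----+----+----+----+----+
| pkg:golang/github.com/cloudflare/golz4 | GO-2020-0022 | 0 | N/A | 0.0.0-20150217214814-ef862a3cdc58 | v0.0.0-20140711154735N/A99f5f787806 | open |
| | GHSA-4wp2-8rm2-jgmh | 1.50 | 9.8 | 0.0.0-20150217214814-ef862a3cdc58 | v0.0.0-20140711154735N/A99f5f787806 | open |
+----+----+----+----+----+----+----+
| pkg:golang/github.com/sigstore/rekor | GO-2026-4354 | 0 | N/A | 1.3.10 | v1.5.0 | open |
| | GHSA-273p-m2cw-6833 | 0.49 | 5.3 | 1.3.10 | v1.5.0 | open |
+----+----+----+----+----+----+----+
| pkg:golang/golang.org/x/crypto | GO-2025-4134 | 0 | N/A | 0.44.0 | v0.45.0 | open |
| | GHSA-f6x5-jh6r-wrfv | 2.45 | 5.3 | 0.44.0 | v0.45.0 | open |
+----+----+----+----+----+----+----+
| pkg:pypi/requests | GHSA-9hjg-9r4m-mvj7 | 0.81 | 5.3 | 2.32.3 | 2.32.4 | open |
+----+----+----+----+----+----+----+
"""

# Standard CVSS v3.x qualitative rating floors (not DevGuard-specific).
CVSS_BANDS = {"low": 0.1, "medium": 4.0, "high": 7.0, "critical": 9.0}


@dataclass
class Finding:
    library: str
    vuln_id: str
    risk: float            # DevGuard contextual risk score
    cvss: Optional[float]  # None when the advisory carries no CVSS ("N/A")
    installed: str
    fixed: str
    status: str


def parse_scanner_table(text: str) -> list[Finding]:
    """Turn the scanner's ASCII table into Finding records."""
    findings: list[Finding] = []
    header: Optional[list[str]] = None
    last_library = ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line.startswith("|"):
            continue  # skip +----+ border lines
        cells = [c.strip() for c in line.strip("|").split("|")]
        if header is None:
            header = [c.upper() for c in cells]
            continue
        row = dict(zip(header, cells))
        # A blank LIBRARY cell means "same library as the row above".
        library = row["LIBRARY"] or last_library
        last_library = library
        findings.append(Finding(
            library=library,
            vuln_id=row["VULNERABILITY"],
            risk=float(row["RISK"]),
            cvss=None if row["CVSS"] == "N/A" else float(row["CVSS"]),
            installed=row["INSTALLED"],
            fixed=row["FIXED"],
            status=row["STATUS"],
        ))
    return findings


def cvss_severity(score: Optional[float]) -> Optional[str]:
    """Map a numeric CVSS score to its qualitative band (None if unscored)."""
    if score is None or score <= 0:
        return None
    band = "low"
    for name, floor in CVSS_BANDS.items():
        if score >= floor:
            band = name
    return band


def fail_on_cvss(findings: list[Finding], threshold: str) -> list[Finding]:
    """Findings that would trip --failOnCVSS=<threshold>."""
    floor = CVSS_BANDS[threshold]
    return [f for f in findings if f.cvss is not None and f.cvss >= floor]


def fail_on_risk(findings: list[Finding], min_risk: float) -> list[Finding]:
    """Findings whose contextual risk reaches min_risk (assumed numeric cut-off)."""
    return [f for f in findings if f.risk >= min_risk]


def gate_exit_code(findings: list[Finding], cvss_threshold: Optional[str] = None,
                   min_risk: Optional[float] = None) -> int:
    """1 when any finding trips a configured gate (a blocking pipeline), else 0."""
    blocking: list[Finding] = []
    if cvss_threshold is not None:
        blocking += fail_on_cvss(findings, cvss_threshold)
    if min_risk is not None:
        blocking += fail_on_risk(findings, min_risk)
    return 1 if blocking else 0


if __name__ == "__main__":
    fs = parse_scanner_table(SAMPLE_OUTPUT)
    for f in sorted(fs, key=lambda x: x.risk, reverse=True):
        print(f"{f.vuln_id:22} risk={f.risk:<5} cvss={f.cvss} ({cvss_severity(f.cvss)})")
    print("blocked by --failOnCVSS=critical:", [f.vuln_id for f in fail_on_cvss(fs, "critical")])
    print("blocked by risk >= 2.0:", [f.vuln_id for f in fail_on_risk(fs, 2.0)])
```

Running it on the sample shows why the two gates are not interchangeable: the golz4 advisory with CVSS 9.8 carries a contextual risk of only 1.50, while the x/crypto advisory with CVSS 5.3 has the highest risk in the table at 2.45, so a CVSS gate and a risk gate block the pipeline on different findings.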
Artifact Name
Specify an artifact name to track multiple artifacts per repository:
--artifactName="pkg:devguard/orgSlug/projectSlug/repoSlug"
Scan Origin
Set a custom origin to track where the scan was triggered from:
--origin="my-custom-origin" # Default is "DEFAULT"
Git Reference
Specify Git reference information to associate scans with branches or tags:
--ref="feature-branch" # Git reference (branch, tag, or commit). Default is "main"
--defaultRef="main" # Default Git reference to use. Default is "main"
--isTag=true # Indicates if the reference is a tag. Default is false
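Because a tag passed only through --ref would be recorded as a branch unless --isTag=true accompanies it, the three flags are best derived together from the CI ref. The following is an added Python example, not part of DevGuard, that maps a fully-qualified Git ref (the format GitHub Actions exposes in GITHUB_REF: refs/heads/<branch> or refs/tags/<tag>) to the three flags above; the function name git_ref_flags and the rejection of other refs/ forms are this example's own choices.

```python
"""Derive DevGuard's --ref / --defaultRef / --isTag flags from a CI ref.

Added example, not DevGuard code. Accepts refs/heads/<branch>,
refs/tags/<tag>, or a bare branch name / commit SHA, and always emits
all three flags so tags are never silently recorded as branches.
"""
from __future__ import annotations


def git_ref_flags(ci_ref: str, default_ref: str = "main") -> list[str]:
    """Return the scanner flags for one Git reference."""
    is_tag = False
    if ci_ref.startswith("refs/heads/"):
        ref = ci_ref[len("refs/heads/"):]
    elif ci_ref.startswith("refs/tags/"):
        ref = ci_ref[len("refs/tags/"):]
        is_tag = True
    elif ci_ref.startswith("refs/"):
        # e.g. refs/pull/42/merge: neither a branch nor a tag the page describes
        raise ValueError(f"unsupported reference: {ci_ref}")
    else:
        ref = ci_ref  # bare branch name or commit SHA, passed through as-is
    if not ref:
        raise ValueError("empty reference")
    return [
        f"--ref={ref}",
        f"--defaultRef={default_ref}",
        f"--isTag={'true' if is_tag else 'false'}",
    ]


if __name__ == "__main__":
    for example in ("refs/heads/feature-branch", "refs/tags/v1.2.0", "main"):
        print(example, "->", " ".join(git_ref_flags(example)))
```

Append the returned list to the devguard-scanner sca invocation from the Scan Project Dependencies section; the default reference is passed explicitly so a scan of a tag is still compared against the intended default branch.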
Next Steps
- Scan Docker Images — scan container images for vulnerabilities
- Scan Source Code — run SAST analysis on your codebase
- Triaging Vulnerabilities — learn how to triage and manage discovered findings
- Upload an Existing SBOM — import SBOMs generated by other tools