Update Schedule
DevGuard maintains its own aggregated vulnerability database that is rebuilt every 6 hours from upstream sources, cryptographically signed, and distributed as an OCI artifact. DevGuard instances pull these incremental updates automatically.
Build Schedule
The vulnerability database is built by a GitHub Actions workflow that runs on a fixed schedule:
| Property | Value |
|---|---|
| Schedule | Every 6 hours (0 */6 * * *) |
| Trigger | Cron schedule + manual dispatch |
| Pipeline | vulndb.yaml |
| Artifact registry | ghcr.io/l3montree-dev/devguard/vulndb/v1 |
Data Sources Synced
Each build synchronizes the following upstream sources into a single PostgreSQL database:
| Source | Description |
|---|---|
| OSV | Open Source Vulnerabilities — covers npm, PyPI, Go, Maven, Cargo, NuGet, RubyGems, and many more ecosystems |
| EPSS | Exploit Prediction Scoring System — probability that a CVE will be exploited in the wild |
| CISA KEV | Known Exploited Vulnerabilities catalog |
| CWE | Common Weakness Enumeration taxonomy |
| ExploitDB | Public exploit database |
| GitHub PoC | Proof-of-concept exploits published on GitHub |
| Debian Security Tracker (DSA) | Debian-specific security advisories and affected package mappings |
| Malicious Packages | Known malicious packages across ecosystems |
Build Pipeline
The workflow executes the following steps in sequence:
- Import — Pull the latest published database state from the OCI registry using
devguard-cli vulndb import, restoring the previous build as a baseline. - Sync — Fetch fresh data from all upstream sources using
devguard-cli vulndb sync. This updates CVEs, affected components, exploit data, EPSS scores, CISA KEV status, CWE mappings, and malicious package entries. - Export — Compute the differential between the previous and current database states using
devguard-cli vulndb export. The result is a set of CSV files containing only inserts, updates, and deletes. - Package — Bundle the differential CSV files into a
vulndb.ziparchive. - Sign — Sign the archive using Cosign with a private key. The signature is stored as
vulndb.zip.sig. - Publish — Push both the archive and its signature to the GitHub Container Registry as OCI artifacts using ORAS. Each artifact is tagged with a Unix timestamp (e.g.,
1708185600).
Distribution Format
The database is distributed as OCI artifacts via the GitHub Container Registry:
ghcr.io/l3montree-dev/devguard/vulndb/v1:<timestamp> # differential update
ghcr.io/l3montree-dev/devguard/vulndb/v1:<timestamp>.sig # cosign signature
ghcr.io/l3montree-dev/devguard/vulndb/v1:<timestamp>-snapshot # full snapshot (periodic)
ghcr.io/l3montree-dev/devguard/vulndb/v1:<timestamp>-snapshot.sig
Each archive contains CSV files with the changes since the last build:
| File | Contents |
|---|---|
cves_insert.csv / cves_update.csv / cves_delete.csv | New, modified, or removed CVE entries |
affected_components_*.csv | Affected component mappings |
cve_affected_component_*.csv | CVE-to-component join records |
cwes_*.csv | CWE taxonomy updates |
exploits_*.csv | Exploit data changes |
malicious_packages_*.csv | Malicious package entries |
malicious_affected_components_*.csv | Malicious package component mappings |
cve_relationships_*.csv | CVE relationship updates |
How DevGuard Instances Consume Updates
DevGuard server instances automatically pull and apply database updates:
- On startup (and periodically thereafter), the server's VulnDB daemon calls
ImportFromDiff. - The daemon connects to
ghcr.io/l3montree-dev/devguard/vulndb/v1and lists all available tags. - It identifies tags newer than the last imported version (tracked in the
vulndb.lastIncrementalImportconfig key). - For each new tag, it downloads the OCI artifact, verifies the Cosign signature against the bundled
cosign.pubpublic key, unzips the archive, and applies the differential CSV files to the local database. - Snapshot tags are handled separately — if a snapshot is encountered, the full database state is loaded before applying subsequent differentials.
Signature Verification
Every database artifact is signed and verified before being applied:
- Signing: The build pipeline signs
vulndb.zipusing Cosign with an ECDSA private key. The signature is base64-encoded and published alongside the archive. - Verification: On import, the DevGuard instance loads the
cosign.pubpublic key, downloads the.sigartifact for the corresponding tag, and verifies the signature usingsigstore/sigstore. If verification fails, the update is rejected.
This ensures that only database artifacts built by the official pipeline are applied, protecting against supply chain attacks on the vulnerability data itself.