You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Copy file name to clipboardExpand all lines: src/pages/explanations/core-concepts/what-is-devguard.mdx
+14-14Lines changed: 14 additions & 14 deletions
Display the source diff
Display the rich diff
Original file line number
Diff line number
Diff line change
@@ -10,21 +10,21 @@ DevGuard is an open-source vulnerability management platform built by developers
10
10
11
11
**Developer-Centric Security**: Security tools shouldn't disrupt development workflows. DevGuard fits naturally into existing CI/CD pipelines, providing vulnerability intelligence where developers already work.
12
12
13
-
**Transparency Over Obscurity**: Modern software development demands full visibility into dependencies and vulnerabilities. DevGuard provides complete transparency through automated <Tooltip><TooltipTriggerasChild><spanclassName="underline decoration-dotted decoration-yellow-400 decoration-1 underline-offset-4 cursor-pointer">SBOM</span></TooltipTrigger><TooltipContent><p>Software Bill of Materials - Comprehensive inventory of software components</p></TooltipContent></Tooltip> generation and dependency graphs.
13
+
**Transparency over Obscurity**: Modern software development demands full visibility into dependencies and vulnerabilities. DevGuard provides complete transparency through automated <Tooltip><TooltipTriggerasChild><spanclassName="underline decoration-dotted decoration-yellow-400 decoration-1 underline-offset-4 cursor-pointer">SBOM</span></TooltipTrigger><TooltipContent><p>Software Bill of Materials - Comprehensive inventory of software components</p></TooltipContent></Tooltip> generation and dependency graphs.
14
14
15
-
**Risk-Based Prioritization**: Not all vulnerabilities are equally critical. DevGuard enhances <Tooltip><TooltipTriggerasChild><spanclassName="underline decoration-dotted decoration-yellow-400 decoration-1 underline-offset-4 cursor-pointer">CVSS</span></TooltipTrigger><TooltipContent><p>Common Vulnerability Scoring System - Technical severity rating</p></TooltipContent></Tooltip> scores with exploitability data, organizational context, and attack surface analysis—ensuring the most important issues come first.
15
+
**Risk-Based Prioritization**: Not all vulnerabilities are equally impactful. DevGuard enhances existing <Tooltip><TooltipTriggerasChild><spanclassName="underline decoration-dotted decoration-yellow-400 decoration-1 underline-offset-4 cursor-pointer">CVSS</span></TooltipTrigger><TooltipContent><p>Common Vulnerability Scoring System - Technical severity rating</p></TooltipContent></Tooltip> scores with exploitability data, organizational context, and attack surface analysis—ensuring the most important vulnerabilities are handled first.
16
16
17
17
**Compliance Made Manageable**: Technical compliance with security frameworks (ISO 27001, CRA, BSI IT-Grundschutz) shouldn't be a burden. DevGuard automates compliance documentation, audit trails, and evidence generation.
18
18
19
19
<Callouttype="info"emoji="🎯">
20
-
DevGuard practices what it preaches—the platform scans and manages its own vulnerabilities, publicly sharing SBOM and <Tooltip><TooltipTriggerasChild><spanclassName="underline decoration-dotted decoration-yellow-400 decoration-1 underline-offset-4 cursor-pointer">VEX</span></TooltipTrigger><TooltipContent><p>Vulnerability Exploitability eXchange - Vulnerability impact assessments</p></TooltipContent></Tooltip> documents as examples of transparent security practices.
20
+
DevGuard practices what it preaches—the platform scans and manages its own vulnerabilities, publicly sharing SBOM and <Tooltip><TooltipTriggerasChild><spanclassName="underline decoration-dotted decoration-yellow-400 decoration-1 underline-offset-4 cursor-pointer">VEX</span></TooltipTrigger><TooltipContent><p>Vulnerability Exploitability eXchange - Vulnerability impact assessments</p></TooltipContent></Tooltip> documents as an example of transparent security practices.
21
21
</Callout>
22
22
23
23
## The Challenge
24
24
25
-
In 2023 alone, cyberattacks caused approximately €206 billion in damage in Germany, with many exploiting software vulnerabilities. Developers face security issues without proper training or tools fitting their workflows. Meanwhile, vulnerability scanners generate overwhelming findings—often 50-80% false positives—creating alert fatigue and obscuring genuine threats.
25
+
In 2023 alone, cyberattacks caused approximately €206 billion in damage in Germany alone, with many exploiting software vulnerabilities. Developers face security issues without proper training or tools fitting their workflows. Meanwhile, common vulnerability scanners generate overwhelming findings—often 50-80% false positives—creating alert fatigue and obscuring genuine threats.
26
26
27
-
Traditional security tools treat vulnerability management as separate from development, creating friction. Developers need security integrated into their existing workflows, not parallel processes demanding context switching.
27
+
Traditional security tools treat vulnerability management as separate from development, creating friction and unnecessary overhead. Developers need security integrated into their existing workflows, not as parallel processes demanding context switching.
28
28
29
29
## The Solution
30
30
@@ -36,40 +36,40 @@ DevGuard bridges this gap through:
**Bring Your Own Scanner**: Already using Trivy, Grype, Semgrep, or other tools? DevGuard ingests SBOM and SARIF format data for unified risk visibility across scanners.
39
+
**Bring Your Own Scanner**: Already using Trivy, Grype, Semgrep, or other tools? DevGuard ingests SBOM and SARIF reports for unified risk visibility across scanners.
40
40
41
-
**Issue Tracker Integration**: Automatically create tickets in GitHub Issues, GitLab Issues, or Jira for identified vulnerabilities. Bidirectional synchronization keeps security work visible in normal development workflows.
41
+
**Issue Tracker Integration**: Automatically create tickets in GitHub Issues, GitLab Issues, or Jira to track identified vulnerabilities. Bidirectional synchronization keeps security work visible in normal development workflows.
42
42
43
43
**Automated Compliance**: Generate audit trails, compliance reports, and documentation automatically. Map vulnerability handling to ISO 27001, CRA, and other framework requirements without manual documentation overhead.
44
44
45
45
## Open Source & Community
46
46
47
-
**AGPL-3.0 License**: Full transparency and no vendor lock-in. Self-host on-premise or use cloud deployments.
47
+
**AGPL-3.0 License**: Full transparency and no vendor lock-in. Self-host on-premise or use [existing cloud deployments](https://app.devguard.org/).
48
48
49
49
**OWASP Incubating Project**: Community-driven development following OWASP principles and standards.
50
50
51
-
**Made in Germany**: Developed by L3montree with focus on data sovereignty, privacy, and European compliance requirements.
51
+
**Made in Germany**: Developed by L3montree with a focus on data sovereignty, privacy, and European compliance requirements.
52
52
53
-
**Active Development**: Continuously evolving with community contributions. Public roadmap and transparent issue tracking on GitHub.
53
+
**Active Development**: Continuously evolving with community contributions, a public roadmap, and transparent issue tracking on GitHub.
54
54
55
55
<Callouttype="info"emoji="🌍">
56
-
DevGuard supports the OWASP DevSecOps pipeline with simplified CLI wrappers around widely-used opensource tools, enabling security at scale without reinventing ecosystems.
56
+
DevGuard supports the OWASP DevSecOps pipeline with simplified CLI wrappers around widelyused open-source tools, enabling security at scale without reinventing ecosystems.
57
57
</Callout>
58
58
59
59
## Key Differentiators
60
60
61
61
**Dynamic VEX**: VEX information shared via links rather than static files—what's risk-free today may be affected by CVEs tomorrow. Live VEX endpoints ensure assessments stay current.
62
62
63
-
**Attestation-Based Compliance**: Support for in-toto attestations and SLSA compliance monitoring, securing supply chain integrity.
63
+
**Attestation-based Compliance**: Support for in-toto attestations and SLSA compliance monitoring and securing supply chain integrity.
64
64
65
-
**Developer Experience**: Built by developers understanding actual workflows. Minimally invasive integration preserving development velocity while improving security posture.
65
+
**Developer Experience**: Built by developers who understand actual workflows. Minimally invasive integration preserving development velocity while improving security posture.
66
66
67
67
**Pragmatic Automation**: Automate what can be automated (scanning, SBOM generation, risk scoring) while preserving human judgment for strategic decisions (risk acceptance, mitigation approaches).
68
68
69
69
---
70
70
71
71
## Related Documentation
72
72
73
-
-[Vulnerability Lifecycle](/explanations/vulnerability-management/vulnerability-lifecycle) - Understanding vulnerability management process
73
+
-[Vulnerability Lifecycle](/explanations/vulnerability-management/vulnerability-lifecycle) - Understanding the vulnerability management process
74
74
-[Vulnerability Risk Assessment](/explanations/vulnerability-management/risk-assessment-methodology) - How DevGuard calculates risk scores
75
75
-[Why Compliance Matters](/explanations/compliance/why-compliance-matters) - Business case for integrated security
0 commit comments