
Commit 447499a

committed
Merge remote-tracking branch 'origin/main' into feature/integrate-euvd
2 parents d46f0f9 + 5f2e22a commit 447499a

150 files changed

Lines changed: 3935 additions & 3528 deletions




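--- a/.env.example
+++ b/.env.example
@@ -16,6 +16,10 @@ INSTANCE_DOMAIN=https://api.devguard.org #Choose which version of devguard you
 
 FRONTEND_URL=http://localhost:3000
 
+# Anonymous startup telemetry uses Umami and logs what it sends on startup.
+# Set DEVGUARD_TELEMETRY_DISABLED=true (or 1/yes/on) to disable it explicitly.
+DEVGUARD_TELEMETRY_DISABLED=false
+
 PDF_GENERATION_API=https://dwt-api.dev-l3montree.cloud/pdf
 # comment to disable error tracking
 ERROR_TRACKING_DSN="https://<your-error-tracking-dsn>"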
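Review bot: The new `DEVGUARD_TELEMETRY_DISABLED` comment says how to opt out but not what the startup telemetry transmits, to which endpoint, or whether an unset variable counts as enabled, so an operator copying this example (which ships with telemetry on via `=false`) cannot judge the default from the file alone. I'd extend the comment with one more line such as `# Sends <FIELDS SENT> to <UMAMI ENDPOINT>; unset behaves like false. Details: <DOCS LINK>` with the placeholders filled from the implementation. The list of accepted values (`true`, `1`, `yes`, `on`) implies a parser elsewhere in the repository that I cannot see here, so the "unset" behaviour should be confirmed against it before being documented.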

.github/workflows/devguard-scanner.yaml

Lines changed: 150 additions & 63 deletions
@@ -63,19 +63,20 @@ jobs:
6363
contents: read
6464
security-events: write
6565
with:
66-
asset-name: l3montree-cybersecurity/projects/devguard/assets/devguard
67-
api-url: https://api.main.devguard.org
66+
devguard-asset-name: l3montree-cybersecurity/projects/devguard/assets/devguard
67+
devguard-api-url: https://api.main.devguard.org
6868
fail-on-risk: high
6969
fail-on-cvss: high
70-
web-ui: https://main.devguard.org
71-
continue-on-open-code-risk: true
70+
devguard-web-ui: https://main.devguard.org
71+
allow-failure: true
7272
secrets:
7373
devguard-token: ${{ secrets.DEVGUARD_TOKEN }}
7474

7575

7676
api-pipeline:
7777
if: github.event_name == 'workflow_dispatch' || startsWith(github.ref, 'refs/tags/') || github.ref == 'refs/heads/main'
7878
uses: l3montree-dev/devguard-ci-components/.github/workflows/full-nix.yml@main
79+
needs: [tests]
7980
permissions:
8081
contents: read
8182
packages: write
@@ -85,9 +86,9 @@ jobs:
8586
nix-target-arm64: devguard-arm64
8687
nix-version: '2.34.4'
8788
image-name: ghcr.io/${{ github.repository }}
88-
asset-name: l3montree-cybersecurity/projects/devguard/assets/devguard
89-
api-url: https://api.main.devguard.org
90-
web-ui: https://main.devguard.org
89+
devguard-asset-name: l3montree-cybersecurity/projects/devguard/assets/devguard
90+
devguard-api-url: https://api.main.devguard.org
91+
devguard-web-ui: https://main.devguard.org
9192
fail-on-cvss: high
9293
fail-on-risk: high
9394
nix-cache-substituter: https://nix.garage.l3montree.cloud
@@ -111,9 +112,9 @@ jobs:
111112
nix-version: '2.34.4'
112113
image-name: ghcr.io/${{ github.repository }}/scanner
113114
artifact-name-suffix: scanner
114-
asset-name: l3montree-cybersecurity/projects/devguard/assets/devguard
115-
api-url: https://api.main.devguard.org
116-
web-ui: https://main.devguard.org
115+
devguard-asset-name: l3montree-cybersecurity/projects/devguard/assets/devguard
116+
devguard-api-url: https://api.main.devguard.org
117+
devguard-web-ui: https://main.devguard.org
117118
fail-on-cvss: high
118119
fail-on-risk: high
119120
nix-cache-substituter: https://nix.garage.l3montree.cloud
@@ -136,9 +137,9 @@ jobs:
136137
nix-version: '2.34.4'
137138
image-name: ghcr.io/${{ github.repository }}/postgresql
138139
artifact-name-suffix: postgresql
139-
asset-name: l3montree-cybersecurity/projects/devguard/assets/devguard-postgresql
140-
api-url: https://api.main.devguard.org
141-
web-ui: https://main.devguard.org
140+
devguard-asset-name: l3montree-cybersecurity/projects/devguard/assets/devguard-postgresql
141+
devguard-api-url: https://api.main.devguard.org
142+
devguard-web-ui: https://main.devguard.org
142143
fail-on-cvss: high
143144
fail-on-risk: high
144145
nix-cache-substituter: https://nix.garage.l3montree.cloud
@@ -176,10 +177,14 @@ jobs:
176177
id: tag
177178
run: |
178179
if [[ "${GITHUB_REF}" == refs/tags/* ]]; then
179-
echo "tag=${GITHUB_REF#refs/tags/}" >> $GITHUB_OUTPUT
180+
TAG="${GITHUB_REF#refs/tags/}"
181+
echo "tag=${TAG}" >> $GITHUB_OUTPUT
180182
echo "TAG_NO_V=${GITHUB_REF_NAME#v}" >> $GITHUB_ENV
183+
MINOR=$(echo "${TAG#v}" | cut -d. -f1-2)
184+
echo "minor=${MINOR}" >> $GITHUB_OUTPUT
181185
else
182186
echo "tag=test-$(date +%Y%m%d-%H%M%S)" >> $GITHUB_OUTPUT
187+
echo "minor=0.0" >> $GITHUB_OUTPUT
183188
fi
184189
185190
- name: Build cross-platform binaries
@@ -195,6 +200,13 @@ jobs:
195200
GOOS=windows GOARCH=arm64 CGO_ENABLED=0 go build -ldflags=\"\$BUILD_FLAGS\" -o dist/devguard-scanner-windows-arm64.exe ./cmd/devguard-scanner
196201
GOOS=darwin GOARCH=amd64 CGO_ENABLED=0 go build -ldflags=\"\$BUILD_FLAGS\" -o dist/devguard-scanner-darwin-amd64 ./cmd/devguard-scanner
197202
GOOS=darwin GOARCH=arm64 CGO_ENABLED=0 go build -ldflags=\"\$BUILD_FLAGS\" -o dist/devguard-scanner-darwin-arm64 ./cmd/devguard-scanner
203+
204+
GOOS=linux GOARCH=amd64 CGO_ENABLED=0 go build -ldflags=\"\$BUILD_FLAGS\" -o dist/devguard-cli-linux-amd64 ./cmd/devguard-cli
205+
GOOS=linux GOARCH=arm64 CGO_ENABLED=0 go build -ldflags=\"\$BUILD_FLAGS\" -o dist/devguard-cli-linux-arm64 ./cmd/devguard-cli
206+
GOOS=windows GOARCH=amd64 CGO_ENABLED=0 go build -ldflags=\"\$BUILD_FLAGS\" -o dist/devguard-cli-windows-amd64.exe ./cmd/devguard-cli
207+
GOOS=windows GOARCH=arm64 CGO_ENABLED=0 go build -ldflags=\"\$BUILD_FLAGS\" -o dist/devguard-cli-windows-arm64.exe ./cmd/devguard-cli
208+
GOOS=darwin GOARCH=amd64 CGO_ENABLED=0 go build -ldflags=\"\$BUILD_FLAGS\" -o dist/devguard-cli-darwin-amd64 ./cmd/devguard-cli
209+
GOOS=darwin GOARCH=arm64 CGO_ENABLED=0 go build -ldflags=\"\$BUILD_FLAGS\" -o dist/devguard-cli-darwin-arm64 ./cmd/devguard-cli
198210
"
199211
env:
200212
STEPS_TAG_OUTPUTS_TAG: ${{ steps.tag.outputs.tag }}
@@ -208,14 +220,24 @@ jobs:
208220
tar -czf devguard-scanner-linux-arm64.tar.gz devguard-scanner-linux-arm64
209221
tar -czf devguard-scanner-darwin-amd64.tar.gz devguard-scanner-darwin-amd64
210222
tar -czf devguard-scanner-darwin-arm64.tar.gz devguard-scanner-darwin-arm64
223+
224+
tar -czf devguard-cli-linux-arm64.tar.gz devguard-cli-linux-arm64
225+
tar -czf devguard-cli-linux-amd64.tar.gz devguard-cli-linux-amd64
226+
tar -czf devguard-cli-darwin-amd64.tar.gz devguard-cli-darwin-amd64
227+
tar -czf devguard-cli-darwin-arm64.tar.gz devguard-cli-darwin-arm64
211228
212229
# Create zip archives for Windows
213230
zip devguard-scanner-windows-amd64.zip devguard-scanner-windows-amd64.exe
214231
zip devguard-scanner-windows-arm64.zip devguard-scanner-windows-arm64.exe
232+
233+
zip devguard-cli-windows-amd64.zip devguard-cli-windows-amd64.exe
234+
zip devguard-cli-windows-arm64.zip devguard-cli-windows-arm64.exe
215235
216236
# Remove individual binaries, keep archives
217237
rm -f devguard-scanner-linux-amd64 devguard-scanner-linux-arm64 devguard-scanner-darwin-amd64 devguard-scanner-darwin-arm64
238+
rm -f devguard-cli-linux-amd64 devguard-cli-linux-arm64 devguard-cli-darwin-amd64 devguard-cli-darwin-arm64
218239
rm -f devguard-scanner-windows-amd64.exe devguard-scanner-windows-arm64.exe
240+
rm -f devguard-cli-windows-amd64.exe devguard-cli-windows-arm64.exe
219241
220242
221243
- name: Generate checksums
@@ -243,70 +265,135 @@ jobs:
243265
uses: softprops/action-gh-release@de2c0eb89ae2a093876385947365aca7b0e5f844 # v1
244266
with:
245267
tag_name: ${{ steps.tag.outputs.tag }}
246-
name: "DevGuard Scanner ${{ steps.tag.outputs.tag }}"
268+
name: "DevGuard Release ${{ steps.tag.outputs.tag }}"
247269
draft: false
248-
prerelease: ${{ contains(steps.tag.outputs.tag, 'test-') }}
270+
prerelease: ${{ contains(steps.tag.outputs.tag, 'test-') || contains(steps.tag.outputs.tag, '-rc') || contains(steps.tag.outputs.tag, '-alpha') || contains(steps.tag.outputs.tag, '-beta') }}
249271
body: |
250-
## 🚀 DevGuard Release ${{ steps.tag.outputs.tag }}
251-
252-
**Secure software supply chain scanning and security analysis toolkit**
253-
254-
### Release Assets
255-
256-
#### **📱 Binaries**
257-
- `devguard-scanner-linux-amd64.tar.gz` - Linux x64 binary
258-
- `devguard-scanner-linux-arm64.tar.gz` - Linux ARM64 binary
259-
- `devguard-scanner-darwin-amd64.tar.gz` - macOS x64 binary
260-
- `devguard-scanner-darwin-arm64.tar.gz` - macOS ARM64 (Apple Silicon) binary
261-
- `devguard-scanner-windows-amd64.zip` - Windows x64 binary
262-
- `devguard-scanner-windows-arm64.zip` - Windows ARM64 binary
263-
264-
#### **🐳 Container Images**
265-
- **Registry**:
266-
- `ghcr.io/l3montree-dev/devguard:${{ steps.tag.outputs.tag }}` (Main platform)
267-
- `ghcr.io/l3montree-dev/devguard-web:${{ steps.tag.outputs.tag }}` (Frontend of the platform)
268-
- `ghcr.io/l3montree-dev/devguard/scanner:${{ steps.tag.outputs.tag }}` (Scanner tool)
269-
270-
#### Helm Charts
271-
272-
`oci://ghcr.io/l3montree-dev/devguard-helm-chart/devguard` (Main platform Helm chart)
272+
# 🚀 DevGuard Release ${{ steps.tag.outputs.tag }}
273273
274+
**Secure software supply chain scanning and security analysis platform**
275+
276+
---
277+
278+
# 🔍 DevGuard Scanner
279+
280+
The Scanner performs software supply chain analysis, SBOM generation, vulnerability detection, and security scanning. It communicates with a running devguard-api instance.
281+
282+
### 📱 Binaries
283+
284+
| Platform | Binary |
285+
|-----------|---------|
286+
| Linux x64 | `devguard-scanner-linux-amd64.tar.gz` |
287+
| Linux ARM64 | `devguard-scanner-linux-arm64.tar.gz` |
288+
| macOS x64 | `devguard-scanner-darwin-amd64.tar.gz` |
289+
| macOS ARM64 (Apple Silicon) | `devguard-scanner-darwin-arm64.tar.gz` |
290+
| Windows x64 | `devguard-scanner-windows-amd64.zip` |
291+
| Windows ARM64 | `devguard-scanner-windows-arm64.zip` |
292+
293+
**Download and Install**
274294
```bash
275-
helm install my-devguard oci://ghcr.io/l3montree-dev/devguard-helm-chart/devguard --version ${{ env.TAG_NO_V }}
276-
```
277-
278-
### Quick Start
279-
280-
#### **Download and Install**
281-
```bash
282-
# Linux/macOS - Download and extract
283295
curl -L https://github.com/l3montree-dev/devguard/releases/download/${{ steps.tag.outputs.tag }}/devguard-scanner-linux-amd64.tar.gz | tar -xz
296+
284297
chmod +x devguard-scanner-linux-amd64
285298
sudo mv devguard-scanner-linux-amd64 /usr/local/bin/devguard-scanner
286-
287-
# Verify installation
288-
devguard-scanner --version
299+
300+
#Verify
301+
devguard-scanner --help
289302
```
290-
291-
#### **Docker Usage**
303+
304+
### 🐳 Container Image
305+
292306
```bash
293-
# Pull DevGuard Scanner from registry
294307
docker pull ghcr.io/l3montree-dev/devguard/scanner:${{ steps.tag.outputs.tag }}
295-
296-
# Pull DevGuard Platform from registry
297-
docker pull ghcr.io/l3montree-dev/devguard:${{ steps.tag.outputs.tag }}
298308
```
299-
300-
#### **Go Install**
309+
310+
### Go Install
311+
301312
```bash
302313
go install github.com/l3montree-dev/devguard/cmd/devguard-scanner@${{ steps.tag.outputs.tag }}
303314
```
304-
315+
316+
---
317+
318+
# 💻 DevGuard CLI
319+
320+
The CLI provides interaction capabilities with DevGuard. It is used in conjuction with a running devguard-api server. Some tasks like generating an instance admin key can be done using the devguard-cli binary.
321+
322+
### 📱 Binaries
323+
324+
| Platform | Binary |
325+
|-----------|---------|
326+
| Linux x64 | `devguard-cli-linux-amd64.tar.gz` |
327+
| Linux ARM64 | `devguard-cli-linux-arm64.tar.gz` |
328+
| macOS x64 | `devguard-cli-darwin-amd64.tar.gz` |
329+
| macOS ARM64 (Apple Silicon) | `devguard-cli-darwin-arm64.tar.gz` |
330+
| Windows x64 | `devguard-cli-windows-amd64.zip` |
331+
| Windows ARM64 | `devguard-cli-windows-arm64.zip` |
332+
333+
**Download and Install**
334+
```bash
335+
curl -L https://github.com/l3montree-dev/devguard/releases/download/${{ steps.tag.outputs.tag }}/devguard-cli-linux-amd64.tar.gz | tar -xz
336+
337+
chmod +x devguard-cli-linux-amd64
338+
sudo mv devguard-cli-linux-amd64 /usr/local/bin/devguard-cli
339+
340+
#Verify
341+
devguard-cli --help
342+
```
343+
305344
---
306-
307-
📖 **Documentation**: [DevGuard Documentation](https://github.com/l3montree-dev/devguard)
308-
🐛 **Report Issues**: [GitHub Issues](https://github.com/l3montree-dev/devguard/issues)
309-
💬 **Community**: [Discussions](https://github.com/l3montree-dev/devguard/discussions)
345+
346+
# 🛡️ DevGuard Platform
347+
348+
The DevGuard Platform provides centralized security visibility, findings management, and reporting.
349+
350+
### 🐳 Container Image
351+
352+
```bash
353+
docker pull ghcr.io/l3montree-dev/devguard:${{ steps.tag.outputs.tag }}
354+
```
355+
356+
> The frontend image (`devguard-web`) is released separately — see [devguard-web releases](https://github.com/l3montree-dev/devguard-web/releases) for the matching `v${{ steps.tag.outputs.minor }}.*` release.
357+
358+
---
359+
360+
# ☸️ Kubernetes Deployment
361+
362+
Deploy DevGuard to Kubernetes using the official Helm chart.
363+
364+
### Helm Chart
365+
366+
```text
367+
oci://ghcr.io/l3montree-dev/devguard-helm-chart/devguard
368+
```
369+
370+
### Install
371+
372+
```bash
373+
helm install my-devguard \
374+
oci://ghcr.io/l3montree-dev/devguard-helm-chart/devguard \
375+
--version ${{ env.TAG_NO_V }}
376+
```
377+
378+
---
379+
380+
## Versioning
381+
382+
All DevGuard components (`devguard`, `devguard-web`, Helm chart) share the same **minor version**. Any `v${{ steps.tag.outputs.minor }}.*` release of one component is compatible with any `v${{ steps.tag.outputs.minor }}.*` release of another. Patch versions are released independently per component — you do not need to upgrade all components simultaneously as long as the minor version matches.
383+
384+
📖 See [VERSIONING.md](https://github.com/l3montree-dev/devguard/blob/main/VERSIONING.md) for the full policy.
385+
📋 See [CHANGELOG](https://github.com/l3montree-dev/devguard/blob/main/CHANGELOG.md) for what changed in this release.
386+
387+
---
388+
389+
## Resources
390+
391+
📖 Documentation: https://github.com/l3montree-dev/devguard
392+
393+
🐛 Report Issues: https://github.com/l3montree-dev/devguard/issues
394+
395+
💬 Community Discussions: https://github.com/l3montree-dev/devguard/discussions
396+
310397
files: |
311398
dist/*.tar.gz
312399
dist/*.zip
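Review bot: In the first hunk (jobs line 63), `continue-on-open-code-risk: true` is replaced by `allow-failure: true` while `fail-on-risk: high` and `fail-on-cvss: high` are kept; if `allow-failure` in the reusable workflow means what its name suggests, a high-risk or high-CVSS finding no longer blocks the pipeline, which is a looser gate than the previous input expressed. I cannot see the `devguard-ci-components` workflow, so this is inferred from the input name; if advisory scanning is the intent, a comment above the line such as `# scan is advisory here: findings are uploaded but do not fail the check` would make that policy explicit to the next reader. Separately, the release body added in the last hunk contains `#Verify` twice (missing space after `#`) and "conjuction" in the CLI paragraph; the enclosing `body: |` scalar runs past the hunk's end.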

.gitlab-ci.yml

Lines changed: 36 additions & 3 deletions
@@ -1,12 +1,18 @@
11
# SPDX-License-Identifier: AGPL-3.0
22
# GitLab CI for the devguard repository (mirrored from GitHub).
33

4+
workflow:
5+
rules:
6+
- if: $CI_COMMIT_BRANCH == "main"
7+
- if: $CI_COMMIT_TAG
8+
49
stages:
510
- .pre
611
- test
712
- build
813
- oci-image
914
- attestation
15+
- release
1016

1117

1218
.common: &common
@@ -22,29 +28,56 @@ stages:
2228

2329
include:
2430
# ── api-pipeline ──────────────────────────────────────────────────────────────
25-
- remote: https://gitlab.com/l3montree/devguard/-/raw/main/templates/build-nix-multiarch.yml
31+
- remote: https://raw.githubusercontent.com/l3montree-dev/devguard-ci-components/refs/heads/main/templates/build-nix-multiarch.yml
2632
inputs:
2733
<<: *common
2834
nix_target_amd64: "devguard-amd64"
2935
nix_target_arm64: "devguard-arm64"
3036
arm64_runner_tag: "arm"
37+
rules:
38+
- if: $CI_COMMIT_BRANCH == "main"
39+
- if: $CI_COMMIT_TAG
3140

3241
# ── scanner-pipeline ──────────────────────────────────────────────────────────
33-
- remote: https://gitlab.com/l3montree/devguard/-/raw/main/templates/build-nix-multiarch.yml
42+
- remote: https://raw.githubusercontent.com/l3montree-dev/devguard-ci-components/refs/heads/main/templates/build-nix-multiarch.yml
3443
inputs:
3544
<<: *common
3645
image_suffix: "scanner"
3746
nix_target_amd64: "devguard-scanner-amd64"
3847
nix_target_arm64: "devguard-scanner-arm64"
3948
arm64_runner_tag: "arm"
4049
job_suffix: ":scanner"
50+
rules:
51+
- if: $CI_COMMIT_BRANCH == "main"
52+
- if: $CI_COMMIT_TAG
4153

4254
# ── postgresql-pipeline ──────────────────────────────────────────────────────────
43-
- remote: https://gitlab.com/l3montree/devguard/-/raw/main/templates/build-nix-multiarch.yml
55+
- remote: https://raw.githubusercontent.com/l3montree-dev/devguard-ci-components/refs/heads/main/templates/build-nix-multiarch.yml
4456
inputs:
4557
<<: *common
4658
image_suffix: "postgresql"
4759
nix_target_amd64: "postgresql-amd64"
4860
nix_target_arm64: "postgresql-arm64"
4961
arm64_runner_tag: "arm"
5062
job_suffix: ":postgresql"
63+
rules:
64+
- if: $CI_COMMIT_BRANCH == "main"
65+
- if: $CI_COMMIT_TAG
66+
67+
create-gitlab-release:
68+
stage: release
69+
image: alpine:3.22.1@sha256:4bcff63911fcb4448bd4fdacec207030997caf25e9bea4045fa6c8c44de311d1
70+
before_script:
71+
- apk add --no-cache curl
72+
script:
73+
- |
74+
VERSION=${CI_COMMIT_TAG#v}
75+
MINOR=$(echo "$VERSION" | cut -d. -f1-2)
76+
DESCRIPTION="# DevGuard $CI_COMMIT_TAG\n\nSecure software supply chain scanning and security analysis platform.\n\n## Container Images\n\n\`\`\`bash\ndocker pull $CI_REGISTRY_IMAGE:$CI_COMMIT_TAG\ndocker pull $CI_REGISTRY_IMAGE/scanner:$CI_COMMIT_TAG\n\`\`\`\n\n## Versioning\n\nAll DevGuard components share the same **minor version**. Any \`v${MINOR}.*\` release of one component is compatible with any \`v${MINOR}.*\` release of another. Patch versions are released independently per component.\n\nSee [VERSIONING.md](https://github.com/l3montree-dev/devguard/blob/main/VERSIONING.md) for the full policy.\n\n📋 [CHANGELOG](https://github.com/l3montree-dev/devguard/blob/main/CHANGELOG.md) — what changed in this release.\n\n---\n\n🐛 Issues: https://github.com/l3montree-dev/devguard/issues\n💬 Community: https://github.com/l3montree-dev/devguard/discussions"
77+
curl --fail-with-body --request POST \
78+
--header "JOB-TOKEN: $CI_JOB_TOKEN" \
79+
--header "Content-Type: application/json" \
80+
--data "{\"name\":\"DevGuard $CI_COMMIT_TAG\",\"tag_name\":\"$CI_COMMIT_TAG\",\"ref\":\"$CI_COMMIT_SHA\",\"description\":\"$DESCRIPTION\"}" \
81+
"$CI_API_V4_URL/projects/$CI_PROJECT_ID/releases"
82+
rules:
83+
- if: $CI_COMMIT_TAG
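Review bot: `create-gitlab-release` builds the request body by interpolating `$CI_COMMIT_TAG`, `$CI_COMMIT_SHA` and `$DESCRIPTION` into a hand-written JSON string, so a `"` in a tag name (git refnames may contain one) yields malformed JSON and a failed release, and the `\n` and escaped-backtick sequences in `DESCRIPTION` only work because bash leaves them literal for the JSON parser to interpret. Generating the body with jq (`apk add --no-cache curl jq`) and writing `DESCRIPTION` with real newlines removes the hand-escaping: `--data "$(jq -n --arg name "DevGuard $CI_COMMIT_TAG" --arg tag "$CI_COMMIT_TAG" --arg ref "$CI_COMMIT_SHA" --arg desc "$DESCRIPTION" '{name:$name,tag_name:$tag,ref:$ref,description:$desc}')"`. Separately, the three `include: remote:` entries in the earlier hunk now fetch the pipeline template from `refs/heads/main` of `devguard-ci-components`; pinning that URL to a tag or commit would keep this pipeline reproducible and turn a template change into a visible diff here rather than a silent one, in contrast to the `alpine` image below, which is already digest-pinned.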
