Add dependency proxy configs

.env.example

@@ -29,6 +29,7 @@ ALPINE_RELEASES_API=https://alpinelinux.org/releases.json
 
 
 CSAF_PASSPHRASE=example-passphrase
+DEPENDENCY_PROXY_BASE_URL=https://api.main.devguard.org/api/v1/dependency-proxy
 
 # OpenTelemetry tracing
 # Set to a value > 0 to enable tracing (e.g. 1.0 = 100%, 0.1 = 10%)

cmd/devguard-cli/commands/vulndb.go

@@ -88,6 +88,7 @@ func migrateDB() {
 			fx.Invoke(func(ShareRouter router.ShareRouter) {}),
 			fx.Invoke(func(VulnDBRouter router.VulnDBRouter) {}),
 			fx.Invoke(func(dependencyProxyRouter router.DependencyProxyRouter) {}),
+			fx.Invoke(func(shareDependencyProxyRouter router.ShareDependencyProxyRouter) {}),
 			fx.Invoke(func(lc fx.Lifecycle, server api.Server) {
 				lc.Append(fx.Hook{
 					OnStart: func(ctx context.Context) error {

cmd/devguard/main.go

@@ -139,6 +139,7 @@ func main() {
 		fx.Invoke(func(ShareRouter router.ShareRouter) {}),
 		fx.Invoke(func(VulnDBRouter router.VulnDBRouter) {}),
 		fx.Invoke(func(dependencyProxyRouter router.DependencyProxyRouter) {}),
+		fx.Invoke(func(shareDependencyProxyRouter router.ShareDependencyProxyRouter) {}),
 		fx.Invoke(func(FalsePositiveRuleRouter router.VEXRuleRouter) {}),
 		fx.Invoke(func(ExternalReferenceRouter router.ExternalReferenceRouter) {}),
 		fx.Invoke(func(lc fx.Lifecycle, server api.Server) {

controllers/providers.go

@@ -29,8 +29,8 @@ import (
 
 var controllersTracer = otel.Tracer("devguard/controllers")
 
-// ProvideDependencyProxyConfig creates the configuration for the dependency proxy
-func ProvideDependencyProxyConfig() DependencyProxyConfig {
+// ProvideDependencyProxyCache creates the configuration for the dependency proxy
+func ProvideDependencyProxyCache() DependencyProxyCache {
 	var cacheDir string
 	dependencyProxyCacheDir := os.Getenv("DEPENDENCY_PROXY_CACHE_DIR")
 	if dependencyProxyCacheDir != "" {
@@ -47,7 +47,7 @@ func ProvideDependencyProxyConfig() DependencyProxyConfig {
 		slog.Error("Failed to create cache directory", "error", err)
 	}
 
-	return DependencyProxyConfig{
+	return DependencyProxyCache{
 		CacheDir: cacheDir,
 	}
 }
@@ -108,7 +108,7 @@ var ControllerModule = fx.Options(
 	fx.Provide(NewScanController),
 
 	// Dependency Proxy
-	fx.Provide(ProvideDependencyProxyConfig),
+	fx.Provide(ProvideDependencyProxyCache),
 	fx.Provide(fx.Annotate(ProvideMaliciousPackageChecker, fx.As(new(shared.MaliciousPackageChecker)))),
 	fx.Provide(NewDependencyProxyController),
 )

controllers/vulndb_controller.go

@@ -149,7 +149,10 @@ func (c VulnDBController) PURLInspect(ctx shared.Context) error {
 		return echo.NewHTTPError(500, "failed to retrieve vulnerabilities for PURL").WithInternal(err)
 	}
 
-	_, maliciousPackage := c.maliciousPackageChecker.IsMalicious(ctx.Request().Context(), purl.Type, fmt.Sprintf("%s/%s", purl.Namespace, purl.Name), purl.Version)
+	_, maliciousPackage, err := c.maliciousPackageChecker.IsMalicious(ctx.Request().Context(), purl.Type, fmt.Sprintf("%s/%s", purl.Namespace, purl.Name), purl.Version)
+	if err != nil {
+		return echo.NewHTTPError(400, "failed to check if package is malicious").WithInternal(err)
+	}
 
 	var componentDTO *dtos.ComponentDTO
 	comp := models.Component{ID: purlString}

database/migrations/20260410163018_add_dependency_proxy_secret.down.sql

@@ -0,0 +1,16 @@
+-- Copyright (C) 2026 l3montree GmbH
+-- 
+-- This program is free software: you can redistribute it and/or modify
+-- it under the terms of the GNU Affero General Public License as
+-- published by the Free Software Foundation, either version 3 of the
+-- License, or (at your option) any later version.
+-- 
+-- This program is distributed in the hope that it will be useful,
+-- but WITHOUT ANY WARRANTY; without even the implied warranty of
+-- MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+-- GNU Affero General Public License for more details.
+-- 
+-- You should have received a copy of the GNU Affero General Public License
+-- along with this program.  If not, see <https://www.gnu.org/licenses/>.
+
+DROP TABLE IF EXISTS public.dependency_proxy_secrets;

database/migrations/20260410163018_add_dependency_proxy_secret.up.sql

@@ -0,0 +1,33 @@
+-- Copyright (C) 2026 l3montree GmbH
+-- 
+-- This program is free software: you can redistribute it and/or modify
+-- it under the terms of the GNU Affero General Public License as
+-- published by the Free Software Foundation, either version 3 of the
+-- License, or (at your option) any later version.
+-- 
+-- This program is distributed in the hope that it will be useful,
+-- but WITHOUT ANY WARRANTY; without even the implied warranty of
+-- MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+-- GNU Affero General Public License for more details.
+-- 
+-- You should have received a copy of the GNU Affero General Public License
+-- along with this program.  If not, see <https://www.gnu.org/licenses/>.
+
+CREATE TABLE IF NOT EXISTS public.dependency_proxy_secrets (
+    secret uuid DEFAULT gen_random_uuid() PRIMARY KEY,
+    asset_id uuid,
+    project_id uuid,
+    org_id uuid,
+    CONSTRAINT dependency_proxy_secrets_exactly_one_scope CHECK (
+        ((asset_id IS NOT NULL)::int + (project_id IS NOT NULL)::int + (org_id IS NOT NULL)::int) = 1
+    )
+);
+CREATE UNIQUE INDEX IF NOT EXISTS dependency_proxy_secrets_unique_asset_id
+    ON public.dependency_proxy_secrets (asset_id)
+    WHERE asset_id IS NOT NULL;
+CREATE UNIQUE INDEX IF NOT EXISTS dependency_proxy_secrets_unique_project_id
+    ON public.dependency_proxy_secrets (project_id)
+    WHERE project_id IS NOT NULL;
+CREATE UNIQUE INDEX IF NOT EXISTS dependency_proxy_secrets_unique_org_id
+    ON public.dependency_proxy_secrets (org_id)
+    WHERE org_id IS NOT NULL;

database/models/dependency_proxy_secret_model.go

@@ -0,0 +1,31 @@
+// Copyright (C) 2026 l3montree GmbH
+//
+// This program is free software: you can redistribute it and/or modify
+// it under the terms of the GNU Affero General Public License as
+// published by the Free Software Foundation, either version 3 of the
+// License, or (at your option) any later version.
+//
+// This program is distributed in the hope that it will be useful,
+// but WITHOUT ANY WARRANTY; without even the implied warranty of
+// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+// GNU Affero General Public License for more details.
+//
+// You should have received a copy of the GNU Affero General Public License
+// along with this program.  If not, see <https://www.gnu.org/licenses/>.
+
+package models
+
+import (
+	"github.com/google/uuid"
+)
+
+type DependencyProxySecret struct {
+	Secret    uuid.UUID  `gorm:"type:uuid;primaryKey; default:gen_random_uuid()"`
+	AssetID   *uuid.UUID `gorm:"type:uuid;"`
+	ProjectID *uuid.UUID `gorm:"type:uuid;"`
+	OrgID     *uuid.UUID `gorm:"type:uuid;"`
+}
+
+func (DependencyProxySecret) TableName() string {
+	return "dependency_proxy_secrets"
+}

database/repositories/dependency_proxy_secret_repository.go

@@ -0,0 +1,123 @@
+// Copyright (C) 2026 l3montree GmbH
+//
+// This program is free software: you can redistribute it and/or modify
+// it under the terms of the GNU Affero General Public License as
+// published by the Free Software Foundation, either version 3 of the
+// License, or (at your option) any later version.
+//
+// This program is distributed in the hope that it will be useful,
+// but WITHOUT ANY WARRANTY; without even the implied warranty of
+// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+// GNU Affero General Public License for more details.
+//
+// You should have received a copy of the GNU Affero General Public License
+// along with this program.  If not, see <https://www.gnu.org/licenses/>.
+package repositories
+
+import (
+	"context"
+
+	"github.com/google/uuid"
+	"github.com/l3montree-dev/devguard/database/models"
+	"github.com/l3montree-dev/devguard/utils"
+	"gorm.io/gorm"
+)
+
+type dependencyProxySecretRepository struct {
+	db *gorm.DB
+	utils.Repository[uuid.UUID, models.DependencyProxySecret, *gorm.DB]
+}
+
+func NewDependencyProxyRepository(db *gorm.DB) *dependencyProxySecretRepository {
+	return &dependencyProxySecretRepository{db: db, Repository: newGormRepository[uuid.UUID, models.DependencyProxySecret](db)}
+}
+
+func (r *dependencyProxySecretRepository) GetOrCreateByOrgID(ctx context.Context, tx *gorm.DB, orgID uuid.UUID) (models.DependencyProxySecret, error) {
+	var proxy models.DependencyProxySecret
+	err := r.db.WithContext(ctx).Where("org_id = ?", orgID).First(&proxy).Error
+	//check if not exists, then create a new one
+	if err != nil {
+		if err == gorm.ErrRecordNotFound {
+			newProxy := models.DependencyProxySecret{
+				OrgID: &orgID,
+			}
+
+			err = r.Create(ctx, r.db, &newProxy)
+			return newProxy, err
+		}
+		return proxy, err
+	}
+	return proxy, err
+}
+
+func (r *dependencyProxySecretRepository) GetOrCreateByProjectID(ctx context.Context, tx *gorm.DB, projectID uuid.UUID) (models.DependencyProxySecret, error) {
+	var proxy models.DependencyProxySecret
+	err := r.db.WithContext(ctx).Where("project_id = ?", projectID).First(&proxy).Error
+	//check if not exists, then create a new one
+	if err != nil {
+		if err == gorm.ErrRecordNotFound {
+			newProxy := models.DependencyProxySecret{
+				ProjectID: &projectID,
+			}
+			err = r.Create(ctx, r.db, &newProxy)
+			return newProxy, err
+		}
+		return proxy, err
+	}
+	return proxy, err
+}
+
+func (r *dependencyProxySecretRepository) GetOrCreateByAssetID(ctx context.Context, tx *gorm.DB, assetID uuid.UUID) (models.DependencyProxySecret, error) {
+	var proxy models.DependencyProxySecret
+	err := r.db.WithContext(ctx).Where("asset_id = ?", assetID).First(&proxy).Error
+	//check if not exists, then create a new one
+	if err != nil {
+		if err == gorm.ErrRecordNotFound {
+			newProxy := models.DependencyProxySecret{
+				AssetID: &assetID,
+			}
+			err = r.Create(ctx, r.db, &newProxy)
+			return newProxy, err
+		}
+		return proxy, err
+	}
+	return proxy, err
+}
+
+func (r *dependencyProxySecretRepository) UpdateSecret(ctx context.Context, tx *gorm.DB, proxy models.DependencyProxySecret) (models.DependencyProxySecret, error) {
+	exec := func(db *gorm.DB) error {
+		newSecret := uuid.New()
+		if err := db.Delete(&models.DependencyProxySecret{}, "secret = ?", proxy.Secret).Error; err != nil {
+			return err
+		}
+		proxy.Secret = newSecret
+		if err := db.Create(&proxy).Error; err != nil {
+			return err
+		}
+		return nil
+	}
+	var err error
+	if tx != nil {
+		err = exec(tx.WithContext(ctx))
+	} else {
+		err = r.db.WithContext(ctx).Transaction(func(tx *gorm.DB) error {
+			return exec(tx)
+		})
+	}
+	if err != nil {
+		return proxy, err
+	}
+
+	return proxy, nil
+}
+
+func (r *dependencyProxySecretRepository) GetBySecret(ctx context.Context, tx *gorm.DB, secret uuid.UUID) (models.DependencyProxySecret, error) {
+
+	var proxy models.DependencyProxySecret
+
+	if err := r.db.WithContext(ctx).Where("secret = ?", secret).First(&proxy).Error; err != nil {
+		return proxy, err
+	}
+
+	return proxy, nil
+}

database/repositories/providers.go

@@ -57,4 +57,5 @@ var Module = fx.Options(
 	fx.Provide(fx.Annotate(NewVEXRuleRepository, fx.As(new(shared.VEXRuleRepository)))),
 	fx.Provide(fx.Annotate(NewExternalReferenceRepository, fx.As(new(shared.ExternalReferenceRepository)))),
 	fx.Provide(fx.Annotate(NewTrustedEntityRepository, fx.As(new(shared.TrustedEntityRepository)))),
+	fx.Provide(fx.Annotate(NewDependencyProxyRepository, fx.As(new(shared.DependencyProxySecretRepository)))),
 )