### Download and Start DevGuard Instance with Docker Compose

Source: https://docs.devguard.org/getting-started

This command downloads the configuration files DevGuard needs and starts the services with Docker Compose. It fetches the files from the `main` branch of the GitHub repository and sets up the environment for local use. Ensure Docker is installed and running before executing. Because `refs/heads/main` is a moving branch head, the files are whatever the branch contains at download time; for anything beyond a throw-away trial, pin the URLs to a tag or commit and read the compose file before you start it.

```bash
curl -LO https://raw.githubusercontent.com/l3montree-dev/devguard/refs/heads/main/docker-compose-try-it.yaml \
&& curl -LO https://raw.githubusercontent.com/l3montree-dev/devguard/refs/heads/main/initdb.sql \
&& curl -LO https://raw.githubusercontent.com/l3montree-dev/devguard/refs/heads/main/.kratos/identity.schema.json \
&& curl -L -o kratos.yml https://raw.githubusercontent.com/l3montree-dev/devguard/refs/heads/main/.kratos/kratos.example.yml \
&& mkdir -p kratos \
&& mv kratos.yml kratos/kratos.yml \
&& mv identity.schema.json kratos/identity.schema.json \
&& docker-compose -f docker-compose-try-it.yaml up
```

--------------------------------

### Start DevGuard Backend Application (Make)

Source: https://docs.devguard.org/contributing/getting-started

Builds and starts the DevGuard backend application. This command relies on the Docker Compose services already being up and running.

```bash
make
```

--------------------------------

### Start DevGuard Frontend Development Server (NPM)

Source: https://docs.devguard.org/contributing/getting-started

Starts the development server for the DevGuard frontend application, with hot reloading and the other development features enabled.

```bash
npm run dev
```

--------------------------------

### Install DevGuard CLI using Go and Docker

Source: https://docs.devguard.org/getting-started/installation

Installation instructions for the DevGuard CLI tool using either Go (requires Go 1.21+) or Docker. The Docker method pulls the image and creates a convenient alias; `latest` is a mutable tag, so pin a version tag or an image digest where reproducibility matters.
```bash
# Install latest version
go install github.com/l3montree-dev/devguard/cmd/devguard-cli@latest

# Verify
devguard-cli --version
```

```bash
# Pull image
docker pull ghcr.io/l3montree-dev/devguard-cli:latest

# Create alias (single quotes: $(pwd) is expanded when the alias is used, not when it is defined)
alias devguard-cli='docker run --rm -v $(pwd):/work ghcr.io/l3montree-dev/devguard-cli:latest'
```

--------------------------------

### Install DevGuard CLI via Binary Release

Source: https://docs.devguard.org/getting-started/installation

Installs the DevGuard CLI from the pre-built binaries on GitHub Releases: download the archive for your platform, extract it, and place the binary somewhere on your `PATH`.

--------------------------------

### Install DevGuard Scanner using Go

Source: https://docs.devguard.org/getting-started/installation

Installs the DevGuard Scanner CLI tool with `go install`. Requires Go 1.21+; the Go bin directory must be on your `PATH` for the binary to be found.

```bash
# Install latest version
go install github.com/l3montree-dev/devguard/cmd/devguard-scanner@latest

# Install specific version
go install github.com/l3montree-dev/devguard/cmd/devguard-scanner@v1.0.0

# Ensure Go bin is in PATH
export PATH="$PATH:$(go env GOPATH)/bin"
```

```bash
devguard-scanner --version
```

--------------------------------

### Clone DevGuard Backend Repository and Setup Submodules (Bash)

Source: https://docs.devguard.org/contributing/getting-started

Clones the DevGuard backend repository from GitHub and initializes its Git submodules. This is the first step in setting up the backend locally.

```bash
git clone git@github.com:l3montree-dev/devguard.git && cd devguard

# setup git submodules
git submodule update --init --recursive
```

--------------------------------

### Configure DevGuard Frontend Environment Variables (Shell)

Source: https://docs.devguard.org/contributing/getting-started

Copies the example environment file to `.env` for the DevGuard frontend.
Users are expected to modify the `.env` file with their specific configurations.

```shell
cp .env.example .env
```

--------------------------------

### Build and Install DevGuard Scanner from Source

Source: https://docs.devguard.org/getting-started/installation

Builds the DevGuard Scanner from source with Go 1.21+: clone the repository, run `make`, and then copy the binary to a system path or add the build directory to your `PATH`.

```bash
# Clone repository
git clone https://github.com/l3montree-dev/devguard
cd devguard

# Build scanner
make devguard-scanner

# Install to system
sudo cp devguard-scanner /usr/local/bin/

# Or add to PATH
export PATH="$PATH:$(pwd)"
```

```bash
devguard-scanner --version
```

```bash
# Run directly from source without installing
go run ./cmd/devguard-scanner/main.go --help
```

--------------------------------

### Install DevGuard Frontend NPM Packages (NPM)

Source: https://docs.devguard.org/contributing/getting-started

Installs the Node.js dependencies of the DevGuard frontend project with npm. Run this after cloning the repository and setting up the environment variables.

```bash
npm install
```

--------------------------------

### Install DevGuard Scanner via Binary Release

Source: https://docs.devguard.org/getting-started/installation

Installs the DevGuard Scanner from the pre-built binaries on GitHub Releases for Linux and macOS. Requires `curl` and `tar`. For Windows, download and `PATH` configuration are manual. The commands fetch the `latest` release over HTTPS but do not verify a checksum or signature: compare the downloaded archive against whatever checksum or signature the release publishes before moving the binary into `/usr/local/bin`, and pin a release tag instead of `latest` where you need reproducible installs.
```bash
# Linux (x86_64):
curl -L https://github.com/l3montree-dev/devguard/releases/latest/download/devguard-scanner_Linux_x86_64.tar.gz | tar xz
sudo mv devguard-scanner /usr/local/bin/
```

```bash
# macOS (Intel):
curl -L https://github.com/l3montree-dev/devguard/releases/latest/download/devguard-scanner_Darwin_x86_64.tar.gz | tar xz
sudo mv devguard-scanner /usr/local/bin/
```

```bash
# macOS (Apple Silicon):
curl -L https://github.com/l3montree-dev/devguard/releases/latest/download/devguard-scanner_Darwin_arm64.tar.gz | tar xz
sudo mv devguard-scanner /usr/local/bin/
```

```bash
# Windows:
# Download from https://github.com/l3montree-dev/devguard/releases
# Extract devguard-scanner.exe
# Move to C:\Program Files\DevGuard\
# Add to PATH
```

```bash
devguard-scanner --version
```

--------------------------------

### Configure DevGuard Backend Environment Variables (Shell)

Source: https://docs.devguard.org/contributing/getting-started

Copies the example environment configuration files to their active versions for the DevGuard backend. Adjust the values in `.env` and `.kratos/kratos.yml` as needed; these files typically end up holding secrets, so keep them out of version control.

```shell
cp .env.example .env
cp .kratos/kratos.example.yml .kratos/kratos.yml
```

--------------------------------

### Start DevGuard Backend Services with Docker Compose (Bash)

Source: https://docs.devguard.org/contributing/getting-started

Starts the backend services DevGuard depends on with Docker Compose in detached mode. Keep them running while you work on the backend.

```bash
docker compose up -d
```

--------------------------------

### Clone DevGuard Frontend Repository (Bash)

Source: https://docs.devguard.org/contributing/getting-started

Clones the DevGuard frontend (DevGuard Web) repository from GitHub. This is the initial step for setting up the frontend locally.
```bash
git clone https://github.com/l3montree-dev/devguard-web.git && cd devguard-web
```

--------------------------------

### Run DevGuard Scanner CLI

Source: https://docs.devguard.org/getting-started

Runs the DevGuard scanner in Docker to perform a Software Composition Analysis (SCA) scan. It mounts the current directory into the container and passes the asset name, API URL, token, and web UI URL. The token is a credential: in a pipeline, pass it from a masked variable rather than writing it into the command, where it would land in shell history and job logs.

```bash
docker run --rm -v "$(pwd):/app" ghcr.io/l3montree-dev/devguard/scanner:main-latest \
    devguard-scanner sca \
        --path=/app \
        --assetName="myorg/projects/newgroup/assets/newrepository" \
        --apiUrl="https://api.main.devguard.org" \
        --token="0135..." \
        --webUI="https://main.devguard.org"
```

--------------------------------

### GitLab CI/CD Pipeline Configuration Example

Source: https://docs.devguard.org/how-to-guides/integrations/gitlab/setup-gitlab-integration

An example `.gitlab-ci.yml` skeleton for integrating DevGuard into a GitLab CI/CD pipeline. Place the file in the root directory of your repository; the scanner commands belong in the `test` stage, with the DevGuard token supplied as a masked CI/CD variable rather than written into the file.

```yaml
stages:
  - build
  - test
  - deploy

build_app:
  stage: build
  script:
    - echo "Building the application..."

test_app:
  stage: test
  script:
    - echo "Running tests..."
    # Add DevGuard security scanning commands here

deploy_app:
  stage: deploy
  script:
    - echo "Deploying the application..."
```

--------------------------------

### Pull DevGuard Scanner Docker Image

Source: https://docs.devguard.org/getting-started

Pulls the latest DevGuard scanner Docker image from the container registry. This is the first step to using the CLI scanner.

```bash
docker pull ghcr.io/l3montree-dev/devguard/devguard-scanner:latest
```

--------------------------------

### Start DevGuard Docker Containers

Source: https://docs.devguard.org/how-to-guides/administration/deploy-with-docker

Starts the DevGuard application and its associated services (e.g., database, Kratos) using Docker Compose.
This command assumes the `docker-compose-try-it.yaml` file has been downloaded and is in the current directory.

```bash
docker-compose -f docker-compose-try-it.yaml up
```

--------------------------------

### Install Sigstore Policy Controller with Helm

Source: https://docs.devguard.org/explanations/compliance/compliance-as-code

These commands install the Sigstore Policy Controller in a Kubernetes cluster using Helm: add the Sigstore Helm repository, update it, create a dedicated namespace, and install the chart. The `--devel` flag also accepts pre-release chart versions; for a production cluster drop it and pin the chart with `--version`.

```bash
helm repo add sigstore https://sigstore.github.io/helm-charts
helm repo update
kubectl create namespace cosign-system
helm install policy-controller -n cosign-system sigstore/policy-controller --devel
```

--------------------------------

### intoto setup

Source: https://docs.devguard.org/reference/scanner/setup

Sets up in-toto for the DevGuard Scanner. This command configures the components needed to generate and manage in-toto attestations.

````APIDOC
## devguard-scanner intoto setup

### Description
Sets up in-toto for the DevGuard Scanner. This command configures the components needed to generate and manage in-toto attestations.

### Method
CLI COMMAND

### Endpoint
N/A (CLI Command)

### Parameters
#### CLI Flags
- **-h, --help** (boolean) - Optional - help for setup
- **--apiUrl** (string) - Optional - The devguard api url
- **--assetName** (string) - Optional - The asset name to use
- **--generateSlsaProvenance** (boolean) - Optional - Generate SLSA provenance for the in-toto link. The provenance will be stored in .provenance.json. It will be signed using the intoto token.
- **--ignore** (stringArray) - Optional - The ignore patterns for the in-toto link (default [.git/**/*])
- **-l, --logLevel** (string) - Optional - Set the log level. Options: debug, info, warn, error (default "info")
- **--materials** (stringArray) - Optional - The materials to include in the in-toto link. Default is the current directory (default [.])
- **--products** (stringArray) - Optional - The products to include in the in-toto link. Default is the current directory (default [.])
- **--step** (string) - Optional - The name of the in-toto link
- **--supplyChainId** (string) - Optional - The supply chain id to use. If empty, tries to extract the current commit hash.
- **--token** (string) - Optional - The token to use for in-toto

### Request Example
```bash
devguard-scanner intoto setup --apiUrl "https://api.devguard.io" --assetName "my-app" --generateSlsaProvenance --step "build" --logLevel "debug"
```

### Response
#### Success Response (CLI Output)
Output varies with the execution and configuration; it typically consists of confirmation messages or errors.

#### Response Example
```
In-toto setup complete.
Provenance file generated: .provenance.json
```
````

--------------------------------

### Install and Use DevGuard Scanner with Docker

Source: https://docs.devguard.org/getting-started/installation

Installs and runs the DevGuard Scanner with Docker. This method pulls the latest image and can be wrapped in a shell alias for convenience. It mounts the current directory into the container for scan operations.
```bash
# Pull latest image
docker pull ghcr.io/l3montree-dev/devguard-scanner:latest

# Run scanner (mount current directory)
docker run --rm \
  -v "$(pwd):/app" \
  ghcr.io/l3montree-dev/devguard-scanner:latest \
  sca
```

```bash
# Add to ~/.bashrc or ~/.zshrc
alias devguard-scanner='docker run --rm -v $(pwd):/app ghcr.io/l3montree-dev/devguard-scanner:latest'

# Now use like normal CLI
devguard-scanner sca
```

```yaml
services:
  scanner:
    image: ghcr.io/l3montree-dev/devguard-scanner:latest
    volumes:
      - ./:/app
    working_dir: /app
    command: sca
```

--------------------------------

### Configure Environment Variables for PyPI Proxy

Source: https://docs.devguard.org/how-to-guides/security/dependency-proxy/setup-pypi-proxy

Configures pip to use the DevGuard Dependency Proxy through environment variables. `PIP_INDEX_URL` points pip at the proxy's simple index and `PIP_TRUSTED_HOST` makes pip accept that host without a valid HTTPS connection; pip picks both up automatically, which suits CI/CD pipelines or cases where you do not want to edit `pip.conf`. The trusted-host setting is only acceptable for a proxy on the local machine: for a proxy reached over the network, serve it over HTTPS and leave `PIP_TRUSTED_HOST` unset, otherwise anyone on the path can substitute packages.

```bash
export PIP_INDEX_URL="http://localhost:8080/api/v1/dependency-proxy/pypi/simple"
export PIP_TRUSTED_HOST="localhost"
pip install requests
```

--------------------------------

### Define Container Resource Limits using Labels

Source: https://docs.devguard.org/tutorials/container-hardening/container-hardening-checklist

This snippet records the expected CPU, memory, and ephemeral-storage requirements of a container as image labels, next to the standard OCI title and description annotations. The `org.opencontainers.image.resource.*` keys are not defined by the OCI image specification; they are a convention that your deployment tooling has to read. The labels enforce nothing by themselves: only the orchestrator's resource limits (Kubernetes `resources.requests`/`resources.limits`, for example) keep a runaway container from exhausting the node and causing a denial of service. Their value is that they travel with the image and give the deployment a single, reviewable source for those limits.
```dockerfile
LABEL org.opencontainers.image.title="myapp"
LABEL org.opencontainers.image.description="Web API for X"
LABEL org.opencontainers.image.resource.cpu="500m"
LABEL org.opencontainers.image.resource.memory="256Mi"
LABEL org.opencontainers.image.resource.ephemeral-storage="1Gi"
```

--------------------------------

### Install Packages with NPM Proxy

Source: https://docs.devguard.org/how-to-guides/security/dependency-proxy/setup-npm-proxy

After configuring the `.npmrc` file, install packages as usual with npm; the requests go through the DevGuard proxy.

```bash
npm install lodash
```

--------------------------------

### DevGuard Helm Chart Configuration Example

Source: https://docs.devguard.org/how-to-guides/administration/deploy-with-helm

A sample `values.yaml` showing the configuration of DevGuard's API and web ingress, the authentication methods (password and passkey), and the mail settings required for account verification. Pass it to the Helm install/upgrade commands. The SMTP connection URI, which carries the mail credentials, is read from an existing Kubernetes secret rather than written into the values file.

```yaml
api:
  ingress:
    enabled: true
    hosts:
      - host: api.devguard.example.com
        paths:
          - path: /
            pathType: Prefix

web:
  ingress:
    enabled: true
    hosts:
      - host: devguard.example.com
        paths:
          - path: /
            pathType: Prefix

# Authentication settings
password:
  enabled: true
passkey:
  enabled: true

# Mail configuration (required for account verification)
mail:
  existingSMTPConnectionUriSecret: "smtp-secret"
  fromAddress: "noreply@example.com"
  fromName: "DevGuard"
```

--------------------------------

### GET /api/v1/dependency-proxy/npm/*

Source: https://docs.devguard.org/how-to-guides/security/dependency-proxy/setup-npm-proxy

This endpoint is the NPM dependency proxy. It handles requests for NPM packages, caches them, and blocks malicious ones.

````APIDOC
## GET /api/v1/dependency-proxy/npm/*

### Description
This endpoint serves as the NPM dependency proxy. It intercepts requests for NPM packages, retrieves them from upstream registries, caches them, and applies security checks to block malicious packages.

### Method
GET

### Endpoint
`/api/v1/dependency-proxy/npm/*`

### Parameters
#### Path Parameters
* **`*`** (string) - Required - The package name and version requested.

#### Query Parameters
N/A

#### Request Body
N/A

### Request Example
```
GET /api/v1/dependency-proxy/npm/lodash
```

### Response
#### Success Response (200 OK)
- **`X-Cache`** (string) - Indicates whether the response was served from cache (`HIT` or `MISS`).
- **`X-Proxy-Type`** (string) - Identifies the proxy type (`npm`).
- **`body`** (binary) - The requested NPM package tarball.

#### Error Response (403 Forbidden)
- **`X-Malicious-Package`** (string) - Present when a package is blocked (`blocked`).

#### Error Response (503 Service Unavailable)
- The database has not yet loaded; a client should retry rather than bypass the proxy.

#### Error Response (502 Bad Gateway)
- Error from the upstream registry.

#### Response Example
**Success (200 OK):**
```
X-Cache: MISS
X-Proxy-Type: npm
Content-Type: application/octet-stream

[...npm package tarball data...]
```

**Blocked (403 Forbidden):**
```
X-Cache: MISS
X-Proxy-Type: npm
X-Malicious-Package: blocked

Package blocked due to malicious content.
```
````

--------------------------------

### DevGuard Scanner CLI: Curl Command Examples

Source: https://docs.devguard.org/reference/scanner/curl

These examples illustrate common uses of the `devguard-scanner curl` command: a simple GET request, a POST request with JSON data, a verbose request with custom headers, and a request that passes a personal access token (PAT) explicitly. `--token` takes the token string as its argument; because a token typed on the command line is visible in shell history and process listings, supply it from an environment variable or a secret store rather than as a literal.
```bash
# Simple GET request
devguard-scanner curl https://api.example.com/users
```

```bash
# POST request with JSON data
devguard-scanner curl -X POST -d '{"name":"test"}' -H "Content-Type: application/json" https://api.example.com/users
```

```bash
# Verbose request with custom headers
devguard-scanner curl -v -H "Accept: application/json" https://api.example.com/data
```

```bash
# Request with an explicit token: --token takes the PAT as its value
# (DEVGUARD_TOKEN is an illustrative variable name, not one the tool defines)
devguard-scanner curl --token "$DEVGUARD_TOKEN" -X GET https://api.example.com/protected
```

--------------------------------

### Go Modules Proxy Endpoint

Source: https://docs.devguard.org/how-to-guides/security/dependency-proxy/setup-go-proxy

This endpoint serves Go modules through the DevGuard Dependency Proxy and accepts GET requests for module paths. When its URL is configured as `GOPROXY`, the `go` command issues the standard module proxy protocol requests beneath it (`<module>/@v/list`, `<module>/@v/<version>.info`, `.mod` and `.zip`); the response examples below are schematic.

````APIDOC
## GET /api/v1/dependency-proxy/go/*

### Description
Serves Go modules through the DevGuard Dependency Proxy.

### Method
GET

### Endpoint
/api/v1/dependency-proxy/go/*

### Query Parameters
None

### Request Body
None

### Response
#### Success Response (200 OK)
- **X-Cache** (string) - Indicates whether the response was served from cache (HIT or MISS).
- **X-Proxy-Type** (string) - Identifies the proxy type as 'go'.

#### Error Response (403 Forbidden)
- **X-Malicious-Package** (string) - Present when a malicious package is blocked; value is 'blocked'.

#### Error Response (503 Service Unavailable)
- The database is not yet loaded.

#### Error Response (502 Bad Gateway)
- Upstream registry error.

### Response Example (Success)
```json
{
  "module_data": "..."
}
```

### Response Example (Blocked)
```json
{
  "error": "Malicious package detected"
}
```
````

--------------------------------

### Search Examples for Vulnerabilities

Source: https://docs.devguard.org/how-to-guides/dependency-management/find-vulnerable-deps

Illustrates search queries for finding vulnerabilities in the DevGuard interface.
These examples show searching by CVE ID prefix, by component name, and by descriptive keyword. Matching is case-insensitive: `CVE-2024` matches by identifier prefix, while the other terms match component names and descriptions, so `spring` returns Spring framework findings together with any other component whose name contains the term, and `remote code` finds the RCEs whose description uses that phrase (not those described only as "arbitrary code execution").

```text
Search Examples:
- "CVE-2024"    → all CVEs whose identifier starts with CVE-2024
- "spring"      → vulnerabilities whose component name or description contains "spring"
- "remote code" → vulnerabilities whose description contains "remote code"
```

--------------------------------

### Backup PostgreSQL Database with pg_dump

Source: https://docs.devguard.org/how-to-guides/administration/backup-restore

Creates a plain-SQL dump of the `devguard` PostgreSQL database with `pg_dump`. `{data_source}` and `{timestamp}` are placeholders in the output file name; the leading `/` writes into the filesystem root, so substitute your backup directory. Connection parameters (host, port, user, password) come from the usual libpq environment variables (`PGHOST`, `PGUSER`, `PGPASSWORD`, ...) or `~/.pgpass`. Ensure `pg_dump` is installed and, since the dump holds the full contents of the database, store it with at least the same access restrictions as the database itself.

```bash
pg_dump --dbname=devguard --file="/{data_source}-{timestamp}-dump.sql"
```

--------------------------------

### DevGuard Scanner CLI Help Command Options

Source: https://docs.devguard.org/reference/scanner/help

Lists the options of the `intoto help` command in the DevGuard Scanner CLI: a help flag plus the options inherited from `intoto` for API URL, asset name, SLSA provenance generation, ignore patterns, log level, materials, products, step name, supply chain ID, and token.

```text
  -h, --help                    help for help
      --apiUrl string           The devguard api url
      --assetName string        The asset name to use
      --generateSlsaProvenance  Generate SLSA provenance for the in-toto link. The provenance will be stored in .provenance.json. It will be signed using the intoto token.
      --ignore stringArray      The ignore patterns for the in-toto link (default [.git/**/*])
  -l, --logLevel string         Set the log level. Options: debug, info, warn, error (default "info")
      --materials stringArray   The materials to include in the in-toto link. Default is the current directory (default [.])
      --products stringArray    The products to include in the in-toto link. Default is the current directory (default [.])
      --step string             The name of the in-toto link
      --supplyChainId string    The supply chain id to use. If empty, tries to extract the current commit hash.
      --token string            The token to use for in-toto
```

--------------------------------

### Test Malicious Package Blocking with NPM

Source: https://docs.devguard.org/how-to-guides/security/dependency-proxy/setup-npm-proxy

Declare your dependencies in `package.json`, including a package the proxy's malicious-package database flags (`fake-malicious-npm-package` in this test). When `npm install` runs through the proxy, the legitimate package is served and the flagged one is refused: the proxy answers `403 Forbidden` with the `X-Malicious-Package: blocked` header, and npm aborts the install rather than silently skipping the package.

```json
{
  "dependencies": {
    "lodash": "^4.17.21",
    "fake-malicious-npm-package": "1.0.0"
  }
}
```
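--------------------------------

### Added Example: Pinned, Checksum-Verified Downloads

The getting-started snippet above pipes files from `refs/heads/main` straight into Docker Compose, and the binary-release snippets pipe `releases/latest` archives straight into `tar`; neither pins a version nor checks what arrived. The shell functions below are an added example, not DevGuard project code, and show the download done the way a practitioner would do it in a pipeline: fetch at a pinned ref over HTTPS only, compute the SHA-256, and move the file into place only if it matches a digest obtained out of band. `<commit-sha>`, `<tag>` and `<expected-sha256>` in the usage comments are placeholders; the digests must come from the release page or another source you trust, never from the download itself.

```shell
#!/bin/sh
# Added example, not DevGuard project code: fetch a pinned file and refuse to
# use it unless its SHA-256 matches a digest obtained out of band.
set -eu

# sha256_of FILE -> hex digest of FILE (coreutils sha256sum, or shasum on macOS/BSD)
sha256_of() {
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$1" | awk '{print $1}'
  else
    shasum -a 256 "$1" | awk '{print $1}'
  fi
}

# verify_sha256 FILE EXPECTED -> 0 iff FILE hashes to EXPECTED (hex, any case).
# On mismatch both digests go to stderr so the failure is auditable.
verify_sha256() {
  expected="$(printf '%s' "$2" | tr 'A-F' 'a-f')"
  actual="$(sha256_of "$1")"
  if [ "$actual" != "$expected" ]; then
    printf 'checksum mismatch for %s\n  expected %s\n  actual   %s\n' \
      "$1" "$expected" "$actual" >&2
    return 1
  fi
  return 0
}

# fetch_verified URL EXPECTED DEST -> download URL to a temp file, verify it,
# and only then move it to DEST, so an unverified file never lands at DEST.
# --proto/--proto-redir '=https' refuse plain HTTP, including after a redirect.
fetch_verified() {
  tmp="$(mktemp)"
  if ! curl -fsSL --proto '=https' --proto-redir '=https' -o "$tmp" "$1" \
     || ! verify_sha256 "$tmp" "$2"; then
    rm -f "$tmp"
    return 1
  fi
  mv "$tmp" "$3"
}

# Usage (placeholders in angle brackets; digests from the release page or
# another trusted source, not from the download):
#   fetch_verified \
#     "https://raw.githubusercontent.com/l3montree-dev/devguard/<commit-sha>/docker-compose-try-it.yaml" \
#     "<expected-sha256>" docker-compose-try-it.yaml
#   fetch_verified \
#     "https://github.com/l3montree-dev/devguard/releases/download/<tag>/devguard-scanner_Linux_x86_64.tar.gz" \
#     "<expected-sha256>" devguard-scanner.tar.gz \
#   && tar xzf devguard-scanner.tar.gz && sudo mv devguard-scanner /usr/local/bin/
```

Because the archive is written to disk before extraction, `verify_sha256` can also be run on its own against a file you already downloaded with the page's `curl -L` commands; the `releases/download/<tag>/` form replaces `releases/latest/download/` so that the URL, like the digest, identifies one specific release.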
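--------------------------------

### Added Example: Turning Resource Labels into Enforced Limits

The container-hardening snippet above stores resource expectations as image labels, which by themselves limit nothing. The script below is an added example, not DevGuard project code: it reads those labels back from a built image with `docker image inspect`, validates each value as a Kubernetes resource quantity, and emits the `resources` block that actually enforces them, failing rather than producing a permissive spec when a label is missing or malformed. `myapp:1.0` in the usage comment is a hypothetical image name, and the quantity check is a simplified form of the Kubernetes syntax (the exponent notation such as `1e3` is deliberately not accepted).

```shell
#!/bin/sh
# Added example, not DevGuard project code: derive enforced Kubernetes resource
# limits from the org.opencontainers.image.resource.* labels on an image.
set -eu

# is_k8s_quantity VALUE -> 0 iff VALUE is a decimal number with an optional
# SI (m, k, M, G, T, P, E) or binary (Ki, Mi, Gi, Ti, Pi, Ei) suffix.
# Simplified: the exponent form accepted by Kubernetes is not handled here.
is_k8s_quantity() {
  printf '%s\n' "$1" | grep -Eq '^[0-9]+(\.[0-9]+)?(m|k|M|G|T|P|E|Ki|Mi|Gi|Ti|Pi|Ei)?$'
}

# read_label IMAGE KEY -> prints the label value, or an empty line if absent.
# Requires the image to be present locally (docker pull first).
read_label() {
  docker image inspect --format "{{ index .Config.Labels \"$2\" }}" "$1"
}

# resources_yaml CPU MEMORY STORAGE -> prints a container resources block that
# uses the labelled values as both request and limit, so a container exceeding
# them is throttled (CPU) or evicted/killed (memory, ephemeral storage).
# Returns 1 without output if any value is missing or not a valid quantity.
resources_yaml() {
  cpu="$1" mem="$2" storage="$3"
  for v in "$cpu" "$mem" "$storage"; do
    if [ -z "$v" ] || ! is_k8s_quantity "$v"; then
      printf 'refusing to build resources: invalid quantity "%s"\n' "$v" >&2
      return 1
    fi
  done
  cat <<EOF
resources:
  requests:
    cpu: "$cpu"
    memory: "$mem"
    ephemeral-storage: "$storage"
  limits:
    cpu: "$cpu"
    memory: "$mem"
    ephemeral-storage: "$storage"
EOF
}

# Usage against a built image (myapp:1.0 is a hypothetical image name):
#   resources_yaml \
#     "$(read_label myapp:1.0 org.opencontainers.image.resource.cpu)" \
#     "$(read_label myapp:1.0 org.opencontainers.image.resource.memory)" \
#     "$(read_label myapp:1.0 org.opencontainers.image.resource.ephemeral-storage)"
```

The output is meant to be spliced into the container spec of a Deployment or Pod manifest; setting requests equal to limits gives the container a guaranteed QoS class, which is the conservative choice for a hardened workload whose resource envelope is known.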