Security & DevGuard integration
The security of your software is not an afterthought, but a fundamental part of responsible development. That's why the DevGuard service is directly integrated into gitlab.opencode.de.
DevGuard helps you identify security vulnerabilities early on, keep dependencies transparent, and continuously comply with security standards.
What is DevGuard?
DevGuard is an open-source tool for automated security analysis of software projects. Among other things, it supports:
- Dependency analysis (dependency scans)
- Detection of known security vulnerabilities (CVEs)
- Creation and evaluation of SBOMs (software bills of materials)
- Sharing security-related documentation, such as SBOMs, as attestations
Integration is done directly via GitLab and is already set up for projects on openCode.
Requirements
In order for DevGuard to be used effectively, the following requirements must be met:
- The project is located at https://gitlab.opencode.de
- You have at least the role of Maintainer in the project
- A functioning CI/CD pipeline is available or planned
Enable DevGuard in the project
Visit devguard.opencode.de and navigate to your desired repository after logging in. The directory structure mirrors the familiar GitLab structure.
Select Auto-Setup. DevGuard will now integrate automatically.
After the next pipeline run, the security analyses will be performed automatically.
Info
The specific configuration of DevGuard may vary depending on the project. For complex requirements, refer to the current specifications in the Upstream DevGuard documentation.
Results of the security analyses
After the pipeline has been successfully executed, the results are available:
- directly in the GitLab pipeline
- in the corresponding security reports in DevGuard
- in the dependency and license analyses
Any vulnerabilities found can now be assessed and remedied in a timely manner. A swift response is recommended, especially for publicly visible projects.
Dealing with security vulnerabilities
If a critical security vulnerability is discovered in your project:
- Assess the impact on your project
- Prioritize the fix
- Document the change in a traceable manner in the project
- Inform affected users if necessary
For particularly serious security incidents, coordinated disclosure may be appropriate.
Security as an ongoing task
Security is not a one-time step, but an ongoing process:
- Keep dependencies up to date
- Check DevGuard reports regularly
- Remove components that are no longer needed
- Document security-related decisions
Frequently asked questions and problems
Is DevGuard mandatory?
The use of DevGuard is recommended on openCode, especially for public projects. Depending on the organizational framework, there may be binding requirements for vulnerability management, for which DevGuard could be the tool of choice.
Who can see the security results?
The results are visible to project members according to their role. Public security reports should only be published after careful review.
Does DevGuard replace manual security testing?
No. Automated analyses are an important tool, but they do not replace professional evaluation by developers or security experts.
With the DevGuard integration, openCode provides a central tool for delivering secure, maintainable, and trustworthy open-source software.