|
1 | | -import PageContentComingSoon from '@/components/PageContentComingSoon' |
| 1 | +--- |
| 2 | +title: Your First Scan |
| 3 | +description: Run a dependency scan against your project and view results in DevGuard |
| 4 | +--- |
| 5 | + |
| 6 | +import { Callout, Steps } from 'nextra/components' |
2 | 7 |
|
3 | 8 | # Your First Scan |
4 | 9 |
|
5 | | -<PageContentComingSoon /> |
| 10 | +This guide walks you through running a dependency scan (SCA) on your project using the DevGuard scanner and viewing the results in the DevGuard UI. It takes about 5 minutes. |
| 11 | + |
| 12 | +## Prerequisites |
| 13 | + |
| 14 | +Before you begin, ensure you have: |
| 15 | + |
| 16 | +- **Docker** installed on your system |
| 17 | +- Access to a **DevGuard instance** ([DevGuard Cloud](https://app.devguard.org) or [self-hosted](/how-to-guides/administration)) |
| 18 | +- A **repository** created in DevGuard (organization → group → repository) |
| 19 | + |
| 20 | +If you need to set up a local instance from scratch, follow the [Quickstart](/getting-started) instead. |
| 21 | + |
| 22 | +## Steps |
| 23 | + |
| 24 | +<Steps> |
| 25 | + |
| 26 | +### Create a Personal Access Token |
| 27 | + |
| 28 | +The scanner authenticates with DevGuard using a personal access token (PAT). |
| 29 | + |
| 30 | +1. Log into your DevGuard instance |
| 31 | +2. Navigate to **User Settings** (click your avatar → Settings) |
| 32 | +3. Under **Personal Access Tokens**, click **Create Token** |
| 33 | +4. Give the token a descriptive name (e.g., "CLI Scanner") |
| 34 | +5. Copy the generated token — you won't be able to see it again |
| 35 | + |
| 36 | +<Callout type="warning"> |
| 37 | + Store your token securely. Never commit it to version control. Use environment variables or a secrets manager in CI/CD pipelines. |
| 38 | +</Callout> |
| 39 | + |
| 40 | +### Identify Your Asset Name |
| 41 | + |
| 42 | +Every scan targets a specific repository (called an **asset**) in DevGuard. The asset name follows this pattern: |
| 43 | + |
| 44 | +``` |
| 45 | +{org}/{projects}/{project}/{assets}/{repository} |
| 46 | +``` |
| 47 | + |
| 48 | +You can copy the full asset name from the URL when viewing your repository in the DevGuard UI. For example, if your URL is: |
| 49 | + |
| 50 | +``` |
| 51 | +https://app.devguard.org/myorg/projects/myproject/assets/myrepo |
| 52 | +``` |
| 53 | + |
| 54 | +Then your asset name is `myorg/projects/myproject/assets/myrepo`. |
| 55 | + |
| 56 | +### Run the Dependency Scan |
| 57 | + |
| 58 | +Navigate to the root of your project directory and run: |
| 59 | + |
| 60 | +```bash copy |
| 61 | +docker run -v "$(pwd):/app" ghcr.io/l3montree-dev/devguard/scanner:main-latest \ |
| 62 | + devguard-scanner sca \ |
| 63 | + --path /app/ \ |
| 64 | + --assetName="myorg/projects/myproject/assets/myrepo" \ |
| 65 | + --apiUrl="https://api.devguard.org" \ |
| 66 | + --token="YOUR_TOKEN" |
| 67 | +``` |
| 68 | + |
| 69 | +<Callout type="info"> |
| 70 | + **Self-hosted?** Replace `--apiUrl` with the URL of your DevGuard API (e.g., `http://localhost:8080`). |
| 71 | +</Callout> |
| 72 | + |
| 73 | +The scanner will: |
| 74 | +1. Detect your project's package manager and parse dependency files |
| 75 | +2. Generate a Software Bill of Materials (SBOM) |
| 76 | +3. Upload the SBOM to DevGuard |
| 77 | +4. Match all components against the vulnerability database |
| 78 | +5. Print a summary of findings to your terminal |
| 79 | + |
| 80 | +### Review the Terminal Output |
| 81 | + |
| 82 | +A successful scan produces a table like this: |
| 83 | + |
| 84 | +``` |
| 85 | +11:48AM INF scanning directory dir=/app |
| 86 | +11:49AM INF Scan completed successfully dependencyVulnAmount=4 openedByThisScan=4 closedByThisScan=0 |
| 87 | ++--------------------------------------------+----------------+------+------+---------------------+---------+--------+ |
| 88 | +| LIBRARY | VULNERABILITY | RISK | CVSS | INSTALLED | FIXED | STATUS | |
| 89 | ++--------------------------------------------+----------------+------+------+---------------------+---------+--------+ |
| 90 | +| pkg:golang/golang.org/x/crypto | CVE-2025-47914 | 0.49 | 5.3 | 0.44.0 | v0.45.0 | open | |
| 91 | +| pkg:golang/github.com/dvsekhvalnov/jose2go | CVE-2025-63811 | 0.57 | 7.5 | 1.6.0 | v1.7.0 | open | |
| 92 | +| pkg:golang/github.com/aws/aws-sdk-go | CVE-2020-8911 | 0.63 | 5.6 | 1.55.7 | | open | |
| 93 | +| pkg:pypi/requests | CVE-2024-47081 | 1.22 | 5.3 | 2.32.3 | 2.32.4 | open | |
| 94 | ++--------------------------------------------+----------------+------+------+---------------------+---------+--------+ |
| 95 | +``` |
| 96 | + |
| 97 | +| Column | Description | |
| 98 | +|---|---| |
| 99 | +| **LIBRARY** | The affected package in [Package URL](https://github.com/package-url/purl-spec) format | |
| 100 | +| **VULNERABILITY** | CVE or advisory identifier | |
| 101 | +| **RISK** | DevGuard's contextual [risk score](/explanations/core-concepts/risk-scoring) — factors in exploitability, known exploits, and dependency depth | |
| 102 | +| **CVSS** | Raw CVSS severity score | |
| 103 | +| **INSTALLED** | The version currently in your project | |
| 104 | +| **FIXED** | The version that resolves the vulnerability (empty if no fix is available) | |
| 105 | +| **STATUS** | Current vulnerability status (`open`, `fixed`, etc.) | |
| 106 | + |
| 107 | +<Callout type="info"> |
| 108 | + **No vulnerabilities found?** That's a good sign. The scan still uploaded your SBOM to DevGuard — you'll see your dependency inventory in the UI even without active vulnerabilities. |
| 109 | +</Callout> |
| 110 | + |
| 111 | +### View Results in DevGuard |
| 112 | + |
| 113 | +Open your repository in the DevGuard web UI. You'll see: |
| 114 | + |
| 115 | +- A **vulnerability overview** with detected issues sorted by risk |
| 116 | +- The **dependency inventory** generated from your SBOM |
| 117 | +- **Risk distribution** across your project's components |
| 118 | + |
| 119 | + |
| 120 | + |
| 121 | +Click on any vulnerability to see detailed information including affected versions, fix recommendations, and links to the original advisory. |
| 122 | + |
| 123 | +</Steps> |
| 124 | + |
| 125 | +## Next Steps |
| 126 | + |
| 127 | +Now that you've completed your first scan, explore additional security scanning capabilities: |
| 128 | + |
| 129 | +- **[Scan Source Code](/how-to-guides/scanning/scan-source-code)** — Run SAST, secret scanning, and IaC analysis on your codebase |
| 130 | +- **[Scan OCI Images](/how-to-guides/scanning/scan-docker-images)** — Scan container images for vulnerabilities |
| 131 | +- **[Scan with GitHub Actions](/how-to-guides/scanning/scan-with-github-actions)** — Automate scanning in CI/CD |
| 132 | +- **[Scan with GitLab CI](/how-to-guides/scanning/scan-with-gitlab-ci)** — Automate scanning in GitLab pipelines |
| 133 | +- **[DevGuard's Key Concepts](/getting-started/key-concepts)** — Understand risk scoring, vulnerability lifecycle, and more |
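Review bot: The self-hosted callout at new line 70 will not work as written with the `docker run` command at new lines 61-66: inside the scanner container, `http://localhost:8080` resolves to the container itself, not to the API running on the host, so readers coming from the Quickstart will get a connection error. Either show a host-reachable address in the example (e.g. `http://host.docker.internal:8080` on Docker Desktop, or run the container with `--network host` on Linux) or say explicitly that `localhost` must be replaced with an address the container can reach. Two smaller points: the asset-name pattern at new line 45, `{org}/{projects}/{project}/{assets}/{repository}`, brace-quotes `projects` and `assets` as if they were placeholders, while the example at line 51 shows them as fixed path segments, so `{org}/projects/{project}/assets/{repository}` would match the example; and since the warning at new line 37 tells readers to use environment variables, the command at line 66 could read `--token="$DEVGUARD_TOKEN"` (a hypothetical variable name) instead of an inline `YOUR_TOKEN` literal, which also keeps the secret out of the copied command. The two empty lines at new 119-120 look like a leftover placeholder for a screenshot and could be dropped or filled.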