# Explanation

- [ ] index.mdx # Explanation overview

## core-concepts

- [x] what-is-devguard.mdx # Core mission
- [x] organizations-projects-assets.mdx # Hierarchy
- [x] asset-versions.mdx # Branching model
- [x] artifacts.mdx # Artifact concept
- [x] vulnerability-types.mdx # Dependency vs. first-party
- [x] risk-scoring.mdx # Risk calculation
- [x] sbom-vex-relationship.mdx # SBOM vs VEX

## architecture

- [ ] system-overview.mdx # High-level architecture (DIAGRAM)
- [ ] data-flow.mdx # Data flow (DIAGRAM)
- [ ] security-model.mdx # Security architecture (DIAGRAM)
- [ ] database-schema.mdx # Database design
- [ ] authentication-flow.mdx # Auth (Kratos integration)
- [ ] scanner-architecture.mdx # Scanner design
- [ ] scalability.mdx # Horizontal scaling

## vulnerability-management

- [x] vulnerability-lifecycle.mdx # Vuln states
- [x] risk-assessment-methodology.mdx # CIA + EPSS + CVSS
- [x] mitigation-strategies.mdx # How to mitigate
- [x] false-positive-detection.mdx # Why false positives
- [x] vulnerability-events.mdx # Event system
- [x] external-vuln-sync.mdx # Third-party sync

## dependency-management

- [ ] dependency-resolution.mdx # How deps are resolved
- [ ] dependency-graph.mdx # Graph visualization
- [ ] transitive-dependencies.mdx # Direct vs transitive
- [ ] version-matching.mdx # Semver matching
- [ ] package-ecosystems.mdx # npm, PyPI, Go, Maven, etc.

## license-management

- [x] license-detection.mdx # How licenses are detected
- [x] license-compliance.mdx # Legal compliance

## supply-chain-security

- [x] what-is-supply-chain-security.mdx # Overview
- [x] in-toto-framework.mdx # In-toto explained
- [x] attestations.mdx # Attestation types
- [x] supply-chain-verification.mdx # Verification process
- [x] slsa-framework.mdx # SLSA levels
- [x] provenance-tracking.mdx # Build provenance

## compliance

- [x] why-compliance-matters.mdx # Business case
- [x] cyber-resilience-act.mdx # EU CRA explained
- [x] iso-27001-mapping.mdx # ISO requirements
- [x] csaf-vex-explained.mdx # CSAF/VEX standards
- [x] sbom-standards.mdx # CycloneDX vs SPDX
- [x] audit-trails.mdx # Audit logging

## security

- [ ] dependency-proxy-security.mdx # Proxy security model
- [ ] malicious-package-detection.mdx # OSSF DB integration
- [ ] cache-integrity.mdx # SHA256 verification
- [ ] rbac-model.mdx # Casbin RBAC
- [ ] api-security.mdx # API security
- [ ] secrets-management.mdx # PAT handling

## integrations

- [ ] integration-architecture.mdx # How integrations work
- [ ] github-integration.mdx # GitHub App design
- [ ] gitlab-integration.mdx # GitLab integration
- [ ] jira-integration.mdx # Jira integration
- [ ] webhook-system.mdx # Webhook design
- [ ] external-entity-providers.mdx # External auth

## advanced-topics

- [ ] daemon-pipeline.mdx # Background jobs
- [ ] open-source-insights.mdx # Google OSI integration
- [ ] fixed-version-detection.mdx # Auto-fix detection
- [ ] statistics-calculation.mdx # Risk history (Patrick)
- [ ] multi-tenancy.mdx # Org isolation
- [ ] performance-optimization.mdx # Scaling tips