DevGuard Getting Started

Install the CLI or IDE extension, generate an API key, run your first scan, and review results — all in under five minutes.

01

Generate a DevGuard API Key

Log in to the Pentesterra web console. Navigate to DevGuard → API Keys in the sidebar, then click Generate New Key.

Enter a descriptive label for the key (e.g. the project or machine name) and click Generate Key.

Enter a label and click Generate Key.

The key is shown only once. Copy it to your clipboard and store it securely — you will need it in the next step.

Copy the key immediately. It will not be shown again.

02

Install the CLI

Using the VS Code, Cursor, or Windsurf extension? You can skip this step — the extension automatically downloads and installs the CLI on first use. No pip required.

For terminal and CI/CD workflows, DevGuard CLI requires Python 3.9+. Install with pip:

pip install pentesterra-devguard

Or download the pre-built archive from our site:

curl -LO https://www.pentesterra.com/devguard.tar.gz
pip install devguard.tar.gz

Verify the installation:

pentesterra-devguard --help

To update to the latest version:

pentesterra-devguard update

The CLI checks for updates on each scan (at most once per 24 hours) and shows a notice when a newer version is available. Run pentesterra-devguard update to apply it.

03

Initialize Your Project

Navigate to the root of your project and run:

pentesterra-devguard init

You will be prompted for the API URL (default: https://app.pentesterra.com) and the API key you generated in Step 1. The credentials are saved to ~/.pentestera/config.yaml with 0600 permissions.

04

Run a Scan

From your project directory:

pentesterra-devguard scan

The CLI collects metadata locally — dependency lockfiles, secret patterns (masked), configurations, IDE extensions, and AI toolchain settings — then uploads the redacted payload to the Pentesterra cloud for analysis.

Options:

Flag                  Description
--project, -p         Project alias (default: directory name)
--mode, -m            standard or deep
--wait / --no-wait    Wait for cloud analysis to complete (default: wait)
--timeout             Max seconds to wait (default: 120)
--dry-run             Show the payload without uploading

Example with options:

pentesterra-devguard scan . --project my-app --mode deep --no-wait

05

View Results (CLI)

After the scan completes, view the results:

pentesterra-devguard results <scan_id>

Other useful commands:

Command             Description
status <scan_id>    Check scan progress
projects            List registered projects
scans               List recent scans
quota               View quota usage

All commands support --json for machine-readable output:

pentesterra-devguard --json scan .

06

IDE Extension (VS Code / Cursor / Windsurf)

DevGuard is available as a native extension for VS Code, Cursor, and Windsurf. The extension is zero-setup: it automatically downloads and installs the CLI on first use — no separate pip install needed.

Option A — VS Code Marketplace (recommended, auto-updates)

Search for Pentesterra DevGuard in the Extensions panel, or install from the command line:

code --install-extension pentesterra.pentesterra-devguard

Marketplace installs update automatically with VS Code's built-in update mechanism.

Option B — Download .vsix from our site (also auto-updates)

# VS Code
code --install-extension devguard.vsix

# Cursor
cursor --install-extension devguard.vsix

# Windsurf
windsurf --install-extension devguard.vsix

Or download the VSIX and install via Extensions → Install from VSIX in your IDE. When installed from our site, the extension checks for updates automatically (once per 24 hours) and offers a one-click update with SHA256 integrity verification.

After installation, open the command palette (Cmd+Shift+P / Ctrl+Shift+P) and run DevGuard: Configure API Key. The sidebar shows connection status, projects, and scan history.

Command palette with DevGuard commands and scan results in the main panel.
Sidebar: connection status, scan-on-push toggle, and quick actions.

Click Run Scan in the sidebar or use the command palette. Results appear directly in the IDE with severity badges, risk categories, and CVE details.

Full scan results inside the IDE: risk score, categories, and CVE findings.

07

View Results in the Web Console

All scan results are also available in the Pentesterra web console under DevGuard. The dashboard shows quota usage, overall risk score, risk categories, and recent scans.

DevGuard dashboard: quota, risk overview, categories, and recent scans.

Click on a scan to see detailed findings — CVE IDs, CVSS scores, affected packages, descriptions, and remediation links.

Detailed scan view: severity, CVE, CVSS, package, description, and remediation.

08

Pre-Push Security Gate

DevGuard can install a Git pre-push hook that automatically scans your project before code leaves your machine:

# Install the hook
pentesterra-devguard hooks install

# Check hook status
pentesterra-devguard hooks status

# Remove the hook
pentesterra-devguard hooks uninstall

If critical or high-severity findings are detected, the push is blocked. Configure the threshold with --fail-threshold. Bypass when needed with git push --no-verify.

In the IDE extension, use the Install Git Hooks action in the sidebar or the command palette.

09

Privacy & Data Collection

DevGuard follows a privacy-first architecture. No source code is ever uploaded. Only the following metadata is collected:

  • Dependencies — package names and versions from lockfiles
  • Secrets metadata — type, file path, line number, and masked fingerprint (actual values are never transmitted)
  • Misconfigurations — known config issues in Dockerfile, .env, docker-compose
  • Project metadata — tech stack hints, file count, framework signatures

Use --dry-run to inspect the exact payload before any data is sent.
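To make the collection rule concrete, here is an added Python illustration (not DevGuard's own detector or payload format) of how secret metadata can be reported without the value: the patterns, masking scheme and fingerprint are assumptions, and the .env contents are constructed.

```python
import hashlib
import json
import re

# Added illustration of the Privacy section's rule, not DevGuard's detector:
# the payload carries type, file path, line number and a masked fingerprint
# of each secret, never the value. Patterns and masking scheme are assumed.
SECRET_PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "generic_api_key": re.compile(r"(?i)\bapi[_-]?key\s*[=:]\s*['\"]?([A-Za-z0-9_\-]{16,})"),
}

def mask(value: str) -> str:
    """Show only the first four characters; the rest becomes '*'."""
    return value[:4] + "*" * (len(value) - 4)

def fingerprint(value: str) -> str:
    """Truncated SHA-256: lets the same secret be recognised across scans
    without transmitting it (cannot be reversed to the value)."""
    return hashlib.sha256(value.encode()).hexdigest()[:16]

def secrets_metadata(path: str, text: str) -> list[dict]:
    """Return the metadata records that would go into the upload payload."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for kind, pattern in SECRET_PATTERNS.items():
            for m in pattern.finditer(line):
                value = m.group(m.lastindex or 0)  # captured group if any
                findings.append({
                    "type": kind,
                    "file": path,
                    "line": lineno,
                    "masked": mask(value),
                    "fingerprint": fingerprint(value),
                })
    return findings

def payload_is_clean(findings: list[dict], raw_values: list[str]) -> bool:
    """Dry-run check: none of the raw secret values appear in the payload."""
    payload = json.dumps(findings)
    return not any(v in payload for v in raw_values)

# Constructed sample .env; these are not real credentials.
SAMPLE_ENV = """\
DB_HOST=localhost
AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE
API_KEY="sk_test_0123456789abcdefghij"
"""
```

The same kind of check is what --dry-run lets you do by hand: read the payload and confirm only metadata leaves the machine.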

10

Supported Ecosystems

DevGuard parses 15 lockfile formats across 10 ecosystems:

Ecosystem          Lockfiles
Node.js            package-lock.json, yarn.lock, pnpm-lock.yaml
Python             requirements.txt, Pipfile.lock, poetry.lock
Go                 go.sum
Rust               Cargo.lock
Ruby               Gemfile.lock
PHP                composer.lock
Java / Kotlin      pom.xml, build.gradle, build.gradle.kts
.NET / NuGet       packages.lock.json
Swift              Package.resolved
Dart / Flutter     pubspec.lock

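As an added example that is not DevGuard's parser, the following Python extracts the package name and version pairs the Privacy section says are collected, from two of the formats above: package-lock.json (lockfileVersion 1, 2 and 3) and requirements.txt. The sample inputs are constructed.

```python
import json
import re

# Added example, not DevGuard's own parser. package-lock.json is read from
# its "packages" map (lockfileVersion 2/3) or the nested "dependencies" tree
# (lockfileVersion 1); requirements.txt yields a version only for "==" pins.
def parse_package_lock(text: str) -> list[tuple[str, str]]:
    lock = json.loads(text)
    found = set()
    packages = lock.get("packages")
    if packages is not None:
        for path, meta in packages.items():
            if not path:  # "" is the root project itself, not a dependency
                continue
            # strip nesting: "node_modules/a/node_modules/@s/b" -> "@s/b"
            name = path.rsplit("node_modules/", 1)[-1]
            found.add((name, meta.get("version", "unknown")))
    else:
        def walk(deps: dict) -> None:
            for name, meta in deps.items():
                found.add((name, meta.get("version", "unknown")))
                walk(meta.get("dependencies", {}))
        walk(lock.get("dependencies", {}))
    return sorted(found)

REQ_LINE = re.compile(r"^([A-Za-z0-9][A-Za-z0-9._-]*)(?:\[[^\]]*\])?\s*(?:==\s*([^\s;#]+))?")

def parse_requirements(text: str) -> list[tuple[str, str]]:
    found = set()
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments
        if not line or line.startswith("-"):  # skip blanks and -r/-e options
            continue
        m = REQ_LINE.match(line)
        if m:
            found.add((m.group(1).lower(), m.group(2) or "unpinned"))
    return sorted(found)

# Constructed sample inputs (not real project files).
SAMPLE_PACKAGE_LOCK = json.dumps({"lockfileVersion": 3, "packages": {
    "": {"name": "my-app"}, "node_modules/lodash": {"version": "4.17.21"},
    "node_modules/express/node_modules/debug": {"version": "2.6.9"},
    "node_modules/@types/node": {"version": "20.1.0"}}})
SAMPLE_REQUIREMENTS = """\
-r base.txt
requests>=2.0
Django[argon2]==4.2.7 ; python_version >= '3.8'
pyyaml == 6.0.1  # pinned
"""
```
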
11

Attack Chain Analysis (Tier 2)

DevGuard scan results feed directly into Pentesterra's Attack Chain Analysis engine, available on the Vibe Coding Pro — Extended Dev Security plan (Tier 2).

The engine correlates DevGuard findings — vulnerable dependencies, exposed secrets, misconfigured containers, outdated runtimes, AI toolchain risks — with network and web pentest data to compute realistic multi-step attack paths. It answers the question: "If this dependency is exploited, what can an attacker reach next?"

What Attack Chain Analysis produces:

  • Ranked attack paths — scored chains from initial entry point to final impact (RCE, data exfiltration, lateral movement)
  • Confirmed vs. theoretical steps — each step shows whether a real finding backs it or it's a projected risk
  • Business impact mapping — financial risk categories and affected services per chain
  • Compliance gaps — OWASP, PCI-DSS, GDPR, NIST, ISO 27001 controls at risk
  • AI executive narrative — plain-language summary for security teams and management

DevGuard-only analysis is fully supported — even without network scan or web pentest data, the engine builds chains from supply chain and code security findings alone. To trigger analysis, open the Attack Chains section in the Pentesterra web console and select the DevGuard project linked to your asset.

12

Troubleshooting

Common issues and how to resolve them:

Issue: pentesterra-devguard: command not found
Solution: Ensure your pip bin directory is in $PATH. Run pip show pentesterra-devguard to find the install location.

Issue: Scan times out or shows no results
Solution: Increase the timeout with --timeout 300. Check your network connection to app.pentesterra.com. Use --no-wait and poll with status <scan_id>.

Issue: API key invalid or not authorized
Solution: Re-run pentesterra-devguard init to update credentials. Confirm the key is active in the web console under DevGuard → API Keys.

Issue: IDE extension not connecting
Solution: Open the command palette, run DevGuard: Configure API Key, and re-enter your key. Check the extension output panel for connection errors.

Issue: CLI auto-install fails in the extension
Solution: If automatic install fails (Python not found or pip permission error), install manually: pip install pentesterra-devguard, then reload VS Code.

Issue: Extension not auto-updating after .vsix install
Solution: The extension checks for updates once per 24 hours. Trigger a manual check by reloading VS Code. If no prompt appears, ensure the extension can reach api.pentesterra.com.

Issue: Pre-push hook blocks push unexpectedly
Solution: Run pentesterra-devguard scan --dry-run to see what would be sent. Use git push --no-verify to bypass temporarily. Adjust --fail-threshold to critical to only block on critical findings.

Take Control of Your Attack Surface.

Start with the free tier or talk to us about your environment - network, web, cloud, or on-prem.