DevShield Documentation
The complete guide to utilizing the Zero-Trust Security Toolkit for your CI/CD pipelines, package analysis, and credential monitoring.
Platform Capabilities
NPM Package Auditor
Fetch real-time comprehensive risk metrics for any npm package. Evaluates the National Vulnerability Database (NVD) for active Zero-Day exploits, assesses maintenance timelines, popularity metrics, and assigns a master Risk Score (0-100).
- CVE Vulnerability Mapping
- License Compliance Scanning
- Maintenance Health Check
Remote GitHub Scanner
Copy and paste any public GitHub repository URL into the auditor. We utilize the GitHub REST API to securely extract the `package.json` file remotely and bulk analyze every single nested dependency for security risks natively in the browser.
No installation required. Works entirely in-browser.
Visual Dependency Tree
Vulnerabilities hide in transitive dependencies (dependencies of dependencies). The interactive D3.js force-directed graph automatically maps deep dependency chains up to 2-layers deep so you can visually untangle supply chain risks.
The DevShield CLI
The DevShield CLI is designed to wrap natively into your continuous integration (CI/CD) pipelines (such as GitHub Actions or GitLab CI) to strictly block vulnerable code from reaching production.
$ npx devshield
$ npm install -g devshield
$ devshield
Pipeline Execution
When executed, the CLI will iterate through your local `package-lock.json` and communicate with vulnerability databases. If any dependency contains a HIGH or CRITICAL severity CVE, the CLI will forcefully exit with `Exit Code 1`, preventing your pull request from being merged.
Custom Thresholds
You can configure the CLI to fail on different severity levels using the `--level` flag. Example: `npx devshield --level moderate`.
Zero-Knowledge Architecture
Our credential leak monitoring utilizes strict k-Anonymity privacy architectures. When you query an email for historical breaches across our 7B+ record database, the query is cryptographically hashed via `SHA-1` directly inside your web browser.
Technical Implementation
- Your email is converted to a SHA-1 hash locally (e.g., `5baa61e4c9b93...`).
- We take only the first 5 characters (`5baa6`) and send them to our API.
- The API returns all known breached hashes starting with `5baa6`.
- Your browser checks if your full hash is in that list.
Only the first 5 characters of the hash are transmitted to our Edge APIs to find bucketed prefix-matches, ensuring your plaintext passwords and identifiers are completely obfuscated from our network layer. We see nothing, and we log nothing.
Developer Security Best Practices
Maintaining a secure development environment is a continuous process. Here are our top recommendations:
- Never commit `.env` files or hardcoded credentials to version control.
- Use `npm audit` or the DevShield CLI in every CI/CD pipeline run.
- Enable 2FA on your npm, GitHub, and cloud provider accounts.
- Keep your global dependencies updated to patch security holes in dev tools.