Created and maintained by https://safedep.io with contributions from the community 🚀

vet is a tool for identifying risks in open source software supply chain. It goes beyond just vulnerabilities and provides visibility on OSS package risks due to it's license, popularity, security hygiene, and more. vet is designed with the goal of helping software development teams consume safe and trusted OSS components through automated vetting in CI/CD.

• Getting Started
  • Running Scan
    • Scanning Binary Artifacts
    • Scanning SBOM
    • Scanning Github Repositories
    • Scanning Github Organization
    • Scanning Package URL
    • Available Parsers
• Policy as Code
• Query Mode
• Reporting
• CI/CD Integration
  • 📦 GitHub Action
  • 🚀 GitLab CI
• 🐙 Malicious Package Analysis
• 🛠️ Advanced Usage
• 📖 Documentation
• 🎊 Community
• 💻 Development
• Support
• Star History
• 🔖 References

• Download the binary file for your operating system / architecture from the Official GitHub Releases

• You can also install vet using homebrew in MacOS and Linux

brew tap safedep/tap
brew install safedep/tap/vet

• Alternatively, build from source

Ensure $(go env GOPATH)/bin is in your $PATH

go install github.com/safedep/vet@latest

• Also available as a container image

docker run --rm -it ghcr.io/safedep/vet:latest version

Note: Container image is built for x86_64 Linux only. Use a pre-built binary or build from source for other platforms.

• Run vet to identify risks by scanning a directory

vet scan -D /path/to/repository

• Run vet to scan specific (supported) package manifests

vet scan -M /path/to/pom.xml
vet scan -M /path/to/requirements.txt
vet scan -M /path/to/package-lock.json

Note: --lockfiles is generalized to -M or --manifests to support additional types of package manifests or other artifacts in future.

• Scan a Java JAR file

vet scan -M /path/to/app.jar

Suitable for scanning bootable JARs with embedded dependencies

• Scan a directory with JAR files

vet scan -D /path/to/jars --type jar

• Scan an SBOM in CycloneDX format

vet scan -M /path/to/cyclonedx-sbom.json --type bom-cyclonedx

• Scan an SBOM in SPDX format

vet scan -M /path/to/spdx-sbom.json --type bom-spdx

Note: --type is a generalized version of --lockfile-as to support additional artifact types in future.

Note: SBOM scanning feature is currently in experimental stage

• Setup github access token to scan private repo

vet connect github

Alternatively, set GITHUB_TOKEN environment variable with Github PAT

• To scan remote Github repositories, including private ones

vet scan --github https://github.com/safedep/vet

Note: You may need to enable Dependency Graph at repository or organization level for Github repository scanning to work.

You must setup the required access for scanning private repositories before scanning organizations

vet scan --github-org https://github.com/safedep

Note: vet will block and wait if it encounters Github secondary rate limit.

• To scan a purl

vet scan --purl pkg:/gem/[email protected]

• List supported package manifest parsers including experimental modules

vet scan parsers --experimental

vet uses Common Expressions Language (CEL) as the policy language. Policies can be defined to build guardrails preventing introduction of insecure components.

• Run vet and fail if a critical or high vulnerability was detected

vet scan -D /path/to/code \
    --filter 'vulns.critical.exists(p, true) || vulns.high.exists(p, true)' \
    --filter-fail

• Run vet and fail if a package with a specific license was detected

vet scan -D /path/to/code \
    --filter 'licenses.exists(p, "GPL-2.0")' \
    --filter-fail

Note: Using licenses.contains_license(...) is recommended for license matching due to its support for SPDX expressions.

• vet supports SPDX License Expressions at package license and policy level

vet scan -D /path/to/code \
    --filter 'licenses.contains_license("LGPL-2.1+")' \
    --filter-fail

• Run vet and fail based on OpenSSF Scorecard attributes

vet scan -D /path/to/code \
    --filter 'scorecard.scores.Maintained == 0' \
    --filter-fail

For more examples, refer to documentation

• Run scan and dump internal data structures to a file for further querying

vet scan -D /path/to/code --json-dump-dir /path/to/dump

• Filter results using query command

vet query --from /path/to/dump \
    --filter 'vulns.critical.exists(p, true) || vulns.high.exists(p, true)'

• Generate report from dumped data

vet query --from /path/to/dump --report-json /path/to/report.json

vet supports generating reports in multiple formats during scan or query execution.

• vet is available as a GitHub Action, refer to vet-action

• vet can be integrated with GitLab CI, refer to vet-gitlab-ci

vet supports scanning for malicious packages using SafeDep Cloud API which requires an API key.

• To setup an API key for malicious package scanning

vet cloud quickstart

• Run a scan and check for malicious packages

vet scan -D /path/to/code --malware

Note: vet will submit identified packages to SafeDep Cloud for analysis and wait for a timeout period for response. Not all package analysis may be completed within the timeout period. However, subsequent scans will fetch the results if available and lead to increased coverage over time. Adjust the timeout using --malware-analysis-timeout flag.

• Threat Hunting with vet
• Policy as Code
• Exceptions and Overrides

• Refer to https://safedep.io/docs for the detailed documentation

First of all, thank you so much for showing interest in vet, we appreciate it ❤️

• Join the Discord server using the link - https://rebrand.ly/safedep-community

Refer to CONTRIBUTING.md

SafeDep provides enterprise support for vet deployments. Check out SafeDep Cloud for large scale deployment and management of vet in your organization.

• https://github.com/google/osv-scanner
• https://github.com/anchore/syft
• https://deps.dev/
• https://securityscorecards.dev/
• https://slsa.dev/