70-90% of modern software consists of code from open source — how do we know if it's safe?
vet is an open source software supply chain security tool built for developers and security engineers who need:
✅ Real-time malicious package detection — Active scanning and analysis of unknown packages
✅ Modern SCA with actual usage analysis — Prioritize real risks over vulnerability noise
✅ Policy as Code — Express security requirements using CEL expressions
Hosted SaaS version available at SafeDep Cloud. Get started with GitHub App and other integrations.
Install in seconds:
```bash
# macOS & Linux
brew install safedep/tap/vet
```
or download a pre-built binary.
Get started immediately:
```bash
# Scan for malware in your dependencies
vet scan -D . --malware-query
# Fail CI on critical vulnerabilities
vet scan -D . --filter 'vulns.critical.exists(p, true)' --filter-fail
# Get API key for advanced malware detection
vet cloud quickstart
```
```mermaid
graph TB
subgraph "OSS Ecosystem"
R1[npm Registry]
R2[PyPI Registry]
R3[Maven Central]
R4[Other Registries]
end
subgraph "SafeDep Cloud"
M[Continuous Monitoring]
A[Real-time Code Analysis<br/>Malware Detection]
T[Threat Intelligence DB<br/>Vulnerabilities • Malware • Scorecard]
end
subgraph "vet CLI"
S[Source Repository<br/>Scanner]
P[CEL Policy Engine]
O[Reports & Actions<br/>SARIF/JSON/CSV]
end
R1 -->|New Packages| M
R2 -->|New Packages| M
R3 -->|New Packages| M
R4 -->|New Packages| M
M -->|Behavioral Analysis| A
A -->|Malware Signals| T
S -->|Query Package Info| T
T -->|Security Intelligence| S
S -->|Analysis Results| P
P -->|Policy Decisions| O
style M fill:#7CB9E8,stroke:#5A8DB8,color:#1a1a1a
style A fill:#E8A87C,stroke:#B88A5A,color:#1a1a1a
style T fill:#7CB9E8,stroke:#5A8DB8,color:#1a1a1a
style S fill:#90C695,stroke:#6B9870,color:#1a1a1a
style P fill:#E8C47C,stroke:#B89B5A,color:#1a1a1a
style O fill:#B8A3D4,stroke:#9478AA,color:#1a1a1a
```
Real-time protection against malicious packages powered by SafeDep Cloud. Free for open source projects. Detects zero-day malware through active code analysis.
Unlike dependency scanners that flood you with noise, vet analyzes your actual code usage to prioritize real risks.
See dependency usage evidence for details.
Define security policies using CEL expressions to enforce context-specific requirements:
```bash
# Block packages with critical CVEs
vet scan --filter 'vulns.critical.exists(p, true)' --filter-fail
# Enforce license compliance
vet scan --filter 'licenses.contains_license("GPL-3.0")' --filter-fail
# Require minimum OpenSSF Scorecard scores
vet scan --filter 'scorecard.scores.Maintained < 5' --filter-fail
```
vet supports:
- Package managers: npm, PyPI, Maven, Go, Ruby, Rust, PHP
- Container images: Docker, OCI
- SBOM formats: CycloneDX, SPDX
- Source repositories: GitHub, GitLab
Real-time protection against malicious packages with active scanning and behavioral analysis.
```bash
# One-time setup for advanced scanning
vet cloud quickstart
# Scan for malware with active scanning (requires API key)
vet scan -D . --malware
# Query known malicious packages (no API key needed)
vet scan -D . --malware-query
```
Example detections:
- MAL-2025-3541: express-cookie-parser
- MAL-2025-4339: eslint-config-airbnb-compat
- MAL-2025-4029: ts-runtime-compat-check
Key security features:
- ✅ Real-time analysis against known malware databases
- ✅ Behavioral analysis using static and dynamic analysis
- ✅ Zero-day protection through active code scanning
- ✅ Human-in-the-loop triaging for high-impact findings
- ✅ Public analysis log for transparency
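`vet inspect malware --purl` takes a single package URL, so checking every dependency in a lockfile means producing one purl per entry. The following is an added example, not part of vet itself: it walks the `packages` map of an npm `package-lock.json` (lockfileVersion 2 or 3), skips the root entry, workspace symlinks and entries without a version, builds spec-conformant purls (scoped packages become `pkg:npm/%40scope/name@version`, with the scope's `@` percent-encoded), and emits the argument vectors for the `vet inspect malware --purl` command shown on this page. The lockfile contents and package names are constructed for the example.

```python
import json
from typing import Iterator
from urllib.parse import quote

# Constructed sample package-lock.json (lockfileVersion 3); package names are placeholders.
SAMPLE_PACKAGE_LOCK = json.dumps({
    "name": "example-app",
    "lockfileVersion": 3,
    "requires": True,
    "packages": {
        "": {"name": "example-app", "version": "0.1.0"},
        "node_modules/left-pad-ish": {"version": "1.3.0"},
        "node_modules/@example/scoped-lib": {"version": "2.0.1"},
        "node_modules/dev-only-tool": {"version": "4.2.0", "dev": True},
        "node_modules/left-pad-ish/node_modules/nested-dep": {"version": "0.9.0"},
        "node_modules/local-workspace": {"resolved": "packages/local-workspace", "link": True},
        "packages/local-workspace": {"name": "local-workspace", "version": "0.0.1"},
    },
})


def npm_purl(name: str, version: str) -> str:
    """Build a purl for an npm package per the purl spec.

    A scoped name such as @example/scoped-lib becomes the namespace/name pair
    pkg:npm/%40example/scoped-lib@<version>; the '@' of the scope is percent-encoded,
    the '/' separating namespace and name is not.
    """
    enc_version = quote(version, safe="")
    if name.startswith("@") and "/" in name:
        scope, pkg = name[1:].split("/", 1)
        return f"pkg:npm/%40{quote(scope, safe='')}/{quote(pkg, safe='')}@{enc_version}"
    return f"pkg:npm/{quote(name, safe='')}@{enc_version}"


def iter_lock_packages(lock_text: str, include_dev: bool = True) -> Iterator[tuple[str, str]]:
    """Yield (name, version) for every installed registry package in the lockfile."""
    lock = json.loads(lock_text)
    if lock.get("lockfileVersion", 1) < 2:
        raise ValueError("expects lockfileVersion 2 or 3 (the 'packages' map)")
    for key, entry in lock.get("packages", {}).items():
        if key == "" or entry.get("link") or "version" not in entry:
            continue  # root project, workspace symlink, or entry without a version
        if "node_modules/" not in key:
            continue  # workspace package sources are not registry dependencies
        if not include_dev and entry.get("dev"):
            continue
        # Aliased installs carry the real package name in "name"; otherwise it is the
        # last node_modules/ segment of the key (this also handles nested installs).
        name = entry.get("name") or key.rsplit("node_modules/", 1)[1]
        yield name, entry["version"]


def lock_to_purls(lock_text: str, include_dev: bool = True) -> list[str]:
    """Return the de-duplicated purls of a lockfile, in lockfile order."""
    purls: list[str] = []
    for name, version in iter_lock_packages(lock_text, include_dev):
        purl = npm_purl(name, version)
        if purl not in purls:
            purls.append(purl)
    return purls


def vet_inspect_commands(purls: list[str]) -> list[list[str]]:
    """Argument vectors for the `vet inspect malware --purl <purl>` command from this page."""
    return [["vet", "inspect", "malware", "--purl", purl] for purl in purls]


if __name__ == "__main__":
    import shlex
    import sys

    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_PACKAGE_LOCK
    for argv in vet_inspect_commands(lock_to_purls(text, include_dev=False)):
        print(shlex.join(argv))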
```bash
# Specialized scans
vet scan --vsx --malware # VS Code extensions
vet scan -D .github/workflows --malware # GitHub Actions
vet scan --image nats:2.10 --malware # Container images
# Analyze specific packages (replace the placeholder with a real purl)
vet inspect malware --purl pkg:npm/<package>@<version>
```
Zero-config security guardrails in CI/CD:
```yaml
- uses: safedep/vet-action@v1
  with:
    policy: ".github/vet/policy.yml"
```
See vet-action documentation.
Enterprise scanning with vet CI Component:
```yaml
include:
  - component: gitlab.com/safedep/ci-components/vet/scan@main
```
Run vet anywhere using our container image:
```bash
docker run --rm -v "$(pwd)":/app ghcr.io/safedep/vet:latest scan -D /app --malware
```
Install with Homebrew:
```bash
brew tap safedep/tap
brew install safedep/tap/vet
```
See releases for pre-built binaries.
Install from source with Go:
```bash
go install github.com/safedep/vet@latest
```
```bash
# Quick test
docker run --rm ghcr.io/safedep/vet:latest version
# Scan local directory
docker run --rm -v "$(pwd)":/workspace ghcr.io/safedep/vet:latest scan -D /workspace
```
Verify the installation:
```bash
vet version
# Should display version and build information
```
Learn more in our comprehensive documentation:
- MCP Server - Run vet as an MCP server for AI-assisted code analysis
- AI Agent Mode - Run vet as an AI agent
- Reporting - SARIF, JSON, CSV, HTML, Markdown formats
- SBOM Support - CycloneDX, SPDX import/export
- Query Mode - Scan once, analyze multiple times
- GitHub Integration - Repository and organization scanning
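vet can write its findings as SARIF, and a CI job usually needs to turn that report into a pass/fail decision and a readable summary. The following is an added example, not vet's own code: it reads a SARIF 2.1.0 document (the flag that makes vet emit one is documented under Reporting; the file path is this example's assumption), counts results by `level`, applies the SARIF default of `warning` when a result carries no `level`, and returns a non-zero exit code when any result at or above a chosen severity is present. The SARIF document, rule ids and messages embedded below are constructed for the example and are not real vet output.

```python
import json
from collections import Counter
from typing import Iterator

# SARIF 2.1.0 levels ordered by severity; "none" never fails the gate.
LEVEL_ORDER = {"none": -1, "note": 0, "warning": 1, "error": 2}

# Constructed sample SARIF report (placeholder rule ids and messages, not vet output).
SAMPLE_SARIF = json.dumps({
    "version": "2.1.0",
    "$schema": "https://json.schemastore.org/sarif-2.1.0.json",
    "runs": [{
        "tool": {"driver": {"name": "vet", "rules": [
            {"id": "EXAMPLE-VULN-CRITICAL",
             "shortDescription": {"text": "Critical vulnerability (placeholder rule)"}},
            {"id": "EXAMPLE-LICENSE",
             "shortDescription": {"text": "License policy violation (placeholder rule)"}},
        ]}},
        "results": [
            {"ruleId": "EXAMPLE-VULN-CRITICAL", "level": "error",
             "message": {"text": "pkg:npm/example-pkg@1.0.0 has a critical vulnerability (placeholder)"},
             "locations": [{"physicalLocation": {"artifactLocation": {"uri": "package-lock.json"}}}]},
            {"ruleId": "EXAMPLE-LICENSE", "level": "warning",
             "message": {"text": "pkg:pypi/example-lib@2.0.0 uses a disallowed license (placeholder)"},
             "locations": [{"physicalLocation": {"artifactLocation": {"uri": "requirements.txt"}}}]},
            # No "level" key: SARIF 2.1.0 treats a missing level as "warning".
            {"ruleId": "EXAMPLE-LICENSE",
             "message": {"text": "pkg:pypi/other-lib@3.1.0 license needs review (placeholder)"}},
        ],
    }],
})
EMPTY_SARIF = json.dumps({"version": "2.1.0", "runs": [{"results": []}]})


def iter_results(sarif: dict) -> Iterator[dict]:
    """Flatten results across all runs in the report."""
    for run in sarif.get("runs", []):
        yield from run.get("results", [])


def rule_descriptions(sarif: dict) -> dict[str, str]:
    """Map rule id -> short description from each run's tool.driver.rules."""
    descriptions: dict[str, str] = {}
    for run in sarif.get("runs", []):
        for rule in run.get("tool", {}).get("driver", {}).get("rules", []):
            descriptions[rule["id"]] = rule.get("shortDescription", {}).get("text", "")
    return descriptions


def result_level(result: dict) -> str:
    # Per SARIF 2.1.0 the default level for a result without one is "warning".
    return result.get("level", "warning")


def result_location(result: dict) -> str:
    for loc in result.get("locations", []):
        uri = loc.get("physicalLocation", {}).get("artifactLocation", {}).get("uri")
        if uri:
            return uri
    return "<no location>"


def summarize(sarif_text: str) -> dict[str, int]:
    """Count results per level (error/warning/note)."""
    sarif = json.loads(sarif_text)
    counts = Counter(result_level(r) for r in iter_results(sarif))
    return {level: counts.get(level, 0) for level in ("error", "warning", "note")}


def gate(sarif_text: str, fail_on: str = "error") -> int:
    """Return the CI exit code: 1 if any result at or above `fail_on` exists, else 0."""
    threshold = LEVEL_ORDER[fail_on]
    sarif = json.loads(sarif_text)
    rules = rule_descriptions(sarif)
    failing = [r for r in iter_results(sarif)
               if LEVEL_ORDER.get(result_level(r), 1) >= threshold]
    for r in failing:
        rule_id = r.get("ruleId", "?")
        print(f"[{result_level(r)}] {rule_id} ({rules.get(rule_id, '')}) "
              f"at {result_location(r)}: {r['message']['text']}")
    return 1 if failing else 0


if __name__ == "__main__":
    import sys

    # Assumed usage: python gate_sarif.py vet-report.sarif [error|warning|note]
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_SARIF
    print(summarize(text))
    sys.exit(gate(text, sys.argv[2] if len(sys.argv) > 2 else "error"))
```

Running the script with no arguments gates the constructed sample (one error, two warnings) and exits 1; pointing it at a real report and choosing `warning` as the threshold makes license and scorecard policy results block the pipeline as well, which is the counterpart of `--filter-fail` for pipelines that consume the report rather than vet's exit status.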
vet collects anonymous usage telemetry to improve the product. Your code and package information is never transmitted.
```bash
# Disable telemetry (optional)
export VET_DISABLE_TELEMETRY=true
```
- 🚀 Interactive Tutorial - Learn vet hands-on
- 📚 Complete Documentation - Comprehensive guides
- 💬 Discord Community - Real-time support
- 🐛 Issue Tracker - Bug reports & feature requests
- 🤝 Contributing Guide - Join the development
vet stands on the shoulders of giants:
OSV • OpenSSF Scorecard • SLSA • OSV-SCALIBR • Syft
⚡ Secure your supply chain today. Star the repo ⭐ and get started!
Created with ❤️ by SafeDep and the open source community