vet

command module
v0.0.6-dev Latest Latest
Warning

This package is not in the latest version of its module.

 Go to latest Published: Feb 7, 2023 License: Apache-2.0 Imports: 16 Imported by: 0

README

vet

vet is a tool for identifying risks in open source software supply chain. It helps engineering and security teams to identify potential issues in their open source dependencies and evaluate them against organizational policies.

CodeQL

TL;DR

Ensure $(go env GOPATH)/bin is in your $PATH

Install using go get

go install github.com/safedep/vet@latest

Alternatively, look at Releases for a pre-built binary for your platform. SLSA Provenance is published along with each binary release.

Get a trial API key for Insights API access

vet auth trial --email john.doe@example.com

A time limited trial API key will be sent over email.

Configure vet to use API Key to access Insights API

vet auth configure

Insights API is used to enrich OSS packages with meta-data for rich query and policy decisions

Run vet to identify risks

vet scan -D /path/to/repository

or scan a specific (supported) package manifest

vet scan --lockfiles /path/to/pom.xml
vet scan --lockfiles /path/to/requirements.txt
vet scan --lockfiles /path/to/package-lock.json

Use vet scan parsers to list supported package manifest parsers

The default scan uses an opinionated Summary Reporter which presents a consolidated summary of findings. Thats NOT about it. Read more for expression based filtering and policy evaluation.

Filtering

Find dependencies that seems not very popular

vet scan --lockfiles /path/to/pom.xml --report-summary=false \
    --filter='projects.exists(x, x.stars < 10)'

Find dependencies with a critical vulnerability

vet scan --lockfiles /path/to/pom.xml --report-summary=false \
    --filter='vulns.critical.exists_one(x, true)'

Use filtering along with query command for offline slicing and dicing of enriched package manifests. Read filtering guide

Common Expressions Language is used to evaluate filters on packages. Learn more about filtering with vet. Look at filter input spec on attributes available to the filter expression.

Policy Evaluation

TODO

FAQ

How do I disable the stupid banner?

Set environment variable VET_DISABLE_BANNER=1

Can I use this tool without an API Key for Insight Service?

Probably no. All useful data (enrichments) for a detected package comes from a backend service. The service is rate limited with quotas to prevent abuse.

Look at api/insights-v1.yml. It contains the contract expected for Insights API. You can perhaps consider rolling out your own to avoid dependency with our backend.

Something is wrong! How do I debug this thing?

Run without the eye candy UI and enable log to file or to stdout.

Log to stdout:

vet scan -D /path/to/repo -s -l- -v

Log to file:

vet scan -D /path/to/repo -l /tmp/vet.log -v

References

Documentation

The Go Gopher

There is no documentation for this package.

Source Files

View all Source files

Directories

Path Synopsis
gen
controlplane
Package controlplane provides primitives to interact with the openapi HTTP API.
 Package controlplane provides primitives to interact with the openapi HTTP API.
filterinput
insightapi
Package insightapi provides primitives to interact with the openapi HTTP API.
 Package insightapi provides primitives to interact with the openapi HTTP API.
internal
auth
ui
pkg
analyzer
common/logger
common/utils
models
parser
policy
reporter
scanner

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL
go.dev uses cookies from Google to deliver and enhance the quality of its services and to analyze traffic. Learn more.