vet
vet is a tool for identifying risks in the open source software supply chain. It
helps engineering and security teams identify potential issues in their open
source dependencies and evaluate them against organizational policies.

TL;DR
Scan a repository for OSS dependency risks with auto-detection of package
manifests
vet scan -D /path/to/repo

Getting Started
Ensure $(go env GOPATH)/bin is in your $PATH
Install using go install
go install github.com/safedep/vet@latest
Alternatively, look at Releases for
a pre-built binary for your platform. SLSA Provenance is published
along with each binary release.
Get a trial API key for Insights API access
vet auth trial --email john.doe@example.com
A time limited trial API key will be sent over email.
Configure vet to use API Key to access Insights API
vet auth configure
Insights API is used to enrich OSS packages with meta-data for rich query and policy
decisions
Run vet to identify risks
vet scan -D /path/to/repository
or scan a specific (supported) package manifest
vet scan --lockfiles /path/to/pom.xml
vet scan --lockfiles /path/to/requirements.txt
vet scan --lockfiles /path/to/package-lock.json
or scan a supported package manifest with a non-standard name
vet scan --lockfiles /path/to/gradle-compileOnly.lock --lockfile-as gradle.lockfile
Use vet scan parsers to list supported package manifest parsers
The default scan uses an opinionated Summary Reporter which presents
a consolidated summary of findings. That's not all: read on for
expression based filtering and policy evaluation.
Filtering
Find dependencies that seem not very popular
vet scan --lockfiles /path/to/pom.xml --report-summary=false \
--filter='projects.exists(x, x.stars < 10)'
Find dependencies with a critical vulnerability
vet scan --lockfiles /path/to/pom.xml --report-summary=false \
--filter='vulns.critical.exists_one(x, true)'
Use filtering along with the query command for offline slicing and dicing of
enriched package manifests. Read the filtering guide to learn more about
filtering with vet, and look at the filter input spec for the attributes
available to the filter expression.
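The two filters above use CEL-style list macros, and the macro matters: exists(x, p) is true when at least one element satisfies p, while exists_one(x, p) is true only when exactly one does. The following is an added example, not code from vet, that models both macros over a constructed set of enriched packages; the record layout is an assumption chosen to mirror the projects.stars and vulns.critical attributes used in the filters.

```python
# Added example (not part of vet): models the README's filter expressions over
# constructed package records to show exists vs exists_one semantics.
# The dict layout is an assumption, not vet's real filter input format.

def cel_exists(items, pred):
    """CEL exists(x, p): true if at least one element satisfies p."""
    return any(pred(x) for x in items)

def cel_exists_one(items, pred):
    """CEL exists_one(x, p): true only if exactly one element satisfies p."""
    return sum(1 for x in items if pred(x)) == 1

# Constructed sample data; names and vulnerability ids are placeholders.
PACKAGES = [
    {"name": "example-a", "projects": [{"stars": 3}],
     "vulns": {"critical": []}},
    {"name": "example-b", "projects": [{"stars": 5400}],
     "vulns": {"critical": [{"id": "VULN-PLACEHOLDER-1"}]}},
    {"name": "example-c", "projects": [{"stars": 250}],
     "vulns": {"critical": [{"id": "VULN-PLACEHOLDER-2"},
                            {"id": "VULN-PLACEHOLDER-3"}]}},
]

def unpopular(pkg):
    # projects.exists(x, x.stars < 10)
    return cel_exists(pkg["projects"], lambda x: x["stars"] < 10)

def exactly_one_critical(pkg):
    # vulns.critical.exists_one(x, true): true for exactly one critical vuln
    return cel_exists_one(pkg["vulns"]["critical"], lambda x: True)

def any_critical(pkg):
    # vulns.critical.exists(x, true): true for one or more critical vulns
    return cel_exists(pkg["vulns"]["critical"], lambda x: True)

def apply_filter(pred, packages=PACKAGES):
    """Return the names of packages a filter expression would select."""
    return [p["name"] for p in packages if pred(p)]

if __name__ == "__main__":
    print("unpopular:", apply_filter(unpopular))
    print("exactly one critical:", apply_filter(exactly_one_critical))
    print("any critical:", apply_filter(any_critical))
```

Note that a package with two critical vulnerabilities is skipped by the exists_one form, so a gate meant to catch "at least one critical" should use exists instead.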
Using Filter Suite
Filter suites can be used to implement security gating in CI. The example
suite file contains rules to enforce generic OSS consumption best practices.
vet scan -D /path/to/dir --filter-suite /path/to/suite.yml --filter-fail
Read more about filter suites in the filtering guide
Exceptions Management
Exception rules can be generated using the query workflow to temporarily
ignore (or snooze) existing issues when using vet for the first time. This
helps establish security gating that prevents the introduction of new security
issues while existing issues are being remediated.
Use exception rules during scan to ignore specific packages
vet scan -D /path/to/repo -e /path/to/exceptions.yml
For more information, refer to the exceptions guide
FAQ
How do I disable the stupid banner?
Set environment variable VET_DISABLE_BANNER=1
Probably not. All useful data (enrichments) for a detected package comes from
a backend service. The service is rate limited with quotas to prevent abuse.
Look at api/insights-v1.yml. It contains the contract expected for the Insights
API. You can consider rolling out your own implementation to avoid depending on
our backend.
Something is wrong! How do I debug this thing?
Run without the eye candy UI and enable logging to a file or to stdout.
Log to stdout:
vet scan -D /path/to/repo -s -l- -v
Log to file:
vet scan -D /path/to/repo -l /tmp/vet.log -v
References