> [!NOTE]
> vet supports a special mode for Agent Skills.
> Run `vet scan --agent-skill <owner/repo>` to scan an Agent Skill hosted in a GitHub repository.
## Why vet?

70-90% of modern software consists of code from open source projects. How do we know whether it is safe?

vet is an open source software supply chain security tool built for developers and security engineers who need:

- ✅ Real-time malicious package detection: active scanning and analysis of unknown packages
- ✅ Modern SCA with actual usage analysis: prioritize real risks over vulnerability noise
- ✅ Policy as Code: express security requirements using CEL expressions

A hosted SaaS version is available at SafeDep Cloud. Get started with the GitHub App and other integrations.
## Quick Start

Install in seconds:

```bash
# macOS & Linux
brew install safedep/tap/vet
```

Or download a pre-built binary from the releases page.

Get started immediately:

```bash
# Query known-malicious package intelligence for your dependencies (no API key needed)
vet scan -D . --malware-query

# Fail CI when any dependency has a critical vulnerability
vet scan -D . --filter 'vulns.critical.exists(p, true)' --filter-fail

# Get an API key for advanced (active) malware detection
vet cloud quickstart
```
## Architecture

```mermaid
graph TB
    subgraph "OSS Ecosystem"
        R1[npm Registry]
        R2[PyPI Registry]
        R3[Maven Central]
        R4[Other Registries]
    end
    subgraph "SafeDep Cloud"
        M[Continuous Monitoring]
        A[Real-time Code Analysis<br/>Malware Detection]
        T[Threat Intelligence DB<br/>Vulnerabilities • Malware • Scorecard]
    end
    subgraph "vet CLI"
        S[Source Repository<br/>Scanner]
        P[CEL Policy Engine]
        O[Reports & Actions<br/>SARIF/JSON/CSV]
    end
    R1 -->|New Packages| M
    R2 -->|New Packages| M
    R3 -->|New Packages| M
    R4 -->|New Packages| M
    M -->|Behavioral Analysis| A
    A -->|Malware Signals| T
    S -->|Query Package Info| T
    T -->|Security Intelligence| S
    S -->|Analysis Results| P
    P -->|Policy Decisions| O
    style M fill:#7CB9E8,stroke:#5A8DB8,color:#1a1a1a
    style A fill:#E8A87C,stroke:#B88A5A,color:#1a1a1a
    style T fill:#7CB9E8,stroke:#5A8DB8,color:#1a1a1a
    style S fill:#90C695,stroke:#6B9870,color:#1a1a1a
    style P fill:#E8C47C,stroke:#B89B5A,color:#1a1a1a
    style O fill:#B8A3D4,stroke:#9478AA,color:#1a1a1a
```
## Key Features

### Malicious Package Detection

Real-time protection against malicious packages, powered by SafeDep Cloud. Free for open source projects. Detects zero-day malware through active code analysis.

### Smart Vulnerability Analysis

Unlike dependency scanners that flood you with noise, vet analyzes your actual code usage to prioritize real risks. See dependency usage evidence for details.
### Policy as Code

Define security policies as CEL expressions to enforce context-specific requirements. With `--filter-fail`, vet exits non-zero when any package matches the expression, so each filter describes what you want to reject:

```bash
# Fail when any dependency has a critical vulnerability
vet scan --filter 'vulns.critical.exists(p, true)' --filter-fail

# Fail when any dependency is licensed under GPL-3.0
vet scan --filter 'licenses.contains_license("GPL-3.0")' --filter-fail

# Fail when a dependency's OpenSSF Scorecard "Maintained" score is below 5
vet scan --filter 'scorecard.scores.Maintained < 5' --filter-fail
```
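The following script is an added example for this README, not vet's own code. It layers the three gates above into one CI step: since `--filter` takes a single CEL expression, it runs one `vet scan` per policy, writes one JSON report per gate with vet's `--report-json` flag (a vet flag not shown elsewhere on this page), and returns the number of gates that failed. The `POLICIES` list and the `VET_DRY_RUN` variable are conventions of this script, not vet features; `/src` and `reports` in the comments are placeholder paths.

```shell
#!/usr/bin/env sh
# Added example, not part of vet or this README: run several single-expression
# policy gates in sequence and keep one JSON report per gate.
# Assumes the vet flags -D, --filter, --filter-fail and --report-json.
# VET_DRY_RUN and POLICIES are this script's own conventions, not vet features.

# One gate per line: "<name>|<CEL expression>". Each expression matches the
# packages you want to REJECT, because --filter-fail makes vet exit non-zero
# when any package matches it.
POLICIES='critical-vulns|vulns.critical.exists(p, true)
gpl3-license|licenses.contains_license("GPL-3.0")
unmaintained|scorecard.scores.Maintained < 5'

# Render the vet command line for one gate as a single line of text. Used for
# dry-run output and inspection; the real run passes the arguments directly
# to vet so that paths with spaces are handled by the shell, not by quoting.
build_vet_cmd() {
    dir="$1"; name="$2"; expr="$3"; outdir="$4"
    printf "vet scan -D '%s' --filter '%s' --filter-fail --report-json '%s/%s.json'\n" \
        "$dir" "$expr" "$outdir" "$name"
}

# Run every gate in POLICIES against a source directory. Returns the number of
# gates that failed (0 means every policy passed). With VET_DRY_RUN=1 the
# commands are printed, one per line, instead of being executed.
run_policy_gates() {
    dir="$1"; outdir="${2:-vet-reports}"
    dry="${VET_DRY_RUN:-0}"
    [ "$dry" = "1" ] || mkdir -p "$outdir"
    failed=0
    # Feed the loop from a here-document rather than a pipe so that $failed
    # survives the loop (a piped while-loop runs in a subshell in POSIX sh).
    while IFS='|' read -r name expr; do
        [ -n "$name" ] || continue
        if [ "$dry" = "1" ]; then
            build_vet_cmd "$dir" "$name" "$expr" "$outdir"
            continue
        fi
        # A failing gate does not stop the remaining gates, so every report
        # is produced even when the first policy already rejects the build.
        if vet scan -D "$dir" --filter "$expr" --filter-fail \
              --report-json "$outdir/$name.json"; then
            echo "PASS $name"
        else
            echo "FAIL $name (details in $outdir/$name.json)"
            failed=$((failed + 1))
        fi
    done <<EOF
$POLICIES
EOF
    [ "$dry" = "1" ] || echo "$failed gate(s) failed"
    return "$failed"
}

# Typical CI usage: gate the repository root and fail the job if any gate fails.
# run_policy_gates . vet-reports || exit 1
```

Run it once with `VET_DRY_RUN=1` to review the exact commands before wiring it into a pipeline; the per-gate JSON reports are what you attach to the failed job so reviewers can see which package tripped which policy.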
### Multi-Ecosystem Support

- Package managers: npm, PyPI, Maven, Go, Ruby, Rust, PHP
- Container images: Docker, OCI
- SBOM formats: CycloneDX, SPDX
- Source repositories: GitHub, GitLab
## Malicious Package Detection

Real-time protection against malicious packages with active scanning and behavioral analysis.

### Quick Setup

```bash
# One-time setup for advanced scanning
vet cloud quickstart

# Scan for malware with active scanning (requires an API key)
vet scan -D . --malware

# Query known-malicious package intelligence only (no API key needed)
vet scan -D . --malware-query
```

Example detections:

Key security features:

- ✅ Real-time analysis against known malware databases
- ✅ Behavioral analysis using static and dynamic analysis
- ✅ Zero-day protection through active code scanning
- ✅ Human-in-the-loop triaging for high-impact findings
- ✅ Public analysis log for transparency
### Advanced Usage

```bash
# Specialized scans
vet scan --vsx --malware                      # VS Code extensions
vet scan -D .github/workflows --malware       # GitHub Actions
vet scan --image nats:2.10 --malware          # Container images

# Analyze a specific package by Package URL
vet inspect malware --purl pkg:npm/nyc-config@10.0.0
```
## Production Ready Integrations

### GitHub Actions

Zero-config security guardrails in CI/CD:

```yaml
- uses: safedep/vet-action@v1
  with:
    policy: ".github/vet/policy.yml"
```

See the vet-action documentation.

### GitLab CI

Enterprise scanning with the vet CI Component:

```yaml
include:
  - component: gitlab.com/safedep/ci-components/vet/scan@main
```

### Container Integration

Run vet anywhere using the container image (the working directory is quoted so paths with spaces mount correctly):

```bash
docker run --rm -v "$(pwd)":/app ghcr.io/safedep/vet:latest scan -D /app --malware
```
## Installation

### Homebrew (Recommended)

```bash
brew tap safedep/tap
brew install safedep/tap/vet
```

### Direct Download

See releases for pre-built binaries.

### Go Install

```bash
go install github.com/safedep/vet@latest
```

### Container Image

```bash
# Quick test
docker run --rm ghcr.io/safedep/vet:latest version

# Scan the local directory
docker run --rm -v "$(pwd)":/workspace ghcr.io/safedep/vet:latest scan -D /workspace
```

### Verify Installation

```bash
vet version
# Should display version and build information
```
## Advanced Features

Learn more in our comprehensive documentation:
## Privacy

vet collects anonymous usage telemetry to improve the product. Telemetry never includes your code or the packages you scan. Package lookups made by cloud-backed features such as `--malware` (the "Query Package Info" path in the architecture diagram above) are separate from telemetry.

```bash
# Disable telemetry (optional)
export VET_DISABLE_TELEMETRY=true
```
## Get Help & Share Ideas

## Star History

## Built With Open Source

vet stands on the shoulders of giants:

OSV • OpenSSF Scorecard • SLSA • OSV-SCALIBR • Syft

⚡ Secure your supply chain today. Star the repo ⭐ and get started!

Created with ❤️ by SafeDep and the open source community