Fixed README & Moved docs

Madhu Akula 2023-03-30 01:31:25 +02:00
parent 93bbc74981
commit 2300ea0844
No known key found for this signature in database
GPG Key ID: BA08C1547EA7FFD3
2 changed files with 1 additions and 33 deletions


@ -1,5 +1,5 @@
<h1 align="center">
vet
<img alt="Kubernetes Goat" src="docs/static/img/vet-logo.png" width="150" />
</h1>
<p align="center">
🙌 Refer to <b><a href="https://safedep.io/docs/">https://safedep.io/docs</a></b> for the documentation 📖
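Review bot: the logo's alt text says "Kubernetes Goat", which is a different project; in `<img alt="Kubernetes Goat" src="docs/static/img/vet-logo.png" width="150" />` it should read something like `alt="vet logo"`. Because this commit also moves docs, confirm that `docs/static/img/vet-logo.png` still resolves at that path after the move, or the header image will render broken.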
@ -11,8 +11,6 @@
[![CodeQL](https://github.com/safedep/vet/actions/workflows/codeql.yml/badge.svg?branch=main)](https://github.com/safedep/vet/actions/workflows/codeql.yml)
[![Scorecard supply-chain security](https://github.com/safedep/vet/actions/workflows/scorecard.yml/badge.svg)](https://github.com/safedep/vet/actions/workflows/scorecard.yml)
**🙌 Refer to [https://safedep.io/docs](https://safedep.io/docs) for the documentation 📖**
![vet banner](docs/static/img/vet/vet-banner.png)
## Automate Open Source Package Vetting in CI/CD
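Review bot: the bold `**🙌 Refer to [https://safedep.io/docs](https://safedep.io/docs) for the documentation 📖**` line repeats the same pointer that the centered `<p align="center">` header block carries a few lines above; keep only one of them. The banner is referenced at `docs/static/img/vet/vet-banner.png` (under a `vet/` subdirectory) while the logo lives directly in `docs/static/img/`; pick one location for the README images so the relative links stay consistent after the docs move.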


@ -1,30 +0,0 @@
# Why vet?
> It has been estimated that Free and Open Source Software (FOSS) constitutes 70-90% of any given piece of modern software solutions.
<!-- Problem Space -->
Product security practices target software developed and deployed internally.
They do not cover software consumed from external sources in form of libraries
from the Open Source ecosystem. The growing risk of vulnerable, unmaintained
and malicious dependencies establishes the need for product security teams to
vet 3rd party dependencies before consumption.
<!-- Current State -->
Vetting open source packages is largely a manual and opinionated process
involving engineering teams as the requester and security teams as the service
provider. A typical OSS vetting process involves auditing dependencies to
ensure security, popularity, license compliance, trusted publisher etc. The
manual nature of this activity increases cycle time and slows down engineering
velocity, especially for evolving products.
<!-- What vet aims to solve -->
`vet` tool solves the problem of OSS dependency vetting by providing a policy
driven automated analysis of libraries. It can be seamlessly integrated with
any CI tool or used in developer / security engineer's local environment.
:link: [Get Started](https://github.com/safedep/vet)
## Reference
* https://slsa.dev/spec/v0.1/threats
* https://www.linuxfoundation.org/blog/blog/a-summary-of-census-ii-open-source-software-application-libraries-the-world-depends-on
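Review bot: this hunk deletes the whole "Why vet?" page (problem statement, rationale, and the two references to the SLSA threat model and the Census II report), but the diff contains no corresponding addition, so nothing here shows the content was moved rather than dropped. If it now lives under https://safedep.io/docs, reference the commit or PR that adds it there; otherwise the rationale and the reference links should be retained somewhere in the repository, for example in the README section this commit is editing.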