🙌 Refer to https://safedep.io/docs for the documentation 📖

Automate Open Source Package Vetting in CI/CD

vet is a tool for identifying risks in open source software supply chain. It helps engineering and security teams to identify potential issues in their open source dependencies and evaluate them against organizational policies.

🔥 vet in action

Getting Started

• Download the binary file for your operating system / architecture from the Official GitHub Releases

• You can also install vet using homebrew in MacOS and Linux

brew tap safedep/tap
brew install safedep/tap/vet

• Alternatively, build from source

Ensure $(go env GOPATH)/bin is in your $PATH

go install github.com/safedep/vet@latest

• Get an API key for the vet insights data access for performing the scan. Alternatively, look at using community endpoint without API key

vet auth trial --email john.doe@example.com

A time limited trial API key will be sent over email.

• Configure vet to use API key to access the insights

vet auth configure

Insights API is used to enrich OSS packages with metadata for rich query and policy decisions. Alternatively, the API key can be passed through environment variable VET_API_KEY

• You can verify the configured key is successful by running the following command

vet auth verify

Using Community Mode

Community mode can be used to avoid registering and obtaining an API key.

vet auth configure --community

Running Scan

• Run vet to identify risks

vet scan -D /path/to/repository

• You can also scan a specific (supported) package manifest

vet scan --lockfiles /path/to/pom.xml
vet scan --lockfiles /path/to/requirements.txt
vet scan --lockfiles /path/to/package-lock.json

Example Security Gate using vet to prevent introducing new OSS dependency risk in an application.

Scanning SBOM

• To scan an SBOM in CycloneDX format

vet scan --lockfiles /path/to/cyclonedx-sbom.json --lockfile-as bom-cyclonedx

• To scan an SBOM in SPDX format

vet scan --lockfiles /path/to/spdx-sbom.json --lockfile-as bom-spdx

Note: SBOM scanning feature is currently in experimental stage

Scanning Github Repositories

• Setup github access token to scan private repo

vet connect github

Alternatively, set GITHUB_TOKEN environment variable with Github PAT

• To scan remote Github repositories, including private ones

vet scan --github https://github.com/safedep/vet

Note: You may need to enable Dependency Graph at repository or organization level for Github repository scanning to work.

Available Parsers

• To list supported package manifest parsers including experimental modules

vet scan parsers --experimental

📖 Documentation

• Refer to https://safedep.io/docs for the detailed documentation

🎊 Community

First of all, thank you so much for showing interest in vet, we appreciate it ❤️

• Join the server using the link - https://rebrand.ly/safedep-community

🔖 References

• https://github.com/google/osv-scanner