🙌 Refer to https://safedep.io/docs for the documentation 📖
Automate Open Source Package Vetting in CI/CD
vet is a tool for identifying risks in the open source software supply chain. It
helps engineering and security teams identify potential issues in their open
source dependencies and evaluate them against organizational policies.
🔥 vet in action
Getting Started
- Download the binary file for your operating system / architecture from the Official GitHub Releases
- You can also install vet using Homebrew on macOS and Linux
brew tap safedep/tap
brew install safedep/tap/vet
- Alternatively, build from source. Ensure $(go env GOPATH)/bin is in your $PATH
go install github.com/safedep/vet@main
- Configure vet to use community mode for the Insights API
vet auth configure --community
The Insights API is used to enrich OSS packages with metadata for rich queries and policy decisions.
- Verify that the configured key works by running the following command
vet auth verify
Running Scan
- Run vet to identify risks
vet scan -D /path/to/repository
- You can also scan a specific (supported) package manifest
vet scan --lockfiles /path/to/pom.xml
vet scan --lockfiles /path/to/requirements.txt
vet scan --lockfiles /path/to/package-lock.json
Example Security Gate using vet to prevent introducing new OSS dependency risk in an application.
Scanning SBOM
- To scan an SBOM in CycloneDX format
vet scan --lockfiles /path/to/cyclonedx-sbom.json --lockfile-as bom-cyclonedx
- To scan an SBOM in SPDX format
vet scan --lockfiles /path/to/spdx-sbom.json --lockfile-as bom-spdx
Note: the SBOM scanning feature is currently experimental.
Scanning GitHub Repositories
- Set up a GitHub access token to scan private repositories
vet connect github
Alternatively, set the GITHUB_TOKEN environment variable to a GitHub PAT
- To scan remote GitHub repositories, including private ones
vet scan --github https://github.com/safedep/vet
Note: You may need to enable Dependency Graph at the repository or organization level for GitHub repository scanning to work.
Scanning GitHub Organization
You must set up the required access for scanning private repositories before scanning an organization
vet scan --github-org https://github.com/safedep
Note: vet will block and wait if it encounters the GitHub secondary rate limit.
Scanning Package URL
- To scan a package URL (purl)
vet scan --purl pkg:/gem/nokogiri@1.10.4
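The SBOM scanning commands above require you to tell vet which parser to use with --lockfile-as, and the purl command scans one package at a time. The following script is an added example, not part of the vet project: it detects whether a JSON SBOM is CycloneDX or SPDX, picks the matching --lockfile-as value from the README, and extracts the package URLs so that each can also be scanned with vet scan --purl (a useful fallback while SBOM scanning is experimental). It uses only the flags shown in this README; the two SBOM documents embedded below are constructed samples, and the purl check tolerates the slashes after "pkg:" that the purl spec permits, which is why the README's pkg:/gem/nokogiri@1.10.4 is accepted.

```python
"""Detect an SBOM's format, choose the vet --lockfile-as value, and extract purls.

Added example, not vet's own code. Only CLI flags documented in the README
(--lockfiles, --lockfile-as bom-cyclonedx / bom-spdx, --purl) are used.
"""
import json
import re
from typing import Dict, List

# Parser names the README documents for --lockfile-as
CYCLONEDX_PARSER = "bom-cyclonedx"
SPDX_PARSER = "bom-spdx"

# Subset of the purl grammar: scheme, optional slashes, type, namespace/name,
# optional @version, ?qualifiers and #subpath. Rejects obviously malformed
# entries before they are handed to vet.
PURL_RE = re.compile(
    r"^pkg:/*[A-Za-z][A-Za-z0-9.+-]*/[^\s@]+(@[^\s?#]+)?(\?[^\s#]*)?(#\S*)?$"
)

# Constructed sample SBOMs (not real project data)
CYCLONEDX_SAMPLE = json.dumps({
    "bomFormat": "CycloneDX", "specVersion": "1.4", "version": 1,
    "components": [
        {"type": "library", "name": "nokogiri", "version": "1.10.4",
         "purl": "pkg:gem/nokogiri@1.10.4"},
        {"type": "library", "name": "lodash", "version": "4.17.20",
         "purl": "pkg:npm/lodash@4.17.20"},
        {"type": "library", "name": "no-purl", "version": "1.0"},      # no purl
        {"type": "library", "name": "bad", "purl": "not a purl"},       # malformed
    ],
})
SPDX_SAMPLE = json.dumps({
    "spdxVersion": "SPDX-2.3", "SPDXID": "SPDXRef-DOCUMENT", "name": "sample",
    "packages": [
        {"name": "requests", "versionInfo": "2.25.1", "externalRefs": [
            {"referenceCategory": "PACKAGE-MANAGER", "referenceType": "purl",
             "referenceLocator": "pkg:pypi/requests@2.25.1"}]},
        {"name": "requests", "versionInfo": "2.25.1", "externalRefs": [  # duplicate
            {"referenceCategory": "PACKAGE-MANAGER", "referenceType": "purl",
             "referenceLocator": "pkg:pypi/requests@2.25.1"}]},
    ],
})


def parse_sbom(text: str) -> Dict:
    """Parse JSON and require a top-level object (both formats are objects)."""
    doc = json.loads(text)
    if not isinstance(doc, dict):
        raise ValueError("SBOM document must be a JSON object")
    return doc


def detect_sbom_format(doc: Dict) -> str:
    """Return the --lockfile-as value for a parsed SBOM, or raise ValueError."""
    if doc.get("bomFormat") == "CycloneDX":
        return CYCLONEDX_PARSER
    if "spdxVersion" in doc or doc.get("SPDXID") == "SPDXRef-DOCUMENT":
        return SPDX_PARSER
    raise ValueError("not a CycloneDX or SPDX JSON document")


def extract_purls(doc: Dict) -> List[str]:
    """Collect well-formed, de-duplicated purls in document order."""
    fmt = detect_sbom_format(doc)
    candidates: List[str] = []
    if fmt == CYCLONEDX_PARSER:
        for comp in doc.get("components", []):
            if comp.get("purl"):
                candidates.append(comp["purl"])
    else:
        for pkg in doc.get("packages", []):
            for ref in pkg.get("externalRefs", []):
                if ref.get("referenceType") == "purl":
                    candidates.append(ref.get("referenceLocator", ""))
    seen, valid = set(), []
    for purl in candidates:
        if PURL_RE.match(purl) and purl not in seen:
            seen.add(purl)
            valid.append(purl)
    return valid


def vet_commands(path: str, doc: Dict) -> List[List[str]]:
    """argv lists: one SBOM scan with the right parser, then one --purl scan each."""
    cmds = [["vet", "scan", "--lockfiles", path, "--lockfile-as", detect_sbom_format(doc)]]
    for purl in extract_purls(doc):
        cmds.append(["vet", "scan", "--purl", purl])
    return cmds


if __name__ == "__main__":
    for name, text in (("bom.cdx.json", CYCLONEDX_SAMPLE), ("bom.spdx.json", SPDX_SAMPLE)):
        for argv in vet_commands("/path/to/" + name, parse_sbom(text)):
            print(" ".join(argv))
```

Run the script to print the vet invocations for both constructed SBOMs; in a pipeline you would replace the samples with `parse_sbom(open(path).read())` and hand each argv list to `subprocess.run`. Malformed and duplicate purls are dropped rather than passed through, so a broken SBOM entry fails locally instead of producing a confusing vet error.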
Available Parsers
- To list supported package manifest parsers including experimental modules
vet scan parsers --experimental
📖 Documentation
- Refer to https://safedep.io/docs for the detailed documentation
🎊 Community
First of all, thank you so much for showing interest in vet, we appreciate it ❤️
- Join the server using the link - https://rebrand.ly/safedep-community
💻 Development
Requirements
- Go 1.21+
Setup
- Install ASDF
- Install the development tools
asdf install
- Install lefthook
go install github.com/evilmartians/lefthook@latest
- Install git hooks
$(go env GOPATH)/bin/lefthook install
Build
Install build tools
make dev-setup
Generate code from API specs and build vet
make
Quick build without regenerating code from API specs
make quick-vet
Run Tests
go test -v ./...