safedep/vet
1
0
Fork 0
mirror of https://github.com/safedep/vet.git synced 2025-12-10 00:22:08 -06:00
Code Issues Packages Projects Releases 68 Wiki Activity
60 Commits 45 Branches 79 Tags
Go to file
Clone
Open with VS Code Open with VSCodium Open with Intellij IDEA
Download ZIP Download TAR.GZ Download BUNDLE
abhisek d63b920974
Add docker usage instructions in README
2023-03-23 17:20:18 +05:30
.github/workflows
Add top level permission for GH actions
2023-02-19 17:55:50 +05:30
api
Refactor to support customer experimental parsers
2023-03-21 12:23:31 +05:30
docs
Update blurb text
2023-03-23 16:30:34 +05:30
gen
Refactor to support customer experimental parsers
2023-03-21 12:23:31 +05:30
internal
#7: Add support for verify auth before scan
2023-03-10 10:33:41 +05:30
pkg
Publish events from Filter anlayzer module
2023-03-23 16:34:08 +05:30
samples
#13: Add spec for exceptions management
2023-02-21 11:18:40 +05:30
.gitignore
Add goreleaser
2023-01-12 20:32:21 +05:30
.goreleaser.yaml
Update goreleaser
2023-01-12 20:41:52 +05:30
auth.go
#7: Add support for verify auth before scan
2023-03-10 10:33:41 +05:30
Dockerfile
Add filter suite option for scan
2023-02-18 18:01:35 +05:30
go.mod
Refactor to support customer experimental parsers
2023-03-21 12:23:31 +05:30
go.sum
Refactor to support customer experimental parsers
2023-03-21 12:23:31 +05:30
LICENSE
Initial commit
2022-12-30 09:09:03 +05:30
main.go
Add exceptions loader in main
2023-02-21 19:42:44 +05:30
Makefile
#7: Add support for auth verify command
2023-03-09 18:32:43 +05:30
query.go
Add exceptions generate analyzer
2023-02-22 19:06:48 +05:30
README.md
Add docker usage instructions in README
2023-03-23 17:20:18 +05:30
scan.go
#7: Add support for verify auth before scan
2023-03-10 10:33:41 +05:30
version.go
Add goreleaser
2023-01-12 20:32:21 +05:30

README.md

vet

Automate Open Source Package Vetting in CI/CD

vet is a tool for identifying risks in open source software supply chain. It helps engineering and security teams to identify potential issues in their open source dependencies and evaluate them against organizational policies.

OpenSSF Scorecard CodeQL Scorecard supply-chain security

Demo

vet Demo

TL;DR

Scan a repository for OSS dependency risks with auto-detection of package manifests

vet scan -D /path/to/repo

Note: An API key is required for vet to fetch package metadata. Refer Getting Started on how to obtain an API key.

vet Summary Demo

Example Security Gate using vet to prevent introducing new OSS dependency risk in an application.

Getting Started

As Docker Container

Run vet as a docker container without any installation

docker run --rm -it -v /path/to/your/source:/target \
    -e VET_API_KEY=... \
    ghcr.io/safedep/vet:latest \
    scan -D /target

Build from Source

To build from source, install using go get

Ensure $(go env GOPATH)/bin is in your $PATH

go install github.com/safedep/vet@latest

Alternatively, look at Releases for a pre-built binary for your platform. SLSA Provenance is published along with each binary release.

Obtain API Key

Get an API key for Insights API access

vet auth trial --email john.doe@example.com

A time limited API key will be sent over email.

Configure vet to use API Key to access Insights API

vet auth configure

Insights API is used to enrich OSS packages with metadata for rich query and policy decisions. Alternatively, the API key can be passed through environment variable VET_API_KEY

Verify authentication token is valid

vet auth verify

Run vet to identify risks in a source repository

vet scan -D /path/to/repository

or scan a specific (supported) package manifest

vet scan --lockfiles /path/to/pom.xml
vet scan --lockfiles /path/to/requirements.txt
vet scan --lockfiles /path/to/package-lock.json

or scan a supported package manifest with a non-standard name

vet scan --lockfiles /path/to/gradle-compileOnly.lock --lockfile-as gradle.lockfile

Use vet scan parsers to list supported package manifest parsers

The default scan uses an opinionated Summary Reporter which presents a consolidated summary of findings. Thats NOT about it. Read more for expression based filtering and policy evaluation.

Policy Control

Policies are written using a DSL. A group of policies can be applied using vet to build a security gate in CI/CD.

Start by copying a sample policy

curl -LO https://raw.githubusercontent.com/safedep/vet/main/samples/filter-suites/fs-generic.yml

Run a scan with policies and configure the scanner to fail in case of policy violation

vet scan -D /path/to/dir --filter-suite fs-generic.yml --filter-fail

Read more about underlying capability using which policy control is implemented in filtering guide

Exceptions Management

Projects may have legacy libraries that will fail any reasonable security policy. Legacy libraries can be added as time bounded exceptions to the policies to place strict control on any new library while legacy library can be upgraded over time.

Exception rules can be generated using the query workflow to temporarily ignore (or snooze) existing issues when using vet for the first time. This helps in establishing security gating to prevent introduction of new security issues while existing issues are being remediated.

Use exception rules during scan to ignore specific packages

vet scan -D /path/to/repo -e /path/to/exceptions.yml

For more information on generating exceptions, refer to exceptions guide

The generated exceptions file, when combined with policy control, can be used to setup a security gate to prevent introducing new issues while ignoring the existing backlog for a period of time.

vet scan -D /path/to/dir \
    --filter-suite fs-generic.yml --filter-fail
    -e /path/to/exceptions.yml

Exploring OSS Risks using Filters

Find dependencies that seems not very popular

vet scan --lockfiles /path/to/pom.xml --report-summary=false \
    --filter='projects.exists(x, x.stars < 10)'

Find dependencies with a critical vulnerability

vet scan --lockfiles /path/to/pom.xml --report-summary=false \
    --filter='vulns.critical.exists_one(x, true)'

Use filtering along with query command for offline slicing and dicing of enriched package manifests. Read filtering guide

Learn more about filtering with vet. Look at filter input spec on attributes available to the filter expression.

FAQ

How do I disable the stupid banner?

Set environment variable VET_DISABLE_BANNER=1

Can I use this tool without an API Key for Insight Service?

Probably no. All useful data (enrichments) for a detected package comes from a backend service. The service is rate limited with quotas to prevent abuse.

Look at api/insights-v1.yml. It contains the contract expected for Insights API. You can perhaps consider rolling out your own to avoid dependency with our backend.

Something is wrong! How do I debug this thing?

Run without the eye candy UI and enable log to file or to stdout.

Log to stdout:

vet scan -D /path/to/repo -s -l- -v

Log to file:

vet scan -D /path/to/repo -l /tmp/vet.log -v

Which all ecosystems are supported?

  • Java
  • Go
  • Javascript / NodeJS
  • Python

References

Description
Next Generation Software Composition Analysis (SCA) with Malicious Package Detection, Code Context & Policy as Code
devsecopsgolanghacktoberfestnpmpolicy-as-codepypirubygemssecuritysoftware-composition-analysisstatic-analysissupply-chain-security
Readme Apache-2.0 24 MiB
Releases 68
v1.12.5 Latest
2025-09-05 14:25:43 -05:00
Languages
Go 94.6%
templ 2%
Python 0.9%
Shell 0.8%
JavaScript 0.8%
Other 0.9%