safedep/vet: Next Generation Software Composition Analysis (SCA) with Malicious Package Detection, Code Context & Policy as Code - vet

safedep/vet

Fork 0

mirror of https://github.com/safedep/vet.git synced 2025-12-10 00:22:08 -06:00

Go to file

jc ea77a440f6 Added suppor to connect apps. Currently, just github is supported

2023-08-21 14:07:09 +05:30

.github

fix: enable cgo support as required by tree sitter

2023-08-18 11:27:16 +05:30

api

[WIP] Add cloud sync reporter

2023-08-06 12:08:26 +05:30

docs

chore: gofmt fixes and docs update

2023-08-17 23:21:28 +05:30

gen

fix: CycloneDX SBOM support introduced in #111

2023-08-16 17:46:29 +05:30

internal

Added suppor to connect apps. Currently, just github is supported

2023-08-21 14:07:09 +05:30

pkg

Resolved Lint Issues

2023-08-20 14:58:03 +05:30

samples

Resolved issues with go lint

2023-08-20 14:50:50 +05:30

test/samples

Resolved issues with go lint

2023-08-20 14:50:50 +05:30

.gitignore

Add goreleaser

2023-01-12 20:32:21 +05:30

.goreleaser.yaml

ci: Fix multi-platform goreleaser config

2023-08-18 12:18:40 +05:30

auth.go

Add support for using community mode endpoint

2023-04-18 17:26:21 +05:30

connect.go

Added suppor to connect apps. Currently, just github is supported

2023-08-21 14:07:09 +05:30

Dockerfile

fix: enable cgo support as required by tree sitter

2023-08-18 11:27:16 +05:30

go.mod

Added suppor to connect apps. Currently, just github is supported

2023-08-21 14:07:09 +05:30

go.sum

Added suppor to connect apps. Currently, just github is supported

2023-08-21 14:07:09 +05:30

LICENSE

Initial commit

2022-12-30 09:09:03 +05:30

main.go

Added suppor to connect apps. Currently, just github is supported

2023-08-21 14:07:09 +05:30

Makefile

[WIP] Add cloud sync reporter

2023-08-06 12:08:26 +05:30

query.go

Added support to generate json report

2023-08-17 20:46:01 +05:30

README.md

fix: CycloneDX SBOM support introduced in #111

2023-08-16 17:46:29 +05:30

scan.go

Added support to generate json report

2023-08-17 20:46:01 +05:30

version.go

Add goreleaser

2023-01-12 20:32:21 +05:30

README.md

🙌 Refer to https://safedep.io/docs for the documentation 📖

Automate Open Source Package Vetting in CI/CD

vet is a tool for identifying risks in open source software supply chain. It helps engineering and security teams to identify potential issues in their open source dependencies and evaluate them against organizational policies.

🔥 vet in action

Getting Started

Download the binary file for your operating system / architecture from the Official GitHub Releases
You can also install vet using homebrew in MacOS and Linux

brew tap safedep/tap
brew install safedep/tap/vet

Alternatively, build from source

Ensure $(go env GOPATH)/bin is in your $PATH

go install github.com/safedep/vet@latest

Get an API key for the vet insights data access for performing the scan. Alternatively, look at using community endpoint without API key

vet auth trial --email john.doe@example.com

A time limited trial API key will be sent over email.

Configure vet to use API key to access the insights

vet auth configure

Insights API is used to enrich OSS packages with metadata for rich query and policy decisions. Alternatively, the API key can be passed through environment variable VET_API_KEY

You can verify the configured key is successful by running the following command

vet auth verify

Using Community Mode

Community mode can be used to avoid registering and obtaining an API key.

vet auth configure --community

Running Scan

Run vet to identify risks

vet scan -D /path/to/repository

You can also scan a specific (supported) package manifest

vet scan --lockfiles /path/to/pom.xml
vet scan --lockfiles /path/to/requirements.txt
vet scan --lockfiles /path/to/package-lock.json

Example Security Gate using vet to prevent introducing new OSS dependency risk in an application.

Scanning SBOM

To scan an SBOM in CycloneDX format

vet scan --lockfiles /path/to/cyclonedx-sbom.json --lockfile-as bom-cyclonedx

Note: SBOM scanning feature is currently in experimental stage

Available Parsers

To list supported package manifest parsers including experimental modules

vet scan parsers --experimental

📖 Documentation

Refer to https://safedep.io/docs for the detailed documentation

🎊 Community

First of all, thank you so much for showing interest in vet, we appreciate it ❤️

Join the server using the link - https://rebrand.ly/safedep-community

🔖 References

https://github.com/google/osv-scanner

Description

Next Generation Software Composition Analysis (SCA) with Malicious Package Detection, Code Context & Policy as Code

devsecops golang hacktoberfest npm policy-as-code pypi rubygems security software-composition-analysis static-analysis supply-chain-security

Readme Apache-2.0 24 MiB

Releases 68

v1.12.5 Latest

2025-09-05 14:25:43 -05:00

Languages

Go 94.6%

templ 2%

Python 0.9%

Shell 0.8%

JavaScript 0.8%

Other 0.9%