mirror of
https://github.com/safedep/vet.git
synced 2025-12-10 00:22:08 -06:00
* add support for publishing vet to npm
* Update .github/workflows/publish-npm.yml
Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
Signed-off-by: Sahil Bansal <bansalsahil315@gmail.com>
* update npm package readme
--------
Signed-off-by: Sahil Bansal <bansalsahil315@gmail.com>
Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
🔍 vet
Enterprise-grade open source software supply chain security in one CLI.
This package delivers the vet binary via npm for teams that prefer Node.js tooling for installation and upgrades.
✨ What It Does
- Detects vulnerabilities (context & usage aware)
- Flags malicious / typosquatted packages (active + reputation)
- Enforces “Policy as Code” (licenses, popularity, scorecards) with CEL filters
- Works across ecosystems: npm, PyPI, Maven, Go, containers, SBOMs
- Outputs actionable reports: JSON, SARIF, Markdown, CycloneDX SBOM
📦 Install
npm install -g @safedep/vet
Or using Homebrew:
brew tap safedep/tap
brew install safedep/tap/vet
Verify the installation:
vet version
(Alternative installs, such as direct binary downloads, are described in the upstream README.)
⚡ Quick Start
# Scan current project (auto-detect lock/manifests)
vet scan -D .
# Scan a specific manifest
vet scan -M package-lock.json
🛡 Basic Policies
# Fail on critical vulns
vet scan -D . --filter 'vulns.critical.exists(p, true)' --filter-fail
# License guard (example)
vet scan -D . --filter 'licenses.contains_license("GPL-3.0")' --filter-fail
# Scorecard maintenance threshold
vet scan -D . --filter 'scorecard.scores.Maintained < 5' --filter-fail
🔬 Malware Detection
# Setup (get API key)
vet cloud quickstart
# Active malicious package analysis
vet scan -D . --malware
# Known-malicious lookup only (no key)
vet scan -D . --malware-query
📊 Reports
vet scan -D . \
--report-json=report.json \
--report-sarif=report.sarif \
--report-markdown=report.md
Generate SBOM:
vet scan -D . --report-cdx=sbom.json
🧪 Re-query Saved Data
vet scan -D . --json-dump-dir ./.vet-scan
vet query --from ./.vet-scan --filter 'vulns.high.exists(p, true)'
🤖 Integrations
GitHub Action: safedep/vet-action
GitLab Component: safedep/ci-components/vet
Container: ghcr.io/safedep/vet
For complete documentation, advanced usage, troubleshooting, and more information, please visit: github.com/safedep/vet