Skip to content

safedep/vet

SafeDep Vet

Created and maintained by https://safedep.io with contributions from the community 🚀

Go Report Card License Release OpenSSF Scorecard CodeQL SLSA 3 Scorecard supply-chain security Twitter

vet banner

Policy as Code for Open Source Software Supply Chain

vet is a tool for identifying risks in open source software supply chain. It goes beyond just vulnerabilities and provides visibility on OSS package risks due to it's license, popularity, security hygiene, and more. vet is designed with the goal of helping software development teams consume safe and trusted OSS components through automated vetting in CI/CD.

🔥 vet in action

vet Demo

Getting Started

  • Download the binary file for your operating system / architecture from the Official GitHub Releases

  • You can also install vet using homebrew in MacOS and Linux

brew tap safedep/tap
brew install safedep/tap/vet
  • Alternatively, build from source

Ensure $(go env GOPATH)/bin is in your $PATH

go install github.com/safedep/vet@latest
  • Also available as a container image
docker run --rm -it ghcr.io/safedep/vet:latest version

Note: Container image is built for x86_64 Linux only. Use a pre-built binary or build from source for other platforms.

Running Scan

  • Run vet to identify risks by scanning a directory
vet scan -D /path/to/repository

vet scan directory

  • Run vet to scan specific (supported) package manifests
vet scan -M /path/to/pom.xml
vet scan -M /path/to/requirements.txt
vet scan -M /path/to/package-lock.json

Note: --lockfiles is generalized to -M or --manifests to support additional types of package manifests or other artifacts in future.

Scanning Binary Artifacts

  • Scan a Java JAR file
vet scan -M /path/to/app.jar

Suitable for scanning bootable JARs with embedded dependencies

  • Scan a directory with JAR files
vet scan -D /path/to/jars --type jar

Scanning SBOM

vet scan -M /path/to/cyclonedx-sbom.json --type bom-cyclonedx
  • Scan an SBOM in SPDX format
vet scan -M /path/to/spdx-sbom.json --type bom-spdx

Note: --type is a generalized version of --lockfile-as to support additional artifact types in future.

Note: SBOM scanning feature is currently in experimental stage

Scanning Github Repositories

  • Setup github access token to scan private repo
vet connect github

Alternatively, set GITHUB_TOKEN environment variable with Github PAT

  • To scan remote Github repositories, including private ones
vet scan --github https://github.com/safedep/vet

Note: You may need to enable Dependency Graph at repository or organization level for Github repository scanning to work.

Scanning Github Organization

You must setup the required access for scanning private repositories before scanning organizations

vet scan --github-org https://github.com/safedep

Note: vet will block and wait if it encounters Github secondary rate limit.

Scanning Package URL

vet scan --purl pkg:/gem/[email protected]

Available Parsers

  • List supported package manifest parsers including experimental modules
vet scan parsers --experimental

Policy as Code

vet uses Common Expressions Language (CEL) as the policy language. Policies can be defined to build guardrails preventing introduction of insecure components.

  • Run vet and fail if a critical or high vulnerability was detected
vet scan -D /path/to/code \
    --filter 'vulns.critical.exists(p, true) || vulns.high.exists(p, true)' \
    --filter-fail
  • Run vet and fail if a package with a specific license was detected
vet scan -D /path/to/code \
    --filter 'licenses.exists(p, p == "GPL-2.0")' \
    --filter-fail
vet scan -D /path/to/code \
    --filter 'scorecard.scores.Maintained == 0' \
    --filter-fail

For more examples, refer to documentation

Query Mode

  • Run scan and dump internal data structures to a file for further querying
vet scan -D /path/to/code --json-dump-dir /path/to/dump
  • Filter results using query command
vet query --from /path/to/dump \
    --filter 'vulns.critical.exists(p, true) || vulns.high.exists(p, true)'
  • Generate report from dumped data
vet query --from /path/to/dump --report-json /path/to/report.json

Reporting

vet supports generating reports in multiple formats during scan or query execution.

Format Description
Markdown Human readable report for vulnerabilities, licenses, and more
CSV Export data to CSV format for manual slicing and dicing
JSON Machine readable JSON format following internal schema (maximum data)
SARIF Useful for integration with Github Code Scanning and other tools
Graph Dependency graph in DOT format for risk and package relationship visualization
Summary Default console report with summary of vulnerabilities, licenses, and more

CI/CD Integration

📦 GitHub Action

  • vet is available as a GitHub Action, refer to vet-action

🚀 GitLab CI

🛠️ Advanced Usage

📖 Documentation

vet docs

🎊 Community

First of all, thank you so much for showing interest in vet, we appreciate it ❤️

SafeDep Discord

💻 Development

Refer to CONTRIBUTING.md

Support

SafeDep provides enterprise support for vet deployments. Check out SafeDep Cloud for large scale deployment and management of vet in your organization.

Star History

Star History Chart

🔖 References