Created and maintained by https://safedep.io with contributions from the community π
vet
is a tool for identifying risks in open source software supply chain. It
goes beyond just vulnerabilities and provides visibility on OSS package risks
due to it's license, popularity, security hygiene, and more. vet
is designed
with the goal of helping software development teams consume safe and trusted
OSS components through automated vetting in CI/CD.
- π₯ vet in action
- Getting Started
- Policy as Code
- Query Mode
- Reporting
- CI/CD Integration
- π οΈ Advanced Usage
- π Documentation
- π Community
- π» Development
- Support
- Star History
- π References
-
Download the binary file for your operating system / architecture from the Official GitHub Releases
-
You can also install
vet
using homebrew in MacOS and Linux
brew tap safedep/tap
brew install safedep/tap/vet
- Alternatively, build from source
Ensure $(go env GOPATH)/bin is in your $PATH
go install github.com/safedep/vet@latest
- Also available as a container image
docker run --rm -it ghcr.io/safedep/vet:latest version
Note: Container image is built for x86_64 Linux only. Use a pre-built binary or build from source for other platforms.
- Run
vet
to identify risks by scanning a directory
vet scan -D /path/to/repository
- Run
vet
to scan specific (supported) package manifests
vet scan -M /path/to/pom.xml
vet scan -M /path/to/requirements.txt
vet scan -M /path/to/package-lock.json
Note: --lockfiles
is generalized to -M
or --manifests
to support additional
types of package manifests or other artifacts in future.
- Scan a Java JAR file
vet scan -M /path/to/app.jar
Suitable for scanning bootable JARs with embedded dependencies
- Scan a directory with JAR files
vet scan -D /path/to/jars --type jar
- Scan an SBOM in CycloneDX format
vet scan -M /path/to/cyclonedx-sbom.json --type bom-cyclonedx
- Scan an SBOM in SPDX format
vet scan -M /path/to/spdx-sbom.json --type bom-spdx
Note: --type
is a generalized version of --lockfile-as
to support additional
artifact types in future.
Note: SBOM scanning feature is currently in experimental stage
- Setup github access token to scan private repo
vet connect github
Alternatively, set GITHUB_TOKEN
environment variable with Github PAT
- To scan remote Github repositories, including private ones
vet scan --github https://github.com/safedep/vet
Note: You may need to enable Dependency Graph at repository or organization level for Github repository scanning to work.
You must setup the required access for scanning private repositories before scanning organizations
vet scan --github-org https://github.com/safedep
Note:
vet
will block and wait if it encounters Github secondary rate limit.
- To scan a purl
vet scan --purl pkg:/gem/nokogiri@1.10.4
- List supported package manifest parsers including experimental modules
vet scan parsers --experimental
vet
uses Common Expressions Language
(CEL) as the policy language. Policies can be defined to build guardrails
preventing introduction of insecure components.
- Run
vet
and fail if a critical or high vulnerability was detected
vet scan -D /path/to/code \
--filter 'vulns.critical.exists(p, true) || vulns.high.exists(p, true)' \
--filter-fail
- Run
vet
and fail if a package with a specific license was detected
vet scan -D /path/to/code \
--filter 'licenses.exists(p, p == "GPL-2.0")' \
--filter-fail
- Run
vet
and fail based on OpenSSF Scorecard attributes
vet scan -D /path/to/code \
--filter 'scorecard.scores.Maintained == 0' \
--filter-fail
For more examples, refer to documentation
- Run scan and dump internal data structures to a file for further querying
vet scan -D /path/to/code --json-dump-dir /path/to/dump
- Filter results using
query
command
vet query --from /path/to/dump \
--filter 'vulns.critical.exists(p, true) || vulns.high.exists(p, true)'
- Generate report from dumped data
vet query --from /path/to/dump --report-json /path/to/report.json
vet
supports generating reports in multiple formats during scan
or query
execution.
Format | Description |
---|---|
Markdown | Human readable report for vulnerabilities, licenses, and more |
CSV | Export data to CSV format for manual slicing and dicing |
JSON | Machine readable JSON format following internal schema (maximum data) |
SARIF | Useful for integration with Github Code Scanning and other tools |
Graph | Dependency graph in DOT format for risk and package relationship visualization |
Summary | Default console report with summary of vulnerabilities, licenses, and more |
vet
is available as a GitHub Action, refer to vet-action
vet
can be integrated with GitLab CI, refer to vet-gitlab-ci
- Refer to https://safedep.io/docs for the detailed documentation
First of all, thank you so much for showing interest in vet
, we appreciate it β€οΈ
- Join the Discord server using the link - https://rebrand.ly/safedep-community
Refer to CONTRIBUTING.md
SafeDep provides enterprise support for vet
deployments. Check out SafeDep Cloud for large scale
deployment and management of vet
in your organization.