SafeDep VET
🛡️ Real-time malicious package detection & software supply chain security
🎯 Why vet?
70-90% of modern software consists of code from open sources. How do we know if it's safe?
vet is an open source software supply chain security tool built for developers and security engineers who need:
✅ Real-time malicious package detection — Active scanning and analysis of unknown packages
✅ Modern SCA with actual usage analysis — Prioritize real risks over vulnerability noise
✅ Policy as Code — Express security requirements using CEL expressions
Hosted SaaS version available at SafeDep Cloud. Get started with GitHub App and other integrations.
⚡ Quick Start
Install in seconds:
# macOS & Linux
brew install safedep/tap/vet
or download a pre-built binary
Get started immediately:
# Scan for malware in your dependencies
vet scan -D . --malware-query
# Fail CI on critical vulnerabilities
vet scan -D . --filter 'vulns.critical.exists(p, true)' --filter-fail
# Get API key for advanced malware detection
vet cloud quickstart
📦 Architecture
graph TB
subgraph "OSS Ecosystem"
R1[npm Registry]
R2[PyPI Registry]
R3[Maven Central]
R4[Other Registries]
end
subgraph "SafeDep Cloud"
M[Continuous Monitoring]
A[Real-time Code Analysis<br/>Malware Detection]
T[Threat Intelligence DB<br/>Vulnerabilities • Malware • Scorecard]
end
subgraph "vet CLI"
S[Source Repository<br/>Scanner]
P[CEL Policy Engine]
O[Reports & Actions<br/>SARIF/JSON/CSV]
end
R1 -->|New Packages| M
R2 -->|New Packages| M
R3 -->|New Packages| M
R4 -->|New Packages| M
M -->|Behavioral Analysis| A
A -->|Malware Signals| T
S -->|Query Package Info| T
T -->|Security Intelligence| S
S -->|Analysis Results| P
P -->|Policy Decisions| O
style M fill:#7CB9E8,stroke:#5A8DB8,color:#1a1a1a
style A fill:#E8A87C,stroke:#B88A5A,color:#1a1a1a
style T fill:#7CB9E8,stroke:#5A8DB8,color:#1a1a1a
style S fill:#90C695,stroke:#6B9870,color:#1a1a1a
style P fill:#E8C47C,stroke:#B89B5A,color:#1a1a1a
style O fill:#B8A3D4,stroke:#9478AA,color:#1a1a1a
🔒 Key Features
🛡️ Malicious Package Detection
Real-time protection against malicious packages powered by SafeDep Cloud. Free for open source projects. Detects zero-day malware through active code analysis.
🕵️ Smart Vulnerability Analysis
Unlike dependency scanners that flood you with noise, vet analyzes your actual code usage to prioritize real risks.
See dependency usage evidence for details.
📋 Policy as Code
Define security policies using CEL expressions to enforce context-specific requirements:
# Block packages with critical CVEs
vet scan --filter 'vulns.critical.exists(p, true)' --filter-fail
# Enforce license compliance
vet scan --filter 'licenses.contains_license("GPL-3.0")' --filter-fail
# Require minimum OpenSSF Scorecard scores
vet scan --filter 'scorecard.scores.Maintained < 5' --filter-fail
🎯 Multi-Ecosystem Support
Package managers: npm, PyPI, Maven, Go, Ruby, Rust, PHP
Container images: Docker, OCI
SBOM formats: CycloneDX, SPDX
Source repositories: GitHub, GitLab
🛡️ Malicious Package Detection
Real-time protection against malicious packages with active scanning and behavioral analysis.
🚀 Quick Setup
# One-time setup for advanced scanning
vet cloud quickstart
# Scan for malware with active scanning (requires API key)
vet scan -D . --malware
# Query known malicious packages (no API key needed)
vet scan -D . --malware-query
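A CI gate that combines the two malware modes from the Quick Setup above with the three Policy as Code filters from earlier in this README, as an added example that is not part of the vet project. It assumes the API key obtained from `vet cloud quickstart` is exported as VET_API_KEY (variable name assumed) and that vet accepts the three filters joined with CEL's `||` as a single expression.

```shell
#!/bin/sh
# Added example, not part of the vet project: a CI gate that picks the
# malware mode matching the credentials available and applies the three
# policy filters from this README as a single CEL expression.
# Assumption: the API key from `vet cloud quickstart` is exported as
# VET_API_KEY (variable name assumed here).
set -eu

# Active analysis (--malware) needs an API key; the known-malware
# lookup (--malware-query) does not, so fall back to it when no key is set.
malware_flag() {
  if [ -n "${VET_API_KEY:-}" ]; then
    echo "--malware"
  else
    echo "--malware-query"
  fi
}

# One CEL policy combining the README's three filters: any match makes
# --filter-fail return a non-zero exit status, which fails the CI job.
gate_policy() {
  echo 'vulns.critical.exists(p, true) || licenses.contains_license("GPL-3.0") || scorecard.scores.Maintained < 5'
}

# Print the full argument list for scanning directory $1, one per line,
# so the composed command can be inspected without running vet.
vet_gate_args() {
  printf '%s\n' scan -D "$1" "$(malware_flag)" \
    --filter "$(gate_policy)" --filter-fail
}

# Run the gate against a directory (default: current directory); the
# exit status of vet propagates to the caller because of `set -e`.
vet_gate() {
  dir="${1:-.}"
  vet scan -D "$dir" "$(malware_flag)" --filter "$(gate_policy)" --filter-fail
}
```

Call `vet_gate /path/to/repo` from the CI step; the job fails whenever vet reports a policy match or a malicious package.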
Example detections:
- MAL-2025-3541: express-cookie-parser
- MAL-2025-4339: eslint-config-airbnb-compat
- MAL-2025-4029: ts-runtime-compat-check
Key security features:
- ✅ Real-time analysis against known malware databases
- ✅ Behavioral analysis using static and dynamic analysis
- ✅ Zero-day protection through active code scanning
- ✅ Human-in-the-loop triaging for high-impact findings
- ✅ Public analysis log for transparency
🎯 Advanced Usage
# Specialized scans
vet scan --vsx --malware # VS Code extensions
vet scan -D .github/workflows --malware # GitHub Actions
vet scan --image nats:2.10 --malware # Container images
# Analyze specific packages
vet inspect malware --purl pkg:npm/nyc-config@10.0.0
🚀 Production Ready Integrations
📦 GitHub Actions
Zero-config security guardrails in CI/CD:
- uses: safedep/vet-action@v1
  with:
    policy: ".github/vet/policy.yml"
See vet-action documentation.
🔧 GitLab CI
Enterprise scanning with vet CI Component:
include:
  - component: gitlab.com/safedep/ci-components/vet/scan@main
🐳 Container Integration
Run vet anywhere using our container image:
docker run --rm -v $(pwd):/app ghcr.io/safedep/vet:latest scan -D /app --malware
📦 Installation
🍺 Homebrew (Recommended)
brew tap safedep/tap
brew install safedep/tap/vet
📥 Direct Download
See releases for pre-built binaries.
🐹 Go Install
go install github.com/safedep/vet@latest
🐳 Container Image
# Quick test
docker run --rm ghcr.io/safedep/vet:latest version
# Scan local directory
docker run --rm -v $(pwd):/workspace ghcr.io/safedep/vet:latest scan -D /workspace
⚙️ Verify Installation
vet version
# Should display version and build information
📚 Advanced Features
Learn more in our comprehensive documentation:
- MCP Server - Run vet as an MCP server for AI-assisted code analysis
- AI Agent Mode - Run vet as an AI agent
- Reporting - SARIF, JSON, CSV, HTML, Markdown formats
- SBOM Support - CycloneDX, SPDX import/export
- Query Mode - Scan once, analyze multiple times
- GitHub Integration - Repository and organization scanning
📊 Privacy
vet collects anonymous usage telemetry to improve the product. Your code and package information are never transmitted.
# Disable telemetry (optional)
export VET_DISABLE_TELEMETRY=true
🎊 Community & Support
💡 Get Help & Share Ideas
- 🚀 Interactive Tutorial - Learn vet hands-on
- 📚 Complete Documentation - Comprehensive guides
- 💬 Discord Community - Real-time support
- 🐛 Issue Tracker - Bug reports & feature requests
- 🤝 Contributing Guide - Join the development
🙏 Built With Open Source
vet stands on the shoulders of giants:
OSV • OpenSSF Scorecard • SLSA • OSV-SCALIBR • Syft
⚡ Secure your supply chain today. Star the repo ⭐ and get started!
Created with ❤️ by SafeDep and the open source community
