{"id":13606704,"url":"https://github.com/safedep/vet","last_synced_at":"2026-02-09T17:02:43.312Z","repository":{"id":65695759,"uuid":"583528771","full_name":"safedep/vet","owner":"safedep","description":"Protect against malicious open source packages 🤖","archived":false,"fork":false,"pushed_at":"2025-12-16T12:56:01.000Z","size":14328,"stargazers_count":918,"open_issues_count":91,"forks_count":80,"subscribers_count":15,"default_branch":"main","last_synced_at":"2025-12-20T03:03:03.036Z","etag":null,"topics":["devsecops","golang","hacktoberfest","npm","policy-as-code","pypi","rubygems","security","software-composition-analysis","static-analysis","supply-chain-security"],"latest_commit_sha":null,"homepage":"https://safedep.io","language":"Go","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"apache-2.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/safedep.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":"CONTRIBUTING.md","funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null,"notice":null,"maintainers":"MAINTAINERS.txt","copyright":null,"agents":null,"dco":null,"cla":null}},"created_at":"2022-12-30T03:39:03.000Z","updated_at":"2025-12-19T11:33:26.000Z","dependencies_parsed_at":"2023-12-26T07:36:13.192Z","dependency_job_id":"da053e23-edb8-41e4-b4b1-3494a5332b93","html_url":"https://github.com/safedep/vet","commit_stats":null,"previous_names":[],"tags_count":80,"template":false,"template_full_name":null,"purl":"pkg:github/safedep/vet","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/safedep%2Fvet","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/safedep%2Fvet/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/safedep%2Fvet/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/safedep%2Fvet/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/safedep","download_url":"https://codeload.github.com/safedep/vet/tar.gz/refs/heads/main","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/safedep%2Fvet/sbom","scorecard":{"id":452845,"data":{"date":"2025-08-19T06:27:15Z","repo":{"name":"github.com/safedep/vet","commit":"2d06114eb7975792016dbb4607cdd21ef73f525f"},"scorecard":{"version":"v4.13.1","commit":"49c0eed3a423f00c872b5c3c9f1bbca9e8aae799"},"score":7,"checks":[{"name":"Binary-Artifacts","score":10,"reason":"no binaries found in the repo","details":null,"documentation":{"short":"Determines if the project has generated executable (binary) artifacts in the source repository.","url":"https://github.com/ossf/scorecard/blob/49c0eed3a423f00c872b5c3c9f1bbca9e8aae799/docs/checks.md#binary-artifacts"}},{"name":"Branch-Protection","score":8,"reason":"branch protection is not maximal on development and all release branches","details":["Info: 'force pushes' disabled on branch 'main'","Info: 'allow deletion' disabled on branch 'main'","Info: status check found to merge onto on branch 'main'","Warn: number of required reviewers is only 1 on branch 'main'","Warn: settings do not apply to administrators on branch 'main'","Warn: codeowner review is not required on branch 'main'"],"documentation":{"short":"Determines if the default and release branches are protected with GitHub's branch protection settings.","url":"https://github.com/ossf/scorecard/blob/49c0eed3a423f00c872b5c3c9f1bbca9e8aae799/docs/checks.md#branch-protection"}},{"name":"CI-Tests","score":10,"reason":"20 out of 20 merged PRs checked by a CI test -- score normalized to 10","details":null,"documentation":{"short":"Determines if the project runs tests before pull requests are merged.","url":"https://github.com/ossf/scorecard/blob/49c0eed3a423f00c872b5c3c9f1bbca9e8aae799/docs/checks.md#ci-tests"}},{"name":"CII-Best-Practices","score":2,"reason":"badge detected: in_progress","details":null,"documentation":{"short":"Determines if the project has an OpenSSF (formerly CII) Best Practices Badge.","url":"https://github.com/ossf/scorecard/blob/49c0eed3a423f00c872b5c3c9f1bbca9e8aae799/docs/checks.md#cii-best-practices"}},{"name":"Code-Review","score":10,"reason":"all changesets reviewed","details":null,"documentation":{"short":"Determines if the project requires human code review before pull requests (aka merge requests) are merged.","url":"https://github.com/ossf/scorecard/blob/49c0eed3a423f00c872b5c3c9f1bbca9e8aae799/docs/checks.md#code-review"}},{"name":"Contributors","score":10,"reason":"18 different organizations found -- score normalized to 10","details":["Info: contributors work for 3SLabs,EddieHubCommunity,OWASP,all-stackers,boringtools,code-bloodead,code-squads,community-snyk,indiabuild,k9exp,layer5io,meltred,null-open-security-community,olvyhq,safedep,safedep @nexb @litwizlabs-wizstudio-v1,tldrrun,ubercoolsec"],"documentation":{"short":"Determines if the project has a set of contributors from multiple organizations (e.g., companies).","url":"https://github.com/ossf/scorecard/blob/49c0eed3a423f00c872b5c3c9f1bbca9e8aae799/docs/checks.md#contributors"}},{"name":"Dangerous-Workflow","score":10,"reason":"no dangerous workflow patterns detected","details":null,"documentation":{"short":"Determines if the project's GitHub Action workflows avoid dangerous patterns.","url":"https://github.com/ossf/scorecard/blob/49c0eed3a423f00c872b5c3c9f1bbca9e8aae799/docs/checks.md#dangerous-workflow"}},{"name":"Dependency-Update-Tool","score":10,"reason":"update tool detected","details":["Info: tool 'Dependabot' is used: .github/dependabot.yml:1"],"documentation":{"short":"Determines if the project uses a dependency update tool.","url":"https://github.com/ossf/scorecard/blob/49c0eed3a423f00c872b5c3c9f1bbca9e8aae799/docs/checks.md#dependency-update-tool"}},{"name":"Fuzzing","score":0,"reason":"project is not fuzzed","details":["Warn: no OSSFuzz integration found: Follow the steps in https://github.com/google/oss-fuzz to integrate fuzzing for your project.\nOver time, try to add fuzzing for more functionalities of your project. (High effort)","Warn: no OneFuzz integration found: Follow the steps in https://github.com/microsoft/onefuzz to start fuzzing for your project.\nOver time, try to add fuzzing for more functionalities of your project. (High effort)","Warn: no GoBuiltInFuzzer integration found: Follow the steps in https://go.dev/doc/fuzz/ to enable fuzzing on your project.\nOver time, try to add fuzzing for more functionalities of your project. (Medium effort)","Warn: no PythonAtherisFuzzer integration found: Follow the steps in https://github.com/google/atheris to enable fuzzing on your project.\nOver time, try to add fuzzing for more functionalities of your project. (Medium effort)","Warn: no CLibFuzzer integration found: Follow the steps in https://llvm.org/docs/LibFuzzer.html to enable fuzzing on your project.\nOver time, try to add fuzzing for more functionalities of your project. (Medium effort)","Warn: no CppLibFuzzer integration found: Follow the steps in https://llvm.org/docs/LibFuzzer.html to enable fuzzing on your project.\nOver time, try to add fuzzing for more functionalities of your project. (Medium effort)","Warn: no SwiftLibFuzzer integration found: Follow the steps in https://google.github.io/oss-fuzz/getting-started/new-project-guide/swift-lang/ to enable fuzzing on your project.\nOver time, try to add fuzzing for more functionalities of your project. (Medium effort)","Warn: no RustCargoFuzzer integration found: Follow the steps in https://rust-fuzz.github.io/book/cargo-fuzz.html to enable fuzzing on your project.\nOver time, try to add fuzzing for more functionalities of your project. (Medium effort)","Warn: no JavaJazzerFuzzer integration found: Follow the steps in https://github.com/CodeIntelligenceTesting/jazzer to enable fuzzing on your project.\nOver time, try to add fuzzing for more functionalities of your project. (Medium effort)","Warn: no ClusterFuzzLite integration found: Follow the steps in https://github.com/google/clusterfuzzlite to integrate fuzzing as part of CI.\nOver time, try to add fuzzing for more functionalities of your project. (High effort)","Warn: no HaskellPropertyBasedTesting integration found: Use one of the following frameworks to fuzz your project:\nQuickCheck: https://hackage.haskell.org/package/QuickCheck\nhedgehog: https://hedgehog.qa/\nvalidity: https://github.com/NorfairKing/validity\nsmallcheck: https://hackage.haskell.org/package/smallcheck\nhspec: https://hspec.github.io/\ntasty: https://hackage.haskell.org/package/tasty (High effort)","Warn: no TypeScriptPropertyBasedTesting integration found: Use fast-check: https://github.com/dubzzz/fast-check (High effort)","Warn: no JavaScriptPropertyBasedTesting integration found: Use fast-check: https://github.com/dubzzz/fast-check (High effort)"],"documentation":{"short":"Determines if the project uses fuzzing.","url":"https://github.com/ossf/scorecard/blob/49c0eed3a423f00c872b5c3c9f1bbca9e8aae799/docs/checks.md#fuzzing"}},{"name":"License","score":10,"reason":"license file detected","details":["Info: License file found in expected location: LICENSE:1","Info: FSF or OSI recognized license: LICENSE:1"],"documentation":{"short":"Determines if the project has defined a license.","url":"https://github.com/ossf/scorecard/blob/49c0eed3a423f00c872b5c3c9f1bbca9e8aae799/docs/checks.md#license"}},{"name":"Maintained","score":10,"reason":"30 commit(s) out of 30 and 25 issue activity out of 30 found in the last 90 days -- score normalized to 10","details":null,"documentation":{"short":"Determines if the project is \"actively maintained\".","url":"https://github.com/ossf/scorecard/blob/49c0eed3a423f00c872b5c3c9f1bbca9e8aae799/docs/checks.md#maintained"}},{"name":"Packaging","score":10,"reason":"publishing workflow detected","details":["Info: GitHub/GitLab publishing workflow used in run https://api.github.com/repos/safedep/vet/actions/runs/17040543699: .github/workflows/container.yml:20"],"documentation":{"short":"Determines if the project is published as a package that others can easily download, install, easily update, and uninstall.","url":"https://github.com/ossf/scorecard/blob/49c0eed3a423f00c872b5c3c9f1bbca9e8aae799/docs/checks.md#packaging"}},{"name":"Pinned-Dependencies","score":9,"reason":"dependency not pinned by hash detected -- score normalized to 9","details":["Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/publish-npm.yml:16: update your workflow using https://app.stepsecurity.io/secureworkflow/safedep/vet/publish-npm.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/publish-npm.yml:18: update your workflow using https://app.stepsecurity.io/secureworkflow/safedep/vet/publish-npm.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/publish-npm.yml:67: update your workflow using https://app.stepsecurity.io/secureworkflow/safedep/vet/publish-npm.yml/main?enable=pin","Warn: npmCommand not pinned by hash: .github/workflows/publish-npm.yml:96","Info:  22 out of  25 GitHub-owned GitHubAction dependencies pinned","Info:  14 out of  14 third-party GitHubAction dependencies pinned","Info:   2 out of   2 containerImage dependencies pinned","Info:   0 out of   1 npmCommand dependencies pinned"],"documentation":{"short":"Determines if the project has declared and pinned the dependencies of its build process.","url":"https://github.com/ossf/scorecard/blob/49c0eed3a423f00c872b5c3c9f1bbca9e8aae799/docs/checks.md#pinned-dependencies"}},{"name":"SAST","score":10,"reason":"SAST tool is run on all commits","details":["Info: all commits (30) are checked with a SAST tool","Info: SAST tool detected: CodeQL"],"documentation":{"short":"Determines if the project uses static code analysis.","url":"https://github.com/ossf/scorecard/blob/49c0eed3a423f00c872b5c3c9f1bbca9e8aae799/docs/checks.md#sast"}},{"name":"Security-Policy","score":9,"reason":"security policy file detected","details":["Info: security policy file detected: github.com/safedep/.github/SECURITY.md:1","Info: Found linked content: github.com/safedep/.github/SECURITY.md:1","Warn: One or no descriptive hints of disclosure, vulnerability, and/or timelines in security policy: On GitHub:\nEnable private vulnerability disclosure in your repository settings https://docs.github.com/en/code-security/security-advisories/repository-security-advisories/configuring-private-vulnerability-reporting-for-a-repository\nAdd a section in your SECURITY.md indicating you have enabled private reporting, and tell them to follow the steps in https://docs.github.com/en/code-security/security-advisories/guidance-on-reporting-and-writing/privately-reporting-a-security-vulnerability to report vulnerabilities.\nOn GitLab:\nAdd a section in your SECURITY.md indicating the process to disclose vulnerabilities for your project.\nExamples: https://github.com/ossf/scorecard/blob/main/SECURITY.md, https://github.com/slsa-framework/slsa-github-generator/blob/main/SECURITY.md, https://github.com/sigstore/.github/blob/main/SECURITY.md. (Low effort)","Info: Found text in security policy: github.com/safedep/.github/SECURITY.md:1"],"documentation":{"short":"Determines if the project has published a security policy.","url":"https://github.com/ossf/scorecard/blob/49c0eed3a423f00c872b5c3c9f1bbca9e8aae799/docs/checks.md#security-policy"}},{"name":"Signed-Releases","score":0,"reason":"0 out of 5 artifacts are signed or have provenance","details":["Warn: release artifact v1.12.2 does not have provenance: https://api.github.com/repos/safedep/vet/releases/236236149","Warn: release artifact v1.12.2 not signed: https://api.github.com/repos/safedep/vet/releases/236236149","Warn: release artifact v1.12.1 does not have provenance: https://api.github.com/repos/safedep/vet/releases/234117335","Warn: release artifact v1.12.1 not signed: https://api.github.com/repos/safedep/vet/releases/234117335","Warn: release artifact v1.12.0 does not have provenance: https://api.github.com/repos/safedep/vet/releases/234115280","Warn: release artifact v1.12.0 not signed: https://api.github.com/repos/safedep/vet/releases/234115280","Warn: release artifact v1.11.3 does not have provenance: https://api.github.com/repos/safedep/vet/releases/223621111","Warn: release artifact v1.11.3 not signed: https://api.github.com/repos/safedep/vet/releases/223621111","Warn: release artifact v1.11.2 does not have provenance: https://api.github.com/repos/safedep/vet/releases/223572404","Warn: release artifact v1.11.2 not signed: https://api.github.com/repos/safedep/vet/releases/223572404"],"documentation":{"short":"Determines if the project cryptographically signs release artifacts.","url":"https://github.com/ossf/scorecard/blob/49c0eed3a423f00c872b5c3c9f1bbca9e8aae799/docs/checks.md#signed-releases"}},{"name":"Token-Permissions","score":0,"reason":"detected GitHub workflow tokens with excessive permissions","details":["Info: topLevel 'contents' permission set to 'read': .github/workflows/ci.yml:11","Info: topLevel 'contents' permission set to 'read': .github/workflows/codeql.yml:22","Info: jobLevel 'actions' permission set to 'read': .github/workflows/codeql.yml:31","Info: jobLevel 'contents' permission set to 'read': .github/workflows/codeql.yml:32","Info: topLevel 'contents' permission set to 'read': .github/workflows/container.yml:13","Info: jobLevel 'contents' permission set to 'read': .github/workflows/container.yml:25","Info: topLevel 'contents' permission set to 'read': .github/workflows/dependency-review.yml:11","Info: topLevel 'contents' permission set to 'read': .github/workflows/golangci-lint.yml:7","Info: topLevel 'pull-requests' permission set to 'read': .github/workflows/golangci-lint.yml:8","Info: topLevel 'contents' permission set to 'read': .github/workflows/goreleaser.yml:11","Info: jobLevel 'actions' permission set to 'read': .github/workflows/goreleaser.yml:94","Warn: no topLevel permission defined: .github/workflows/publish-npm.yml:1: Visit https://app.stepsecurity.io/secureworkflow/safedep/vet/publish-npm.yml/main?enable=permissions\nTick the 'Restrict permissions for GITHUB_TOKEN'\nUntick other options\nNOTE: If you want to resolve multiple issues at once, you can visit https://app.stepsecurity.io/securerepo instead. (Low effort)","Info: jobLevel 'contents' permission set to 'read': .github/workflows/publish-npm.yml:12","Info: topLevel permissions set to 'read-all': .github/workflows/scorecard.yml:18","Info: topLevel 'contents' permission set to 'read': .github/workflows/secret_scan.yml:8","Warn: topLevel 'security-events' permission set to 'write': .github/workflows/vet-ci.yml:13: Visit https://app.stepsecurity.io/secureworkflow/safedep/vet/vet-ci.yml/main?enable=permissions\nTick the 'Restrict permissions for GITHUB_TOKEN'\nUntick other options\nNOTE: If you want to resolve multiple issues at once, you can visit https://app.stepsecurity.io/securerepo instead. (Low effort)","Info: topLevel 'contents' permission set to 'read': .github/workflows/vet-ci.yml:10","Info: no jobLevel write permissions found"],"documentation":{"short":"Determines if the project's workflows follow the principle of least privilege.","url":"https://github.com/ossf/scorecard/blob/49c0eed3a423f00c872b5c3c9f1bbca9e8aae799/docs/checks.md#token-permissions"}},{"name":"Vulnerabilities","score":0,"reason":"19 existing vulnerabilities detected","details":["Warn: Project is vulnerable to: GHSA-m6xf-fq7q-8743 / PYSEC-2020-28","Warn: Project is vulnerable to: GHSA-q65m-pv3f-wr5r / PYSEC-2020-27","Warn: Project is vulnerable to: GHSA-vqhp-cxgc-6wmm / PYSEC-2020-340","Warn: Project is vulnerable to: GHSA-vv2x-vrpj-qqpq / PYSEC-2021-865","Warn: Project is vulnerable to: GHSA-652x-xj99-gmcc / PYSEC-2014-14","Warn: Project is vulnerable to: GHSA-9hjg-9r4m-mvj7","Warn: Project is vulnerable to: GHSA-9wx4-h78v-vm56","Warn: Project is vulnerable to: GHSA-cfj3-7x9c-4p3h / PYSEC-2014-13","Warn: Project is vulnerable to: GHSA-x84v-xcm2-53pg / PYSEC-2018-28","Warn: Project is vulnerable to: GHSA-j8r2-6x86-q33q / PYSEC-2023-74","Warn: Project is vulnerable to: GHSA-6v67-2wr5-gvf4","Warn: Project is vulnerable to: GHSA-pr98-23f8-jwxv","Warn: Project is vulnerable to: GHSA-vmq6-5m68-f53m","Warn: Project is vulnerable to: GHSA-34jh-p97f-mpxf","Warn: Project is vulnerable to: GHSA-g4mx-q9vg-27p4 / PYSEC-2023-212","Warn: Project is vulnerable to: GHSA-pq67-6m6q-mj2v","Warn: Project is vulnerable to: GHSA-v845-jxx5-vc9f / PYSEC-2023-192","Warn: Project is vulnerable to: GHSA-m2qf-hxjv-5gpq / PYSEC-2023-62","Warn: Project is vulnerable to: GHSA-3hjh-jh2h-vrg6 / PYSEC-2024-118"],"documentation":{"short":"Determines if the project has open, known unfixed vulnerabilities.","url":"https://github.com/ossf/scorecard/blob/49c0eed3a423f00c872b5c3c9f1bbca9e8aae799/docs/checks.md#vulnerabilities"}}]},"last_synced_at":"2025-08-19T08:39:16.742Z","repository_id":65695759,"created_at":"2025-08-19T08:39:16.742Z","updated_at":"2025-08-19T08:39:16.742Z"},"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":28693428,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-01-23T11:01:27.039Z","status":"ssl_error","status_checked_at":"2026-01-23T11:00:26.909Z","response_time":59,"last_error":"SSL_connect returned=1 errno=0 peeraddr=140.82.121.6:443 state=error: unexpected eof while reading","robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":false,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["devsecops","golang","hacktoberfest","npm","policy-as-code","pypi","rubygems","security","software-composition-analysis","static-analysis","supply-chain-security"],"created_at":"2024-08-01T19:01:11.668Z","updated_at":"2026-02-09T17:02:43.306Z","avatar_url":"https://github.com/safedep.png","language":"Go","readme":"\u003cp align=\"center\"\u003e\n  \u003ca href=\"https://safedep.io\"\u003e\n    \u003cpicture\u003e\n      \u003csource srcset=\"docs/assets/vet-banner-dark.svg\" media=\"(prefers-color-scheme: dark)\"\u003e\n      \u003csource srcset=\"docs/assets/vet-banner-light.svg\" media=\"(prefers-color-scheme: light)\"\u003e\n      \u003cimg src=\"docs/assets/vet-banner-light.svg\" alt=\"SafeDep VET - Real-time malicious package detection \u0026 software supply chain security\" width=\"100%\"\u003e\n    \u003c/picture\u003e\n  \u003c/a\u003e\n\u003c/p\u003e\n\n\u003cdiv align=\"center\"\u003e\n  \u003cp\u003e\n    \u003ca href=\"#quick-start\"\u003e\u003cstrong\u003eQuick Start\u003c/strong\u003e\u003c/a\u003e •\n    \u003ca href=\"https://docs.safedep.io/\"\u003e\u003cstrong\u003eDocumentation\u003c/strong\u003e\u003c/a\u003e •\n    \u003ca href=\"#community--support\"\u003e\u003cstrong\u003eCommunity\u003c/strong\u003e\u003c/a\u003e\n  \u003c/p\u003e\n\u003c/div\u003e\n\n\u003cdiv align=\"center\"\u003e\n\n[![Go Report Card](https://goreportcard.com/badge/github.com/safedep/vet)](https://goreportcard.com/report/github.com/safedep/vet)\n[![License](https://img.shields.io/github/license/safedep/vet)](https://github.com/safedep/vet/blob/main/LICENSE)\n[![Release](https://img.shields.io/github/v/release/safedep/vet)](https://github.com/safedep/vet/releases)\n[![OpenSSF Scorecard](https://api.securityscorecards.dev/projects/github.com/safedep/vet/badge)](https://api.securityscorecards.dev/projects/github.com/safedep/vet)\n[![SLSA 3](https://slsa.dev/images/gh-badge-level3.svg)](https://slsa.dev)\n[![CodeQL](https://github.com/safedep/vet/actions/workflows/codeql.yml/badge.svg?branch=main)](https://github.com/safedep/vet/actions/workflows/codeql.yml)\n\n[![Ask DeepWiki](https://deepwiki.com/badge.svg)](https://deepwiki.com/safedep/vet)\n\n\n\u003c/div\u003e\n\n---\n\n\u003e [!NOTE]\n\u003e `vet` supports special mode for Agent Skills.\n\u003e Run `vet scan --agent-skill \u003cowner/repo\u003e` to scan an Agent Skill hosted in a GitHub repository.\n\n\n## Why vet?\n\n\u003e **70-90% of modern software is open source code** — how do you know it's safe?\n\nTraditional SCA tools drown you in CVE noise. **vet** takes a different approach:\n\n- **Catch malware before it ships** — Zero-day detection through static and dynamic behavioral analysis, not just advisory lookups\n- **Cut through vulnerability noise** — Analyzes your actual code usage to surface only the risks that matter\n- **Secure AI-generated code** — [MCP server](./docs/mcp.md) integration protects against [slopsquatting](https://en.wikipedia.org/wiki/Slopsquatting) in tools like Cursor, VS Code, and Claude Code\n- **Enforce policy as code** — Express security, license, and quality requirements as [CEL](https://cel.dev/) expressions that gate your CI/CD pipeline\n\nFree for open source. Hosted SaaS available at [SafeDep](https://safedep.io).\n\n## Quick Start\n\n**Install in seconds:**\n\n```bash\n# macOS \u0026 Linux\nbrew install safedep/tap/vet\n\n# Using npm\nnpm install @safedep/vet\n```\n\nor download a [pre-built binary](https://github.com/safedep/vet/releases)\n\n**Get started immediately:**\n\n```bash\n# Scan for malware in your dependencies\nvet scan -D . --malware-query\n\n# Fail CI on critical vulnerabilities\nvet scan -D . --filter 'vulns.critical.exists(p, true)' --filter-fail\n\n# Get API key for advanced malware detection\nvet cloud quickstart\n```\n\n## Architecture\n\n`vet` follows a pipeline architecture: **readers** ingest package manifests from diverse sources (directories, repositories, container images, SBOMs), **enrichers** augment each package with vulnerability, malware, and scorecard data from SafeDep Cloud, the **CEL policy engine** evaluates security policies against enriched data, and **reporters** produce actionable output in formats like SARIF, JSON, and Markdown.\n\n\u003cdetails\u003e\n\u003csummary\u003eView architecture diagram\u003c/summary\u003e\n\n```mermaid\ngraph TB\n    subgraph \"OSS Ecosystem\"\n        R1[npm Registry]\n        R2[PyPI Registry]\n        R3[Maven Central]\n        R4[Other Registries]\n    end\n\n    subgraph \"SafeDep Cloud\"\n        M[Continuous Monitoring]\n        A[Real-time Code Analysis\u003cbr/\u003eMalware Detection]\n        T[Threat Intelligence DB\u003cbr/\u003eVulnerabilities • Malware • Scorecard]\n    end\n\n    subgraph \"vet CLI\"\n        S[Source Repository\u003cbr/\u003eScanner]\n        P[CEL Policy Engine]\n        O[Reports \u0026 Actions\u003cbr/\u003eSARIF/JSON/CSV]\n    end\n\n    R1 --\u003e|New Packages| M\n    R2 --\u003e|New Packages| M\n    R3 --\u003e|New Packages| M\n    R4 --\u003e|New Packages| M\n    M --\u003e|Behavioral Analysis| A\n    A --\u003e|Malware Signals| T\n\n    S --\u003e|Query Package Info| T\n    T --\u003e|Security Intelligence| S\n    S --\u003e|Analysis Results| P\n    P --\u003e|Policy Decisions| O\n\n    style M fill:#7CB9E8,stroke:#5A8DB8,color:#1a1a1a\n    style A fill:#E8A87C,stroke:#B88A5A,color:#1a1a1a\n    style T fill:#7CB9E8,stroke:#5A8DB8,color:#1a1a1a\n    style S fill:#90C695,stroke:#6B9870,color:#1a1a1a\n    style P fill:#E8C47C,stroke:#B89B5A,color:#1a1a1a\n    style O fill:#B8A3D4,stroke:#9478AA,color:#1a1a1a\n```\n\n\u003c/details\u003e\n\n## Key Features\n\n### **Malicious Package Detection**\n\nReal-time protection against malicious packages powered by [SafeDep Cloud](https://docs.safedep.io/cloud/malware-analysis).\nFree for open source projects. Detects zero-day malware through active code analysis.\n\n### **Smart Vulnerability Analysis**\n\nUnlike dependency scanners that flood you with noise, `vet` analyzes your **actual code usage** to prioritize real risks.\nSee [dependency usage evidence](https://docs.safedep.io/vet/guides/dependency-usage-identification) for details.\n\n### **Policy as Code**\n\nDefine security policies using CEL expressions to enforce context specific requirements:\n\n```bash\n# Block packages with critical CVEs\nvet scan --filter 'vulns.critical.exists(p, true)' --filter-fail\n\n# Enforce license compliance\nvet scan --filter 'licenses.contains_license(\"GPL-3.0\")' --filter-fail\n\n# Require minimum OpenSSF Scorecard scores\nvet scan --filter 'scorecard.scores.Maintained \u003c 5' --filter-fail\n```\n\n### **Multi-Ecosystem Support**\n\nPackage managers: **npm**, **PyPI**, **Maven**, **Go**, **Ruby**, **Rust**, **PHP**\nContainer images: **Docker**, **OCI**\nSBOM formats: **CycloneDX**, **SPDX**\nSource repositories: **GitHub**, **GitLab**\n\n## Malicious Package Detection\n\n**Real-time protection against malicious packages** with active scanning and behavioral analysis.\n\n### Quick Setup\n\n```bash\n# One-time setup for advanced scanning\nvet cloud quickstart\n\n# Scan for malware with active scanning (requires API key)\nvet scan -D . --malware\n\n# Query known malicious packages (no API key needed)\nvet scan -D . --malware-query\n```\n\n**Example detections:**\n- [MAL-2025-3541: express-cookie-parser](https://safedep.io/malicious-npm-package-express-cookie-parser/)\n- [MAL-2025-4339: eslint-config-airbnb-compat](https://safedep.io/digging-into-dynamic-malware-analysis-signals/)\n- [MAL-2025-4029: ts-runtime-compat-check](https://safedep.io/digging-into-dynamic-malware-analysis-signals/)\n\n**Key security features:**\n- Real-time analysis against known malware databases\n- Behavioral analysis using static and dynamic analysis\n- Zero-day protection through active code scanning\n- Human-in-the-loop triaging for high-impact findings\n- Public [analysis log](https://vetpkg.dev/mal) for transparency\n\n### Advanced Usage\n\n```bash\n# Specialized scans\nvet scan --vsx --malware                    # VS Code extensions\nvet scan -D .github/workflows --malware     # GitHub Actions\nvet scan --image nats:2.10 --malware        # Container images\n\n# Analyze specific packages\nvet inspect malware --purl pkg:npm/nyc-config@10.0.0\n```\n\n## Production Ready Integrations\n\n### GitHub Actions\n\nZero-config security guardrails in CI/CD:\n\n```yaml\n- uses: safedep/vet-action@v1\n  with:\n    policy: \".github/vet/policy.yml\"\n```\n\nSee [vet-action](https://github.com/safedep/vet-action) documentation.\n\n### GitLab CI\n\nEnterprise scanning with [vet CI Component](https://docs.safedep.io/vet/guides/gitlab-dependency-scanning):\n\n```yaml\ninclude:\n  - component: gitlab.com/safedep/ci-components/vet/scan@main\n```\n\n### Container Integration\n\nRun `vet` anywhere using our container image:\n\n```bash\ndocker run --rm -v $(pwd):/app ghcr.io/safedep/vet:latest scan -D /app --malware\n```\n\n## Installation\n\n### Homebrew (Recommended)\n\n```bash\nbrew install safedep/tap/vet\n```\n\n### npm\n\n```bash\nnpm install @safedep/vet\n```\n\n### Direct Download\n\nSee [releases](https://github.com/safedep/vet/releases) for pre-built binaries.\n\n### Go Install\n\n```bash\ngo install github.com/safedep/vet@latest\n```\n\n### Container Image\n\n```bash\n# Quick test\ndocker run --rm ghcr.io/safedep/vet:latest version\n\n# Scan local directory\ndocker run --rm -v $(pwd):/workspace ghcr.io/safedep/vet:latest scan -D /workspace\n```\n\n### Verify Installation\n\n```bash\nvet version\n# Should display version and build information\n```\n\n## Advanced Features\n\n**Learn more in our comprehensive documentation:**\n\n- **[MCP Server](./docs/mcp.md)** - Run vet as an MCP server for AI-assisted code analysis\n- **[AI Agent Mode](./docs/agent.md)** - Run vet as an AI agent\n- **[Reporting](./docs/reporting.md)** - SARIF, JSON, CSV, HTML, Markdown formats\n- **[SBOM Support](https://docs.safedep.io/vet/guides/cyclonedx-sbom)** - CycloneDX, SPDX import/export\n- **[Query Mode](https://docs.safedep.io/cloud/quickstart#query-your-data)** - Scan once, analyze multiple times\n- **[GitHub Integration](https://docs.safedep.io/)** - Repository and organization scanning\n\n## Privacy\n\n`vet` collects anonymous usage telemetry to improve the product. **Your code and package information is never transmitted.**\n\n```bash\n# Disable telemetry (optional)\nexport VET_DISABLE_TELEMETRY=true\n```\n\n## Community \u0026 Support\n\n\u003cdiv align=\"center\"\u003e\n\n### Join the Community\n\n[![Discord](https://img.shields.io/discord/1090352019379851304?color=7289da\u0026label=Discord\u0026logo=discord\u0026logoColor=white)](https://rebrand.ly/safedep-community)\n[![GitHub Discussions](https://img.shields.io/badge/GitHub-Discussions-green?logo=github)](https://github.com/safedep/vet/discussions)\n[![Twitter Follow](https://img.shields.io/twitter/follow/safedepio?style=social)](https://twitter.com/safedepio)\n\n\u003c/div\u003e\n\n### Get Help \u0026 Share Ideas\n\n- **[Interactive Tutorial](https://killercoda.com/safedep/scenario/101-intro)** - Learn vet hands-on\n- **[Complete Documentation](https://docs.safedep.io/)** - Comprehensive guides\n- **[Discord Community](https://rebrand.ly/safedep-community)** - Real-time support\n- **[Issue Tracker](https://github.com/safedep/vet/issues)** - Bug reports \u0026 feature requests\n- **[Contributing Guide](CONTRIBUTING.md)** - Join the development\n\n---\n\n\u003cdiv align=\"center\"\u003e\n\n### Star History\n\n[![Star History Chart](https://api.star-history.com/svg?repos=safedep/vet\u0026type=Date)](https://star-history.com/#safedep/vet\u0026Date)\n\n### Built With Open Source\n\nvet stands on the shoulders of giants:\n\n[OSV](https://osv.dev) • [OpenSSF Scorecard](https://securityscorecards.dev/) • [SLSA](https://slsa.dev/) • [OSV-SCALIBR](https://github.com/google/osv-scalibr) • [Syft](https://github.com/anchore/syft)\n\n---\n\n\u003cp\u003e\u003cstrong\u003eSecure your supply chain today. Star the repo and get started!\u003c/strong\u003e\u003c/p\u003e\n\nCreated with love by [SafeDep](https://safedep.io) and the open source community\n\n\u003c/div\u003e\n\n\u003cimg referrerpolicy=\"no-referrer-when-downgrade\" src=\"https://static.scarf.sh/a.png?x-pxid=304d1856-fcb3-4166-bfbf-b3e40d0f1e3b\" /\u003e\n","funding_links":[],"categories":["Security","Go","security","\u003ca name=\"security\"\u003e\u003c/a\u003eSecurity and encryption","Go Tools","MCP Servers","Software Composition Analysis (SCA)","安全"],"sub_categories":["HTTP Clients","Search and Analytic Databases","Security \u0026 Reverse Engineering","HTTP客户端"],"project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fsafedep%2Fvet","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fsafedep%2Fvet","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fsafedep%2Fvet/lists"}