{"id":43401080,"url":"https://github.com/safedep/vet-action","last_synced_at":"2026-02-02T15:19:22.747Z","repository":{"id":214374239,"uuid":"736338531","full_name":"safedep/vet-action","owner":"safedep","description":"GitHub Action for policy driven vetting of open source dependencies","archived":false,"fork":false,"pushed_at":"2025-10-01T11:52:23.000Z","size":2329,"stargazers_count":11,"open_issues_count":15,"forks_count":3,"subscribers_count":1,"default_branch":"main","last_synced_at":"2025-10-01T13:24:08.257Z","etag":null,"topics":["devsecops","policy-as-code","software-composition-analysis","supply-chain-security"],"latest_commit_sha":null,"homepage":"https://safedep.io","language":"TypeScript","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"apache-2.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/safedep.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":"CODEOWNERS","security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null,"notice":null,"maintainers":null,"copyright":null,"agents":null,"dco":null,"cla":null}},"created_at":"2023-12-27T16:27:02.000Z","updated_at":"2025-09-14T18:58:45.000Z","dependencies_parsed_at":"2024-03-17T05:39:01.956Z","dependency_job_id":"767ad484-a739-406d-8b4d-a718e104bb9a","html_url":"https://github.com/safedep/vet-action","commit_stats":null,"previous_names":["safedep/vet-action"],"tags_count":11,"template":false,"template_full_name":"actions/typescript-action","purl":"pkg:github/safedep/vet-action","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/safedep%2Fvet-action","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/safedep%2Fvet-action/tags","releases_url":"https:/
/repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/safedep%2Fvet-action/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/safedep%2Fvet-action/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/safedep","download_url":"https://codeload.github.com/safedep/vet-action/tar.gz/refs/heads/main","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/safedep%2Fvet-action/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":29014002,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-02-02T14:58:54.169Z","status":"ssl_error","status_checked_at":"2026-02-02T14:58:51.285Z","response_time":58,"last_error":"SSL_connect returned=1 errno=0 peeraddr=140.82.121.6:443 state=error: unexpected eof while reading","robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":false,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["devsecops","policy-as-code","software-composition-analysis","supply-chain-security"],"created_at":"2026-02-02T15:19:21.998Z","updated_at":"2026-02-02T15:19:22.740Z","avatar_url":"https://github.com/safedep.png","language":"TypeScript","funding_links":[],"categories":[],"sub_categories":[],"readme":"# SafeDep GitHub Action\n\n\u003c!-- markdownlint-disable MD033 --\u003e\n\n\u003e Created and maintained by\n\u003e \u003cb\u003e\u003ca href=\"https://safedep.io/\"\u003ehttps://safedep.io\u003c/a\u003e\u003c/b\u003e with contributions\n\u003e from the community 🚀\n\n\u003c!-- 
markdownlint-enable MD033 --\u003e\n\n![CodeQL Analysis](https://github.com/safedep/vet-action/actions/workflows/codeql-analysis.yml/badge.svg)\n![Continue Integration](https://github.com/safedep/vet-action/actions/workflows/ci.yml/badge.svg)\n![vet OSS Components](https://github.com/safedep/vet-action/actions/workflows/vet.yml/badge.svg)\n\nGitHub Action for integrating [vet](https://github.com/safedep/vet) in your\nworkflow. Provides active protection against vulnerable, outdated, unpopular and\nmalicious OSS dependencies using policy-as-code guardrails.\n\n![Example Screenshot](./docs/assets/vet-action-malysis-1.png)\n\n## Usage\n\n\u003e Follow the [setup instructions](#setup-instructions) for a step-by-step guide on how\n\u003e to integrate `vet` in your GitHub repository with customizable policies\n\n### Quick Start\n\n\u003e Follow the _quickstart_ if you want to integrate `vet` as a step in your existing\n\u003e GitHub Actions workflow. Look at [Setup Instructions](#setup-instructions) for a\n\u003e step-by-step guide on how to integrate `vet` in your GitHub repository\n\nTLDR; add this GitHub Action to vet your changed dependencies during pull\nrequests.\n\n```yaml\n- name: Run vet\n  id: vet\n  uses: safedep/vet-action@v1\n  env:\n    GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}\n  # Enable the comments proxy server for public repositories\n  # where GitHub Action jobs are run from forked repositories.\n  # enable-comments-proxy is an action input, so it goes under `with:`\n  #with:\n  #  enable-comments-proxy: true\n```\n\n**Note:** `vet-action` requires the following job or workflow permissions to be\nable to add comments on the pull request:\n\n```yaml\npermissions:\n  contents: read\n  pull-requests: write\n  issues: write\n```\n\nThe output of `vet-action` is a\n[SARIF](https://docs.oasis-open.org/sarif/sarif/v2.1.0/sarif-v2.1.0.html) report\nthat can be uploaded to GitHub Code Scanning.\n\n\u003e **Note**: the `upload-sarif` action requires GitHub Code Scanning to be enabled.\n\u003e This is available for public repositories and for private 
repositories with\n\u003e GitHub Advanced Security enabled.\n\n```yaml\n- name: Upload SARIF\n  uses: github/codeql-action/upload-sarif@v3\n  with:\n    sarif_file: ${{ steps.vet.outputs.report }}\n    category: vet\n```\n\n**Note:** Uploading the SARIF report to GitHub Code Scanning requires the following\njob or workflow permissions:\n\n```yaml\npermissions:\n  security-events: write\n```\n\n### Setup Instructions\n\n\u003e Follow these instructions to integrate `vet` as a GitHub Action in your GitHub\n\u003e repository\n\n- Go to the root directory of your GitHub repository\n- Create the workflow and policy directory\n\n```bash\nmkdir -p .github/workflows .github/vet\n```\n\n- Download the policy file into the policy directory\n\n```bash\ncurl -o .github/vet/policy.yml -L https://raw.githubusercontent.com/safedep/vet-action/main/example/policy.yml\n```\n\n- Download the `vet` GitHub Action workflow\n\n```bash\ncurl -o .github/workflows/vet-ci.yml -L https://raw.githubusercontent.com/safedep/vet-action/main/example/vet-ci.yml\n```\n\n- Review the policy file in `.github/vet/policy.yml` and edit as required\n- Push / PR your changes into the repository\n\n## Cloud Mode\n\n\u003c!-- markdownlint-disable MD013 --\u003e\n\n`vet-action` provides integration with\n[SafeDep Cloud](https://docs.safedep.io/cloud). By leveraging SafeDep Cloud,\n`vet` and `vet-action` provide additional services such as\n[Malicious Package Analysis](https://docs.safedep.io/cloud/malware-analysis).\n\n**Note:** SafeDep Cloud integration is disabled by default.\n\n\u003c!-- markdownlint-enable MD013 --\u003e\n\nTo use the SafeDep Cloud integration, you need\n\n- SafeDep Cloud Tenant Domain (e.g. `default-team.example-org.safedep.io`)\n- SafeDep Cloud API Key (e.g. 
`sfd_01234567890abcdefghijk`)\n\nRefer to [SafeDep Cloud Quickstart](https://docs.safedep.io/cloud/quickstart)\nguide on getting the required information for activating cloud integration.\n\n## Configuration\n\n`vet-action` accepts following additional configuration for customizing how\n`vet` is invoked during scan\n\n\u003c!-- markdownlint-disable MD013 --\u003e\n\n| GitHub Action Input     | Example Value                         | Notes                                                                                  |\n| ----------------------- | ------------------------------------- | -------------------------------------------------------------------------------------- |\n| `policy`                | `policies/sample.yml`                 | Path to `vet` YAML policy file (filter suite)                                          |\n| `exception-file`        | `config/exceptions.yml`               | Path to `vet` exception YAML file                                                      |\n| `trusted-registries`    | `https://r1.org, https://r2.org`      | `,` separated string of registry base URLs                                             |\n| `timeout`               | `300`                                 | Max time in seconds to wait for external services                                      |\n| `cloud`                 | `true`                                | Enable integration with SafeDep Cloud                                                  |\n| `cloud-tenant`          | `default-team.example-org.safedep.io` | SafeDep Cloud Tenant Domain                                                            |\n| `cloud-key`             | `sfd_xxxx`                            | SafeDep Cloud API Key                                                                  |\n| `upload-sarif`          | `true`                                | Upload SARIF report as artifact on push                                                |\n| `add-step-summary`      | `true`                 
               | Add job step summary report on push                                                    |\n| `enable-comments-proxy` | `false`                               | Enable Comments Proxy Server to create comments on GitHub PRs                          |\n| `paranoid`              | `false`                               | Enable paranoid mode to fail PR workflow on any risk                                   |\n| `exclude`               | `test/go.mod, test/package.json`      | Comma separated list of _\"repository relative path patterns\"_ to exclude from the scan |\n\n- Refer to [vet policy as code](https://docs.safedep.io/advanced/policy-as-code)\n  for details on the `policy` format\n- Refer to [vet exceptions](https://docs.safedep.io/advanced/exceptions) for\n  details on the `exception-file` format\n\u003c!-- markdownlint-enable MD013 --\u003e\n\n### Comments Proxy Server\n\nThe `enable-comments-proxy` configuration can be used to enable the Comments Proxy\nServer to create comments on GitHub PRs. This is required when the action is\ninvoked in a PR from a forked repository, because `$GITHUB_TOKEN` is read-only in\nworkflows triggered by pull requests from forks.\nSee [ghcp](https://github.com/safedep/ghcp) for more details.\n\n**SECURITY NOTE**: The comments proxy uses `$GITHUB_TOKEN` for authentication to\nverify that the request comes from a GitHub Actions workflow associated with the\nrepository. When enabled, `vet-action` will call the Comments Proxy Server with the\n`$GITHUB_TOKEN` available in the workflow. This is used _ONLY_ when\n`vet-action` fails to call the GitHub API due to the limitation on `$GITHUB_TOKEN`.\n\n### Trusted Registries\n\nThe `trusted-registries` configuration can be used to add specific registry URLs\nto the allow list while checking for lockfile inconsistencies. 
Example:\n\n```yaml\ntrusted-registries: |\n  https://registry.npmjs.org/strip-ansi\n  https://registry.npmjs.org/string-width\n  https://private.self-hosted.local\n```\n\n## Support\n\n- Raise issues related to GitHub Action at\n  [https://github.com/safedep/vet-action/issues](https://github.com/safedep/vet-action/issues)\n- Raise issues related to `vet` tool at\n  [https://github.com/safedep/vet/issues](https://github.com/safedep/vet/issues)\n\n## Development\n\nRefer to [development documentation](docs/development.md)\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fsafedep%2Fvet-action","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fsafedep%2Fvet-action","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fsafedep%2Fvet-action/lists"}
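The quick start and setup instructions in the README above describe the pieces of a workflow one at a time (permissions, the `vet` step, the policy file and the SARIF upload). The following is an added example, not the project's own `example/vet-ci.yml`, that puts them together in a single workflow file. It assumes the policy file path `.github/vet/policy.yml` from the setup instructions, a checkout via `actions/checkout@v4`, and a trigger on pull requests and pushes to `main`; those choices are assumptions, everything else comes from the inputs and permissions documented in the README.

```yaml
# Added example: .github/workflows/vet-ci.yml
# Not the vet-action project's own example workflow. Assumptions: policy file at
# .github/vet/policy.yml (as in the setup instructions), checkout via
# actions/checkout@v4, triggers on pull requests and pushes to main.
name: vet OSS Components

on:
  pull_request:
  push:
    branches: [main]

# Least privilege: only what the README lists for PR comments and SARIF upload.
permissions:
  contents: read          # read the repository and its lockfiles
  pull-requests: write    # post vet findings as pull request comments
  issues: write           # also required by vet-action for PR comments
  security-events: write  # upload the SARIF report to Code Scanning

jobs:
  vet:
    runs-on: ubuntu-latest
    steps:
      - name: Checkout
        uses: actions/checkout@v4  # assumption: any checkout action works

      - name: Run vet
        id: vet
        uses: safedep/vet-action@v1
        with:
          policy: .github/vet/policy.yml
          # Uncomment to fail the workflow on any risk instead of only reporting it
          # paranoid: true
          # Uncomment on public repositories that receive PRs from forks, where
          # $GITHUB_TOKEN is read-only and comments must go through the proxy
          # enable-comments-proxy: true
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}

      # Code Scanning must be enabled (public repos, or private repos with GHAS).
      # Upload even when vet fails the job so the findings reach Code Scanning.
      - name: Upload SARIF
        if: always()
        uses: github/codeql-action/upload-sarif@v3
        with:
          sarif_file: ${{ steps.vet.outputs.report }}
          category: vet
```

Keep `permissions` at the workflow or job level as shown rather than relying on the repository default, so the token stays read-only for everything the action does not need.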