https://github.com/safedep/vet
Protect against malicious open source packages 🤖
- Host: GitHub
- URL: https://github.com/safedep/vet
- Owner: safedep
- License: apache-2.0
- Created: 2022-12-30T03:39:03.000Z (about 3 years ago)
- Default Branch: main
- Last Pushed: 2025-12-16T12:56:01.000Z (2 months ago)
- Last Synced: 2025-12-20T03:03:03.036Z (2 months ago)
- Topics: devsecops, golang, hacktoberfest, npm, policy-as-code, pypi, rubygems, security, software-composition-analysis, static-analysis, supply-chain-security
- Language: Go
- Homepage: https://safedep.io
- Size: 13.7 MB
- Stars: 918
- Watchers: 15
- Forks: 80
- Open Issues: 91
Metadata Files:
- Readme: README.md
- Contributing: CONTRIBUTING.md
- License: LICENSE
- Maintainers: MAINTAINERS.txt
Awesome Lists containing this project
- awesome-go - SafeDep/vet - Protect against malicious open source packages. (Security / HTTP Clients)
- awesome-starts - safedep/vet - Protect against malicious open source packages 🤖 (security)
- awesome-cli-apps-in-a-csv - vet - Tool for identifying risks in open source software supply chain. (Security and encryption)
- awesome-go-with-stars - SafeDep/vet - 02-18 | (Security / HTTP Clients)
- fucking-awesome-go - SafeDep/vet - Protect against malicious open source packages. (Security / HTTP Clients)
- awesome-mcp - safedep/vet - safedep/vet is an enterprise-grade open source software supply chain security tool offering next-generation software composition analysis, real-time malicious package detection, policy as code, and multi-ecosystem support, with integration into CI/CD workflows and MCP server capabilities. (MCP Servers / Security & Reverse Engineering)
- awesome-cli-apps - vet - Tool for identifying risks in open source software supply chain. (Security and encryption)
- awesome-go - safedep/vet
- awesome-go-cn - SafeDep/vet
README
---
> [!NOTE]
> `vet` supports a special mode for Agent Skills.
> Run `vet scan --agent-skill ` to scan an Agent Skill hosted in a GitHub repository.
## Why vet?
> **70-90% of modern software is open source code** — how do you know it's safe?
Traditional SCA tools drown you in CVE noise. **vet** takes a different approach:
- **Catch malware before it ships** — Zero-day detection through static and dynamic behavioral analysis, not just advisory lookups
- **Cut through vulnerability noise** — Analyzes your actual code usage to surface only the risks that matter
- **Secure AI-generated code** — [MCP server](./docs/mcp.md) integration protects against [slopsquatting](https://en.wikipedia.org/wiki/Slopsquatting) in tools like Cursor, VS Code, and Claude Code
- **Enforce policy as code** — Express security, license, and quality requirements as [CEL](https://cel.dev/) expressions that gate your CI/CD pipeline
Free for open source. Hosted SaaS available at [SafeDep](https://safedep.io).
## Quick Start
**Install in seconds:**
```bash
# macOS & Linux
brew install safedep/tap/vet
# Using npm
npm install @safedep/vet
```
or download a [pre-built binary](https://github.com/safedep/vet/releases).
**Get started immediately:**
```bash
# Scan for malware in your dependencies
vet scan -D . --malware-query
# Fail CI on critical vulnerabilities
vet scan -D . --filter 'vulns.critical.exists(p, true)' --filter-fail
# Get API key for advanced malware detection
vet cloud quickstart
```
## Architecture
`vet` follows a pipeline architecture: **readers** ingest package manifests from diverse sources (directories, repositories, container images, SBOMs), **enrichers** augment each package with vulnerability, malware, and scorecard data from SafeDep Cloud, the **CEL policy engine** evaluates security policies against enriched data, and **reporters** produce actionable output in formats like SARIF, JSON, and Markdown.
```mermaid
graph TB
    subgraph "OSS Ecosystem"
        R1[npm Registry]
        R2[PyPI Registry]
        R3[Maven Central]
        R4[Other Registries]
    end
    subgraph "SafeDep Cloud"
        M[Continuous Monitoring]
        A[Real-time Code Analysis<br/>Malware Detection]
        T[Threat Intelligence DB<br/>Vulnerabilities • Malware • Scorecard]
    end
    subgraph "vet CLI"
        S[Source Repository<br/>Scanner]
        P[CEL Policy Engine]
        O[Reports & Actions<br/>SARIF/JSON/CSV]
    end
    R1 -->|New Packages| M
    R2 -->|New Packages| M
    R3 -->|New Packages| M
    R4 -->|New Packages| M
    M -->|Behavioral Analysis| A
    A -->|Malware Signals| T
    S -->|Query Package Info| T
    T -->|Security Intelligence| S
    S -->|Analysis Results| P
    P -->|Policy Decisions| O
    style M fill:#7CB9E8,stroke:#5A8DB8,color:#1a1a1a
    style A fill:#E8A87C,stroke:#B88A5A,color:#1a1a1a
    style T fill:#7CB9E8,stroke:#5A8DB8,color:#1a1a1a
    style S fill:#90C695,stroke:#6B9870,color:#1a1a1a
    style P fill:#E8C47C,stroke:#B89B5A,color:#1a1a1a
    style O fill:#B8A3D4,stroke:#9478AA,color:#1a1a1a
```
## Key Features
### **Malicious Package Detection**
Real-time protection against malicious packages powered by [SafeDep Cloud](https://docs.safedep.io/cloud/malware-analysis).
Free for open source projects. Detects zero-day malware through active code analysis.
### **Smart Vulnerability Analysis**
Unlike dependency scanners that flood you with noise, `vet` analyzes your **actual code usage** to prioritize real risks.
See [dependency usage evidence](https://docs.safedep.io/vet/guides/dependency-usage-identification) for details.
### **Policy as Code**
Define security policies using CEL expressions to enforce context-specific requirements. Each `--filter` is a match expression over the enriched package data; with `--filter-fail`, any package that matches fails the scan:
```bash
# Block packages with critical CVEs
vet scan --filter 'vulns.critical.exists(p, true)' --filter-fail
# Enforce license compliance
vet scan --filter 'licenses.contains_license("GPL-3.0")' --filter-fail
# Require minimum OpenSSF Scorecard scores
vet scan --filter 'scorecard.scores.Maintained < 5' --filter-fail
```
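The filters above are match conditions evaluated over each enriched package, and `--filter-fail` turns any match into a failing exit code. The following Go program is an added illustration of that evaluation stage of the pipeline (enriched data in, policy decisions out); it is not vet's own CEL engine, and the `Package` struct, the sample packages and the vulnerability identifier are constructed for the example.

```go
package main

import (
	"fmt"
	"strings"
)

// Package is a constructed stand-in for an enriched package record. Its
// fields mirror the CEL variables used by the README's three filters:
// vulns.critical, licenses and scorecard.scores.Maintained.
type Package struct {
	Name, Version string
	Critical      []string           // critical vulnerability IDs (constructed)
	Licenses      []string           // SPDX license identifiers
	Scorecard     map[string]float64 // OpenSSF Scorecard check scores
}

// Filter re-states one `--filter` expression as a Go predicate.
type Filter struct {
	Expr  string
	Match func(p Package) bool
}

// Filters are Go equivalents of the README's CEL examples (assumption: a
// package without Scorecard data does not match the score threshold).
var Filters = []Filter{
	{"vulns.critical.exists(p, true)", func(p Package) bool { return len(p.Critical) > 0 }},
	{`licenses.contains_license("GPL-3.0")`, func(p Package) bool {
		for _, l := range p.Licenses {
			if strings.EqualFold(l, "GPL-3.0") {
				return true
			}
		}
		return false
	}},
	{"scorecard.scores.Maintained < 5", func(p Package) bool {
		s, ok := p.Scorecard["Maintained"]
		return ok && s < 5
	}},
}

// SamplePackages is constructed input; EXAMPLE-CRIT-1 is a placeholder ID.
func SamplePackages() []Package {
	return []Package{
		{Name: "pkg:npm/well-kept", Version: "1.3.0", Licenses: []string{"MIT"}, Scorecard: map[string]float64{"Maintained": 8}},
		{Name: "pkg:npm/stale-lib", Version: "2.0.0", Critical: []string{"EXAMPLE-CRIT-1"}, Licenses: []string{"MIT"}, Scorecard: map[string]float64{"Maintained": 3}},
		{Name: "pkg:pypi/copyleft-tool", Version: "0.1.0", Licenses: []string{"GPL-3.0"}},
	}
}

// Evaluate returns, per filter expression, the packages that matched it.
func Evaluate(pkgs []Package, filters []Filter) map[string][]string {
	matches := map[string][]string{}
	for _, f := range filters {
		for _, p := range pkgs {
			if f.Match(p) {
				matches[f.Expr] = append(matches[f.Expr], p.Name+"@"+p.Version)
			}
		}
	}
	return matches
}

// ExitCode models --filter-fail: with it set, any match fails the scan.
func ExitCode(matches map[string][]string, filterFail bool) int {
	if filterFail && len(matches) > 0 {
		return 1
	}
	return 0
}

func main() {
	m := Evaluate(SamplePackages(), Filters)
	for expr, pkgs := range m {
		fmt.Printf("%-40s matched %v\n", expr, pkgs)
	}
	fmt.Println("exit code with --filter-fail:", ExitCode(m, true))
}
```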
### **Multi-Ecosystem Support**
Package managers: **npm**, **PyPI**, **Maven**, **Go**, **Ruby**, **Rust**, **PHP**
Container images: **Docker**, **OCI**
SBOM formats: **CycloneDX**, **SPDX**
Source repositories: **GitHub**, **GitLab**
## Malicious Package Detection
**Real-time protection against malicious packages** with active scanning and behavioral analysis.
### Quick Setup
```bash
# One-time setup for advanced scanning
vet cloud quickstart
# Scan for malware with active scanning (requires API key)
vet scan -D . --malware
# Query known malicious packages (no API key needed)
vet scan -D . --malware-query
```
**Example detections:**
- [MAL-2025-3541: express-cookie-parser](https://safedep.io/malicious-npm-package-express-cookie-parser/)
- [MAL-2025-4339: eslint-config-airbnb-compat](https://safedep.io/digging-into-dynamic-malware-analysis-signals/)
- [MAL-2025-4029: ts-runtime-compat-check](https://safedep.io/digging-into-dynamic-malware-analysis-signals/)
**Key security features:**
- Real-time analysis against known malware databases
- Behavioral analysis using static and dynamic analysis
- Zero-day protection through active code scanning
- Human-in-the-loop triaging for high-impact findings
- Public [analysis log](https://vetpkg.dev/mal) for transparency
### Advanced Usage
```bash
# Specialized scans
vet scan --vsx --malware # VS Code extensions
vet scan -D .github/workflows --malware # GitHub Actions
vet scan --image nats:2.10 --malware # Container images
# Analyze specific packages
vet inspect malware --purl pkg:npm/nyc-config@10.0.0
```
## Production Ready Integrations
### GitHub Actions
Zero-config security guardrails in CI/CD:
```yaml
- uses: safedep/vet-action@v1
  with:
    policy: ".github/vet/policy.yml"
```
See [vet-action](https://github.com/safedep/vet-action) documentation.
### GitLab CI
Enterprise scanning with [vet CI Component](https://docs.safedep.io/vet/guides/gitlab-dependency-scanning):
```yaml
include:
  - component: gitlab.com/safedep/ci-components/vet/scan@main
```
### Container Integration
Run `vet` anywhere using our container image:
```bash
docker run --rm -v $(pwd):/app ghcr.io/safedep/vet:latest scan -D /app --malware
```
## Installation
### Homebrew (Recommended)
```bash
brew install safedep/tap/vet
```
### npm
```bash
npm install @safedep/vet
```
### Direct Download
See [releases](https://github.com/safedep/vet/releases) for pre-built binaries.
### Go Install
```bash
go install github.com/safedep/vet@latest
```
### Container Image
```bash
# Quick test
docker run --rm ghcr.io/safedep/vet:latest version
# Scan local directory
docker run --rm -v $(pwd):/workspace ghcr.io/safedep/vet:latest scan -D /workspace
```
### Verify Installation
```bash
vet version
# Should display version and build information
```
## Advanced Features
**Learn more in our comprehensive documentation:**
- **[MCP Server](./docs/mcp.md)** - Run vet as an MCP server for AI-assisted code analysis
- **[AI Agent Mode](./docs/agent.md)** - Run vet as an AI agent
- **[Reporting](./docs/reporting.md)** - SARIF, JSON, CSV, HTML, Markdown formats
- **[SBOM Support](https://docs.safedep.io/vet/guides/cyclonedx-sbom)** - CycloneDX, SPDX import/export
- **[Query Mode](https://docs.safedep.io/cloud/quickstart#query-your-data)** - Scan once, analyze multiple times
- **[GitHub Integration](https://docs.safedep.io/)** - Repository and organization scanning
## Privacy
`vet` collects anonymous usage telemetry to improve the product. **Your code and package information is never transmitted.**
```bash
# Disable telemetry (optional)
export VET_DISABLE_TELEMETRY=true
```
## Community & Support
### Join the Community
### Get Help & Share Ideas
- **[Interactive Tutorial](https://killercoda.com/safedep/scenario/101-intro)** - Learn vet hands-on
- **[Complete Documentation](https://docs.safedep.io/)** - Comprehensive guides
- **[Discord Community](https://rebrand.ly/safedep-community)** - Real-time support
- **[Issue Tracker](https://github.com/safedep/vet/issues)** - Bug reports & feature requests
- **[Contributing Guide](CONTRIBUTING.md)** - Join the development
---
### Built With Open Source
vet stands on the shoulders of giants:
[OSV](https://osv.dev) • [OpenSSF Scorecard](https://securityscorecards.dev/) • [SLSA](https://slsa.dev/) • [OSV-SCALIBR](https://github.com/google/osv-scalibr) • [Syft](https://github.com/anchore/syft)
---
Secure your supply chain today. Star the repo and get started!
Created with love by [SafeDep](https://safedep.io) and the open source community