https://github.com/safedep/vet-action
GitHub Action for policy driven vetting of open source dependencies
- Host: GitHub
- URL: https://github.com/safedep/vet-action
- Owner: safedep
- License: apache-2.0
- Created: 2023-12-27T16:27:02.000Z (about 2 years ago)
- Default Branch: main
- Last Pushed: 2025-10-01T11:52:23.000Z (5 months ago)
- Last Synced: 2025-10-01T13:24:08.257Z (5 months ago)
- Topics: devsecops, policy-as-code, software-composition-analysis, supply-chain-security
- Language: TypeScript
- Homepage: https://safedep.io
- Size: 2.22 MB
- Stars: 11
- Watchers: 1
- Forks: 3
- Open Issues: 15
Metadata Files:
- Readme: README.md
- License: LICENSE
- Codeowners: CODEOWNERS
README
# SafeDep GitHub Action
> Created and maintained by
> https://safedep.io with contributions
> from the community 🚀



GitHub Action for integrating [vet](https://github.com/safedep/vet) into your
workflow. It provides active protection against vulnerable, outdated, unpopular and
malicious OSS dependencies using policy-as-code guardrails.

## Usage
> Follow the [setup instructions](#setup-instructions) for a step-by-step guide on how
> to integrate `vet` in your GitHub repository with customizable policies.
### Quick Start
> Follow the _quickstart_ if you want to integrate `vet` as a step in your existing
> GitHub Actions workflow. See [Setup Instructions](#setup-instructions) for a
> step-by-step guide on how to integrate `vet` in your GitHub repository.
TL;DR: add this GitHub Action to vet your changed dependencies during a pull
request.
```yaml
- name: Run vet
  id: vet
  uses: safedep/vet-action@v1
  env:
    GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
  # Enable the comments proxy server for public repositories
  # where GitHub Action jobs are run from forked repositories
  # with:
  #   enable-comments-proxy: true
```
**Note:** `vet-action` requires the following job or workflow permissions to be
able to add comments on the pull request:
```yaml
permissions:
  contents: read
  pull-requests: write
  issues: write
```
The output of `vet-action` is a
[SARIF](https://docs.oasis-open.org/sarif/sarif/v2.1.0/sarif-v2.1.0.html) report
that can be uploaded to GitHub Code Scanning.
> **Note**: The `upload-sarif` action requires GitHub Code Scanning to be enabled.
> This is available for public repositories and for private repositories with
> GitHub Advanced Security enabled.
```yaml
- name: Upload SARIF
  uses: github/codeql-action/upload-sarif@v3
  with:
    sarif_file: ${{ steps.vet.outputs.report }}
    category: vet
```
**Note:** Uploading the SARIF report to GitHub Code Scanning requires the following
job or workflow permissions:
```yaml
permissions:
  security-events: write
```
### Setup Instructions
> Follow these instructions to integrate `vet` as a GitHub Action in your GitHub
> repository.
- Go to the root directory of your GitHub repository
- Create the workflow and policy directories
  ```bash
  mkdir -p .github/workflows .github/vet
  ```
- Download the policy file into the policy directory
  ```bash
  curl -o .github/vet/policy.yml -L https://raw.githubusercontent.com/safedep/vet-action/main/example/policy.yml
  ```
- Download the `vet` GitHub Action workflow
  ```bash
  curl -o .github/workflows/vet-ci.yml -L https://raw.githubusercontent.com/safedep/vet-action/main/example/vet-ci.yml
  ```
- Review the policy file in `.github/vet/policy.yml` and edit as required
- Push / PR your changes into the repository
## Cloud Mode
`vet-action` provides integration with
[SafeDep Cloud](https://docs.safedep.io/cloud). By leveraging SafeDep Cloud,
`vet` and `vet-action` provide additional services such as
[Malicious Package Analysis](https://docs.safedep.io/cloud/malware-analysis).
**Note:** SafeDep Cloud integration is disabled by default.
To use SafeDep Cloud integration, you need:
- SafeDep Cloud Tenant Domain (e.g. `default-team.example-org.safedep.io`)
- SafeDep Cloud API Key (e.g. `sfd_01234567890abcdefghijk`)
Refer to the [SafeDep Cloud Quickstart](https://docs.safedep.io/cloud/quickstart)
guide for how to obtain the information required to activate the cloud integration.
## Configuration
`vet-action` accepts the following additional configuration inputs for customizing how
`vet` is invoked during a scan:
| GitHub Action Input | Example Value | Notes |
| ----------------------- | ------------------------------------- | -------------------------------------------------------------------------------------- |
| `policy` | `policies/sample.yml` | Path to `vet` YAML policy file (filter suite) |
| `exception-file` | `config/exceptions.yml` | Path to `vet` exception YAML file |
| `trusted-registries` | `https://r1.org, https://r2.org` | `,` separated string of registry base URLs |
| `timeout` | `300` | Max time in seconds to wait for external services |
| `cloud` | `true` | Enable integration with SafeDep Cloud |
| `cloud-tenant` | `default-team.example-org.safedep.io` | SafeDep Cloud Tenant Domain |
| `cloud-key` | `sfd_xxxx` | SafeDep Cloud API Key |
| `upload-sarif` | `true` | Upload SARIF report as artifact on push |
| `add-step-summary` | `true` | Add job step summary report on push |
| `enable-comments-proxy` | `false` | Enable Comments Proxy Server to create comments on GitHub PRs |
| `paranoid` | `false` | Enable paranoid mode to fail PR workflow on any risk |
| `exclude` | `test/go.mod, test/package.json` | Comma separated list of _"repository relative path patterns"_ to exclude from the scan |
- Refer to [vet policy as code](https://docs.safedep.io/advanced/policy-as-code)
  for details on the `policy` format
- Refer to [vet exceptions](https://docs.safedep.io/advanced/exceptions) for
  details on the `exception-file` format
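The following complete workflow ties the Quick Start steps (permissions, the `vet` step, SARIF upload) together with the inputs from the table above. It is an added example, not the project's own `example/vet-ci.yml`; the policy path follows the Setup Instructions, and the `SAFEDEP_CLOUD_TENANT` repository variable and `SAFEDEP_CLOUD_API_KEY` secret are assumed names you would define yourself.

```yaml
# .github/workflows/vet-ci.yml (added example, not the project's own file)
name: vet OSS dependencies

on:
  pull_request:
  push:
    branches: [main]

# Least privilege: read the tree, comment on PRs, publish SARIF results.
permissions:
  contents: read
  pull-requests: write    # PR comments
  issues: write           # PR comments
  security-events: write  # upload-sarif to Code Scanning

jobs:
  vet:
    runs-on: ubuntu-latest
    steps:
      - name: Checkout
        uses: actions/checkout@v4

      - name: Run vet
        id: vet
        uses: safedep/vet-action@v1
        env:
          # On pull_request from a fork this token is read-only; see
          # "Comments Proxy Server" (enable-comments-proxy) for that case.
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
        with:
          policy: .github/vet/policy.yml          # from Setup Instructions
          exclude: test/go.mod, test/package.json # repository-relative patterns
          timeout: 300                            # seconds to wait for external services
          add-step-summary: true
          # Cloud mode is off by default; variable/secret names below are assumed.
          cloud: true
          cloud-tenant: ${{ vars.SAFEDEP_CLOUD_TENANT }}
          cloud-key: ${{ secrets.SAFEDEP_CLOUD_API_KEY }}

      - name: Upload SARIF
        # Upload even if vet failed the job, but only when a report was produced.
        if: ${{ always() && steps.vet.outputs.report != '' }}
        uses: github/codeql-action/upload-sarif@v3
        with:
          sarif_file: ${{ steps.vet.outputs.report }}
          category: vet
```

Set `paranoid: true` under `with:` if the pull request workflow should fail on any reported risk rather than only on policy violations.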
### Comments Proxy Server
The `enable-comments-proxy` configuration can be used to enable the Comments Proxy
Server to create comments on GitHub PRs. This is required when the action is
invoked in a PR from a forked repository, due to the limitations of `$GITHUB_TOKEN`
in that context. See [ghcp](https://github.com/safedep/ghcp) for more details.
**SECURITY NOTE**: The comments proxy uses `$GITHUB_TOKEN` for authentication to
verify that the request comes from a GitHub Actions workflow associated with the
repository. When enabled, `vet-action` will call the Comments Proxy Server with the
`$GITHUB_TOKEN` available in the workflow. The proxy is used _ONLY_ when
`vet-action` fails to call the GitHub API due to the limitations of `$GITHUB_TOKEN`.
### Trusted Registries
The `trusted-registries` configuration can be used to add specific registry URLs
to the allow list used while checking for lockfile inconsistencies. Example:
```yaml
trusted-registries: |
  https://registry.npmjs.org/strip-ansi
  https://registry.npmjs.org/string-width
  https://private.self-hosted.local
```
## Support
- Raise issues related to the GitHub Action at
  [https://github.com/safedep/vet-action/issues](https://github.com/safedep/vet-action/issues)
- Raise issues related to the `vet` tool at
  [https://github.com/safedep/vet/issues](https://github.com/safedep/vet/issues)
## Development
Refer to the [development documentation](docs/development.md).