π Refer to https://safedep.io/docs for the documentation π
Automate Open Source Package Vetting in CI/CD
vet
is a tool for identifying risks in open source software supply chain. It
goes beyond just vulnerabilities and provides visibility on OSS package risks
due to it's license, popularity, security hygiene, and more. vet
is designed
with the goal of enabling trusted OSS package consumption by integrating with
CI/CD and policy as code
as guardrails.
π₯ vet in action
Getting Started
brew tap safedep/tap
brew install safedep/tap/vet
- Alternatively, build from source
Ensure $(go env GOPATH)/bin is in your $PATH
go install github.com/safedep/vet@latest
- Also available as a container image
docker run --rm -it ghcr.io/safedep/vet:latest version
Note: Container image is built for x86_64 Linux only. Use a
pre-built binary or
build from source for other platforms.
Running Scan
- Run
vet
to identify risks by scanning a directory
vet scan -D /path/to/repository
- Run
vet
to scan specific (supported) package manifests
vet scan --lockfiles /path/to/pom.xml
vet scan --lockfiles /path/to/requirements.txt
vet scan --lockfiles /path/to/package-lock.json
Scanning SBOM
vet scan --lockfiles /path/to/cyclonedx-sbom.json --lockfile-as bom-cyclonedx
- Scan an SBOM in SPDX format
vet scan --lockfiles /path/to/spdx-sbom.json --lockfile-as bom-spdx
Note: SBOM scanning feature is currently in experimental stage
Scanning Github Repositories
- Setup github access token to scan private repo
vet connect github
Alternatively, set GITHUB_TOKEN
environment variable with Github PAT
- To scan remote Github repositories, including private ones
vet scan --github https://github.com/safedep/vet
Note: You may need to enable Dependency Graph at repository or organization level for Github repository scanning to work.
Scanning Github Organization
You must setup the required access for scanning private repositories
before scanning organizations
vet scan --github-org https://github.com/safedep
Note: vet
will block and wait if it encounters Github secondary rate limit.
Scanning Package URL
vet scan --purl pkg:/gem/[email protected]
Available Parsers
- List supported package manifest parsers including experimental modules
vet scan parsers --experimental
Policy as Code
vet
uses Common Expressions Language
(CEL) as the policy language. Policies can be defined to build guardrails
preventing introduction of insecure components.
- Run
vet
and fail if a critical or high vulnerability was detected
vet scan -D /path/to/code \
--filter 'vulns.critical.exists(p, true) || vulns.high.exists(p, true)' \
--filter-fail
- Run
vet
and fail if a package with a specific license was detected
vet scan -D /path/to/code \
--filter 'licenses.exists(p, p == "GPL-2.0")' \
--filter-fail
vet scan -D /path/to/code \
--filter 'scorecard.scores.Maintained == 0' \
--filter-fail
For more examples, refer to documentation
CI/CD Integration
π¦ GitHub Action
vet
is available as a GitHub Action, refer to vet-action
π GitLab CI
π οΈ Advanced Usage
π Documentation
First of all, thank you so much for showing interest in vet
, we appreciate it β€οΈ
π» Development
Refer to CONTRIBUTING.md
Star History
π References