vet

command module

v1.5.11 Latest Latest Go to latest Published: May 17, 2024 License: Apache-2.0 Imports: 24 Imported by: 0

Details

Valid go.mod file

The Go module system was introduced in Go 1.11 and is the official dependency management solution for Go.
Redistributable license

Redistributable licenses place minimal restrictions on how software can be used, modified, and redistributed.
Tagged version

Modules with tagged versions give importers more predictable builds.
Stable version

When a project reaches major version v1 it is considered stable.
Learn more about best practices

Repository

github.com/safedep/vet

Links

Open Source Insights

README ¶

🙌 Refer to https://safedep.io/docs for the documentation 📖

License Release

Automate Open Source Package Vetting in CI/CD

vet is a tool for identifying risks in open source software supply chain. It goes beyond just vulnerabilities and provides visibility on OSS package risks due to it's license, popularity, security hygiene, and more. vet is designed with the goal of enabling trusted OSS package consumption by integrating with CI/CD and policy as code as guardrails.

🔥 vet in action
Getting Started
- Running Scan
Policy as Code
CI/CD Integration
- 📦 GitHub Action
- 🚀 GitLab CI
🛠️ Advanced Usage
📖 Documentation
🎊 Community
💻 Development
Star History
🔖 References

🔥 vet in action

vet Demo

Getting Started

Download the binary file for your operating system / architecture from the Official GitHub Releases
You can also install vet using homebrew in MacOS and Linux

brew tap safedep/tap
brew install safedep/tap/vet

Alternatively, build from source

Ensure $(go env GOPATH)/bin is in your $PATH

go install github.com/safedep/vet@latest

Also available as a container image

docker run --rm -it ghcr.io/safedep/vet:latest version

Note: Container image is built for x86_64 Linux only. Use a pre-built binary or build from source for other platforms.

Running Scan

Run vet to identify risks by scanning a directory

vet scan -D /path/to/repository

vet scan directory

Run vet to scan specific (supported) package manifests

vet scan --lockfiles /path/to/pom.xml
vet scan --lockfiles /path/to/requirements.txt
vet scan --lockfiles /path/to/package-lock.json

Scanning SBOM

Scan an SBOM in CycloneDX format

vet scan --lockfiles /path/to/cyclonedx-sbom.json --lockfile-as bom-cyclonedx

Scan an SBOM in SPDX format

vet scan --lockfiles /path/to/spdx-sbom.json --lockfile-as bom-spdx

Note: SBOM scanning feature is currently in experimental stage

Scanning Github Repositories

Setup github access token to scan private repo

vet connect github

Alternatively, set GITHUB_TOKEN environment variable with Github PAT

To scan remote Github repositories, including private ones

vet scan --github https://github.com/safedep/vet

Note: You may need to enable Dependency Graph at repository or organization level for Github repository scanning to work.

Scanning Github Organization

You must setup the required access for scanning private repositories before scanning organizations

vet scan --github-org https://github.com/safedep

Note: vet will block and wait if it encounters Github secondary rate limit.

Scanning Package URL

To scan a purl

vet scan --purl pkg:/gem/[email protected]

Available Parsers

List supported package manifest parsers including experimental modules

vet scan parsers --experimental

Policy as Code

vet uses Common Expressions Language (CEL) as the policy language. Policies can be defined to build guardrails preventing introduction of insecure components.

Run vet and fail if a critical or high vulnerability was detected

vet scan -D /path/to/code \
    --filter 'vulns.critical.exists(p, true) || vulns.high.exists(p, true)' \
    --filter-fail

Run vet and fail if a package with a specific license was detected

vet scan -D /path/to/code \
    --filter 'licenses.exists(p, p == "GPL-2.0")' \
    --filter-fail

Run vet and fail based on OpenSSF Scorecard attributes

vet scan -D /path/to/code \
    --filter 'scorecard.scores.Maintained == 0' \
    --filter-fail

For more examples, refer to documentation

CI/CD Integration

📦 GitHub Action

vet is available as a GitHub Action, refer to vet-action

🚀 GitLab CI

vet can be integrated with GitLab CI, refer to vet-gitlab-ci

🛠️ Advanced Usage

📖 Documentation

Refer to https://safedep.io/docs for the detailed documentation

🎊 Community

First of all, thank you so much for showing interest in vet, we appreciate it ❤️

Join the Discord server using the link - https://rebrand.ly/safedep-community

💻 Development

Refer to CONTRIBUTING.md

Star History

🔖 References

Documentation ¶

There is no documentation for this package.

Source Files ¶

View all Source files

Directories ¶

Path	Synopsis
gen
checks
cpv1 Package cpv1 provides primitives to interact with the openapi HTTP API.	Package cpv1 provides primitives to interact with the openapi HTTP API.
cpv1trials Package cpv1trials provides primitives to interact with the openapi HTTP API.	Package cpv1trials provides primitives to interact with the openapi HTTP API.
exceptionsapi
filterinput
filtersuite
insightapi Package insightapi provides primitives to interact with the openapi HTTP API.	Package insightapi provides primitives to interact with the openapi HTTP API.
jsonreport
models
syncv1 Package syncv1 provides primitives to interact with the openapi HTTP API.	Package syncv1 provides primitives to interact with the openapi HTTP API.
violations
internal
auth
connect
ui
pkg
analyzer
analyzer/filter
common/logger
common/purl
common/utils
common/utils/regex
common/utils/sbom
exceptions
models
parser
parser/custom/packagefile
parser/custom/py
parser/custom/sbom/spdx
policy
readers Package readers implements the various supported package manifest reader.	Package readers implements the various supported package manifest reader.
remediations
reporter
reporter/markdown
scanner
schemamapper
test

?	: This menu
/	: Search site
f or F	: Jump to
y or Y	: Canonical URL