
🎯 Why vet?

70-90% of modern software consists of code from open source. How do we know it's safe?

vet is an open source software supply chain security tool built for developers and security engineers who need:

Real-time malicious package detection — Active scanning and analysis of unknown packages
Modern SCA with actual usage analysis — Prioritize real risks over vulnerability noise
Policy as Code — Express security requirements using CEL expressions

Hosted SaaS version available at SafeDep Cloud. Get started with GitHub App and other integrations.

Related MCP server: vedit-mcp

⚡ Quick Start

Install in seconds:

```shell
# macOS & Linux
brew install safedep/tap/vet
```

or download a pre-built binary

Get started immediately:

```shell
# Scan for malware in your dependencies
vet scan -D . --malware-query

# Fail CI on critical vulnerabilities
vet scan -D . --filter 'vulns.critical.exists(p, true)' --filter-fail

# Get API key for advanced malware detection
vet cloud quickstart
```

📦 Architecture

```mermaid
graph TB
  subgraph "OSS Ecosystem"
    R1[npm Registry]
    R2[PyPI Registry]
    R3[Maven Central]
    R4[Other Registries]
  end
  subgraph "SafeDep Cloud"
    M[Continuous Monitoring]
    A[Real-time Code Analysis<br/>Malware Detection]
    T[Threat Intelligence DB<br/>Vulnerabilities • Malware • Scorecard]
  end
  subgraph "vet CLI"
    S[Source Repository<br/>Scanner]
    P[CEL Policy Engine]
    O[Reports & Actions<br/>SARIF/JSON/CSV]
  end
  R1 -->|New Packages| M
  R2 -->|New Packages| M
  R3 -->|New Packages| M
  R4 -->|New Packages| M
  M -->|Behavioral Analysis| A
  A -->|Malware Signals| T
  S -->|Query Package Info| T
  T -->|Security Intelligence| S
  S -->|Analysis Results| P
  P -->|Policy Decisions| O
  style M fill:#7CB9E8,stroke:#5A8DB8,color:#1a1a1a
  style A fill:#E8A87C,stroke:#B88A5A,color:#1a1a1a
  style T fill:#7CB9E8,stroke:#5A8DB8,color:#1a1a1a
  style S fill:#90C695,stroke:#6B9870,color:#1a1a1a
  style P fill:#E8C47C,stroke:#B89B5A,color:#1a1a1a
  style O fill:#B8A3D4,stroke:#9478AA,color:#1a1a1a
```

🔒 Key Features

🛡️ Malicious Package Detection

Real-time protection against malicious packages powered by SafeDep Cloud. Free for open source projects. Detects zero-day malware through active code analysis.

🕵️ Smart Vulnerability Analysis

Unlike dependency scanners that flood you with noise, vet analyzes your actual code usage to prioritize real risks. See dependency usage evidence for details.

📋 Policy as Code

Define security policies using CEL expressions to enforce context-specific requirements:

```shell
# Block packages with critical CVEs
vet scan --filter 'vulns.critical.exists(p, true)' --filter-fail

# Enforce license compliance
vet scan --filter 'licenses.contains_license("GPL-3.0")' --filter-fail

# Require minimum OpenSSF Scorecard scores
vet scan --filter 'scorecard.scores.Maintained < 5' --filter-fail
```
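The Quick Start and the policies above each run `vet` once per filter, so a CI job chained with `&&` stops at the first policy that trips. The script below is an added example (not code from the vet project): it runs every policy from a small list, records each one that fails, and fails the job once at the end with a summary. `VET_BIN`, `SCAN_DIR`, and the `run_gate`/`run_all_gates` helper names are assumptions of this example; the CEL expressions are the README's own.

```shell
#!/bin/sh
# Added example: evaluate several vet policy gates in one CI job and report
# all failures rather than stopping at the first one.
VET_BIN="${VET_BIN:-vet}"     # assumption: override to point at another binary
SCAN_DIR="${SCAN_DIR:-.}"     # directory passed to `vet scan -D`

# Policy set, one per line: "<name>|<CEL filter expression>".
# With --filter-fail, vet exits non-zero when any package matches the filter.
POLICIES='critical-cves|vulns.critical.exists(p, true)
high-cves|vulns.high.exists(p, true)
copyleft-license|licenses.contains_license("GPL-3.0")
unmaintained|scorecard.scores.Maintained < 5'

# Run a single gate; returns vet's exit status (0 = policy satisfied).
run_gate() {
  name=$1; expr=$2
  if "$VET_BIN" scan -D "$SCAN_DIR" --filter "$expr" --filter-fail >/dev/null 2>&1; then
    echo "PASS $name" >&2
    return 0
  fi
  echo "FAIL $name ($expr)" >&2
  return 1
}

# Run every policy. Prints the space-separated names of failed policies on
# stdout and returns 1 if any policy failed, 0 if all passed.
run_all_gates() {
  failed=""
  old_ifs=$IFS
  IFS='
'
  for line in $POLICIES; do
    IFS=$old_ifs
    name=${line%%|*}; expr=${line#*|}
    if ! run_gate "$name" "$expr"; then
      failed="${failed}${failed:+ }${name}"
    fi
  done
  IFS=$old_ifs
  printf '%s\n' "$failed"
  [ -z "$failed" ]
}

# Entry point for CI: `sh vet-gates.sh run`
case "${1:-}" in
  run)
    command -v "$VET_BIN" >/dev/null 2>&1 || { echo "vet not found" >&2; exit 2; }
    failed=$(run_all_gates) || { echo "policy gate failed: $failed" >&2; exit 1; }
    echo "all policy gates passed" >&2 ;;
esac
```

Invoke it as `sh vet-gates.sh run` from the repository root; the summary on stderr names every policy that matched, so a single CI run shows all violations.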

🎯 Multi-Ecosystem Support

Package managers: npm, PyPI, Maven, Go, Ruby, Rust, PHP
Container images: Docker, OCI
SBOM formats: CycloneDX, SPDX
Source repositories: GitHub, GitLab

🛡️ Malicious Package Detection

Real-time protection against malicious packages with active scanning and behavioral analysis.

🚀 Quick Setup

```shell
# One-time setup for advanced scanning
vet cloud quickstart

# Scan for malware with active scanning (requires API key)
vet scan -D . --malware

# Query known malicious packages (no API key needed)
vet scan -D . --malware-query
```

Key security features:

  • ✅ Real-time analysis against known malware databases
  • ✅ Behavioral analysis using static and dynamic analysis
  • ✅ Zero-day protection through active code scanning
  • ✅ Human-in-the-loop triaging for high-impact findings
  • ✅ Public analysis log for transparency

🎯 Advanced Usage

```shell
# Specialized scans
vet scan --vsx --malware                          # VS Code extensions
vet scan -D .github/workflows --malware           # GitHub Actions
vet scan --image nats:2.10 --malware              # Container images

# Analyze specific packages
vet inspect malware --purl pkg:npm/nyc-config@10.0.0
```

🚀 Production Ready Integrations

📦 GitHub Actions

Zero-config security guardrails in CI/CD:

```yaml
- uses: safedep/vet-action@v1
  with:
    policy: ".github/vet/policy.yml"
```

See vet-action documentation.

🔧 GitLab CI

Enterprise scanning with vet CI Component:

```yaml
include:
  - component: gitlab.com/safedep/ci-components/vet/scan@main
```

🐳 Container Integration

Run vet anywhere using our container image:

```shell
docker run --rm -v $(pwd):/app ghcr.io/safedep/vet:latest scan -D /app --malware
```

📦 Installation

```shell
brew tap safedep/tap
brew install safedep/tap/vet
```

📥 Direct Download

See releases for pre-built binaries.

🐹 Go Install

```shell
go install github.com/safedep/vet@latest
```

🐳 Container Image

```shell
# Quick test
docker run --rm ghcr.io/safedep/vet:latest version

# Scan local directory
docker run --rm -v $(pwd):/workspace ghcr.io/safedep/vet:latest scan -D /workspace
```

⚙️ Verify Installation

```shell
vet version  # Should display version and build information
```

📚 Advanced Features

Learn more in our comprehensive documentation:

📊 Privacy

vet collects anonymous usage telemetry to improve the product. Your code and package information are never transmitted.

```shell
# Disable telemetry (optional)
export VET_DISABLE_TELEMETRY=true
```

🎊 Community & Support

🌟 Join the Community

  • Discord
  • GitHub Discussions
  • Twitter

💡 Get Help & Share Ideas



🙏 Built With Open Source

vet stands on the shoulders of giants:

  • OSV
  • OpenSSF Scorecard
  • SLSA
  • OSV-SCALIBR
  • Syft


Created with ❤️ by SafeDep and the open source community
