
vet-mcp

by safedep


🎯 Why vet?

70-90% of modern software consists of code from open source projects. How do we know it is safe?

vet is an open source software supply chain security tool built for developers and security engineers who need:

Next-gen Software Composition Analysis — Vulnerability and malicious package detection
Policy as Code — Express opinionated security policies using CEL
Real-time malicious package detection — Powered by SafeDep Cloud active scanning
Multi-ecosystem support — npm, PyPI, Maven, Go, Docker, GitHub Actions, and more
CI/CD native — Built for DevSecOps workflows with support for GitHub Actions, GitLab CI, and more
MCP Server — Run vet as an MCP server to vet open source packages referenced by AI-suggested code

⚡ Quick Start

Install in seconds:

# macOS & Linux
brew install safedep/tap/vet

or download a pre-built binary

Scan your project:

# Scan current directory
vet scan -D .

# Scan a single file
vet scan -M package-lock.json

# Fail CI on critical vulnerabilities
vet scan -D . --filter 'vulns.critical.exists(p, true)' --filter-fail

# Fail CI on OpenSSF Scorecard requirements
vet scan -D . --filter 'scorecard.scores.Maintained < 5' --filter-fail

# Fail CI if a package is published from a GitHub repository with fewer than 5 stars
vet scan -D . --filter 'projects.exists(p, p.type == "GITHUB" && p.stars < 5)' --filter-fail

🔒 Key Features

🕵️ Code Analysis

Unlike dependency scanners that flood you with noise, vet analyzes your actual code usage to prioritize real risks. See dependency usage evidence for more details.

🛡️ Malicious Package Detection

Integrated with SafeDep Cloud for real-time protection against malicious packages in the wild. Free for open source projects. Falls back to Query Mode when no API key is provided. Read more about malicious package scanning.

📋 Policy as Code

Define security policies as CEL expressions to enforce context-specific security requirements. A filter on its own only narrows the report; add --filter-fail to make vet exit non-zero when a package matches, which is what turns a policy into a CI gate.

# Block packages with critical CVEs
vet scan \
  --filter 'vulns.critical.exists(p, true)'

# Enforce license compliance
vet scan \
  --filter 'licenses.contains_license("GPL-3.0")'

# Require minimum OpenSSF Scorecard scores
vet scan \
  --filter 'scorecard.scores.Maintained < 5'

🎯 Multi-Format Support

  • Package Managers: npm, PyPI, Maven, Go, Ruby, Rust, PHP
  • Container Images: Docker, OCI
  • SBOMs: CycloneDX, SPDX
  • Binary Artifacts: JAR files, Python wheels
  • Source Code: Direct repository scanning

🔥 See vet in Action

🚀 Production Ready Integrations

📦 GitHub Actions

Zero config security guardrails against vulnerabilities and malicious packages in your CI/CD pipeline with your own opinionated policies:

- uses: safedep/vet-action@v1
  with:
    policy: '.github/vet/policy.yml'

See more in vet-action documentation.

🔧 GitLab CI

Enterprise grade scanning with vet CI Component:

include:
  - component: gitlab.com/safedep/ci-components/vet@main

🐳 Container Integration

Run vet anywhere, including your internal developer platform or a custom CI/CD environment, using the container image.

docker run --rm -v $(pwd):/app ghcr.io/safedep/vet:latest scan -D /app


📦 Installation Options

brew tap safedep/tap
brew install safedep/tap/vet

📥 Direct Download

See releases for the latest version.

🐹 Go Install

go install github.com/safedep/vet@latest

🐳 Container Image

# Quick test
docker run --rm ghcr.io/safedep/vet:latest version

# Scan local directory
docker run --rm -v $(pwd):/workspace ghcr.io/safedep/vet:latest scan -D /workspace

⚙️ Verify Installation

vet version
# Should display version and build information

🎮 Advanced Usage

🔍 Scanning Options

📁 Directory Scanning

# Scan current directory
vet scan

# Scan a given directory
vet scan -D /path/to/project

# Resolve and scan transitive dependencies
vet scan -D . --transitive

📄 Manifest Files

# Package managers
vet scan -M package-lock.json
vet scan -M requirements.txt
vet scan -M pom.xml
vet scan -M go.mod
vet scan -M Gemfile.lock

🐙 GitHub Integration

# Set up GitHub access
vet connect github

# Scan repositories
vet scan --github https://github.com/user/repo

# Organization scanning
vet scan --github-org https://github.com/org

📦 Artifact Scanning

# Container images
vet scan --image nginx:latest
vet scan --image /path/to/image-saved-file.tar

# Binary artifacts
vet scan -M app.jar
vet scan -M package.whl

🎯 Policy Enforcement Examples

# Security-first scanning
vet scan -D . \
  --filter 'vulns.critical.exists(p, true) || vulns.high.exists(p, true)' \
  --filter-fail

# License compliance
vet scan -D . \
  --filter 'licenses.contains_license("GPL-3.0")' \
  --filter-fail

# OpenSSF Scorecard requirements
vet scan -D . \
  --filter 'scorecard.scores.Maintained < 5' \
  --filter-fail

# Popularity-based filtering
vet scan -D . \
  --filter 'projects.exists(p, p.type == "GITHUB" && p.stars < 50)' \
  --filter-fail

🔧 SBOM Support

# Scan a CycloneDX SBOM
vet scan -M sbom.json --type bom-cyclonedx

# Scan an SPDX SBOM
vet scan -M sbom.spdx.json --type bom-spdx

# Generate SBOM output
vet scan -D . --report-cdx=output.sbom.json

# Package URL scanning
vet scan --purl pkg:npm/lodash@4.17.21

📊 Query Mode & Data Persistence

For large codebases and repeated analysis:

# Scan once, query multiple times
vet scan -D . --json-dump-dir ./scan-data

# Query with different filters
vet query --from ./scan-data \
  --filter 'vulns.critical.exists(p, true)'

# Generate focused reports
vet query --from ./scan-data \
  --filter 'licenses.contains_license("GPL")' \
  --report-json license-violations.json
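A small CI gate built on this scan-once, query-many pattern, covering the policy examples in the Policy as Code and Policy Enforcement sections above. This is an added example, not vet's own code. It assumes that `vet query` accepts the same `--filter` and `--filter-fail` flags as `vet scan` and that `--filter-fail` makes vet exit non-zero when any package matches the filter; the `run` parameter is an injection point so the gate logic can be exercised without a vet binary and is not a vet feature.

```python
"""CI gate: run `vet scan` once into a JSON dump, then evaluate several
named CEL policies against that dump with `vet query`.

Added example, not part of vet. Assumptions: `vet query` takes
--filter/--filter-fail like `vet scan`, and --filter-fail yields a
non-zero exit status when a package matches. `run` is injectable for tests.
"""
import subprocess
import sys

# Policy name -> CEL expression. The expressions are the README's filter
# examples; the names are ours and only label the CI output.
POLICIES = {
    "critical-or-high-vulns": 'vulns.critical.exists(p, true) || vulns.high.exists(p, true)',
    "copyleft-license": 'licenses.contains_license("GPL-3.0")',
    "unmaintained": "scorecard.scores.Maintained < 5",
    "low-popularity": 'projects.exists(p, p.type == "GITHUB" && p.stars < 50)',
}


def _run(cmd):
    """Default runner: execute the command and return its exit status."""
    return subprocess.run(cmd, check=False).returncode


def scan_once(scan_dir, dump_dir, vet="vet", run=_run):
    """Enrich the project once and persist the data for repeated queries."""
    return run([vet, "scan", "-D", scan_dir, "--json-dump-dir", dump_dir]) == 0


def evaluate_policies(dump_dir, policies=POLICIES, vet="vet", run=_run):
    """Return {policy_name: passed}. One `vet query` per policy; a policy
    fails when --filter-fail makes vet exit non-zero (assumed behaviour)."""
    results = {}
    for name, expr in policies.items():
        rc = run([vet, "query", "--from", dump_dir, "--filter", expr, "--filter-fail"])
        results[name] = rc == 0
    return results


def failed_policies(results):
    """Sorted names of the policies that matched at least one package."""
    return sorted(name for name, ok in results.items() if not ok)


def main(argv):
    scan_dir = argv[1] if len(argv) > 1 else "."
    dump_dir = "./vet-scan-data"
    if not scan_once(scan_dir, dump_dir):
        print("vet scan failed", file=sys.stderr)
        return 2
    results = evaluate_policies(dump_dir)
    for name, ok in results.items():
        print(f"{'PASS' if ok else 'FAIL'} {name}")
    return 1 if failed_policies(results) else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it as `python vet_gate.py .` in the pipeline; exit status 1 means at least one policy matched, 2 means the scan itself failed, and the PASS/FAIL lines tell reviewers which policy tripped without re-running the enrichment step.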

📊 Reporting

vet generates reports tailored for different stakeholders:

📋 Report Formats

# SARIF for GitHub Security tab
vet scan -D . --report-sarif=report.sarif

# JSON for custom tooling
vet scan -D . --report-json=report.json

# CSV for spreadsheet analysis
vet scan -D . --report-csv=report.csv

# Markdown reports for PRs
vet scan -D . --report-markdown=report.md

# Console summary (default)
vet scan -D . --report-summary

# SBOM generation
vet scan -D . --report-cdx=sbom.json

# Dependency graphs
vet scan -D . --report-graph=dependencies.dot

🎯 Report Examples

# Multi-format output
vet scan -D . \
  --report-json=report.json \
  --report-sarif=report.sarif \
  --report-markdown=report.md

# Focus on specific issues
vet scan -D . \
  --filter 'vulns.high.exists(p, true)' \
  --report-json=report.json
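When the SARIF report is consumed by something other than the GitHub Security tab, for example a custom CI step, the one detail that trips people up is that SARIF results do not have to carry a `level`: per SARIF 2.1.0 an absent `result.level` falls back to the rule's `defaultConfiguration.level`, and to `warning` if the rule declares none. The following added example (not vet's code) summarizes any SARIF 2.1.0 file by level, rule and artifact and applies a fail threshold with that fallback. The embedded report is constructed for illustration; its rule IDs and messages are invented and are not vet's.

```python
"""Summarize a SARIF 2.1.0 report and decide whether a CI job should fail.

Added example, not part of vet. Works on any SARIF 2.1.0 file, including
the one written by `vet scan --report-sarif=report.sarif`; the sample
below is constructed and its rule IDs (EX001, ...) are made up.
"""
import json
from collections import Counter, defaultdict

SEVERITY_ORDER = {"none": 0, "note": 1, "warning": 2, "error": 3}

# Constructed sample report: two results with an explicit or defaulted
# 'error' level, one defaulted 'warning', and one result whose rule the
# driver never declared (so it falls back to 'warning' with no location).
SAMPLE_SARIF = json.dumps({
    "version": "2.1.0",
    "runs": [{
        "tool": {"driver": {"name": "example-scanner", "rules": [
            {"id": "EX001", "shortDescription": {"text": "Critical vulnerability"},
             "defaultConfiguration": {"level": "error"}},
            {"id": "EX002", "shortDescription": {"text": "Low popularity project"},
             "defaultConfiguration": {"level": "warning"}},
        ]}},
        "results": [
            {"ruleId": "EX001", "level": "error",
             "message": {"text": "pkg:npm/a@1.0.0 has a critical CVE"},
             "locations": [{"physicalLocation": {"artifactLocation": {"uri": "package-lock.json"}}}]},
            {"ruleId": "EX001",
             "message": {"text": "pkg:npm/b@2.0.0 has a critical CVE"},
             "locations": [{"physicalLocation": {"artifactLocation": {"uri": "package-lock.json"}}}]},
            {"ruleId": "EX002",
             "message": {"text": "pkg:pypi/c@0.1 has 3 stars"},
             "locations": [{"physicalLocation": {"artifactLocation": {"uri": "requirements.txt"}}}]},
            {"ruleId": "EX999", "message": {"text": "rule not declared by the driver"}},
        ],
    }],
})


def _rule_levels(run):
    """Map rule id -> defaultConfiguration.level for the rules the driver declares."""
    levels = {}
    for rule in run.get("tool", {}).get("driver", {}).get("rules", []):
        levels[rule["id"]] = rule.get("defaultConfiguration", {}).get("level", "warning")
    return levels


def effective_level(result, rule_levels):
    """SARIF 2.1.0 fallback: result.level, else the rule default, else 'warning'."""
    if "level" in result:
        return result["level"]
    return rule_levels.get(result.get("ruleId"), "warning")


def summarize(sarif_text):
    """Count results by effective level, by rule id and per artifact URI."""
    doc = json.loads(sarif_text)
    by_level, by_rule = Counter(), Counter()
    by_artifact = defaultdict(Counter)
    for run in doc.get("runs", []):
        rule_levels = _rule_levels(run)
        for result in run.get("results", []):
            level = effective_level(result, rule_levels)
            by_level[level] += 1
            by_rule[result.get("ruleId", "<no-rule>")] += 1
            for loc in result.get("locations") or [{}]:
                uri = (loc.get("physicalLocation", {})
                          .get("artifactLocation", {})
                          .get("uri", "<no-location>"))
                by_artifact[uri][level] += 1
    return {"by_level": dict(by_level), "by_rule": dict(by_rule),
            "by_artifact": {k: dict(v) for k, v in by_artifact.items()}}


def should_fail(summary, threshold="error"):
    """True when any result sits at or above the threshold level."""
    floor = SEVERITY_ORDER[threshold]
    return any(SEVERITY_ORDER.get(level, 0) >= floor and n > 0
               for level, n in summary["by_level"].items())


if __name__ == "__main__":
    import sys
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_SARIF
    summary = summarize(text)
    print(json.dumps(summary, indent=2))
    sys.exit(1 if should_fail(summary) else 0)
```

Pass `report.sarif` as the first argument to run it against real output; without an argument it processes the constructed sample. The per-artifact breakdown is what you want when one lockfile in a monorepo is responsible for most findings.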

🤖 MCP Server

vet can be used as an MCP server to vet open source packages from AI suggested code.

# Start the MCP server with SSE transport
vet server mcp --server-type sse

For more details, see vet MCP Server documentation.

🛡️ Malicious Package Detection

Malicious package detection through active scanning and code analysis powered by SafeDep Cloud. vet requires an API key for active scanning of unknown packages. When no API key is provided, vet falls back to Query Mode, which only detects packages already known to be malicious in the SafeDep and OSV databases; previously unseen malicious packages are not analyzed in that mode.

  • Grab a free API key from SafeDep Platform App or use vet cloud quickstart
  • API access is free forever for open source projects
  • No proprietary code is collected for malicious package detection
  • Only open source package scanning from public repositories is supported

🚀 Quick Setup

Malicious package detection requires an API key for SafeDep Cloud.

# One-time setup
vet cloud quickstart

# Enable malware scanning
vet scan -D . --malware

# Query for known malicious packages without an API key
vet scan -D . --malware-query

Example malicious packages detected and reported by SafeDep Cloud malicious package detection:

🎯 Advanced Malicious Package Analysis

🔍 Scan packages with malicious package detection enabled

# Real-time scanning
vet scan -D . --malware

# Timeout adjustment
vet scan -D . --malware \
  --malware-analysis-timeout=300s

# Batch analysis
vet scan -D . --malware \
  --json-dump-dir=./analysis

🎭 Specialized Scans

# VS Code extensions
vet scan --vsx --malware

# GitHub Actions
vet scan -D .github/workflows --malware

# Container Images
vet scan --image nats:2.10 --malware

# Scan a single package and fail if it is malicious
vet scan --purl pkg:npm/nyc-config@10.0.0 --fail-fast

# Active scanning of a single package (requires API key)
vet inspect malware \
  --purl pkg:npm/nyc-config@10.0.0
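Both the Package URL scanning shown under SBOM Support and the single-package `vet inspect malware --purl` form above take a purl, so a common step is turning a lockfile into a list of purls. The following added example (not vet's code) does that for npm `package-lock.json` files with `lockfileVersion` 2 or 3, handling the detail that scoped packages map to a percent-encoded purl namespace (`@babel/core` becomes `pkg:npm/%40babel/core@...`) and skipping the root project and workspace symlinks. The lockfile it embeds is constructed for illustration.

```python
"""Turn a package-lock.json (lockfileVersion 2 or 3) into Package URLs for
`vet scan --purl ...` or `vet inspect malware --purl ...`.

Added example, not part of vet. The embedded lockfile is constructed.
"""
import json
import sys
from urllib.parse import quote

# Constructed lockfile: a regular dependency, a scoped dev dependency, a
# nested (deduplicated) dependency, and a workspace symlink.
SAMPLE_LOCK = json.dumps({
    "name": "demo", "lockfileVersion": 3,
    "packages": {
        "": {"name": "demo", "version": "1.0.0"},
        "node_modules/lodash": {"version": "4.17.21"},
        "node_modules/@babel/core": {"version": "7.24.0", "dev": True},
        "node_modules/@babel/core/node_modules/semver": {"version": "6.3.1", "dev": True},
        "node_modules/local-thing": {"version": "0.0.1", "link": True},
    },
})


def npm_purl(name, version):
    """Build pkg:npm/<namespace>/<name>@<version>; the purl spec requires
    the '@scope' namespace and the version to be percent-encoded."""
    ver = quote(version, safe="")
    if name.startswith("@"):
        scope, _, pkg = name.partition("/")
        return f"pkg:npm/{quote(scope, safe='')}/{quote(pkg, safe='')}@{ver}"
    return f"pkg:npm/{quote(name, safe='')}@{ver}"


def lockfile_purls(lock_text, include_dev=True):
    """Return sorted, de-duplicated purls for every registry package in the lock."""
    lock = json.loads(lock_text)
    if lock.get("lockfileVersion", 1) < 2:
        raise ValueError("only lockfileVersion 2 or 3 carry the 'packages' map")
    purls = set()
    for path, entry in lock.get("packages", {}).items():
        if path == "" or entry.get("link"):
            continue  # root project or workspace symlink, not a registry package
        if entry.get("dev") and not include_dev:
            continue
        # Nested entries look like node_modules/a/node_modules/b; the package
        # name is whatever follows the last 'node_modules/' unless given explicitly.
        name = entry.get("name") or path.rsplit("node_modules/", 1)[-1]
        purls.add(npm_purl(name, entry["version"]))
    return sorted(purls)


if __name__ == "__main__":
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_LOCK
    for purl in lockfile_purls(text):
        print(f"vet inspect malware --purl {purl}")
```

Run it with a real `package-lock.json` path to get one `vet inspect malware` command per dependency; pass `include_dev=False` if you only gate what ships to production. Lockfile version 1 files have no `packages` map and are rejected rather than silently producing an empty list.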

🔒 Security Features

  • Real-time analysis of packages against known malware databases
  • Behavioral analysis using static and dynamic analysis
  • Zero-day protection through active code scanning
  • Human in the loop for triaging and investigation of high-impact findings
  • Real-time analysis with a public analysis log

📊 Privacy and Telemetry

vet collects anonymous usage telemetry to improve the product. Your code and package information are never transmitted as telemetry. This applies to telemetry only: malicious package detection with --malware sends the packages it analyzes to SafeDep Cloud, as described above.

# Disable telemetry (optional)
export VET_DISABLE_TELEMETRY=true


🙏 Built With Open Source

vet stands on the shoulders of giants:

OSV, OpenSSF Scorecard, SLSA, OSV-SCALIBR, Syft


Created with ❤️ by SafeDep and the open source community
