Enables scanning of container images for vulnerabilities and malicious packages, supporting both remote registry images and local image tarballs.
Integrates with GitHub repositories for scanning dependencies and enforcing security policies. Provides OpenSSF Scorecard integration for repository security assessment.
Provides security scanning for GitHub Actions workflows with zero-config security guardrails against vulnerabilities and malicious packages in CI/CD pipelines.
Offers enterprise-grade scanning through GitLab CI components to detect security vulnerabilities and enforce policy compliance in GitLab CI/CD pipelines.
Scans npm packages for vulnerabilities and malicious code, detecting security issues in JavaScript/Node.js dependencies.
Analyzes PHP dependencies for vulnerabilities and malicious code within PHP projects.
Analyzes Python packages from PyPI for vulnerabilities and malicious code, supporting requirements.txt and wheel files.
Scans Ruby packages and Gemfile.lock files for vulnerabilities and security issues in Ruby dependencies.
Provides vulnerability and malicious package detection for Rust crates and dependencies.
🎯 Why vet?
70-90% of modern software consists of code from open source. How do we know if it's safe?
vet is an open source software supply chain security tool built for developers and security engineers who need:
✅ Next-gen Software Composition Analysis — Vulnerability and malicious package detection
✅ Policy as Code — Express opinionated security policies using CEL
✅ Real-time malicious package detection — Powered by SafeDep Cloud active scanning
✅ Multi-ecosystem support — npm, PyPI, Maven, Go, Docker, GitHub Actions, and more
✅ CI/CD native — Built for DevSecOps workflows with support for GitHub Actions, GitLab CI, and more
✅ MCP Server — Run vet as an MCP server to vet open source packages from AI suggested code
⚡ Quick Start
Install in seconds:
or download a pre-built binary
Scan your project:
🔒 Key Features
🕵️ Code Analysis
Unlike dependency scanners that flood you with noise, vet analyzes your actual code usage to prioritize real risks. See dependency usage evidence for more details.
🛡️ Malicious Package Detection
Integrated with SafeDep Cloud for real-time protection against malicious packages in the wild. Free for open source projects. Falls back to Query Mode when no API key is provided. Read more about malicious package scanning.
📋 Policy as Code
Define security policies using CEL expressions to enforce context specific security requirements.
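As an added illustration, not taken from the vet README or the vet project itself, the following filter suite shows the kind of CEL policy vet loads with its --filter-suite option. The filter names are constructed; the CEL variables (vulns, scorecard.scores, projects, licenses) and the check_type values follow vet's documented filter syntax as assumed here, and the GPL-2.0 rule is a constructed organisational policy choice, not a recommendation.

```yaml
# Example filter suite for vet (assumed syntax; constructed for illustration).
# Run with:   vet scan -D . --filter-suite policy.yml --filter-fail
# Each filter is a CEL expression evaluated per package; a match reports the
# package under the filter name, and --filter-fail makes the scan exit non-zero.
name: Example OSS consumption policy
description: |
  Block packages with critical or high vulnerabilities, unmaintained
  projects, very low popularity projects, and a prohibited license.
filters:
  # Vulnerability gates: any critical or high severity advisory fails the scan.
  - name: critical-vulnerabilities
    check_type: CheckTypeVulnerability
    value: |
      vulns.critical.exists(p, true)
  - name: high-vulnerabilities
    check_type: CheckTypeVulnerability
    value: |
      vulns.high.exists(p, true)

  # Maintenance gate: OpenSSF Scorecard "Maintained" score of 0 means the
  # upstream project showed no activity in the assessed window.
  - name: unmaintained-project
    check_type: CheckTypeMaintenance
    value: |
      scorecard.scores.Maintained == 0

  # Popularity gate: flag packages whose source project has fewer than 10
  # stars (a weak signal, useful as a prompt for manual review).
  - name: low-popularity
    check_type: CheckTypePopularity
    value: |
      projects.exists(p, p.stars < 10)

  # License gate: constructed policy choice; adjust to your own license list.
  - name: prohibited-license
    check_type: CheckTypeLicense
    value: |
      licenses.exists(p, p == "GPL-2.0")
```

The same expressions can be passed one at a time with --filter for ad hoc checks; a suite file is what makes the policy reviewable and versioned alongside the code it governs.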
🎯 Multi-Format Support
- Package Managers: npm, PyPI, Maven, Go, Ruby, Rust, PHP
- Container Images: Docker, OCI
- SBOMs: CycloneDX, SPDX
- Binary Artifacts: JAR files, Python wheels
- Source Code: Direct repository scanning
🔥 See vet in Action
🚀 Production Ready Integrations
📦 GitHub Actions
Zero config security guardrails against vulnerabilities and malicious packages in your CI/CD pipeline with your own opinionated policies:
See more in vet-action documentation.
🔧 GitLab CI
Enterprise grade scanning with vet CI Component:
🐳 Container Integration
Run vet anywhere, even your internal developer platform or custom CI/CD environment, using our container image.
📚 Table of Contents
- 🎯 Why vet?
- ⚡ Quick Start
- 🔒 Key Features
- 🔥 See vet in Action
- 🚀 Production Ready Integrations
- 📚 Table of Contents
- 📦 Installation Options
- 🎮 Advanced Usage
- 📊 Reporting
- 🛡️ Malicious Package Detection
- 📊 Privacy and Telemetry
- 🎊 Community & Support
📦 Installation Options
🍺 Homebrew (Recommended)
📥 Direct Download
See releases for the latest version.
🐹 Go Install
🐳 Container Image
⚙️ Verify Installation
🎮 Advanced Usage
🔍 Scanning Options
📁 Directory Scanning
📄 Manifest Files
🐙 GitHub Integration
📦 Artifact Scanning
🎯 Policy Enforcement Examples
🔧 SBOM Support
📊 Query Mode & Data Persistence
For large codebases and repeated analysis:
📊 Reporting
vet generates reports that are tailored for different stakeholders:
📋 Report Formats
🎯 Report Examples
🤖 MCP Server
vet can be used as an MCP server to vet open source packages from AI suggested code.
For more details, see vet MCP Server documentation.
🛡️ Malicious Package Detection
Malicious package detection through active scanning and code analysis powered by SafeDep Cloud. vet requires an API key for active scanning of unknown packages. When no API key is provided, vet falls back to Query Mode, which detects known malicious packages from the SafeDep and OSV databases.
- Grab a free API key from SafeDep Platform App or use vet cloud quickstart
- API access is free forever for open source projects
- No proprietary code is collected for malicious package detection
- Only open source package scanning from public repositories is supported
🚀 Quick Setup
Malicious package detection requires an API key for SafeDep Cloud.
Example malicious packages detected and reported by SafeDep Cloud malicious package detection:
- MAL-2025-3541: express-cookie-parser
- MAL-2025-4339: eslint-config-airbnb-compat
- MAL-2025-4029: ts-runtime-compat-check
- MAL-2025-2227: nyc-config
🎯 Advanced Malicious Package Analysis
🔍 Scan packages with malicious package detection enabled
🎭 Specialized Scans
🔒 Security Features
- ✅ Real-time analysis of packages against known malware databases
- ✅ Behavioral analysis using static and dynamic analysis
- ✅ Zero day protection through active code scanning
- ✅ Human in the loop for triaging and investigation of high impact findings
- ✅ Real time analysis with public analysis log
📊 Privacy and Telemetry
vet collects anonymous usage telemetry to improve the product. Your code and package information is never transmitted.
🎊 Community & Support
🌟 Join the Community
💡 Get Help & Share Ideas
- 🚀 Interactive Tutorial - Learn vet hands-on
- 📚 Complete Documentation - Comprehensive guides
- 💬 Discord Community - Real-time support
- 🐛 Issue Tracker - Bug reports & feature requests
- 🤝 Contributing Guide - Join the development
⭐ Star History
🙏 Built With Open Source
vet stands on the shoulders of giants:
OSV • OpenSSF Scorecard • SLSA • OSV-SCALIBR • Syft
Created with ❤️ by SafeDep and the open source community
hybrid server
The server is able to function both locally and remotely, depending on the configuration or use case.
vet-mcp