<p align="center">
<a href="https://safedep.io">
<picture>
<source srcset="docs/assets/vet-banner-dark.svg" media="(prefers-color-scheme: dark)">
<source srcset="docs/assets/vet-banner-light.svg" media="(prefers-color-scheme: light)">
<img src="docs/assets/vet-banner-light.svg" alt="SafeDep VET - Real-time malicious package detection & software supply chain security" width="100%">
</picture>
</a>
</p>
<div align="center">
<p>
<a href="#quick-start"><strong>Quick Start</strong></a> •
<a href="https://docs.safedep.io/"><strong>Documentation</strong></a> •
<a href="#community--support"><strong>Community</strong></a>
</p>
</div>
<div align="center">
[](https://goreportcard.com/report/github.com/safedep/vet)
[](https://github.com/safedep/vet/blob/main/LICENSE)
[](https://github.com/safedep/vet/releases)
[](https://api.securityscorecards.dev/projects/github.com/safedep/vet)
[](https://slsa.dev)
[](https://github.com/safedep/vet/actions/workflows/codeql.yml)
[](https://deepwiki.com/safedep/vet)
</div>
---
> [!NOTE]
> `vet` supports special mode for Agent Skills.
> Run `vet scan --agent-skill <owner/repo>` to scan an Agent Skill hosted in a GitHub repository.
## Why vet?
> **70-90% of modern software is open source code** — how do you know it's safe?
Traditional SCA tools drown you in CVE noise. **vet** takes a different approach:
- **Shadow AI discovery** — Discover AI tool usage signals across various tools and configurations
- **Catch malware before it ships** — Zero-day detection through static and dynamic behavioral analysis (requires SafeDep Cloud access)
- **Cut through vulnerability noise** — Analyzes actual code usage to surface only the risks that matter
- **Enforce policy as code** — Express security, license, and quality requirements as [CEL](https://cel.dev/) expressions
- **CI/CD integration** — Zero-config security guardrails in CI/CD
Free for open source. Hosted SaaS available at [SafeDep](https://safedep.io).
## Quick Start
**Install in seconds:**
```bash
# macOS & Linux
brew install safedep/tap/vet
# Using npm
npm install @safedep/vet
```
or download a [pre-built binary](https://github.com/safedep/vet/releases)
**Get started immediately:**
```bash
# Scan for malware in your dependencies
vet scan -D . --malware-query
# Fail CI on critical vulnerabilities
vet scan -D . --filter 'vulns.critical.exists(p, true)' --filter-fail
# Get API key for advanced malware detection
vet cloud quickstart
```
## Architecture
`vet` follows a pipeline architecture: **readers** ingest package manifests from diverse sources (directories, repositories, container images, SBOMs), **enrichers** augment each package with vulnerability, malware, and scorecard data from SafeDep Cloud, the **CEL policy engine** evaluates security policies against enriched data, and **reporters** produce actionable output in formats like SARIF, JSON, and Markdown.
<details>
<summary>View architecture diagram</summary>
```mermaid
graph TB
subgraph "OSS Ecosystem"
R1[npm Registry]
R2[PyPI Registry]
R3[Maven Central]
R4[Other Registries]
end
subgraph "SafeDep Cloud"
M[Continuous Monitoring]
A[Real-time Code Analysis<br/>Malware Detection]
T[Threat Intelligence DB<br/>Vulnerabilities • Malware • Scorecard]
end
subgraph "vet CLI"
S[Source Repository<br/>Scanner]
P[CEL Policy Engine]
O[Reports & Actions<br/>SARIF/JSON/CSV]
end
R1 -->|New Packages| M
R2 -->|New Packages| M
R3 -->|New Packages| M
R4 -->|New Packages| M
M -->|Behavioral Analysis| A
A -->|Malware Signals| T
S -->|Query Package Info| T
T -->|Security Intelligence| S
S -->|Analysis Results| P
P -->|Policy Decisions| O
style M fill:#7CB9E8,stroke:#5A8DB8,color:#1a1a1a
style A fill:#E8A87C,stroke:#B88A5A,color:#1a1a1a
style T fill:#7CB9E8,stroke:#5A8DB8,color:#1a1a1a
style S fill:#90C695,stroke:#6B9870,color:#1a1a1a
style P fill:#E8C47C,stroke:#B89B5A,color:#1a1a1a
style O fill:#B8A3D4,stroke:#9478AA,color:#1a1a1a
```
</details>
## Key Features
### **Malicious Package Detection**
Real-time protection against malicious packages powered by [SafeDep Cloud](https://docs.safedep.io/cloud/malware-analysis).
Free for open source projects. Detects zero-day malware through active code analysis.
### **Smart Vulnerability Analysis**
Unlike dependency scanners that flood you with noise, `vet` analyzes your **actual code usage** to prioritize real risks.
See [dependency usage evidence](https://docs.safedep.io/vet/guides/dependency-usage-identification) for details.
### **Policy as Code**
Define security policies using CEL expressions to enforce context specific requirements:
```bash
# Block packages with critical CVEs
vet scan --filter 'vulns.critical.exists(p, true)' --filter-fail
# Enforce license compliance
vet scan --filter 'licenses.contains_license("GPL-3.0")' --filter-fail
# Require minimum OpenSSF Scorecard scores
vet scan --filter 'scorecard.scores.Maintained < 5' --filter-fail
```
### **Multi-Ecosystem Support**
Package managers: **npm**, **PyPI**, **Maven**, **Go**, **Ruby**, **Rust**, **PHP**
Container images: **Docker**, **OCI**
SBOM formats: **CycloneDX**, **SPDX**
Source repositories: **GitHub**, **GitLab**
## Malicious Package Detection
**Real-time protection against malicious packages** with active scanning and behavioral analysis.
### Quick Setup
```bash
# One-time setup for advanced scanning
vet cloud quickstart
# Scan for malware with active scanning (requires API key)
vet scan -D . --malware
# Query known malicious packages (no API key needed)
vet scan -D . --malware-query
```
**Example detections:**
- [MAL-2025-3541: express-cookie-parser](https://safedep.io/malicious-npm-package-express-cookie-parser/)
- [MAL-2025-4339: eslint-config-airbnb-compat](https://safedep.io/digging-into-dynamic-malware-analysis-signals/)
- [MAL-2025-4029: ts-runtime-compat-check](https://safedep.io/digging-into-dynamic-malware-analysis-signals/)
**Key security features:**
- Real-time analysis against known malware databases
- Behavioral analysis using static and dynamic analysis
- Zero-day protection through active code scanning
- Human-in-the-loop triaging for high-impact findings
- Public [analysis log](https://vetpkg.dev/mal) for transparency
### Advanced Usage
```bash
# Specialized scans
vet scan --vsx --malware # VS Code extensions
vet scan -D .github/workflows --malware # GitHub Actions
vet scan --image nats:2.10 --malware # Container images
# Analyze specific packages
vet inspect malware --purl pkg:npm/nyc-config@10.0.0
```
## Production Ready Integrations
### GitHub Actions
Zero-config security guardrails in CI/CD:
```yaml
- uses: safedep/vet-action@v1
with:
policy: ".github/vet/policy.yml"
```
See [vet-action](https://github.com/safedep/vet-action) documentation.
### GitLab CI
Enterprise scanning with [vet CI Component](https://docs.safedep.io/vet/guides/gitlab-dependency-scanning):
```yaml
include:
- component: gitlab.com/safedep/ci-components/vet/scan@main
```
### Container Integration
Run `vet` anywhere using our container image:
```bash
docker run --rm -v $(pwd):/app ghcr.io/safedep/vet:latest scan -D /app --malware
```
## Installation
### Homebrew (Recommended)
```bash
brew install safedep/tap/vet
```
### npm
```bash
npm install @safedep/vet
```
### Direct Download
See [releases](https://github.com/safedep/vet/releases) for pre-built binaries.
### Go Install
```bash
go install github.com/safedep/vet@latest
```
### Container Image
```bash
# Quick test
docker run --rm ghcr.io/safedep/vet:latest version
# Scan local directory
docker run --rm -v $(pwd):/workspace ghcr.io/safedep/vet:latest scan -D /workspace
```
### Verify Installation
```bash
vet version
# Should display version and build information
```
## Advanced Features
**Learn more in our comprehensive documentation:**
- **[AI Usage Discovery](./docs/ai-discovery.md)** - Discover AI tool usage signals across various tools and configurations
- **[AI Agent Mode](./docs/agent.md)** - Run vet as an AI agent
- **[MCP Server](./docs/mcp.md)** - Run vet as an MCP server for AI-assisted code analysis
- **[Reporting](./docs/reporting.md)** - SARIF, JSON, CSV, HTML, Markdown formats
- **[SBOM Support](https://docs.safedep.io/vet/guides/cyclonedx-sbom)** - CycloneDX, SPDX import/export
- **[Query Mode](https://docs.safedep.io/cloud/quickstart#query-your-data)** - Scan once, analyze multiple times
- **[GitHub Integration](https://docs.safedep.io/)** - Repository and organization scanning
## Privacy
`vet` collects anonymous usage telemetry to improve the product. **Your code and package information is never transmitted.**
```bash
# Disable telemetry (optional)
export VET_DISABLE_TELEMETRY=true
```
## Community & Support
<div align="center">
### Join the Community
[](https://rebrand.ly/safedep-community)
[](https://github.com/safedep/vet/discussions)
[](https://twitter.com/safedepio)
</div>
### Get Help & Share Ideas
- **[Interactive Tutorial](https://killercoda.com/safedep/scenario/101-intro)** - Learn vet hands-on
- **[Complete Documentation](https://docs.safedep.io/)** - Comprehensive guides
- **[Discord Community](https://rebrand.ly/safedep-community)** - Real-time support
- **[Issue Tracker](https://github.com/safedep/vet/issues)** - Bug reports & feature requests
- **[Contributing Guide](CONTRIBUTING.md)** - Join the development
---
<div align="center">
### Star History
[](https://star-history.com/#safedep/vet&Date)
### Built With Open Source
vet stands on the shoulders of giants:
[OSV](https://osv.dev) • [OpenSSF Scorecard](https://securityscorecards.dev/) • [SLSA](https://slsa.dev/) • [OSV-SCALIBR](https://github.com/google/osv-scalibr) • [Syft](https://github.com/anchore/syft)
---
<p><strong>Secure your supply chain today. Star the repo and get started!</strong></p>
Created with love by [SafeDep](https://safedep.io) and the open source community
</div>
<img referrerpolicy="no-referrer-when-downgrade" src="https://static.scarf.sh/a.png?x-pxid=304d1856-fcb3-4166-bfbf-b3e40d0f1e3b" />
