Enables scanning of container images for vulnerabilities and malicious packages, supporting both remote registry images and local image tarballs.
Integrates with GitHub repositories for scanning dependencies and enforcing security policies. Provides OpenSSF Scorecard integration for repository security assessment.
Provides security scanning for GitHub Actions workflows with zero-config security guardrails against vulnerabilities and malicious packages in CI/CD pipelines.
Offers enterprise-grade scanning through GitLab CI components to detect security vulnerabilities and enforce policy compliance in GitLab CI/CD pipelines.
Scans npm packages for vulnerabilities and malicious code, detecting security issues in JavaScript/Node.js dependencies.
Analyzes PHP dependencies for vulnerabilities and malicious code within PHP projects.
Analyzes Python packages from PyPI for vulnerabilities and malicious code, supporting requirements.txt and wheel files.
Scans Ruby packages and Gemfile.lock files for vulnerabilities and security issues in Ruby dependencies.
Provides vulnerability and malicious package detection for Rust crates and dependencies.
Click on "Install Server".
Wait a few minutes for the server to deploy. Once ready, it will show a "Started" state.
In the chat, type
@followed by the MCP server name and your instructions, e.g., "@vet-mcpscan my project for malicious packages"
That's it! The server will respond to your query, and you can continue using it as needed.
Here is a step-by-step guide with screenshots.
π― Why vet?
70-90% of modern software constitute code from open sources β How do we know if it's safe?
vet is an open source software supply chain security tool built for developers and security engineers who need:
β
Real-time malicious package detection β Active scanning and analysis of unknown packages
β
Modern SCA with actual usage analysis β Prioritize real risks over vulnerability noise
β
Policy as Code β Express security requirements using CEL expressions
Hosted SaaS version available at SafeDep Cloud. Get started with GitHub App and other integrations.
Related MCP server: vedit-mcp
β‘ Quick Start
Install in seconds:
# macOS & Linux
brew install safedep/tap/vetor download a pre-built binary
Get started immediately:
# Scan for malware in your dependencies
vet scan -D . --malware-query
# Fail CI on critical vulnerabilities
vet scan -D . --filter 'vulns.critical.exists(p, true)' --filter-fail
# Get API key for advanced malware detection
vet cloud quickstartπ¦ Architecture
graph TB
subgraph "OSS Ecosystem"
R1[npm Registry]
R2[PyPI Registry]
R3[Maven Central]
R4[Other Registries]
end
subgraph "SafeDep Cloud"
M[Continuous Monitoring]
A[Real-time Code Analysis<br/>Malware Detection]
T[Threat Intelligence DB<br/>Vulnerabilities β’ Malware β’ Scorecard]
end
subgraph "vet CLI"
S[Source Repository<br/>Scanner]
P[CEL Policy Engine]
O[Reports & Actions<br/>SARIF/JSON/CSV]
end
R1 -->|New Packages| M
R2 -->|New Packages| M
R3 -->|New Packages| M
R4 -->|New Packages| M
M -->|Behavioral Analysis| A
A -->|Malware Signals| T
S -->|Query Package Info| T
T -->|Security Intelligence| S
S -->|Analysis Results| P
P -->|Policy Decisions| O
style M fill:#7CB9E8,stroke:#5A8DB8,color:#1a1a1a
style A fill:#E8A87C,stroke:#B88A5A,color:#1a1a1a
style T fill:#7CB9E8,stroke:#5A8DB8,color:#1a1a1a
style S fill:#90C695,stroke:#6B9870,color:#1a1a1a
style P fill:#E8C47C,stroke:#B89B5A,color:#1a1a1a
style O fill:#B8A3D4,stroke:#9478AA,color:#1a1a1aπ Key Features
π‘οΈ Malicious Package Detection
Real-time protection against malicious packages powered by SafeDep Cloud. Free for open source projects. Detects zero-day malware through active code analysis.
π΅οΈ Smart Vulnerability Analysis
Unlike dependency scanners that flood you with noise, vet analyzes your actual code usage to prioritize real risks.
See dependency usage evidence for details.
π Policy as Code
Define security policies using CEL expressions to enforce context specific requirements:
# Block packages with critical CVEs
vet scan --filter 'vulns.critical.exists(p, true)' --filter-fail
# Enforce license compliance
vet scan --filter 'licenses.contains_license("GPL-3.0")' --filter-fail
# Require minimum OpenSSF Scorecard scores
vet scan --filter 'scorecard.scores.Maintained < 5' --filter-failπ― Multi-Ecosystem Support
Package managers: npm, PyPI, Maven, Go, Ruby, Rust, PHP
Container images: Docker, OCI
SBOM formats: CycloneDX, SPDX
Source repositories: GitHub, GitLab
π‘οΈ Malicious Package Detection
Real-time protection against malicious packages with active scanning and behavioral analysis.
π Quick Setup
# One-time setup for advanced scanning
vet cloud quickstart
# Scan for malware with active scanning (requires API key)
vet scan -D . --malware
# Query known malicious packages (no API key needed)
vet scan -D . --malware-queryExample detections:
Key security features:
β Real-time analysis against known malware databases
β Behavioral analysis using static and dynamic analysis
β Zero-day protection through active code scanning
β Human-in-the-loop triaging for high-impact findings
β Public analysis log for transparency
π― Advanced Usage
# Specialized scans
vet scan --vsx --malware # VS Code extensions
vet scan -D .github/workflows --malware # GitHub Actions
vet scan --image nats:2.10 --malware # Container images
# Analyze specific packages
vet inspect malware --purl pkg:npm/nyc-config@10.0.0π Production Ready Integrations
π¦ GitHub Actions
Zero-config security guardrails in CI/CD:
- uses: safedep/vet-action@v1
with:
policy: ".github/vet/policy.yml"See vet-action documentation.
π§ GitLab CI
Enterprise scanning with vet CI Component:
include:
- component: gitlab.com/safedep/ci-components/vet/scan@mainπ³ Container Integration
Run vet anywhere using our container image:
docker run --rm -v $(pwd):/app ghcr.io/safedep/vet:latest scan -D /app --malwareπ¦ Installation
πΊ Homebrew (Recommended)
brew tap safedep/tap
brew install safedep/tap/vetπ₯ Direct Download
See releases for pre-built binaries.
πΉ Go Install
go install github.com/safedep/vet@latestπ³ Container Image
# Quick test
docker run --rm ghcr.io/safedep/vet:latest version
# Scan local directory
docker run --rm -v $(pwd):/workspace ghcr.io/safedep/vet:latest scan -D /workspaceβοΈ Verify Installation
vet version
# Should display version and build informationπ Advanced Features
Learn more in our comprehensive documentation:
MCP Server - Run vet as an MCP server for AI-assisted code analysis
AI Agent Mode - Run vet as an AI agent
Reporting - SARIF, JSON, CSV, HTML, Markdown formats
SBOM Support - CycloneDX, SPDX import/export
Query Mode - Scan once, analyze multiple times
GitHub Integration - Repository and organization scanning
π Privacy
vet collects anonymous usage telemetry to improve the product. Your code and package information is never transmitted.
# Disable telemetry (optional)
export VET_DISABLE_TELEMETRY=trueπ Community & Support
π Join the Community
π‘ Get Help & Share Ideas
π Interactive Tutorial - Learn vet hands-on
π Complete Documentation - Comprehensive guides
π¬ Discord Community - Real-time support
π Issue Tracker - Bug reports & feature requests
π€ Contributing Guide - Join the development
β Star History
π Built With Open Source
vet stands on the shoulders of giants:
OSV β’ OpenSSF Scorecard β’ SLSA β’ OSV-SCALIBR β’ Syft
Created with β€οΈ by SafeDep and the open source community