🙌 Refer to https://safedep.io/docs for the documentation 📖

vet is a tool for identifying risks in open source software supply chain. It helps engineering and security teams to identify potential issues in their open source dependencies and evaluate them against organizational policies.

• Download the binary file for your operating system / architecture from the Official GitHub Releases

• You can also install vet using homebrew in MacOS and Linux

brew tap safedep/tap
brew install safedep/tap/vet

• Alternatively, build from source

Ensure $(go env GOPATH)/bin is in your $PATH

go install github.com/safedep/vet@latest

• Get an API key for the vet insights data access for performing the scan. Alternatively, look at using community endpoint without API key

vet auth trial --email [email protected]

A time limited trial API key will be sent over email.

• Configure vet to use API key to access the insights

vet auth configure

Insights API is used to enrich OSS packages with metadata for rich query and policy decisions. Alternatively, the API key can be passed through environment variable VET_API_KEY

• You can verify the configured key is successful by running the following command

vet auth verify

Community mode can be used to avoid registering and obtaining an API key.

vet auth configure --community

• Run vet to identify risks

vet scan -D /path/to/repository

• You can also scan a specific (supported) package manifest

vet scan --lockfiles /path/to/pom.xml
vet scan --lockfiles /path/to/requirements.txt
vet scan --lockfiles /path/to/package-lock.json

Example Security Gate using vet to prevent introducing new OSS dependency risk in an application.

• Refer to https://safedep.io/docs for the detailed documentation

First of all, thank you so much for showing interest in vet, we appreciate it ❤️

• Join the server using the link - https://rebrand.ly/safedep-community

• https://github.com/google/osv-scanner