Refer to https://safedep.io/docs for the documentation

`vet` is a tool for identifying risks in the open source software supply chain. It helps engineering and security teams identify potential issues in their open source dependencies and evaluate them against organizational policies.
- Download the binary for your operating system / architecture from the official GitHub Releases
- Alternatively, install `vet` using Homebrew on macOS and Linux:

  ```bash
  brew tap safedep/tap
  brew install safedep/tap/vet
  ```

- Or build from source (ensure `$(go env GOPATH)/bin` is in your `$PATH`):

  ```bash
  go install github.com/safedep/vet@latest
  ```
- Get an API key for access to the vet Insights data used during a scan (alternatively, use the community endpoint without an API key, see below):

  ```bash
  vet auth trial --email [email protected]
  ```

  A time-limited trial API key will be sent by email.
- Configure `vet` to use the API key to access Insights:

  ```bash
  vet auth configure
  ```

  The Insights API is used to enrich OSS packages with metadata for rich queries and policy decisions. Alternatively, the API key can be passed through the `VET_API_KEY` environment variable.
- Verify that the configured key works:

  ```bash
  vet auth verify
  ```

- Community mode can be used to avoid registering and obtaining an API key:

  ```bash
  vet auth configure --community
  ```
- Run `vet` to identify risks in a repository:

  ```bash
  vet scan -D /path/to/repository
  ```

- You can also scan a specific (supported) package manifest:

  ```bash
  vet scan --lockfiles /path/to/pom.xml
  vet scan --lockfiles /path/to/requirements.txt
  vet scan --lockfiles /path/to/package-lock.json
  ```
Example security gate using `vet` to prevent introducing new OSS dependency risk in an application.
- Refer to https://safedep.io/docs for the detailed documentation
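The install, auth and scan steps above are what a CI security gate chains together. The following POSIX shell script is an added example, not code from the vet project or this page: it discovers the supported manifests named above, configures auth from `VET_API_KEY` with community mode as the fallback, and fails the pipeline when a scan reports a policy violation. The `VET_BIN` override, the `POLICY` expression and the exit-code scheme are my assumptions; the `--filter`/`--filter-fail` flags are taken from vet's own CLI documentation rather than this page, and `vet auth verify` is assumed to honour `VET_API_KEY`.

```shell
#!/bin/sh
# Added example, not part of the vet project: a CI gate built from the commands
# documented above. Assumptions (mine, not from the page): VET_BIN lets a
# wrapper or test point at a different binary; --filter/--filter-fail come
# from vet's CLI docs; `vet auth verify` is assumed to honour VET_API_KEY.
set -u

VET_BIN="${VET_BIN:-vet}"
# Manifests named as supported on this page (paths are assumed whitespace-free).
MANIFESTS="pom.xml requirements.txt package-lock.json"
# Policy (assumed filter expression): fail on any critical vulnerability.
POLICY='vulns.critical.exists(p, true)'

# Print the supported manifests found directly under $1, one per line.
find_manifests() {
  dir="$1"
  for name in $MANIFESTS; do
    if [ -f "$dir/$name" ]; then
      printf '%s\n' "$dir/$name"
    fi
  done
}

# Prefer an API key from the environment (verified), else fall back to the
# community endpoint so the gate still runs without registration.
configure_auth() {
  if [ -n "${VET_API_KEY:-}" ]; then
    "$VET_BIN" auth verify
  else
    "$VET_BIN" auth configure --community
  fi
}

# Scan every supported manifest under $1.
# Exit status: 0 = clean, 1 = policy violation in at least one manifest,
# 2 = nothing scannable found (so a wrong path cannot pass silently),
# 3 = auth could not be configured.
run_gate() {
  dir="$1"
  found=0
  status=0
  configure_auth || return 3
  for m in $(find_manifests "$dir"); do
    found=1
    if ! "$VET_BIN" scan --lockfiles "$m" --filter "$POLICY" --filter-fail; then
      echo "gate: policy violation in $m" >&2
      status=1
    fi
  done
  [ "$found" -eq 1 ] || return 2
  return "$status"
}

# Usage: ./vet-gate.sh /path/to/repository  (exit status is the gate result)
if [ "$#" -gt 0 ]; then
  run_gate "$1"
  exit "$?"
fi
```

Wire `run_gate` into the pipeline step that runs after dependency installation; a non-zero exit blocks the merge. Returning 2 when no manifest is found is deliberate: a gate that passes because it scanned nothing is the failure mode to avoid.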
First of all, thank you so much for showing interest in `vet`, we appreciate it.
- Join the server using the link - https://rebrand.ly/safedep-community