SCA tool for supply chain security
Top 54.2% on sourcepulse
vet is a next-generation Software Composition Analysis (SCA) tool designed for developers and security engineers to enhance software supply chain security. It offers malicious package detection, code usage analysis, and policy-as-code capabilities across multiple ecosystems, aiming to provide actionable insights beyond traditional vulnerability scanning.
How It Works
vet differentiates itself by analyzing actual code usage to identify dependency risks, rather than relying solely on manifest files. It integrates with SafeDep Cloud for real-time malicious package detection and supports defining custom security policies using CEL (Common Expression Language). This approach aims to reduce noise and prioritize genuine security threats within the software supply chain.
Quick Start & Requirements
Install with brew install safedep/tap/vet (macOS/Linux), download a release binary, run go install github.com/safedep/vet@latest, or use Docker.
Highlighted Details
Maintenance & Community
vet is actively developed by SafeDep and the open-source community. It has a Discord server and GitHub Discussions for support and engagement. The project adheres to SLSA Level 3 standards.
Licensing & Compatibility
The project is licensed under the Apache License 2.0, which is permissive and generally compatible with commercial and closed-source use.
Limitations & Caveats
Real-time malicious package detection requires an API key for SafeDep Cloud; without it, vet falls back to querying known databases. The effectiveness of active scanning depends on the SafeDep Cloud service.