vet by safedep

SCA tool for supply chain security

created 2 years ago
618 stars

Top 54.2% on sourcepulse

Project Summary

vet is a next-generation Software Composition Analysis (SCA) tool designed for developers and security engineers to enhance software supply chain security. It offers malicious package detection, code usage analysis, and policy-as-code capabilities across multiple ecosystems, aiming to provide actionable insights beyond traditional vulnerability scanning.

How It Works

vet differentiates itself by analyzing actual code usage to identify dependency risks, rather than solely relying on manifest files. It integrates with SafeDep Cloud for real-time malicious package detection and supports defining custom security policies using CEL (Common Expression Language). This approach aims to reduce noise and prioritize genuine security threats within the software supply chain.

Quick Start & Requirements

  • Install: brew install safedep/tap/vet (macOS/Linux), download a prebuilt binary, go install github.com/safedep/vet@latest, or use the Docker image.
  • Prerequisites: None explicitly stated for basic scanning. Malicious package detection requires a SafeDep Cloud API key for active scanning.
  • Resources: No specific resource requirements mentioned, but active scanning may incur network latency.
  • Links: Quick Start, Documentation, Community.

Highlighted Details

  • Analyzes code usage for dependency risk prioritization.
  • Real-time malicious package detection via SafeDep Cloud (optional, free for open source).
  • Policy-as-Code enforcement using CEL for custom security rules.
  • Supports multiple ecosystems (npm, PyPI, Maven, Go, Docker, etc.) and SBOM formats (CycloneDX, SPDX).

Maintenance & Community

vet is actively developed by SafeDep and the open-source community. It has a Discord server and GitHub Discussions for support and engagement. The project adheres to SLSA Level 3 standards.

Licensing & Compatibility

The project is licensed under the Apache License 2.0, which is permissive and generally compatible with commercial and closed-source use.

Limitations & Caveats

Real-time malicious package detection requires an API key for SafeDep Cloud; without it, vet falls back to querying known databases. The effectiveness of active scanning depends on the SafeDep Cloud service.

Health Check

  • Last commit: 4 days ago
  • Responsiveness: Inactive
  • Pull Requests (30d): 12
  • Issues (30d): 7
  • Star History: 280 stars in the last 90 days

Starred by Boris Cherny (Creator of Claude Code; MTS at Anthropic), Georgios Konstantopoulos (CTO, General Partner at Paradigm), and 2 more.
