SafeDep Vet
Featuredby
Provides enterprise‑grade open source software supply chain security by scanning source code, dependencies, containers and SBOMs, detecting vulnerabilities and malicious packages, and enforcing policy as code.
SafeDep Vet Overview
What is SafeDep Vet about?
SafeDep Vet delivers next‑generation software composition analysis for developers and security engineers. It continuously inspects the actual code usage of open‑source components across multiple ecosystems, flags known vulnerabilities, identifies malicious packages in real time, and allows teams to codify security expectations with CEL‑based policies.
How to use SafeDep Vet?
- Installation – on macOS/Linux use Homebrew:
brew install safedep/tap/vet, or download a binary from the releases page, or run via Docker:docker run --rm -v $(pwd):/workspace ghcr.io/safedep/vet:latest scan -D /workspace. - Scanning – basic command scans the current directory:
Scan a specific manifest:vet scan -D .vet scan -M package-lock.json. - Policy enforcement – attach CEL filters and fail CI when conditions match:
vet scan -D . \ --filter 'vulns.critical.exists(p, true)' \ --filter-fail - CI/CD integration – use the official GitHub Action (
safedep/vet-action) or the GitLab CI component to run scans automatically. - MCP server – start a server for AI‑driven code suggestions:
vet server mcp --server-type sse
Key Features
- Code‑level dependency analysis – correlates packages with actual code usage to reduce noise.
- Real‑time malicious package detection – leverages SafeDep Cloud for active scanning; falls back to query mode without an API key.
- Policy as Code – write CEL expressions to block vulnerable versions, enforce license compliance, or require minimum OpenSSF Scorecard scores.
- Multi‑ecosystem support – npm, PyPI, Maven, Go, RubyGems, Rust, PHP, Docker/OCI images, SBOMs (CycloneDX, SPDX), JARs, wheels, etc.
- Rich reporting – outputs SARIF, JSON, CSV, HTML, Markdown, SBOM formats, and interactive graphs.
- CI/CD native – ready‑made GitHub Actions, GitLab CI component, and container image for any pipeline.
- MCP server & agents – expose scanning capabilities to AI assistants for on‑the‑fly vetting of suggested code.
Use Cases
- Continuous security gating – fail pull‑requests that introduce high‑severity CVEs or malicious packages.
- License compliance enforcement – automatically reject dependencies with disallowed licenses.
- Supply‑chain risk management – monitor transitive dependencies across languages and container images.
- Developer feedback loop – run locally during development to catch issues before committing code.
- AI‑augmented code assistance – use the MCP server to let LLMs query vet results while generating code suggestions.
FAQ
Q: Do I need an API key for malicious package detection? A: An API key is required for active scanning via SafeDep Cloud. Without it, vet still checks known malicious packages using public databases.
Q: Can I scan private repositories?
A: Yes, provide appropriate authentication (e.g., GitHub token) via vet connect github before scanning.
Q: Which CI systems are supported? A: GitHub Actions, GitLab CI, and any environment that can run the binary or Docker image.
Q: How are policies written?
A: Policies are CEL expressions supplied through --filter flags or a YAML file referenced in CI actions.
Q: What formats can I export reports to? A: SARIF, JSON, CSV, HTML, Markdown, CycloneDX SBOM, SPDX, DOT graph, and more.
SafeDep Vet's README
🎯 Why vet?
70-90% of modern software constitute code from open sources — How do we know if it's safe?
vet is an open source software supply chain security tool built for developers and security engineers who need:
✅ Next-gen Software Composition Analysis — Vulnerability and malicious package detection
✅ Policy as Code — Express opinionated security policies using CEL
✅ Real-time malicious package detection — Powered by SafeDep Cloud active scanning
✅ Multi-ecosystem support — npm, PyPI, Maven, Go, Docker, GitHub Actions, and more
✅ CI/CD native — Built for DevSecOps workflows with support for GitHub Actions, GitLab CI, and more
✅ MCP Server — Run vet as a MCP server to vet open source packages from AI suggested code
✅ Agents — Run AI agents to query and analyze scan results
⚡ Quick Start
Install in seconds:
# macOS & Linux
brew install safedep/tap/vet
or download a pre-built binary
Scan your project:
# Scan current directory
vet scan -D .
# Scan a single file
vet scan -M package-lock.json
# Fail CI on critical vulnerabilities
vet scan -D . --filter 'vulns.critical.exists(p, true)' --filter-fail
# Fail CI on OpenSSF Scorecard requirements
vet scan -D . --filter 'scorecard.scores.Maintained < 5' --filter-fail
# Fail CI if a package is published from a GitHub repository with less than 5 stars
vet scan -D . --filter 'projects.exists(p, p.type == "GITHUB" && p.stars < 5)' --filter-fail
🔒 Key Features
🕵️ Code Analysis
Unlike dependency scanners that flood you with noise, vet analyzes your actual code usage to prioritize real risks. See dependency usage evidence for more details.
🛡️ Malicious Package Detection
Integrated with SafeDep Cloud for real-time protection against malicious packages in the wild. Free for open source projects. Fallback to Query Mode when API key is not provided. Read more about malicious package scanning.
📋 Policy as Code
Define security policies using CEL expressions to enforce context specific security requirements.
# Block packages with critical CVEs
vet scan \
--filter 'vulns.critical.exists(p, true)'
# Enforce license compliance
vet scan \
--filter 'licenses.contains_license("GPL-3.0")'
# Enforce OpenSSF Scorecard requirements
# Require minimum OpenSSF Scorecard scores
vet scan \
--filter 'scorecard.scores.Maintained < 5'
🎯 Multi-Format Support
- Package Managers: npm, PyPI, Maven, Go, Ruby, Rust, PHP
- Container Images: Docker, OCI
- SBOMs: CycloneDX, SPDX
- Binary Artifacts: JAR files, Python wheels
- Source Code: Direct repository scanning
🔥 See vet in Action
🚀 Production Ready Integrations
📦 GitHub Actions
Zero config security guardrails against vulnerabilities and malicious packages in your CI/CD pipeline with your own opinionated policies:
- uses: safedep/vet-action@v1
with:
policy: '.github/vet/policy.yml'
See more in vet-action documentation.
🔧 GitLab CI
Enterprise grade scanning with vet CI Component:
include:
- component: gitlab.com/safedep/ci-components/vet/scan@main
🐳 Container Integration
Run vet anywhere, even your internal developer platform or custom CI/CD environment using our container image.
docker run --rm -v $(pwd):/app ghcr.io/safedep/vet:latest scan -D /app
📚 Table of Contents
- 🎯 Why vet?
- ⚡ Quick Start
- 🔒 Key Features
- 🔥 See vet in Action
- 🚀 Production Ready Integrations
- 📚 Table of Contents
- 📦 Installation Options
- 🎮 Advanced Usage
- 📊 Reporting
- 🛡️ Malicious Package Detection
- 📊 Privacy and Telemetry
- 🎊 Community & Support
📦 Installation Options
🍺 Homebrew (Recommended)
brew tap safedep/tap
brew install safedep/tap/vet
📥 Direct Download
See releases for the latest version.
🐹 Go Install
go install github.com/safedep/vet@latest
🐳 Container Image
# Quick test
docker run --rm ghcr.io/safedep/vet:latest version
# Scan local directory
docker run --rm -v $(pwd):/workspace ghcr.io/safedep/vet:latest scan -D /workspace
⚙️ Verify Installation
vet version
# Should display version and build information
🎮 Advanced Usage
🔍 Scanning Options
📁 Directory Scanning
# Scan current directory
vet scan
# Scan a given directory
vet scan -D /path/to/project
# Resolve and scan transitive dependencies
vet scan -D . --transitive
📄 Manifest Files
# Package managers
vet scan -M package-lock.json
vet scan -M requirements.txt
vet scan -M pom.xml
vet scan -M go.mod
vet scan -M Gemfile.lock
🐙 GitHub Integration
# Setup GitHub access
vet connect github
# Scan repositories
vet scan --github https://github.com/user/repo
# Organization scanning
vet scan --github-org https://github.com/org
📦 Artifact Scanning
# Container images
vet scan --image nginx:latest
vet scan --image /path/to/image-saved-file.tar
# Binary artifacts
vet scan -M app.jar
vet scan -M package.whl
🎯 Policy Enforcement Examples
# Security-first scanning
vet scan -D . \
--filter 'vulns.critical.exists(p, true) || vulns.high.exists(p, true)' \
--filter-fail
# License compliance
vet scan -D . \
--filter 'licenses.contains_license("GPL-3.0")' \
--filter-fail
# OpenSSF Scorecard requirements
vet scan -D . \
--filter 'scorecard.scores.Maintained < 5' \
--filter-fail
# Popularity-based filtering
vet scan -D . \
--filter 'projects.exists(p, p.type == "GITHUB" && p.stars < 50)' \
--filter-fail
🔧 SBOM Support
# Scan a CycloneDX SBOM
vet scan -M sbom.json --type bom-cyclonedx
# Scan a SPDX SBOM
vet scan -M sbom.spdx.json --type bom-spdx
# Generate SBOM output
vet scan -D . --report-cdx=output.sbom.json
# Package URL scanning
vet scan --purl pkg:npm/lodash@4.17.21
📊 Query Mode & Data Persistence
For large codebases and repeated analysis:
# Scan once, query multiple times
vet scan -D . --json-dump-dir ./scan-data
# Query with different filters
vet query --from ./scan-data \
--filter 'vulns.critical.exists(p, true)'
# Generate focused reports
vet query --from ./scan-data \
--filter 'licenses.contains_license("GPL")' \
--report-json license-violations.json
📊 Reporting
vet generate reports that are tailored for different stakeholders:
📋 Report Formats
# SARIF for GitHub Security tab
vet scan -D . --report-sarif=report.sarif
# JSON for custom tooling
vet scan -D . --report-json=report.json
# CSV for spreadsheet analysis
vet scan -D . --report-csv=report.csv
# HTML for web-based analysis
vet scan -D . --report-html=report.html
# Markdown reports for PRs
vet scan -D . --report-markdown=report.md
# Console summary (default)
vet scan -D . --report-summary
# SBOM generation
vet scan -D . --report-cdx=sbom.json
# Dependency graphs
vet scan -D . --report-graph=dependencies.dot
🎯 Report Examples
# Multi-format output
vet scan -D . \
--report-json=report.json \
--report-sarif=report.sarif \
--report-markdown=report.md \
--report-html=report.html
# Focus on specific issues
vet scan -D . \
--filter 'vulns.high.exists(p, true)' \
--report-json=report.json
🤖 MCP Server
vet can be used as an MCP server to vet open source packages from AI suggested code.
# Start the MCP server with SSE transport
vet server mcp --server-type sse
For more details, see vet MCP Server documentation.
🤖 Agents
See vet Agents documentation for more details.
🛡️ Malicious Package Detection
Malicious package detection through active scanning and code analysis powered by
SafeDep Cloud. vet requires an API
key for active scanning of unknown packages. When API key is not provided, vet will
fallback to Query Mode which detects known malicious packages from SafeDep
and OSV databases.
- Grab a free API key from SafeDep Platform App or use
vet cloud quickstart - API access is free forever for open source projects
- No proprietary code is collected for malicious package detection
- Only open source package scanning from public repositories is supported
🚀 Quick Setup
Malicious package detection requires an API key for SafeDep Cloud.
# One-time setup
vet cloud quickstart
# Enable malware scanning
vet scan -D . --malware
# Query for known malicious packages without API key
vet scan -D . --malware-query
Example malicious packages detected and reported by SafeDep Cloud malicious package detection:
- MAL-2025-3541: express-cookie-parser
- MAL-2025-4339: eslint-config-airbnb-compat
- MAL-2025-4029: ts-runtime-compat-check
- MAL-2025-2227: nyc-config
🎯 Advanced Malicious Package Analysis
🔍 Scan packages with malicious package detection enabled
# Real-time scanning
vet scan -D . --malware
# Timeout adjustment
vet scan -D . --malware \
--malware-analysis-timeout=300s
# Batch analysis
vet scan -D . --malware \
--json-dump-dir=./analysis
🎭 Specialized Scans
# VS Code extensions
vet scan --vsx --malware
# GitHub Actions
vet scan -D .github/workflows --malware
# Container Images
vet scan --image nats:2.10 --malware
# Scan a single package and fail if its malicious
vet scan --purl pkg:/npm/nyc-config@10.0.0 --fail-fast
# Active scanning of a single package (requires API key)
vet inspect malware \
--purl pkg:npm/nyc-config@10.0.0
🔒 Security Features
- ✅ Real-time analysis of packages against known malware databases
- ✅ Behavioral analysis using static and dynamic analysis
- ✅ Zero day protection through active code scanning
- ✅ Human in the loop for triaging and investigation of high impact findings
- ✅ Real time analysis with public analysis log
📊 Privacy and Telemetry
vet collects anonymous usage telemetry to improve the product. Your code and package information is never transmitted.
# Disable telemetry (optional)
export VET_DISABLE_TELEMETRY=true
🎊 Community & Support
🌟 Join the Community
💡 Get Help & Share Ideas
- 🚀 Interactive Tutorial - Learn vet hands-on
- 📚 Complete Documentation - Comprehensive guides
- 💬 Discord Community - Real-time support
- 🐛 Issue Tracker - Bug reports & feature requests
- 🤝 Contributing Guide - Join the development
⭐ Star History
🙏 Built With Open Source
vet stands on the shoulders of giants:
OSV • OpenSSF Scorecard • SLSA • OSV-SCALIBR • Syft
Created with ❤️ by SafeDep and the open source community
SafeDep Vet Reviews
Login Required
Please log in to share your review and rating for this MCP.
Actions
Similar MCP Servers like SafeDep Vet
Explore related MCPs that share similar capabilities and solve comparable challenges
SafeLine
by chaitin
A self‑hosted web application firewall and reverse proxy that protects web applications from attacks and exploits by filtering, monitoring, and blocking malicious HTTP/S traffic.
Semgrep MCP Server
by semgrep
Offers an MCP server that lets LLMs, agents, and IDEs run Semgrep scans to detect security vulnerabilities in source code.
Burp MCP Server
by PortSwigger
Enables Burp Suite to communicate with AI clients via the Model Context Protocol, providing an MCP server and bundled stdio proxy.
Cycode CLI
by cycodehq
Boost security in the development lifecycle via SAST, SCA, secrets, and IaC scanning.
Bugsy
by mobb-dev
Provides automatic security vulnerability remediation for code via a command‑line interface and an MCP server, leveraging findings from popular SAST tools such as Checkmarx, CodeQL, Fortify, and Snyk.
Keycloak MCP Server
by ChristophEnglisch
Provides AI‑powered administration of Keycloak users and realms through the Model Context Protocol, enabling automated creation, deletion, and listing of users and realms from MCP clients such as Claude Desktop.
OpenCTI MCP Server
by Spathodea-Network
Provides a Model Context Protocol server that enables querying and retrieving threat intelligence data from OpenCTI through a standardized interface.
Authenticator App MCP Server
Officialby firstorderai
Provides seamless access to two‑factor authentication codes and passwords for AI agents, enabling automated login while maintaining security.
OPNSense MCP Server
by vespo92
Manage OPNsense firewalls through conversational AI, providing network configuration, device discovery, DNS filtering, HAProxy setup, and backup/restore via simple commands.