vet

command module

v1.0.0-rc2 Latest Latest Go to latest Published: Apr 19, 2023 License: Apache-2.0 Imports: 20 Imported by: 0

Details

Valid go.mod file
Redistributable license
Tagged version
Stable version
Learn more about best practices

Repository

github.com/safedep/vet

README ¶

🙌 Refer to https://safedep.io/docs for the documentation 📖

License Release

Automate Open Source Package Vetting in CI/CD

vet is a tool for identifying risks in open source software supply chain. It helps engineering and security teams to identify potential issues in their open source dependencies and evaluate them against organizational policies.

🔥 vet in action

vet Demo

Getting Started

Download the binary file for your operating system / architecture from the Official GitHub Releases
You can also install vet using homebrew in MacOS and Linux

brew tap safedep/tap
brew install safedep/tap/vet

Alternatively, build from source

Ensure $(go env GOPATH)/bin is in your $PATH

go install github.com/safedep/vet@latest

Get an API key for the vet insights data access for performing the scan. Alternatively, look at using community endpoint without API key

vet auth trial --email john.doe@example.com

vet register trial

A time limited trial API key will be sent over email.

Configure vet to use API key to access the insights

vet auth configure

vet configure

Insights API is used to enrich OSS packages with metadata for rich query and policy decisions. Alternatively, the API key can be passed through environment variable VET_API_KEY

You can verify the configured key is successful by running the following command

vet auth verify

Using Community Mode

Community mode can be used to avoid registering and obtaining an API key.

vet auth configure --community

Running Scan

Run vet to identify risks

vet scan -D /path/to/repository

vet scan directory

You can also scan a specific (supported) package manifest

vet scan --lockfiles /path/to/pom.xml
vet scan --lockfiles /path/to/requirements.txt
vet scan --lockfiles /path/to/package-lock.json

Example Security Gate using vet to prevent introducing new OSS dependency risk in an application.

📖 Documentation

Refer to https://safedep.io/docs for the detailed documentation

🎊 Community

First of all, thank you so much for showing interest in vet, we appreciate it ❤️

Join the server using the link - https://rebrand.ly/safedep-community

🔖 References

https://github.com/google/osv-scanner

Documentation ¶

There is no documentation for this package.

Source Files ¶

View all Source files

Directories ¶

Path	Synopsis
gen
cpv1 Package cpv1 provides primitives to interact with the openapi HTTP API.	Package cpv1 provides primitives to interact with the openapi HTTP API.
cpv1trials Package cpv1trials provides primitives to interact with the openapi HTTP API.	Package cpv1trials provides primitives to interact with the openapi HTTP API.
exceptionsapi
filterinput
filtersuite
insightapi Package insightapi provides primitives to interact with the openapi HTTP API.	Package insightapi provides primitives to interact with the openapi HTTP API.
internal
auth
ui
pkg
analyzer
analyzer/filter
common/logger
common/utils
exceptions
models
parser
policy
readers Package readers implements the various supported package manifest reader.	Package readers implements the various supported package manifest reader.
reporter
scanner

?	: This menu
/	: Search site
f or F	: Jump to
y or Y	: Canonical URL