DEV.co
Open-Source Security · safedep

vet

vet is a Go-based CLI tool for scanning open-source dependencies to detect malicious packages, vulnerabilities, and license compliance issues. It uses SafeDep Cloud's real-time threat intelligence and behavioral analysis to prioritize actual risks over noise, with policy-as-code enforcement via CEL expressions.

Source: GitHub — github.com/safedep/vet
1.1k
GitHub stars
103
Forks
Go
Primary language
Apache-2.0
License (OSI-approved)

Key facts

Objective fields from the source. Values we can't verify are shown as “Unknown” rather than guessed.

FieldValue
Repositorysafedep/vet
Ownersafedep
Primary languageGo
LicenseApache-2.0 — OSI-approved
Stars1.1k
Forks103
Open issues98
Latest releasev1.17.5 (2026-06-24)
Last updated2026-07-03
Sourcehttps://github.com/safedep/vet

What vet is

vet follows a pipeline architecture (readers → enrichers → CEL policy engine → reporters) supporting npm, PyPI, Maven, Go, Ruby, Rust, PHP ecosystems and container images. It enriches package manifests with vulnerability, malware, and OpenSSF Scorecard data from SafeDep Cloud, then evaluates security policies and outputs SARIF, JSON, CSV, or Markdown reports.

Quickstart

Get the vet source

Clone the repository and explore it locally.

terminalbash
git clone https://github.com/safedep/vet.gitcd vet# follow the project's README for install & configuration

Need it deployed, integrated, or customized instead? DEV.co ships production installs.

Best use cases

Supply Chain Security in CI/CD

Integrate vet into GitHub Actions or GitLab CI with zero-config security guardrails to block malicious or non-compliant packages before they enter production.

Multi-Ecosystem Dependency Auditing

Scan Node.js, Python, Java, Go, Ruby, and Rust projects simultaneously, with unified policy enforcement across package managers and container images.

Policy-Driven Compliance Automation

Define and enforce context-specific security requirements (CVE thresholds, license blocklists, scorecard minimums) as code without manual rule updates.

Implementation considerations

  • SafeDep Cloud API key required for advanced malware detection and behavioral analysis; free tier available for open-source projects.
  • CEL policy syntax requires learning a custom expression language; provides flexibility but steeper learning curve than simple YAML rule sets.
  • Enrichment pipeline depends on external registry and SafeDep Cloud availability; plan for transient failures and caching strategies.
  • Policy configuration should be version-controlled in `.github/vet/policy.yml` or equivalent to enforce consistent security posture across teams.
  • Multi-ecosystem support requires configuration per package manager (npm, PyPI, Maven, etc.); monorepos may need composite scans or filtering.

When to avoid it — and what to weigh

  • No Internet or SafeDep Cloud Access Required — Advanced malware detection and zero-day protection require SafeDep Cloud API key. Local-only or air-gapped environments have limited detection capabilities.
  • Language-Agnostic SCA Without Ecosystem Integration — vet focuses on supported package managers and registries. If your stack uses obscure or custom package sources, manual integration or alternative tools may be necessary.
  • Real-Time SBOM Generation from Source — vet consumes SBOMs and manifests but does not generate SBOMs from compiled binaries or non-standard source formats.
  • Minimal CLI Overhead or Ultra-Lightweight Tooling — vet is a full-featured CLI requiring Go runtime and network calls to SafeDep Cloud; lightweight alternatives exist for constraint-heavy environments.

License & commercial use

Apache License 2.0 (Apache-2.0). Permissive OSI-approved license permitting commercial use, modification, and distribution with attribution and liability limitations.

Apache-2.0 is a permissive open-source license explicitly allowing commercial use and derivative works. However, SafeDep Cloud backend services and advanced malware detection features are commercial offerings; verify licensing and commercial terms with SafeDep separately. vet CLI itself is unrestricted for commercial use under Apache-2.0.

DEV.co evaluation signals

Editorial assessment — not user reviews. Directional, with an explicit confidence level.

SignalAssessment
MaintenanceActive
DocumentationStrong
License clarityClear
Deployment complexityLow
DEV.co fitStrong
Assessment confidenceHigh
Security considerations

vet relies on SafeDep Cloud for malware detection and vulnerability data; trust model depends on SafeDep's analysis quality and update frequency. No details provided on how behavioral analysis works or false-positive rates. Network calls to external service introduce availability and confidentiality risks for proprietary codebases; review data handling policies. CEL policy engine evaluated locally; no RCE vectors documented but recommend reviewing policy expressions for injection attacks. Static and dynamic analysis signals are not independently verifiable from this data.

Alternatives to consider

Snyk

Commercial SCA with vulnerability and malware detection; more established market presence and integrations but higher cost and proprietary analysis.

Dependabot (GitHub native)

GitHub-native dependency scanning with auto-update PRs; lightweight but limited to GitHub ecosystem and lacks policy-as-code enforcement.

OWASP Dependency-Check

Free, open-source SCA with NVD integration; simpler deployment but no malware detection or policy-as-code; CVE-noise focused.

Software development agency

Build on vet with DEV.co software developers

Review the architecture, integration capabilities, and SafeDep Cloud dependencies. Test with `brew install safedep/tap/vet` and run `vet scan -D .` on a sample project. Check API key requirements and policy-as-code syntax before committing to production.

Talk to DEV.co

Related open-source tools

Surfaced by semantic similarity across the DEV.co open-source index.

Related on DEV.co

Explore the category and the services that help you build with it.

vet FAQ

Do I need SafeDep Cloud to use vet?
No. Free local scanning with `--malware-query` uses known malware database without API key. Advanced behavioral analysis and zero-day detection require SafeDep Cloud API key; free tier available for open-source projects.
What package managers and languages does vet support?
npm, PyPI, Maven, Go, Ruby, Rust, PHP, and container images (Docker/OCI). SBOMs in CycloneDX and SPDX formats also supported. See README for ecosystem list.
Can vet run in CI/CD without manual configuration?
Yes. GitHub Actions via safedep/vet-action and GitLab CI via ci-components provide zero-config setups. Custom CI/CD requires manual integration but vet CLI is straightforward.
Is vet suitable for air-gapped or on-premises environments?
Unlikely. Advanced features require SafeDep Cloud access. Local malware queries work offline but are limited. No on-premises SafeDep deployment documented.

Work with a software development agency

Adopting vet is usually one piece of a larger software development effort. As a software development agency, DEV.co provides software development services and web development expertise — pairing senior software developers and web developers with your team to design, build, and operate open-source security software in production.

Evaluate vet for Your Supply Chain Security

Review the architecture, integration capabilities, and SafeDep Cloud dependencies. Test with `brew install safedep/tap/vet` and run `vet scan -D .` on a sample project. Check API key requirements and policy-as-code syntax before committing to production.