vet
vet is a Go-based CLI tool for scanning open-source dependencies to detect malicious packages, vulnerabilities, and license compliance issues. It uses SafeDep Cloud's real-time threat intelligence and behavioral analysis to prioritize actual risks over noise, with policy-as-code enforcement via CEL expressions.
Key facts
Objective fields from the source. Values we can't verify are shown as “Unknown” rather than guessed.
| Field | Value |
|---|---|
| Repository | safedep/vet |
| Owner | safedep |
| Primary language | Go |
| License | Apache-2.0 — OSI-approved |
| Stars | 1.1k |
| Forks | 103 |
| Open issues | 98 |
| Latest release | v1.17.5 (2026-06-24) |
| Last updated | 2026-07-03 |
| Source | https://github.com/safedep/vet |
What vet is
vet follows a pipeline architecture (readers → enrichers → CEL policy engine → reporters) supporting npm, PyPI, Maven, Go, Ruby, Rust, PHP ecosystems and container images. It enriches package manifests with vulnerability, malware, and OpenSSF Scorecard data from SafeDep Cloud, then evaluates security policies and outputs SARIF, JSON, CSV, or Markdown reports.
Get the vet source
Clone the repository and explore it locally.
git clone https://github.com/safedep/vet.gitcd vet# follow the project's README for install & configurationNeed it deployed, integrated, or customized instead? DEV.co ships production installs.
Best use cases
Implementation considerations
- SafeDep Cloud API key required for advanced malware detection and behavioral analysis; free tier available for open-source projects.
- CEL policy syntax requires learning a custom expression language; provides flexibility but steeper learning curve than simple YAML rule sets.
- Enrichment pipeline depends on external registry and SafeDep Cloud availability; plan for transient failures and caching strategies.
- Policy configuration should be version-controlled in `.github/vet/policy.yml` or equivalent to enforce consistent security posture across teams.
- Multi-ecosystem support requires configuration per package manager (npm, PyPI, Maven, etc.); monorepos may need composite scans or filtering.
When to avoid it — and what to weigh
- No Internet or SafeDep Cloud Access Required — Advanced malware detection and zero-day protection require SafeDep Cloud API key. Local-only or air-gapped environments have limited detection capabilities.
- Language-Agnostic SCA Without Ecosystem Integration — vet focuses on supported package managers and registries. If your stack uses obscure or custom package sources, manual integration or alternative tools may be necessary.
- Real-Time SBOM Generation from Source — vet consumes SBOMs and manifests but does not generate SBOMs from compiled binaries or non-standard source formats.
- Minimal CLI Overhead or Ultra-Lightweight Tooling — vet is a full-featured CLI requiring Go runtime and network calls to SafeDep Cloud; lightweight alternatives exist for constraint-heavy environments.
License & commercial use
Apache License 2.0 (Apache-2.0). Permissive OSI-approved license permitting commercial use, modification, and distribution with attribution and liability limitations.
Apache-2.0 is a permissive open-source license explicitly allowing commercial use and derivative works. However, SafeDep Cloud backend services and advanced malware detection features are commercial offerings; verify licensing and commercial terms with SafeDep separately. vet CLI itself is unrestricted for commercial use under Apache-2.0.
DEV.co evaluation signals
Editorial assessment — not user reviews. Directional, with an explicit confidence level.
| Signal | Assessment |
|---|---|
| Maintenance | Active |
| Documentation | Strong |
| License clarity | Clear |
| Deployment complexity | Low |
| DEV.co fit | Strong |
| Assessment confidence | High |
vet relies on SafeDep Cloud for malware detection and vulnerability data; trust model depends on SafeDep's analysis quality and update frequency. No details provided on how behavioral analysis works or false-positive rates. Network calls to external service introduce availability and confidentiality risks for proprietary codebases; review data handling policies. CEL policy engine evaluated locally; no RCE vectors documented but recommend reviewing policy expressions for injection attacks. Static and dynamic analysis signals are not independently verifiable from this data.
Alternatives to consider
Snyk
Commercial SCA with vulnerability and malware detection; more established market presence and integrations but higher cost and proprietary analysis.
Dependabot (GitHub native)
GitHub-native dependency scanning with auto-update PRs; lightweight but limited to GitHub ecosystem and lacks policy-as-code enforcement.
OWASP Dependency-Check
Free, open-source SCA with NVD integration; simpler deployment but no malware detection or policy-as-code; CVE-noise focused.
Build on vet with DEV.co software developers
Review the architecture, integration capabilities, and SafeDep Cloud dependencies. Test with `brew install safedep/tap/vet` and run `vet scan -D .` on a sample project. Check API key requirements and policy-as-code syntax before committing to production.
Talk to DEV.coRelated open-source tools
Surfaced by semantic similarity across the DEV.co open-source index.
Related on DEV.co
Explore the category and the services that help you build with it.
vet FAQ
Do I need SafeDep Cloud to use vet?
What package managers and languages does vet support?
Can vet run in CI/CD without manual configuration?
Is vet suitable for air-gapped or on-premises environments?
Work with a software development agency
Adopting vet is usually one piece of a larger software development effort. As a software development agency, DEV.co provides software development services and web development expertise — pairing senior software developers and web developers with your team to design, build, and operate open-source security software in production.
Evaluate vet for Your Supply Chain Security
Review the architecture, integration capabilities, and SafeDep Cloud dependencies. Test with `brew install safedep/tap/vet` and run `vet scan -D .` on a sample project. Check API key requirements and policy-as-code syntax before committing to production.