> [!NOTE]
> `vet` supports a special mode for Agent Skills. Run `vet scan --agent-skill <owner/repo>` to scan an Agent Skill hosted in a GitHub repository.
## Why vet?

70-90% of modern software is open source code — how do you know it's safe?

Traditional SCA tools drown you in CVE noise. vet takes a different approach:

- **Catch malware before it ships** — Zero-day detection through static and dynamic behavioral analysis, not just advisory lookups
- **Cut through vulnerability noise** — Analyzes your actual code usage to surface only the risks that matter
- **Secure AI-generated code** — MCP server integration protects against slopsquatting in tools like Cursor, VS Code, and Claude Code
- **Enforce policy as code** — Express security, license, and quality requirements as CEL expressions that gate your CI/CD pipeline
Free for open source. Hosted SaaS available at SafeDep.
## Quick Start

Install in seconds:

```bash
# macOS & Linux
brew install safedep/tap/vet

# Using npm
npm install @safedep/vet
```

or download a pre-built binary from the releases page.

Get started immediately:

```bash
# Scan for malware in your dependencies
vet scan -D . --malware-query

# Fail CI on critical vulnerabilities
vet scan -D . --filter 'vulns.critical.exists(p, true)' --filter-fail

# Get API key for advanced malware detection
vet cloud quickstart
```
## Architecture
vet follows a pipeline architecture: readers ingest package manifests from diverse sources (directories, repositories, container images, SBOMs), enrichers augment each package with vulnerability, malware, and scorecard data from SafeDep Cloud, the CEL policy engine evaluates security policies against enriched data, and reporters produce actionable output in formats like SARIF, JSON, and Markdown.
<details>
<summary>View architecture diagram</summary>

```mermaid
graph TB
    subgraph "OSS Ecosystem"
        R1[npm Registry]
        R2[PyPI Registry]
        R3[Maven Central]
        R4[Other Registries]
    end
    subgraph "SafeDep Cloud"
        M[Continuous Monitoring]
        A[Real-time Code Analysis<br/>Malware Detection]
        T[Threat Intelligence DB<br/>Vulnerabilities • Malware • Scorecard]
    end
    subgraph "vet CLI"
        S[Source Repository<br/>Scanner]
        P[CEL Policy Engine]
        O[Reports & Actions<br/>SARIF/JSON/CSV]
    end
    R1 -->|New Packages| M
    R2 -->|New Packages| M
    R3 -->|New Packages| M
    R4 -->|New Packages| M
    M -->|Behavioral Analysis| A
    A -->|Malware Signals| T
    S -->|Query Package Info| T
    T -->|Security Intelligence| S
    S -->|Analysis Results| P
    P -->|Policy Decisions| O
    style M fill:#7CB9E8,stroke:#5A8DB8,color:#1a1a1a
    style A fill:#E8A87C,stroke:#B88A5A,color:#1a1a1a
    style T fill:#7CB9E8,stroke:#5A8DB8,color:#1a1a1a
    style S fill:#90C695,stroke:#6B9870,color:#1a1a1a
    style P fill:#E8C47C,stroke:#B89B5A,color:#1a1a1a
    style O fill:#B8A3D4,stroke:#9478AA,color:#1a1a1a
```

</details>
## Key Features

### Malicious Package Detection

Real-time protection against malicious packages powered by SafeDep Cloud. Free for open source projects. Detects zero-day malware through active code analysis.

### Smart Vulnerability Analysis

Unlike dependency scanners that flood you with noise, vet analyzes your actual code usage to prioritize real risks.

See dependency usage evidence for details.

### Policy as Code

Define security policies using CEL expressions to enforce context-specific requirements:

```bash
# Block packages with critical CVEs
vet scan --filter 'vulns.critical.exists(p, true)' --filter-fail

# Enforce license compliance
vet scan --filter 'licenses.contains_license("GPL-3.0")' --filter-fail

# Require minimum OpenSSF Scorecard scores
vet scan --filter 'scorecard.scores.Maintained < 5' --filter-fail
```
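To make the reader, enricher, policy-engine and reporter stages from the Architecture section and the `--filter` gate above concrete, here is an added Python example. It is not vet's own code (vet is written in Go and evaluates real CEL expressions); it models the four stages over a constructed `requirements.txt` and a constructed intel table, expresses the three filters above as Python predicates, and emits a minimal SARIF 2.1.0 document. The vulnerability identifiers, package names and intel values are made up for the example, and the exit code of 1 when `--filter-fail` trips is an assumption, not a documented vet value.

```python
"""Toy model of a reader -> enricher -> policy -> reporter pipeline.

Added example; not vet's own implementation. The three README filters are
written as Python predicates instead of CEL.
"""
import json
from dataclasses import dataclass, field

# Constructed requirements.txt content; stands in for what a reader ingests.
REQUIREMENTS = """\
requests==2.25.0
left-pad-py==1.0.0
# pinned for reproducible builds
jinja2==3.1.2
"""

# Constructed intel table; stands in for SafeDep Cloud enrichment data.
# Every identifier and score here is invented for the example.
INTEL = {
    ("pypi", "requests", "2.25.0"): {
        "vulns": {"critical": [], "high": ["EXAMPLE-VULN-1"]},
        "licenses": ["Apache-2.0"],
        "scorecard": {"Maintained": 9},
    },
    ("pypi", "left-pad-py", "1.0.0"): {
        "vulns": {"critical": ["EXAMPLE-VULN-2"], "high": []},
        "licenses": ["GPL-3.0"],
        "scorecard": {"Maintained": 2},
    },
}


@dataclass
class Package:
    ecosystem: str
    name: str
    version: str
    vulns: dict = field(default_factory=lambda: {"critical": [], "high": []})
    licenses: list = field(default_factory=list)
    scorecard: dict = field(default_factory=dict)


def read_requirements(text):
    """Reader stage: parse pinned 'name==version' lines, skipping comments and blanks."""
    pkgs = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line or "==" not in line:
            continue
        name, version = line.split("==", 1)
        pkgs.append(Package("pypi", name.strip().lower(), version.strip()))
    return pkgs


def enrich(pkg):
    """Enricher stage: attach vulnerability, license and scorecard data when known."""
    data = INTEL.get((pkg.ecosystem, pkg.name, pkg.version))
    if data:
        pkg.vulns, pkg.licenses, pkg.scorecard = data["vulns"], data["licenses"], data["scorecard"]
    return pkg


# Policy stage: the README's three CEL filters as predicates.
# 'vulns.critical.exists(p, true)' is true exactly when the list is non-empty.
# The scorecard check only fires when data exists, so packages the enricher
# knows nothing about do not trip the gate on missing data.
FILTERS = {
    "critical-vulns": lambda p: len(p.vulns["critical"]) > 0,
    "gpl-3-license": lambda p: "GPL-3.0" in p.licenses,
    "low-maintenance": lambda p: "Maintained" in p.scorecard and p.scorecard["Maintained"] < 5,
}


def evaluate(pkgs, filters):
    """Return (filter_name, package) pairs for every filter a package matches."""
    return [(name, p) for p in pkgs for name, pred in filters.items() if pred(p)]


def to_sarif(matches):
    """Reporter stage: minimal SARIF 2.1.0 document, one result per match."""
    return {
        "version": "2.1.0",
        "runs": [{
            "tool": {"driver": {"name": "pipeline-example"}},
            "results": [{
                "ruleId": name,
                "level": "error",
                "message": {"text": f"{p.name}@{p.version} matched filter {name}"},
            } for name, p in matches],
        }],
    }


def run_pipeline(requirements_text, filter_fail=True):
    """Run all four stages; return the SARIF report and a CI exit code.

    filter_fail mirrors --filter-fail: exit 1 (assumed value) when any filter matched.
    """
    pkgs = [enrich(p) for p in read_requirements(requirements_text)]
    matches = evaluate(pkgs, FILTERS)
    exit_code = 1 if (filter_fail and matches) else 0
    return to_sarif(matches), exit_code


if __name__ == "__main__":
    report, code = run_pipeline(REQUIREMENTS)
    print(json.dumps(report, indent=2))
    raise SystemExit(code)
```

Running it prints three SARIF results, all for `left-pad-py`, and exits non-zero; `requests` has only a high-severity finding, so the critical-only filter leaves it alone, and `jinja2`, absent from the intel table, produces nothing rather than a false positive.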
### Multi-Ecosystem Support

- **Package managers**: npm, PyPI, Maven, Go, Ruby, Rust, PHP
- **Container images**: Docker, OCI
- **SBOM formats**: CycloneDX, SPDX
- **Source repositories**: GitHub, GitLab
## Malicious Package Detection

Real-time protection against malicious packages with active scanning and behavioral analysis.

### Quick Setup

```bash
# One-time setup for advanced scanning
vet cloud quickstart

# Scan for malware with active scanning (requires API key)
vet scan -D . --malware

# Query known malicious packages (no API key needed)
vet scan -D . --malware-query
```
Example detections:

- `MAL-2025-3541`: express-cookie-parser
- `MAL-2025-4339`: eslint-config-airbnb-compat
- `MAL-2025-4029`: ts-runtime-compat-check
Key security features:

- Real-time analysis against known malware databases
- Behavioral analysis using static and dynamic analysis
- Zero-day protection through active code scanning
- Human-in-the-loop triaging for high-impact findings
- Public analysis log for transparency
### Advanced Usage

```bash
# Specialized scans
vet scan --vsx --malware                    # VS Code extensions
vet scan -D .github/workflows --malware     # GitHub Actions
vet scan --image nats:2.10 --malware        # Container images

# Analyze a specific package by Package URL
# (the original package coordinates were lost in extraction; substitute your own)
vet inspect malware --purl pkg:npm/<package>@<version>
```
## Production Ready Integrations

### GitHub Actions

Zero-config security guardrails in CI/CD:

```yaml
- uses: safedep/vet-action@v1
  with:
    policy: ".github/vet/policy.yml"
```

See vet-action documentation.

### GitLab CI

Enterprise scanning with vet CI Component:

```yaml
include:
  - component: gitlab.com/safedep/ci-components/vet/scan@main
```

### Container Integration

Run vet anywhere using our container image:

```bash
docker run --rm -v $(pwd):/app ghcr.io/safedep/vet:latest scan -D /app --malware
```
## Installation

### Homebrew (Recommended)

```bash
brew install safedep/tap/vet
```

### npm

```bash
npm install @safedep/vet
```

### Direct Download

See releases for pre-built binaries.

### Go Install

```bash
go install github.com/safedep/vet@latest
```

### Container Image

```bash
# Quick test
docker run --rm ghcr.io/safedep/vet:latest version

# Scan local directory
docker run --rm -v $(pwd):/workspace ghcr.io/safedep/vet:latest scan -D /workspace
```

### Verify Installation

```bash
vet version
# Should display version and build information
```
## Advanced Features

Learn more in our comprehensive documentation:

- MCP Server - Run vet as an MCP server for AI-assisted code analysis
- AI Agent Mode - Run vet as an AI agent
- Reporting - SARIF, JSON, CSV, HTML, Markdown formats
- SBOM Support - CycloneDX, SPDX import/export
- Query Mode - Scan once, analyze multiple times
- GitHub Integration - Repository and organization scanning
## Privacy

vet collects anonymous usage telemetry to improve the product. Your code and package information are never transmitted.

```bash
# Disable telemetry (optional)
export VET_DISABLE_TELEMETRY=true
```
## Community & Support

### Get Help & Share Ideas

- Interactive Tutorial - Learn vet hands-on
- Complete Documentation - Comprehensive guides
- Discord Community - Real-time support
- Issue Tracker - Bug reports & feature requests
- Contributing Guide - Join the development
## Star History

## Built With Open Source

vet stands on the shoulders of giants:

OSV • OpenSSF Scorecard • SLSA • OSV-SCALIBR • Syft
Secure your supply chain today. Star the repo and get started!
Created with love by SafeDep and the open source community