Vet detects malicious and vulnerable open source packages in a project's dependencies and integrates with software development workflows so that the check runs before code ships. It reads the manifests and lockfiles of ecosystems such as npm, PyPI and RubyGems, which lets DevOps and security teams block supply chain attacks at the dependency level rather than after deployment.
git clone https://github.com/safedep/vet.git
https://docs.safedep.io/
1. **Install vet.** Install the CLI with `go install github.com/safedep/vet@latest`, with Homebrew (`brew tap safedep/tap && brew install safedep/tap/vet`), or run the container image `ghcr.io/safedep/vet:latest` for a setup that is identical on every platform. Tip: vet is distributed as a single Go binary (and through GitHub Releases), not as an npm or PyPI package; the same binary scans Node.js, Python, Ruby, Go and other ecosystems by reading their manifests and lockfiles.
2. **Point vet at your manifests.** vet needs no registry credentials for public registries, because it reads lockfiles and manifests directly instead of talking to your package manager. Scan a checkout with `vet scan -D /path/to/project`, or a single lockfile with `vet scan --lockfiles package-lock.json`. Tip: features backed by the SafeDep cloud, such as active malicious package analysis, require an API key; https://docs.safedep.io/ describes how to obtain and configure one. Keep that key in a CI secret or environment variable, never in the repository.
3. **Run the scan with the options you need.** `vet scan -D . --report-json report.json` writes a machine-readable report for other tools; `--report-markdown report.md` produces a human-readable summary. Tip: monorepos need no special flag, since `-D` walks the directory tree and picks up every supported manifest and lockfile it finds.
4. **Integrate into CI/CD.** Add a CEL filter and `--filter-fail` to the scan so that the command exits non-zero, and the build fails, whenever a package matches the policy, for example `vet scan -D . --filter 'vulns.critical.exists(p, true)' --filter-fail`. Tip: on GitHub you can use the maintained action instead of installing the binary yourself; its `policy` input points to a filter-suite file (see the action's README for its other inputs):
```yaml
- name: vet scan
  uses: safedep/vet-action@v1
  with:
    policy: .github/vet/policy.yml
```
5. **Monitor and remediate findings.** Review the report and fix malicious packages first (remove them and audit what their install scripts may have touched), then vulnerabilities by severity and by whether your code actually reaches the vulnerable function. There is no `vet remediate` command: vet reports, it does not rewrite manifests, so upgrades are done with the package manager (`npm install <pkg>@<version>`, `pip install -U <pkg>`, `bundle update <gem>`). Tip: keep the JSON report as a CI artifact and wire your CI's notification integration (Slack, e-mail, ticketing) to the job status so that new critical findings reach the team immediately.
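The steps above wired into one pipeline, as an added example and not a workflow shipped by the vet project: a GitHub Actions job that installs the vet binary, scans the checkout, keeps the JSON report as an artifact, and fails the build when the CEL filter matches any package. The job name, the report filename `vet-report.json`, the choice of `stable` Go and the severity policy in the filter are assumptions made for this example; the vet options used (`scan -D`, `--report-json`, `--filter`, `--filter-fail`) are the documented CLI flags.

```yaml
# Added example: GitHub Actions workflow that gates merges on a vet scan.
# Assumptions: the repository root holds the manifests/lockfiles to scan,
# the latest stable Go can build vet, and the CEL filter below is the
# team's policy (critical or high known vulnerabilities block a merge).
name: vet-dependency-gate

on:
  pull_request:
  push:
    branches: [main]

permissions:
  contents: read

jobs:
  vet:
    runs-on: ubuntu-latest
    steps:
      - name: Check out source (vet reads the lockfiles from the checkout)
        uses: actions/checkout@v4

      - name: Set up Go (vet is distributed as a Go binary)
        uses: actions/setup-go@v5
        with:
          go-version: stable

      - name: Install vet
        run: go install github.com/safedep/vet@latest

      - name: Scan dependencies and write a machine-readable report
        # --filter selects the packages that violate policy; --filter-fail
        # turns a non-empty match into a non-zero exit, which fails the job.
        run: |
          vet scan -D . \
            --report-json vet-report.json \
            --filter 'vulns.critical.exists(p, true) || vulns.high.exists(p, true)' \
            --filter-fail

      - name: Keep the report even when the gate fails
        if: always()
        uses: actions/upload-artifact@v4
        with:
          name: vet-report
          path: vet-report.json
```

Two design points: the report is uploaded with `if: always()` so that the evidence for a failed gate survives, and the filter lives in the workflow rather than in a separate policy file only because this is the smallest self-contained form; once the policy grows beyond one expression, move it to a filter-suite file and pass `--filter-suite` instead of `--filter`.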
Scan for malware in open source dependencies to prevent security breaches.
Integrate vet into CI/CD pipelines to automatically fail builds on critical vulnerabilities.
Define and enforce security policies as CEL expressions, so that the gate matches your own risk appetite (vulnerability severity, maintenance, popularity, license) rather than a fixed severity threshold.
Analyze specific packages for known vulnerabilities and malware before deployment.
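To show what the CEL policies from the bullets above look like in practice, here is an added example (not a policy file from the vet project or its docs) of a vet filter suite, with the commands that apply it both to a whole checkout and to a single candidate package identified by purl. The suite name, the filter names, the thresholds (10 stars, the GPL license match), the file name `vet-policy.yml` and the `lodash@4.17.20` purl are choices made for this example; the CEL inputs `vulns`, `scorecard`, `projects` and `licenses` are the ones vet exposes to filters, and the `check_type` labels follow the filter-suite schema as documented, so confirm them against the current docs if your vet version rejects the file.

```yaml
# Added example: a vet filter suite (security policy as CEL expressions).
# Assumed file name: vet-policy.yml. Thresholds are illustrative.
#
# Apply to a checkout and fail CI on any match:
#   vet scan -D . --filter-suite vet-policy.yml --filter-fail
# Evaluate one candidate package before adding it as a dependency
# (the purl is an assumed input):
#   vet scan --purl pkg:npm/lodash@4.17.20 --filter-suite vet-policy.yml
name: acme-oss-policy
description: |
  Packages matching any filter below are reported; with --filter-fail
  the scan exits non-zero, which is how CI turns this policy into a gate.
filters:
  # Known vulnerabilities: only critical and high block a merge.
  - name: critical-or-high-vulns
    check_type: CheckTypeVulnerability
    value: |
      vulns.critical.exists(p, true) || vulns.high.exists(p, true)

  # Abandoned projects are a supply chain risk even without a CVE:
  # an OpenSSF Scorecard 'Maintained' score of 0 means no recent activity.
  - name: unmaintained
    check_type: CheckTypeMaintenance
    value: |
      scorecard.scores.Maintained == 0

  # Very low popularity is a weak but useful signal for typosquats
  # and freshly published lookalike packages.
  - name: low-popularity
    check_type: CheckTypePopularity
    value: |
      projects.exists(p, p.stars < 10)

  # License hygiene: copyleft licenses the legal team has not cleared.
  - name: gpl-licensed
    check_type: CheckTypeLicense
    value: |
      licenses.exists(p, p == "GPL-2.0" || p == "GPL-3.0")
```

Each filter is evaluated per package, so a package that is unmaintained and GPL-licensed shows up under both names in the report, which is usually what you want when triaging: the two findings go to different owners.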
Install command:
git clone https://github.com/safedep/vet
Copy the install command above and run it in your terminal. This clones the source; prebuilt binaries, the Homebrew formula and the container image are listed in the repository README.
Launch Claude Code, Cursor, or your preferred AI coding agent.
Use the prompt template or examples below to test the skill.
Adapt the skill to your specific use case and workflow.
Scan the [PACKAGE_MANAGER] project in [PROJECT_DIRECTORY] for malicious open source packages using Vet. Flag any packages with [SPECIFIC_RISK_LEVEL] or higher severity. Provide a detailed report including package names, versions, risk scores, and recommended remediation steps. Focus on dependencies that are [DIRECT_DEPENDENCIES/INDIRECT_DEPENDENCIES] and highlight any packages with known vulnerabilities from sources like [NVD/CVE_DATABASE].
## Vet Security Scan Report for Acme Corp - E-Commerce Platform

Generated: 2024-05-15 | Scan Duration: 2m 47s

### 🚨 CRITICAL FINDINGS (1 package)

1. **package: `event-stream@3.3.6`** (Indirect Dependency via `logger@1.0.0`)
   - Source: GitHub Advisory (malicious package)
   - Finding: This release pulls in `flatmap-stream@0.1.1`, which contained injected code targeting a cryptocurrency wallet application
   - Impact: Supply chain compromise; the payload executed in every install that resolved the malicious sub-dependency
   - Remediation: Pin to `event-stream@3.3.4` (the last clean release) or remove the dependency, then confirm `flatmap-stream` no longer appears in the lockfile

### ⚠️ HIGH RISK (4 packages)

1. **package: `lodash@4.17.20`** (Direct Dependency)
   - Severity: High (NVD: CVE-2021-23337)
   - Vulnerability: Command injection via the `template` function
   - Impact: Arbitrary code execution in Node.js when attacker-controlled input reaches `_.template` options
   - Remediation: Upgrade to `lodash@4.17.21` or later
2. **package: `axios@0.21.1`** (Transitive Dependency via `api-client@2.3.0`)
   - Severity: High (NVD: CVE-2021-3749)
   - Vulnerability: Regular expression denial of service (ReDoS) in the `trim` helper
   - Impact: CPU exhaustion when attacker-controlled strings are processed
   - Remediation: Upgrade to `axios@0.21.2` or later
3. **package: `hoek@4.1.1`**
   - Severity: High (NVD: CVE-2018-3728)
   - Vulnerability: Prototype pollution via `merge` and `applyToDefaults`
   - Remediation: Upgrade to `hoek@4.2.1` or later
4. **package: `serialize-javascript@3.0.0`**
   - Severity: High (NVD: CVE-2020-7660)
   - Vulnerability: Arbitrary code injection during serialization of attacker-controlled values
   - Remediation: Upgrade to `serialize-javascript@3.1.0` or later

### ✅ CLEAN (12 packages)

No vulnerabilities detected in: express@4.18.2, body-parser@1.20.2, cors@2.8.5, etc.

### Recommended Actions

1. Run `npm audit fix` (without `--force`, which pulls in breaking major upgrades) and review the remaining advisories by hand
2. Implement dependency allowlisting for new packages
3. Run vet in CI with `--filter-fail` so that new critical findings fail the build, and optionally as a local pre-commit hook for faster feedback
4. Schedule weekly automated scans with Slack notifications to #security-alerts