Malicious code in open source is real, and people get compromised by it, as the tj-actions/changed-files GitHub Action compromise, the Ultralytics PyPI package compromise and many similar incidents have shown. vet now supports identifying malicious OSS packages through active code analysis.
🚀 Getting Started
- Install vet
brew tap safedep/tap
brew install safedep/tap/vet
For other installation methods, refer to README.md
- Onboard to SafeDep Cloud to use the code analysis infrastructure using vet:
vet cloud quickstart
🐞 Malicious Package Scanning
- Scan a single package, identified by its package URL (purl) in the form pkg:/<ecosystem>/<name>@<version>
vet inspect malware --purl pkg:/npm/<name>@<version>
- Scan a repository with auto-discovered packages
vet scan -D /path/to/repo --malware
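Scanning specific packages rather than a whole repository means producing one purl per package. The script below is an example added to this page, not part of vet or SafeDep: it builds purls for three of the ecosystems listed on this page (npm, PyPI, Go modules) from constructed sample lockfiles and runs `vet inspect malware --purl` for each, or prints the commands when vet is not on PATH. The purl rules it applies (percent-encoding the npm scope so `@babel/core` becomes `%40babel/core`, PEP 503 name normalisation for PyPI, splitting a Go module path into namespace and name) follow the package-url spec; the lockfile layouts, sample data and helper names are assumptions of the example. The spec treats a slash right after `pkg:` as insignificant, so `pkg:npm/...` and the page's `pkg:/npm/...` denote the same package.

```python
"""Build purls from lockfiles and feed them to `vet inspect malware --purl`.

Example code added to this page; not part of vet. Lockfile formats handled:
npm package-lock.json (lockfileVersion 2/3), pip requirements.txt with == pins,
and go.mod. All sample inputs below are constructed for the example.
"""
import json
import re
import shutil
import subprocess
from urllib.parse import quote

# --- purl builders (pkg:type/namespace/name@version, package-url spec) --------
def _seg(s: str) -> str:
    # Every namespace/name/version segment is percent-encoded; "@" -> "%40".
    return quote(s, safe="")

def npm_purl(name: str, version: str) -> str:
    if name.startswith("@") and "/" in name:      # scoped: "@scope/name"
        scope, base = name.split("/", 1)
        return f"pkg:npm/{_seg(scope)}/{_seg(base)}@{_seg(version)}"
    return f"pkg:npm/{_seg(name)}@{_seg(version)}"

def pypi_purl(name: str, version: str) -> str:
    # PyPI names are case-insensitive and treat "-", "_" and "." alike (PEP 503);
    # the purl spec wants the lowercased, dash-normalised form.
    return f"pkg:pypi/{re.sub(r'[-_.]+', '-', name).lower()}@{_seg(version)}"

def golang_purl(module_path: str, version: str) -> str:
    # "github.com/gorilla/mux" -> namespace "github.com/gorilla", name "mux".
    # Case is preserved because Go module paths are case-sensitive.
    parts = module_path.split("/")
    ns = "/".join(_seg(p) for p in parts[:-1])
    tail = f"{_seg(parts[-1])}@{_seg(version)}"
    return f"pkg:golang/{ns}/{tail}" if ns else f"pkg:golang/{tail}"

# --- lockfile readers ----------------------------------------------------------
def purls_from_package_lock(text: str) -> list:
    """package-lock.json v2/v3: keys under "packages" are node_modules paths."""
    out = []
    for path, meta in json.loads(text).get("packages", {}).items():
        # Skip the root project (""), workspace symlinks and non-registry paths.
        if "node_modules/" not in path or meta.get("link") or "version" not in meta:
            continue
        name = path.rsplit("node_modules/", 1)[1]   # handles nested deps
        out.append(npm_purl(name, meta["version"]))
    return out

_REQ = re.compile(r"^\s*([A-Za-z0-9][A-Za-z0-9._-]*)(?:\[[^\]]*\])?\s*==\s*([^\s;#]+)")

def purls_from_requirements(text: str) -> list:
    """requirements.txt: only exact == pins name a scannable version; comments,
    -r includes, extras and environment markers are tolerated."""
    return [pypi_purl(m.group(1), m.group(2))
            for m in (_REQ.match(l) for l in text.splitlines()) if m]

def purls_from_go_mod(text: str) -> list:
    """go.mod: single-line and block 'require' directives."""
    out, in_block = [], False
    for raw in text.splitlines():
        line = raw.split("//", 1)[0].strip()        # drop "// indirect" etc.
        if line.startswith("require ("):
            in_block = True
            continue
        if in_block and line == ")":
            in_block = False
            continue
        if line.startswith("require "):
            line = line[len("require "):]
        elif not in_block:
            continue
        fields = line.split()
        if len(fields) == 2:
            out.append(golang_purl(fields[0], fields[1]))
    return out

# --- driving vet ---------------------------------------------------------------
def vet_commands(purls: list) -> list:
    """One `vet inspect malware --purl <purl>` argv per package (the command
    form shown on this page)."""
    return [["vet", "inspect", "malware", "--purl", p] for p in purls]

def run(purls: list) -> None:
    cmds = vet_commands(purls)
    if shutil.which("vet") is None:                 # offline / vet not installed
        for c in cmds:
            print(" ".join(c))
        return
    for c in cmds:
        subprocess.run(c, check=False)              # vet reports per package

# Constructed sample inputs for the example.
SAMPLE_PACKAGE_LOCK = json.dumps({"name": "demo", "lockfileVersion": 3, "packages": {
    "": {"name": "demo", "version": "1.0.0"},
    "node_modules/lodash": {"version": "4.17.21"},
    "node_modules/@babel/core": {"version": "7.24.0"},
    "node_modules/a": {"version": "1.0.0"},
    "node_modules/a/node_modules/@scope/b": {"version": "2.1.0"},
    "node_modules/local-ws": {"resolved": "packages/local-ws", "link": True},
    "packages/local-ws": {"version": "0.0.1"}}})
SAMPLE_REQUIREMENTS = ("# constructed sample\n-r base.txt\nrequests==2.31.0\n"
                       'Pillow[secure]==10.2.0 ; python_version >= "3.8"\n'
                       "PyYAML>=6.0\nruamel.yaml==0.18.5\n")
SAMPLE_GO_MOD = ("module example.com/demo\n\ngo 1.22\n\n"
                 "require github.com/spf13/cobra v1.8.0\n\n"
                 "require (\n\tgithub.com/gorilla/mux v1.8.1\n"
                 "\tgolang.org/x/crypto v0.17.0 // indirect\n)\n")

if __name__ == "__main__":
    run(purls_from_package_lock(SAMPLE_PACKAGE_LOCK)
        + purls_from_requirements(SAMPLE_REQUIREMENTS)
        + purls_from_go_mod(SAMPLE_GO_MOD))
```

Because `vet inspect malware` relies on the SafeDep Cloud onboarding above, run `vet cloud quickstart` first; otherwise each invocation fails and the script moves on to the next purl. For a whole checkout, `vet scan -D /path/to/repo --malware` already discovers packages itself; a purl list like this is for targeted checks, for example only the dependencies a pull request changed.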
🔍 Supported Ecosystems
| Ecosystem | Support |
|---|---|
| JavaScript (npm) | ✅ |
| Python (PyPI) | ✅ |
| Java (Maven) | ❌ |
| Go (modules) | ✅ |
| Rust (crates.io) | ❌ |
| Ruby (RubyGems) | ✅ |
➡️ Raise an issue to request an ecosystem to be prioritised