Created and maintained by https://safedep.io with contributions from the community 🚀
GitHub Action for integrating vet in your workflow. Provides active protection against vulnerable, outdated, unpopular and malicious OSS dependencies using policy as code based guardrails.
Follow setup instructions for step by step guide on how to integrate
vetin your GitHub repository with customizable policies
Follow quickstart if you want to integrate
vetas a step in your existing GitHub actions workflow
TLDR; add this GitHub action to vet your changed dependencies during pull request
- name: Run vet
id: vet
permissions:
contents: read
issues: write
pull-requests: write
uses: safedep/vet-action@v1
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}The output of vet-action is a SARIF
report that can be uploaded to GitHub Code Scanning
- name: Upload SARIF
uses: github/codeql-action/upload-sarif@v3
with:
sarif_file: ${{ steps.vet.outputs.report }}
category: vetFollow this instruction to integrate
vetas a GitHub action in your GitHub repository
- Go to the root directory of your GitHub repository
- Create the workflow and policy directory
mkdir -p .github/workflows .github/vet- Download the policy file into the policy directory
curl -o .github/vet/policy.yml -L https://raw.githubusercontent.com/safedep/vet-action/main/example/policy.yml- Download
vetGitHub Action workflow
curl -o .github/workflows/vet-ci.yml -L https://raw.githubusercontent.com/safedep/vet-action/main/example/vet-ci.yml- Review the policy file in
.github/vet/policy.ymland edit as required - Push / PR your changes into the repository
vet-action provides integration with SafeDep Cloud.
By leveraging SafeDep Cloud, vet and vet-action provides additional services such
as Malicious Package Analysis.
To use SafeDep Cloud integration, you need
- SafeDep Cloud Tenant Domain
- SafeDep Cloud API Key
Refer to SafeDep Cloud Quickstart guide on getting the required information for activating cloud integration.
vet-action accepts following additional configuration for customizing how
vet is invoked during scan
| GitHub Action Input | Example Value | Notes |
|---|---|---|
policy |
policies/sample.yml |
Path to vet YAML policy file (filter suite) |
exception-file |
config/exceptions.yml |
Path to vet exception YAML file |
trusted-registries |
https://r1.org, https://r2.org |
, separated string of registry base URLs |
timeout |
300 |
Max time in seconds to wait for external services |
cloud |
true |
Enable integration with SafeDep Cloud |
cloud-tenant |
default-team.example-org.safedep.io |
SafeDep Cloud Tenant Domain |
cloud-key |
sfd_xxxx |
SafeDep Cloud API Key |
- Refer to vet policy as code for details on
policyformat - Refer to vet exceptions for details on
exception-fileformat
- Raise issues related to GitHub Action at https://github.com/safedep/vet-action/issues
- Raise issues related to
vettool at https://github.com/safedep/vet/issues
Refer to development documentation