SafeDep Vet MCP

safedep/vet
1.1k • STDIO • registry active
Summary

This server brings SafeDep's package security scanning directly into Claude and MCP-compatible IDEs. It exposes vet's malware detection and vulnerability analysis capabilities, letting you scan dependencies for malicious code, check packages against known threat databases, and validate licenses or OpenSSF Scorecard thresholds before you commit. The malware detection catches zero-day threats through behavioral analysis, while the policy engine uses CEL expressions to enforce security rules. Reach for this when you want real-time supply chain protection in your AI workflow, whether you're reviewing package.json files, inspecting GitHub Actions, or evaluating dependencies before merging. Works with npm, PyPI, Maven, Go, Rust, and container images. Free for open source projects with optional SafeDep Cloud integration.


SafeDep VET - Real-time malicious package detection & software supply chain security

Note: vet supports a special mode for Agent Skills. Run vet scan --agent-skill <owner/repo> to scan an Agent Skill hosted in a GitHub repository.

Why vet?

70-90% of modern software is open source code — how do you know it's safe?

Traditional SCA tools drown you in CVE noise. vet takes a different approach:

  • Shadow AI discovery — Discover AI tool usage signals across various tools and configurations
  • Catch malware before it ships — Zero-day detection through static and dynamic behavioral analysis (requires SafeDep Cloud access)
  • Cut through vulnerability noise — Analyzes actual code usage to surface only the risks that matter
  • Enforce policy as code — Express security, license, and quality requirements as CEL expressions
  • CI/CD integration — Zero-config security guardrails in CI/CD

Free for open source. Hosted SaaS available at SafeDep.

Quick Start

Install in seconds:

# macOS & Linux
brew install safedep/tap/vet

# Using npm
npm install -g @safedep/vet

or download a pre-built binary

Get started immediately:

# Scan for malware in your dependencies
vet scan -D . --malware-query

# Fail CI on critical vulnerabilities
vet scan -D . --filter 'vulns.critical.exists(p, true)' --filter-fail

# Get API key for advanced malware detection
vet cloud quickstart

Architecture

vet follows a pipeline architecture: readers ingest package manifests from diverse sources (directories, repositories, container images, SBOMs), enrichers augment each package with vulnerability, malware, and scorecard data from SafeDep Cloud, the CEL policy engine evaluates security policies against enriched data, and reporters produce actionable output in formats like SARIF, JSON, and Markdown.

View architecture diagram
graph TB
    subgraph "OSS Ecosystem"
        R1[npm Registry]
        R2[PyPI Registry]
        R3[Maven Central]
        R4[Other Registries]
    end

    subgraph "SafeDep Cloud"
        M[Continuous Monitoring]
        A[Real-time Code Analysis<br/>Malware Detection]
        T[Threat Intelligence DB<br/>Vulnerabilities • Malware • Scorecard]
    end

    subgraph "vet CLI"
        S[Source Repository<br/>Scanner]
        P[CEL Policy Engine]
        O[Reports & Actions<br/>SARIF/JSON/CSV]
    end

    R1 -->|New Packages| M
    R2 -->|New Packages| M
    R3 -->|New Packages| M
    R4 -->|New Packages| M
    M -->|Behavioral Analysis| A
    A -->|Malware Signals| T

    S -->|Query Package Info| T
    T -->|Security Intelligence| S
    S -->|Analysis Results| P
    P -->|Policy Decisions| O

    style M fill:#7CB9E8,stroke:#5A8DB8,color:#1a1a1a
    style A fill:#E8A87C,stroke:#B88A5A,color:#1a1a1a
    style T fill:#7CB9E8,stroke:#5A8DB8,color:#1a1a1a
    style S fill:#90C695,stroke:#6B9870,color:#1a1a1a
    style P fill:#E8C47C,stroke:#B89B5A,color:#1a1a1a
    style O fill:#B8A3D4,stroke:#9478AA,color:#1a1a1a

Key Features

Malicious Package Detection

Real-time protection against malicious packages powered by SafeDep Cloud. Free for open source projects. Detects zero-day malware through active code analysis.

Vulnerability Analysis

Unlike dependency scanners that flood you with noise, vet analyzes your actual code usage to prioritize real risks. See dependency usage evidence for details.

Policy as Code

Define security policies using CEL expressions to enforce context-specific requirements:

# Block packages with critical CVEs
vet scan --filter 'vulns.critical.exists(p, true)' --filter-fail

# Enforce license compliance
vet scan --filter 'licenses.contains_license("GPL-3.0")' --filter-fail

# Require minimum OpenSSF Scorecard scores
vet scan --filter 'scorecard.scores.Maintained < 5' --filter-fail

Multi-Ecosystem Support

  • Package managers: npm, PyPI, Maven, Go, Ruby, Rust, PHP
  • Container images: Docker, OCI
  • SBOM formats: CycloneDX, SPDX
  • Source repositories: GitHub, GitLab

Malicious Package Detection

Real-time protection against malicious packages with active scanning and behavioral analysis.

Quick Setup

# One-time setup for advanced scanning
vet cloud quickstart

# Scan for malware with active scanning (requires API key)
vet scan -D . --malware

# Query known malicious packages (no API key needed)
vet scan -D . --malware-query

Example detections:

  • MAL-2025-3541: express-cookie-parser
  • MAL-2025-4339: eslint-config-airbnb-compat
  • MAL-2025-4029: ts-runtime-compat-check

Key security features:

  • Real-time analysis against known malware databases
  • Behavioral analysis using static and dynamic analysis
  • Zero-day protection through active code scanning
  • Human-in-the-loop triaging for high-impact findings
  • Public analysis log for transparency

Advanced Usage

# Specialized scans
vet scan --vsx --malware                    # VS Code extensions
vet scan -D .github/workflows --malware     # GitHub Actions
vet scan --image nats:2.10 --malware        # Container images

# Analyze specific packages
vet inspect malware --purl pkg:npm/nyc-config@10.0.0

Production Ready Integrations

GitHub Actions

Zero-config security guardrails in CI/CD:

- uses: safedep/vet-action@v1
  with:
    policy: ".github/vet/policy.yml"

See vet-action documentation.

GitLab CI

Enterprise scanning with vet CI Component:

include:
  - component: gitlab.com/safedep/ci-components/vet/scan@main

Container Integration

Run vet anywhere using our container image:

docker run --rm -v "$(pwd)":/app ghcr.io/safedep/vet:latest scan -D /app --malware

Installation

Homebrew (Recommended)

brew install safedep/tap/vet

npm

npm install @safedep/vet

Direct Download

See releases for pre-built binaries.

Go Install

go install github.com/safedep/vet@latest

Container Image

# Quick test
docker run --rm ghcr.io/safedep/vet:latest version

# Scan local directory
docker run --rm -v "$(pwd)":/workspace ghcr.io/safedep/vet:latest scan -D /workspace

Verify Installation

vet version
# Should display version and build information

Advanced Features

Learn more in our comprehensive documentation:

  • AI Usage Discovery - Discover AI tool usage signals across various tools and configurations
  • AI Agent Mode - Run vet as an AI agent
  • MCP Server - Run vet as an MCP server for AI-assisted code analysis
  • Reporting - SARIF, JSON, CSV, HTML, Markdown formats
  • SBOM Support - CycloneDX, SPDX import/export
  • Query Mode - Scan once, analyze multiple times
  • GitHub Integration - Repository and organization scanning
  • GitHub Actions Pinning - Pin GitHub Actions to commit SHAs to prevent supply chain attacks

Privacy

vet collects anonymous usage telemetry to improve the product. Your code and package information is never transmitted.

# Disable telemetry (optional)
export VET_DISABLE_TELEMETRY=true

Community & Support

Get Help & Share Ideas

  • Interactive Tutorial - Learn vet hands-on
  • Complete Documentation - Comprehensive guides
  • Discord Community - Real-time support
  • Issue Tracker - Bug reports & feature requests
  • Contributing Guide - Join the development

Built With Open Source

vet stands on the shoulders of giants:

OSV • OpenSSF Scorecard • SLSA • OSV-SCALIBR • Syft

Contributors

Thank you to all contributors ❤️

Secure your supply chain today. Star the repo and get started!

Created with love by SafeDep and the open source community

Registry: active
Package: ghcr.io/safedep/vet:v1.17.3
Transport: STDIO
Updated: May 30, 2026