#vet OSS with #SafeDep
Safe and Trusted Open Source for Security Engineering Teams
SafeDep helps security engineering teams build policy-driven guardrails against risky OSS components. Ship faster by leveraging OSS without the inherited risks.
Loved by Security Engineers
Our open source project vet is used by security and engineering teams to automate policy-driven vetting of OSS dependencies in CI/CD.
Integrations and Support
SafeDep integrates seamlessly with popular CI/CD platforms including GitHub Actions, GitLab CI, Jenkins, and more, and supports a wide range of package ecosystems.
Developer First
SafeDep helps security engineering teams roll out an OSS governance and risk mitigation program. Leverage policy as code to enforce your opinionated security guardrails within your developer platform without friction.
Seamless Deployment
Easily deploy using GitHub Actions, GitLab CI, Jenkins, or any other CI/CD platform of your choice.
Continuous Inventory
Continuously build SBOM, CBOM and SaaSBOM documents to maintain a fresh inventory of OSS components.
Identify OSS Risks
Identify risky OSS components using a codified definition of contextual risk for your organization.
Policy as Code
Automate organizational OSS policy as code to enforce security guardrails.
Stay Compliant
Block risky OSS components from being introduced in code while maintaining operational control.
Malware Protection
Protect against malicious OSS components, typosquatting, and supply chain attacks.
Frequently Asked Questions
What is Software Composition Analysis (SCA)?
SCA is the process of identifying the components that make up a software artifact. Typically, SCA tools identify OSS dependencies and their vulnerabilities by matching package versions against databases of known vulnerabilities. Conventional SCA tools are known to be noisy and inefficient because they lack contextual risk identification; next-generation SCA tools attempt to eliminate that noise through reachability analysis.
Do I need proactive guardrails against risky OSS components?
You do. Fixing a risky OSS component typically involves upgrading to a patched version when one is available or migrating to a safer dependency, which is notoriously hard in large codebases. Proactive guardrails must therefore be put in place to ensure unmaintained or untrustworthy OSS dependencies are not introduced in the first place.
How is SafeDep different from conventional SCA?
SafeDep aggregates OSS security metadata and determines the safety of OSS components not just on the basis of known vulnerabilities but also on other important attributes such as licensing, popularity, OpenSSF Scorecard results, indicators of malicious intent, and more. SafeDep also provides policy as code to enforce your opinionated security guardrails.
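To make the "policy as code" and multi-attribute risk idea concrete (the Policy as Code, Identify OSS Risks and Malware Protection items above, and this answer), here is an added example of a minimal policy evaluator over OSS package metadata. It is illustrative code written for this page, not vet's or SafeDep's own code, and it does not use vet's policy syntax. The package names, metadata values, allowlist and thresholds are all constructed; the typosquat check is a simple edit-distance heuristic against a constructed list of popular package names.

```python
"""Added example: a tiny policy-as-code guardrail over OSS package metadata.
Not vet's or SafeDep's code; all data and thresholds below are constructed."""
from __future__ import annotations

from dataclasses import dataclass, field


@dataclass
class Package:
    ecosystem: str
    name: str
    version: str
    license: str
    scorecard_maintained: float      # OpenSSF Scorecard "Maintained" check, 0-10
    monthly_downloads: int
    vuln_severities: list[str] = field(default_factory=list)


@dataclass
class Violation:
    rule: str
    reason: str


# Organizational policy expressed as data (constructed thresholds).
POLICY = {
    "allowed_licenses": {"MIT", "Apache-2.0", "BSD-3-Clause", "ISC"},
    "min_maintained_score": 5.0,
    "min_monthly_downloads": 10_000,
    "block_severities": {"CRITICAL", "HIGH"},
    "max_typosquat_distance": 2,
}

# Constructed list of well-known package names per ecosystem for the typosquat check.
POPULAR = {"npm": {"lodash", "express", "react"}, "pypi": {"requests", "numpy"}}


def levenshtein(a: str, b: str) -> int:
    """Classic edit distance (insert, delete, substitute) via a rolling DP row."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def typosquat_candidate(pkg: Package, policy=POLICY, popular=POPULAR) -> str | None:
    """Return the popular name this package looks like, or None.
    An exact match is the popular package itself, not a typosquat."""
    known = popular.get(pkg.ecosystem, set())
    if pkg.name in known:
        return None
    for candidate in sorted(known):
        if levenshtein(pkg.name, candidate) <= policy["max_typosquat_distance"]:
            return candidate
    return None


def evaluate(pkg: Package, policy=POLICY) -> list[Violation]:
    """Apply every rule of the policy and collect violations (rule order is fixed)."""
    out: list[Violation] = []
    blocked = [s for s in pkg.vuln_severities if s in policy["block_severities"]]
    if blocked:
        out.append(Violation("vulnerability", f"has {', '.join(blocked)} vulnerabilities"))
    if pkg.license not in policy["allowed_licenses"]:
        out.append(Violation("license", f"license {pkg.license!r} is not on the allowlist"))
    if pkg.scorecard_maintained < policy["min_maintained_score"]:
        out.append(Violation("maintained", f"Scorecard Maintained={pkg.scorecard_maintained} "
                                           f"< {policy['min_maintained_score']}"))
    if pkg.monthly_downloads < policy["min_monthly_downloads"]:
        out.append(Violation("popularity", f"only {pkg.monthly_downloads} monthly downloads"))
    squat = typosquat_candidate(pkg, policy)
    if squat:
        out.append(Violation("typosquat", f"{pkg.name!r} is within edit distance "
                                          f"{policy['max_typosquat_distance']} of {squat!r}"))
    return out


def vet_manifest(packages: list[Package], policy=POLICY) -> tuple[bool, dict[str, list[str]]]:
    """Gate a whole manifest: returns (allowed, report) where report maps
    'ecosystem:name@version' to the names of the rules it violates."""
    report = {f"{p.ecosystem}:{p.name}@{p.version}": [v.rule for v in evaluate(p, policy)]
              for p in packages}
    return all(not rules for rules in report.values()), report


# Constructed sample manifest: one clean package, one typosquat, one risky-but-popular one.
SAMPLE = [
    Package("pypi", "requests", "2.31.0", "Apache-2.0", 9.0, 50_000_000),
    Package("pypi", "requets", "0.1.0", "MIT", 0.0, 120),
    Package("npm", "left-pad", "1.3.0", "WTFPL", 2.0, 5_000_000, ["HIGH"]),
]

if __name__ == "__main__":
    allowed, report = vet_manifest(SAMPLE)
    for key, rules in report.items():
        print(key, "OK" if not rules else "BLOCKED: " + ", ".join(rules))
    raise SystemExit(0 if allowed else 1)
```

In CI the non-zero exit is the guardrail: the job fails before a new dependency with a blocked-severity vulnerability, a disallowed licence, a low maintenance score, negligible adoption or a name that looks like a typo of a popular package is merged. Thresholds live in one data structure so the policy can be reviewed and version-controlled like any other code.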
What if a critical vulnerability is found in an unmaintained OSS dependency?
You will have to analyse and fix the vulnerability in-house. Alternatively, SafeDep can provide a patched, backward-compatible version of the OSS package that mitigates the critical vulnerability.
How do I deploy vet and SafeDep Cloud?
vet is free and open source, so you can get started at no cost. SafeDep Cloud helps deploy, manage and operate vet at scale across 1000+ repositories. SafeDep Cloud is a multi-tenant cloud service; however, it can also be self-hosted on-premises to meet compliance requirements.
Why is SafeDep "developer first"?
We believe the future of cyber security lies in close collaboration between security and engineering teams, who are likely to build organization- and platform-specific security solutions. SafeDep intends to help security engineering teams achieve safe and trusted OSS guarantees for their internal developer platform.
Protect against OSS Attacks
Roll out a developer-first OSS governance and risk mitigation program. Leverage policy as code to enforce your opinionated security guardrails.