#vet OSS with #SafeDep

Safe and Trusted OSS for Security Engineering Teams

SafeDep helps security engineering teams build policy-driven guardrails against risky OSS components. Ship faster by leveraging OSS without inheriting its risks.

SafeDep Product Concept

Loved by Security Engineers

Our open source project vet is used by security and engineering teams to automate policy-driven vetting of OSS dependencies in CI/CD.

26K+ Container Downloads
200+ GitHub Stars

Integrations and Support

SafeDep integrates seamlessly with popular CI/CD platforms including GitHub Actions, GitLab CI, Jenkins, and more, and supports a wide range of package ecosystems:

GitHub
GitLab
Jenkins
Docker
npm
Ruby
Java
Golang
Python

Developer First

SafeDep helps security engineering teams roll out an OSS governance and risk mitigation program. Leverage policy as code to enforce your opinionated security guardrails within your developer platform without friction.

Seamless Deployment

Easily deploy using GitHub Actions, GitLab CI, Jenkins, or any other CI/CD platform of your choice.

Continuous Inventory

Continuously build SBOM, CBOM, and SaaSBOM inventories to maintain a fresh, up-to-date picture of the OSS components in use.

Identify OSS Risks

Identify risky OSS components using a codified definition of contextual risk for your organization.

Policy as Code

Express your organization's OSS policy as code and enforce it automatically as security guardrails.

Stay Compliant

Block risky OSS components from being introduced in code while maintaining operational control.

Malware Protection

Protect against malicious OSS components, typosquatting, and supply chain attacks.

Frequently Asked Questions

What is Software Composition Analysis (SCA)?

SCA is the process of identifying the components that make up a software artifact. Typically, SCA tools identify OSS dependencies and their vulnerabilities by matching dependency versions against databases of known vulnerabilities. SCA tools are known to be noisy and inefficient because they lack contextual risk identification: a vulnerable version is flagged whether or not the affected code is used. Next-generation SCA tools attempt to eliminate this noise through reachability analysis.

Do I need proactive guardrails against risky OSS components?

Yes. Fixing a risky OSS component typically involves upgrading to a patched version, when one is available, or migrating to a safer dependency. Both are notoriously hard in large codebases. Proactive guardrails must therefore be put in place so that unmaintained or untrustworthy OSS dependencies are not introduced in the first place.

How is SafeDep different from conventional SCA?

SafeDep aggregates OSS security metadata and determines the safety of an OSS component not only from its known vulnerabilities but also from other important attributes such as licensing, popularity, OpenSSF Scorecard results, indicators of malicious intent, and more. SafeDep also provides policy as code to enforce your opinionated security guardrails.
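The following is an added illustration, not SafeDep's or vet's own code, of what the "Identify OSS Risks", "Policy as Code" and "Malware Protection" features above and this FAQ answer describe: a policy expressed as data, evaluated against aggregated package metadata rather than vulnerability matches alone. The package records, the popular-package lists and the policy thresholds are constructed for the example; the rule names and the `PackageInfo` fields are assumptions of this example and do not reflect any SafeDep API.

```python
"""Policy-as-code guardrail over aggregated OSS package metadata (added example).

Not SafeDep/vet code. Field names, rule names and thresholds are assumptions
chosen for illustration; the package metadata below is constructed.
"""
from dataclasses import dataclass


@dataclass
class PackageInfo:
    name: str
    version: str
    ecosystem: str            # "pypi" or "npm" in this example
    vulns: list               # severities of known vulns, e.g. ["CRITICAL"]
    licenses: list            # SPDX identifiers
    weekly_downloads: int     # popularity signal
    scorecard_maintained: float  # 0..10, modelled on OpenSSF Scorecard "Maintained"


@dataclass
class Violation:
    rule: str
    message: str


# Constructed list of well-known names used for the typosquat check.
POPULAR_NAMES = {
    "pypi": {"requests", "numpy", "urllib3"},
    "npm": {"lodash", "express", "react"},
}

# The policy itself: plain data that can live in the repo and be reviewed like code.
POLICY = {
    "deny_vuln_severities": {"CRITICAL", "HIGH"},
    "deny_licenses": {"GPL-3.0-only", "AGPL-3.0-only"},
    "min_weekly_downloads": 1000,
    "min_scorecard_maintained": 5,
    "typosquat_max_distance": 1,
}


def levenshtein(a: str, b: str) -> int:
    """Edit distance (insert/delete/substitute) between two strings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def is_typosquat(name: str, ecosystem: str, max_distance: int):
    """Return the popular package `name` looks like, or None if it is not suspicious."""
    popular = POPULAR_NAMES.get(ecosystem, set())
    if name in popular:
        return None  # the genuine package is never flagged
    for candidate in sorted(popular):
        if levenshtein(name, candidate) <= max_distance:
            return candidate
    return None


def evaluate(pkg: PackageInfo, policy: dict) -> list:
    """Apply every rule in `policy` to one package; return all violations found."""
    found = []
    bad = [s for s in pkg.vulns if s in policy["deny_vuln_severities"]]
    if bad:
        found.append(Violation("vulnerabilities", f"known {', '.join(bad)} vulnerabilities"))
    denied = [l for l in pkg.licenses if l in policy["deny_licenses"]]
    if denied:
        found.append(Violation("license", f"denied license {', '.join(denied)}"))
    if pkg.weekly_downloads < policy["min_weekly_downloads"]:
        found.append(Violation("popularity", f"only {pkg.weekly_downloads} weekly downloads"))
    if pkg.scorecard_maintained < policy["min_scorecard_maintained"]:
        found.append(Violation("maintenance", f"maintained score {pkg.scorecard_maintained}"))
    target = is_typosquat(pkg.name, pkg.ecosystem, policy["typosquat_max_distance"])
    if target:
        found.append(Violation("typosquat", f"name resembles popular package '{target}'"))
    return found


def vet_manifest(packages: list, policy: dict) -> dict:
    """Map each package name to its violations; an empty list means it passes."""
    return {p.name: evaluate(p, policy) for p in packages}


# Constructed sample manifest: one clean package, one likely typosquat, one with policy hits.
SAMPLE_PACKAGES = [
    PackageInfo("requests", "2.31.0", "pypi", [], ["Apache-2.0"], 50_000_000, 9.0),
    PackageInfo("requets", "1.0.0", "pypi", [], ["MIT"], 12, 0.0),
    PackageInfo("leftpad-ng", "0.3.1", "npm", ["CRITICAL"], ["AGPL-3.0-only"], 5000, 7.0),
]

if __name__ == "__main__":
    for name, violations in vet_manifest(SAMPLE_PACKAGES, POLICY).items():
        verdict = "BLOCK" if violations else "allow"
        print(f"{verdict:5} {name}: " + "; ".join(f"[{v.rule}] {v.message}" for v in violations))
```

In a CI job the `vet_manifest` result would gate the build: any package with a non-empty violation list fails the pipeline before the dependency lands in the lockfile. The typosquat rule deliberately never flags a name that is itself on the popular list, so a genuine `requests` upgrade is not mistaken for an attack on `requets`.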

What if a critical vulnerability is found in an unmaintained OSS dependency?

You will have to analyse and fix the vulnerability in-house. Alternatively, SafeDep can provide a patched, backward-compatible version of the OSS package that mitigates the critical vulnerability.

How do I deploy vet and SafeDep Cloud?

vet is free and open source, so you can get started at no cost. SafeDep helps deploy, manage and operate vet at scale, across 1000+ repositories. SafeDep is a multi-tenant cloud service; however, it can also be self-hosted on-premises to meet compliance requirements.

Why is SafeDep "developer first"?

We believe the future of cyber security is close collaboration between security and engineering teams. These teams are likely to build organization- and platform-specific security solutions. SafeDep intends to help security engineering teams deliver safe and trusted OSS guarantees for their internal developer platform.

Protect against OSS Attacks

Roll out a developer-first OSS governance and risk mitigation program. Leverage policy as code to enforce your opinionated security guardrails.