Hello Everyone 👋
Today we are super excited to release SafeDep vet 🚀, a tool to identify risks in open source dependencies and establish trust in the open source software supply chain.
vet is a tool for identifying risks in the open source software supply chain. It helps engineering and security teams identify potential issues in their open source dependencies and evaluate those dependencies against organizational policies.
It has been estimated that Free and Open Source Software (FOSS) constitutes 70–90% of any given modern software solution.
Product security practices target software developed and deployed internally. They do not cover software consumed from external sources in the form of libraries from the open source ecosystem. The growing risk of vulnerable, unmaintained, and malicious dependencies establishes the need for product security teams to vet third-party dependencies before consumption.
Here is a sneak peek demo of how you can get started right away!
vet covers a variety of use cases, including scanning for open source dependency risks, transitive dependencies, library maintenance status, OpenSSF Scorecard report information, and more. vet becomes far more powerful when you leverage filters, queries, and packs: with these you can write policies in CEL (Common Expression Language) and enforce them as policy as code (PaC) according to your organization's standards and needs, automatically in CI/CD or on a developer laptop.
SafeDep vet in action, blocking insecure dependencies in GitHub Actions as per an OSS best-practices policy
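As an added illustration of the policy-as-code flow described above (this is my example, not code from the SafeDep project or this post), here is a GitHub Actions job that runs vet with a CEL filter and fails the build when any dependency matches. The install path and the `scan`, `-D`, `--filter` and `--filter-fail` flags are the ones I know from vet's README, and the field names in the filter expression are my assumption about vet's package schema, so confirm both against the docs for the version you install.

```yaml
name: dependency-policy
on: [pull_request]

jobs:
  vet:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-go@v5
        with:
          go-version: '1.21'   # constructed value; use your project's Go version

      # Install vet (install path assumed from the project's README).
      - name: Install vet
        run: go install github.com/safedep/vet@latest

      # Policy as code: the CEL expression is evaluated against every
      # dependency found in the lockfiles under the repository root.
      # Any package with a critical vulnerability, an OpenSSF Scorecard
      # "Maintained" score of 0, or a GPL-2.0 license matches the filter,
      # and --filter-fail makes vet exit non-zero so the PR check fails.
      # Field names (vulns, scorecard.scores, licenses) are assumptions.
      - name: Enforce dependency policy
        run: |
          vet scan -D . \
            --filter 'vulns.critical.exists(p, true) || scorecard.scores.Maintained == 0 || licenses.exists(p, p == "GPL-2.0")' \
            --filter-fail
```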
This is just the beginning for SafeDep vet; our roadmap is looking very strong as we build a community and ecosystem around open source supply chain security.
Here are some of the exciting things we are working on to solve problems in the open source world 🚀
There are many more cool things coming up soon, so make sure to give vet a try and provide your valuable feedback to help build a secure open source ecosystem.
You can contribute in various ways to SafeDep vet. While we have tested several use cases, there are always interesting new uses that come up. If you feel like working on the service itself, we’re open to patches and contributions using standard GitHub development practices. We are always looking for amazing feedback about ideas, suggestions & improvements 🙌
Once again, thank you so much, everyone, for showing interest in the project. We would love to hear your feedback, and please spread the word to your friends, colleagues, and audience by sharing on social media using the following links 🙏