Introducing SafeDep vet 🚀

Madhu Akula

SafeDep vet

Hello Everyone 👋

Today we are excited to release SafeDep vet 🚀, a tool to identify risks in open source dependencies and establish trust in the open source software supply chain.

What is SafeDep vet?

vet is a tool for identifying risks in the open source software supply chain. It helps engineering and security teams identify potential issues in their open source dependencies and evaluate those dependencies against organizational policies.

Why vet?

It has been estimated that Free and Open Source Software (FOSS) constitutes 70–90% of any given modern software product.

Product security practices target software developed and deployed internally. They do not cover software consumed from external sources in the form of libraries from the open source ecosystem. The growing risk of vulnerable, unmaintained, and malicious dependencies means product security teams need to vet third-party dependencies before consuming them.

SafeDep vet Architecture

Get started with vet

Here is the sneak peek demo of how you can get started right away!

SafeDep vet demo

How can I use vet?

vet covers a variety of use cases, including scanning for open source dependency risks, transitive dependencies, library maintenance status, OpenSSF Scorecard report information, and more. vet becomes more powerful when you leverage filters, queries, and packs. These features let you express policies in CEL (Common Expression Language) and build security policy as code (PaC) that matches your organizational standards, enforced automatically in your CI/CD pipeline or on a developer laptop.

SafeDep GitHub Action: SafeDep vet in action, blocking insecure dependencies in GitHub Actions according to an OSS best practices policy

What does the future look like for vet?

This is just the beginning for SafeDep vet. Our roadmap is focused on building a community and ecosystem around open source supply chain security.

Here are some of the exciting things we are working on to solve problems in the open source world 🚀

  1. Identifying supply chain security risks in open source libraries using the open ecosystem, and validating them at a deeper level
  2. A common policy engine and hub for supply chain security, so the community can share and learn standard policy as code
  3. Integration is a big piece, given how many internal tools and systems organizations use. We are working heavily on integrating with various tools and systems, including open source and commercial solutions
  4. Build systems and Continuous Integration & Delivery pipelines (GitHub Actions, GitLab CI/CD, Bitbucket Pipelines, Jenkins, Travis CI, AWS CodeBuild, Argo, Flux, etc.)
  5. Artifact repositories and registries: there is no question that companies should be leveraging internal registries and artifact systems like JFrog, Nexus, Container Registry, etc.
  6. Developer tooling: this is one of our biggest driving factors for building SafeDep vet. We want to reduce the friction of developers going to security teams and waiting for days, and sometimes even months, down to minutes or even seconds.
  7. IDEs (Integrated Development Environments): most developers use these tools to write software. We would love to support VSCode, Vim, NeoVim, JetBrains IDEs, etc.
  8. Logging and monitoring solutions: most companies have many tools and technology dashboards, and it is painful for security teams to look at tens or hundreds of them. We would love to integrate vet into the most common tooling like Elastic, DataDog, Splunk, etc., and to feed metrics systems like Grafana and Prometheus
  9. Most security folks talk about shift-left and secure builds, but we have seen real-world cases where supply chain attacks land after the build. We want to support integration into gateways and service meshes like Kong, Istio, Traefik, Linkerd, Cilium Mesh, etc.

There are many more cool things coming soon, so make sure to give vet a try and provide your valuable feedback to help build a secure open source ecosystem.

How Can I Contribute?

You can contribute to SafeDep vet in various ways. While we have tested several use cases, interesting new ones always come up. If you feel like working on the tool itself, we are open to patches and contributions using standard GitHub development practices. We are always looking for feedback on ideas, suggestions, and improvements 🙌

Once again, thank you so much everyone for showing interest in the project. We would love to hear your feedback, and please spread the word with your friends, colleagues, and your audience by sharing on social media using the following links 🙏

You can 😎 Follow, 🌟 Star, and 🔺 Upvote us on social media. You can also join our community on 👋 Discord 🔥
