Contributing to SafeDep Open Source Projects during Hacktoberfest 2025

SafeDep Team
4 min read

About Hacktoberfest

Hacktoberfest is an annual event that encourages developers to contribute to open source projects. It is organized by DigitalOcean, GitHub, and other partners, and takes place every year during the month of October.

Who can contribute

Anyone can participate in Hacktoberfest. SafeDep is an open source first company, and SafeDep OSS projects are open to contributions from developers of all skill levels and backgrounds. As a company specializing in software supply chain security, we particularly encourage security researchers and professionals to contribute to our projects.

If you are a security engineer who wants to get familiar with developer workflows, or a developer who wants to learn more about security, this is a great opportunity to contribute to projects that focus on securing the open source software supply chain.

How to contribute

SafeDep open source projects are available in the following GitHub repositories. Do not forget to star the repositories you are interested in to receive updates and show your support.

Project   Description                                         Repository
vet       Swiss army knife for vetting open source packages   github.com/safedep/vet
pmg       Package manager guard against malicious packages    github.com/safedep/pmg
xbom      Generate XBOMs with static code analysis            github.com/safedep/xbom

Here is how you can choose a project to contribute to.

  • If you are a security researcher, you can contribute to vet by adding new policies, support for additional ecosystems, and so on.
  • If you are looking to improve developer security, look at pmg, which is designed to protect developers from malicious packages at install time.
  • If you are interested in static code analysis, look at xbom, which uses a custom static code analysis engine and YAML based signatures to match code semantics.

Getting started is easy. Just follow these steps:

  • You must have a GitHub or GitLab account and be signed in to Hacktoberfest
  • Navigate to any of the repositories, such as https://github.com/safedep/vet
  • Look at the Issues section
  • If you are getting started, look for issues with the good first issue label
  • Add a comment to the issue you want to work on and request to be assigned
  • Raise a pull request with your changes
  • Go through the review process and get your PR merged

Once your PR is merged, your contribution will be counted towards Hacktoberfest. You can track your progress on the Hacktoberfest dashboard.

Interesting use-cases

Securing AI Code Generation

vet supports an embedded MCP server that integrates with AI IDEs and coding agents such as Cursor and Claude Code. You can contribute by testing the integration with various coding agents and by adding new tools that help developers write secure code and that prevent vulnerable or malicious open source packages from being used in generated code. Here is a demo of how it works with Claude Code.

(Demo video embedded in the original post.)

You can find more information about this integration in the docs. See the open issues for open items, ideas and feature requests.

Improve PMG

pmg acts as a security wrapper for popular package managers such as npm and pnpm: it sits in front of the package manager and checks packages before they are installed. You can contribute by adding support for new package managers, improving the developer experience, or adding new features such as a rule engine or an offline database. See the open issues for more details. Here is a demo of how it works.
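To make the "security wrapper" idea concrete, here is an added example of a minimal package manager guard written in POSIX shell. It is not pmg's code and does not use pmg's data: it intercepts `npm install`, parses each package spec on the command line, checks it against a constructed, hypothetical denylist embedded in the script, and only hands off to the real npm if nothing is blocked. The one parsing subtlety it handles is scoped packages, where the leading `@` belongs to the name and must not be mistaken for the version separator.

```shell
#!/bin/sh
# Added example: a toy "package manager guard" wrapper around `npm install`.
# This is NOT pmg; it only illustrates the wrapper pattern pmg is built on.

# Constructed denylist of name@version entries (hypothetical, for illustration only).
DENYLIST="event-stream@3.3.6
ua-parser-js@0.7.29
@evil-scope/backdoor@1.0.0"

# Split an npm package spec into PKG_NAME and PKG_VERSION.
# Scoped packages start with '@', so the first '@' is part of the name and
# only a later '@' separates the version: "@scope/name@1.2.3".
parse_spec() {
  _spec=$1
  case $_spec in
    @*) _body=${_spec#@}; _prefix=@ ;;
    *)  _body=$_spec;     _prefix= ;;
  esac
  case $_body in
    *@*) PKG_NAME="$_prefix${_body%%@*}"; PKG_VERSION=${_body#*@} ;;
    *)   PKG_NAME="$_prefix$_body";       PKG_VERSION= ;;
  esac
}

# Return 0 if the spec must be blocked, 1 if it may proceed.
# A pinned request ("pkg@1.0.0") is blocked only on an exact version match.
# An unpinned request ("pkg") resolves to whatever the registry serves, so the
# wrapper cannot know the version in advance and conservatively blocks any
# name that appears in the denylist at all.
is_blocked() {
  parse_spec "$1"
  _name=$PKG_NAME
  _ver=$PKG_VERSION
  for _entry in $DENYLIST; do
    parse_spec "$_entry"
    [ "$PKG_NAME" = "$_name" ] || continue
    if [ -z "$_ver" ] || [ "$PKG_VERSION" = "$_ver" ]; then
      return 0
    fi
  done
  return 1
}

# Guarded front-end: pass non-install commands straight through, otherwise
# refuse the whole command if any requested package is blocked.
guarded_npm() {
  if [ "$1" != "install" ] && [ "$1" != "i" ]; then
    command npm "$@"
    return
  fi
  shift
  for _arg in "$@"; do
    case $_arg in
      -*) continue ;;   # flags such as --save-dev are not package specs
    esac
    if is_blocked "$_arg"; then
      echo "blocked: $_arg matches the denylist" >&2
      return 1
    fi
  done
  command npm install "$@"
}

# Stand-alone demo that exercises the check without touching the real npm.
for _demo in "event-stream@3.3.6" "event-stream@4.0.0" "@evil-scope/backdoor@1.0.0" "lodash"; do
  if is_blocked "$_demo"; then echo "BLOCK $_demo"; else echo "allow $_demo"; fi
done
```

Two limitations are worth noting, because they are exactly where a real guard has to do more work. First, this script only sees the direct specs typed on the command line; transitive dependencies are resolved by the package manager itself and never pass through the wrapper, so a production tool needs to hook the resolution step or inspect the lockfile. Second, matching on a static list of names and versions is only as good as the list; protection against freshly published malicious packages needs an up-to-date source of package intelligence rather than a file shipped with the script.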

(Demo video embedded in the original post.)

Add Language Rules for xBOM

xbom generates XBOMs using static code analysis. You can contribute by adding support for new programming languages, improving the static code analysis engine, or adding new features such as integration with SCA tools and CI/CD pipelines. See the open issues for more details. Here is a demo of how it works.

(Demo video embedded in the original post.)

Community and Support

SafeDep has an active community of developers and security researchers who are passionate about securing the open source software supply chain. You can join the SafeDep Community Discord to discuss SafeDep projects, get help, and share your ideas.

License

All SafeDep open source projects are licensed under the Apache 2.0 License. This means you can use, modify, and distribute the code freely, including in your personal or commercial projects.

  • hacktoberfest
  • oss
  • vet
  • pmg
  • xbom

Author

SafeDep Team

safedep.io
