Contributing to SafeDep Open Source Projects during Hacktoberfest 2025
About Hacktoberfest
Hacktoberfest is an annual event that encourages developers to contribute to open source projects. The event is organized by DigitalOcean, GitHub, and other partners, and it takes place every year, during the month of October.
Who can contribute
Anyone can participate in Hacktoberfest. As an open source first company, SafeDep OSS projects are open to contributions from developers of all skill levels and backgrounds. However, as a company specializing in software supply chain security, we particularly encourage security researchers and professionals to contribute to our projects.
If you are a security engineer who wants to get familiar with developer workflows, or a developer who wants to learn more about security, this is a great opportunity to contribute to projects that focus on securing the open source software supply chain.
How to contribute
SafeDep open source projects are available in the following GitHub repositories. Do not forget to star the repositories you are interested in to receive updates and show your support.
Project | Description | Repository |
---|---|---|
vet | Swiss army knife for vetting open source packages | github.com/safedep/vet |
pmg | Package manager guard against malicious packages | github.com/safedep/pmg |
xbom | Generate XBOMs with static code analysis | github.com/safedep/xbom |
Here is how you can choose a project to contribute to.
- If you are a security researcher, you can contribute to vet by adding new policies, ecosystem support, etc.
- If you are looking to improve developer security, look at pmg, which is designed to protect developers from malicious packages.
- If you are interested in static code analysis, look at xbom, which uses a custom static code analysis engine and YAML based signatures to match code semantics.
Getting started is easy. Just follow these steps:
- You must have a GitHub or GitLab account and be signed in to Hacktoberfest
- Navigate to any of the repositories, such as https://github.com/safedep/vet
- Look at the issues section
- If you are getting started, look for issues with the good first issue label
- Add a comment to the issue you want to work on and request to be assigned
- Raise a pull request with your changes
- Go through the review process and get your PR merged
Once your PR is merged, your contribution will be counted towards Hacktoberfest. You can track your progress on the Hacktoberfest dashboard.
Interesting use-cases
Securing AI Code Generation
vet supports an embedded MCP server that integrates with AI IDEs and coding agents such as Cursor and Claude Code. You can contribute by testing the integration with various coding agents, adding new tools that help developers write secure code, and preventing vulnerable and malicious open source packages from being used in the generated code. Here is a demo of how it works with Claude Code.
You can find more information about this integration in the docs. See the open issues for open items, ideas and feature requests.
Improve PMG
pmg acts as a security wrapper for popular package managers such as npm and pnpm. You can contribute by adding support for new package managers, improving the developer experience, or adding new features such as a rule engine or an offline database. See the open issues for more details. Here is a demo of how it works.
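To make concrete what a package manager guard of the kind pmg describes has to do, here is an added illustrative example in Go. It is not pmg's own code or design: it parses an `npm install` command line, checks each requested package against a constructed block policy, and refuses the whole command when any package is blocked, or when an unpinned request could resolve to a blocked release. The policy contents, the package names and the function names (`ParseInstallArgs`, `Guard`, `samplePolicy`) are all assumptions made for this example.

```go
package main

import (
	"fmt"
	"os"
	"strings"
)

// PackageRef is one package specifier taken from a package manager command line.
type PackageRef struct {
	Name    string
	Version string // empty when the request is unpinned
}

// splitSpec splits "name@version" into its parts. Scoped npm names start
// with "@", so the scope marker must not be mistaken for the version separator.
func splitSpec(spec string) PackageRef {
	start := 0
	if strings.HasPrefix(spec, "@") {
		start = 1
	}
	if i := strings.Index(spec[start:], "@"); i >= 0 {
		return PackageRef{Name: spec[:start+i], Version: spec[start+i+1:]}
	}
	return PackageRef{Name: spec}
}

// ParseInstallArgs extracts package specifiers from an argv such as
// ["npm", "install", "left-pad@1.3.0", "--save-dev"]. It returns ok=false
// for subcommands the guard does not gate, which the wrapper passes through.
func ParseInstallArgs(argv []string) (refs []PackageRef, ok bool) {
	if len(argv) < 2 {
		return nil, false
	}
	switch argv[1] {
	case "install", "i", "add":
	default:
		return nil, false
	}
	for _, a := range argv[2:] {
		if strings.HasPrefix(a, "-") {
			continue // flags are not packages
		}
		refs = append(refs, splitSpec(a))
	}
	return refs, true
}

// Policy is a constructed, hypothetical block policy: package name -> blocked
// versions, where "*" blocks every version. A real guard would back this with
// a malicious package feed rather than a hard-coded map.
type Policy struct {
	Blocked map[string][]string
}

// Evaluate returns "" when the package is allowed, otherwise the reason it was refused.
func (p Policy) Evaluate(ref PackageRef) string {
	versions, found := p.Blocked[ref.Name]
	if !found {
		return ""
	}
	for _, v := range versions {
		if v == "*" {
			return fmt.Sprintf("%s is blocked in all versions", ref.Name)
		}
		if v == ref.Version {
			return fmt.Sprintf("%s@%s is a known malicious release", ref.Name, ref.Version)
		}
		if ref.Version == "" {
			// An unpinned request could resolve to the blocked version: fail closed.
			return fmt.Sprintf("%s is unpinned and %s@%s is blocked", ref.Name, ref.Name, v)
		}
	}
	return ""
}

// samplePolicy is constructed sample data for this example; the names are invented.
var samplePolicy = Policy{Blocked: map[string][]string{
	"evil-pkg":          {"*"},
	"@acme/http-helper": {"2.0.1"},
}}

// Guard decides whether the wrapped command may run. Any refused package
// blocks the whole command, so partial installs never happen.
func Guard(p Policy, argv []string) (allowed bool, reasons []string) {
	refs, gated := ParseInstallArgs(argv)
	if !gated {
		return true, nil
	}
	for _, r := range refs {
		if why := p.Evaluate(r); why != "" {
			reasons = append(reasons, why)
		}
	}
	return len(reasons) == 0, reasons
}

func main() {
	// In a real wrapper argv would come from os.Args, and an allowed command
	// would be exec'd to the real package manager; here it is constructed inline.
	argv := []string{"npm", "install", "left-pad@1.3.0", "@acme/http-helper@2.0.1", "--save"}
	ok, reasons := Guard(samplePolicy, argv)
	if !ok {
		fmt.Fprintln(os.Stderr, "refusing to run:", strings.Join(reasons, "; "))
		os.Exit(1)
	}
	fmt.Println("allowed:", strings.Join(argv, " "))
}
```

The design choice worth noting is that the guard fails closed on unpinned requests for a package with a blocked release: the wrapper does not know which version the resolver will pick, so it refuses rather than guessing. Subcommands it does not understand are passed through unchanged, which keeps the wrapper from breaking unrelated developer workflows.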
Add Language Rules for xBOM
xbom generates XBOMs using static code analysis. You can contribute by adding support for new programming languages, improving the static code analysis engine, or adding new features such as integration with SCA tools and CI/CD pipelines. See the open issues for more details. Here is a demo of how it works.
Community and Support
SafeDep has an active community of developers and security researchers who are passionate about securing the open source software supply chain. You can join the SafeDep Community Discord to discuss SafeDep projects, get help, and share your ideas.
License
All SafeDep open source projects are licensed under the Apache 2.0 License. This means you can use, modify, and distribute the code freely, including for your personal or commercial projects.
- hacktoberfest
- oss
- vet
- pmg
- xbom
Author
SafeDep Team
safedep.io