SQL Query Interface over SBOM using SafeDep Cloud
Table of Contents
Developer experience is often specialized. Apart from providing domain specific use-cases, ease of getting started and ample documentation, flexibility of use especially with custom integration is important. This allows developer and security engineers, who are often subject matter experts to use a solution as per their requirement instead of compromising and following the workflows enforced by the product. This is a key focus at SafeDep in our product development efforts. We want to provide the best experience to security and platform engineers in protecting themselves against malicious, vulnerable and risky open source components.
To enable this, we shipped a key building block required to find what you need. Instead of being restricted by UI and Tables, engineers can use their familiar SQL query language to find and export security risk related information from SafeDep Cloud. Here is a quick #build-in-public
demo of this feature.
Example
Let’s find all the repositories on-boarded into SafeDep Cloud using vet
vet cloud query execute --sql \ "select projects.name, projects.version from projects"
This produces
Query returned 3 results┌───────────────────────────────────────────┬──────────────────┐│ PROJECTS.NAME │ PROJECTS.VERSION │├───────────────────────────────────────────┼──────────────────┤│ https://github.com/safedep/vet .git │ main │├───────────────────────────────────────────┼──────────────────┤│ https://github.com/safedep/api.git │ main │├───────────────────────────────────────────┼──────────────────┤│ https://github.com/safedep/control.git │ main │└───────────────────────────────────────────┴──────────────────┘
Leaking private repositories :-O
You can also use complex queries to filter across an organization wide SBOM
select vulnerabilities.cve_id, vulnerabilities.summary from projects where projects.name = 'safedep/demo-client-java' and projects.version = 'v1.2.3' and vulnerabilities.risk = 'CRITICAL'
Queries can be exported to file as CSV or Markdown
vet cloud query --sql $SQL --csv /path/to/out.csv
Build in Public Update
If you like what you see so far, check out a development walkthrough of what we are building at #SafeDep
SafeDep Cloud is currently at invite-only preview stage. You can register and get invited to our early adopter program.
Register for SafeDep Cloud
Leverage the power of SafeDep cloud to build an organization wide SBOM, export as CycloneDX and execute flexible queries to discover actionable risks.
- vet
- sbom
- sql
- cloud
Author
SafeDep Team
safedep.io
Share
The Latest from SafeDep blogs
Follow for the latest updates and insights on open source security & engineering

Contributing to SafeDep Open Source Projects during Hacktoberfest 2025
Learn how to contribute to SafeDep open source projects during Hacktoberfest 2025 and help secure the open source software supply chain.

Shai-Hulud Supply Chain Attack Incident Response
The Shai-Hulud supply chain attack is a major incident targeting developers through malicious packages in the npm ecosystem. This post outlines the incident response steps that can be taken to...

Ship Code. Not Malware. SafeDep Launches GitHub App for Malicious Package Protection
SafeDep launches a GitHub App for zero-configuration protection against malicious open source packages. Instantly scan pull requests and keep your code repositories safe from supply chain attacks.

Diff-based SCA with AI is Broken — Real Examples from Pipfile.lock, yarn.lock, and Cargo.lock
Diff-based Software Composition Analysis (SCA) scanners in pull requests are prone to blind spots. By relying only on git diff data, they miss package context, suffer from nondeterministic...

Ship Code
Not Malware
Install the SafeDep GitHub App to keep malicious packages out of your repos.
