Eliminating SCA Noise using Dependency Usage Evidence
Table of Contents
A 3rd party dependency may be referenced in a package manifest such as requirements.txt or package-lock.json but not actually used in code. Vulnerabilities or other risks in such packages are not useful. Most SCA tools today lack the code context information preventing them from distinguishing between dependencies that are actually used in the codebase and those that are not. SafeDep Code Analysis framework augments vet, our free and open source tool with code context. This allows us to eliminate false positives and noise by considering the actual usage of a dependency in the codebase. In this article, we will look at how we can use dependency usage evidence to eliminate noise in SCA.
Getting Started
Ensure you have vet 1.9.2+ installed in your system. For help with installation, refer to the vet Installation Guide.
Create Code Analysis Database
Analyse your code base to create a code analysis database:
vet code scan --app /path/to/code --db /tmp/code.dbRun vet Scan with Code Analysis Database
Run vet scan with code analysis database to augment vet results with code context information:
vet scan -D /path/to/repository --code /tmp/code.dbDemo
- sca
- nextgen-sca
- code-analysis
- guide
Author
SafeDep Team
safedep.io
Share
The Latest from SafeDep blogs
Follow for the latest updates and insights on open source security & engineering

Malicious npm Packages Impersonating Hyatt Internal Dependencies
Three malicious npm packages disguised as Hyatt internal dependencies were discovered using install hooks to execute malicious payloads. All packages share identical attack patterns and...

Ship Code. Not Malware. SafeDep Launches GitHub App for Malicious Package Protection
SafeDep launches a GitHub App for zero-configuration protection against malicious open source packages. Instantly scan pull requests and keep your code repositories safe from supply chain attacks.

Contributing to SafeDep Open Source Projects during Hacktoberfest 2025
Learn how to contribute to SafeDep open source projects during Hacktoberfest 2025 and help secure the open source software supply chain.

Shai-Hulud Supply Chain Attack Incident Response
The Shai-Hulud supply chain attack is a major incident targeting developers through malicious packages in the npm ecosystem. This post outlines the incident response steps that can be taken to...

Ship Code
Not Malware
Install the SafeDep GitHub App to keep malicious packages out of your repos.
