vet GitHub Action

vet is a tool for finding security risks in OSS components. For more details, refer to the vet GitHub repository: https://github.com/safedep/vet

Usage

Follow the setup instructions for a step-by-step guide on how to integrate vet in your GitHub repository with customizable policies.

Quick Start

Follow the quick start if you want to integrate vet as a step in your existing GitHub Actions workflow.

TL;DR: add this GitHub Action step to vet your changed dependencies during a pull request.

```yaml
# Token permissions must be declared at the job (or workflow) level;
# GitHub Actions does not accept a `permissions` key on an individual step.
permissions:
  contents: read
  issues: write
  pull-requests: write

steps:
  - name: Run vet
    id: vet
    uses: safedep/vet-action@v1
    env:
      GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
```

The output of vet-action is a SARIF report that can be uploaded to GitHub Code Scanning.

```yaml
- name: Upload SARIF
  uses: github/codeql-action/upload-sarif@v3
  with:
    sarif_file: ${{ steps.vet.outputs.report }}
    category: vet
```

Setup Instructions

Follow these instructions to integrate vet as a GitHub Action in your GitHub repository:

```bash
mkdir -p .github/workflows .github/vet
curl -o .github/vet/policy.yml -L https://raw.githubusercontent.com/safedep/vet-action/main/example/policy.yml
curl -o .github/workflows/vet-ci.yml -L https://raw.githubusercontent.com/safedep/vet-action/main/example/vet-ci.yml
```

Configuration

vet-action accepts the following additional configuration inputs for customizing how vet is invoked during a scan.

<!-- markdownlint-disable MD013 -->
| GitHub Action Input | Example Value | Notes |
|---------------------|---------------|-------|
| policy | policies/sample.yml | Path to vet YAML policy file (filter suite) |
| exception-file | config/exceptions.yml | Path to vet exception YAML file |
| trusted-registries | https://r1.org, https://r2.org | Comma (`,`) separated string of registry base URLs |
<!-- markdownlint-enable MD013 -->
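A complete workflow that ties together the quick start step, the SARIF upload and the configuration inputs listed above. This is an added example, not the project's own example/vet-ci.yml; the policy and exception file paths, the `main` branch name and the registry URLs are assumptions, and `https://registry.example.org` is a placeholder for an internal registry.

```yaml
# Added example (not the project's own vet-ci.yml): .github/workflows/vet-ci.yml
# Assumes .github/vet/policy.yml and .github/vet/exceptions.yml exist in the
# repository and that https://registry.example.org stands in for an internal registry.
name: vet OSS components

on:
  pull_request:
    branches: [main]

# Deny everything by default at the workflow level; each job then requests
# only the permissions it needs (least privilege for the GITHUB_TOKEN).
permissions: {}

jobs:
  vet:
    runs-on: ubuntu-latest
    permissions:
      contents: read          # check out the repository
      issues: write           # let vet report findings on issues
      pull-requests: write    # let vet comment on the pull request
      security-events: write  # required by upload-sarif to publish to Code Scanning
    steps:
      - name: Checkout
        uses: actions/checkout@v4

      - name: Run vet
        id: vet
        uses: safedep/vet-action@v1
        with:
          # Inputs from the configuration table above; paths are assumptions
          policy: .github/vet/policy.yml
          exception-file: .github/vet/exceptions.yml
          # Comma-separated registry base URLs treated as trusted
          trusted-registries: https://registry.npmjs.org, https://registry.example.org
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}

      - name: Upload SARIF
        uses: github/codeql-action/upload-sarif@v3
        with:
          sarif_file: ${{ steps.vet.outputs.report }}
          category: vet
```

Keeping the workflow-level `permissions: {}` and granting scopes per job means a compromised or misbehaving step in another job of the same workflow does not inherit write access to issues, pull requests or security events.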

Support

Development

Refer to the development documentation.