This is the official documentation website for safedep.io. Here you will find everything you need to know about using SafeDep’s open source tools and SafeDep Cloud to safeguard your applications against open source software supply chain risks.

Why Open Source Security Matters

Did you know? It has been estimated that Free and Open Source Software (FOSS) makes up 70-90% of the code in a typical modern software product.
With this level of dependency on open source, security teams need automated tools to consume OSS components safely without slowing down development velocity. In 2026, open source usage is no longer limited to libraries: the adoption of Agent Skills and community projects such as Clawhub has extended open source software supply chain risk to AI agents as well.

Open Source First

SafeDep is built on the belief that security tools should be free, transparent, and accessible to everyone. Our core mission is to provide the security community with powerful open source tools that protect applications from supply chain threats. Our Open Source Tools:
  • vet - Supply chain security analysis for CI/CD pipelines
  • pmg - Protect developers from malicious open source packages
  • xBom - SBOM enriched with AI, Crypto and other metadata using static code analysis
  • gryph - Audit trail for AI coding agents
These tools are completely free and built in public with community involvement. They operate independently and can be used without any commercial relationship with SafeDep.

How SafeDep Works

SafeDep is a cloud platform for end-to-end open source software supply chain security. At its core, SafeDep builds and operates large-scale malicious package scanning infrastructure for real-time analysis of open source packages. The SafeDep open source tools are free to use and work independently of SafeDep Cloud. SafeDep Cloud adds a zero-friction, unified platform experience for security teams to manage open source software supply chain risk across their entire SDLC. Start for free and expand to SafeDep Cloud for the unified platform experience; see the pricing page for details.

Malicious Package Protection

SafeDep continuously scans open source packages for malicious code using a combination of static and dynamic analysis. Suspicious packages are verified by security experts to confirm malicious behavior. Both our open source tools and SafeDep Cloud leverage this malicious package detection capability to provide comprehensive protection against open source software supply chain risks.
The diagram below shows how SafeDep works to protect your open source software supply chain against malicious packages.

What’s Next?