Scanning package manifests is resource-intensive as it involves enriching package metadata by querying the Insights API. However, filtering and reporting may be done multiple times on the same manifest. To speed up this process, you can dump enriched data as JSON and load it for subsequent filtering and reporting operations.

Query Workflow

The BYOQ workflow consists of two main phases:

1

Data Collection

Scan and enrich package data, then dump to JSON files for reuse

2

Analysis & Reporting

Load enriched data for fast filtering, querying, and report generation

Phase 1: Dump Enriched JSON Manifests

Collect and enrich package data, then save to a directory for reuse:

# Single manifest file
vet scan --lockfile /path/to/package-lock.json --json-dump-dir /tmp/dump

# Entire repository
vet scan -D /path/to/repository --json-dump-dir /tmp/dump-many

The JSON dump contains all enriched metadata including vulnerabilities, scorecard data, licenses, and project information.

Phase 2: Load and Query Enriched Metadata

Use the dumped data for fast filtering and reporting:

# Generate summary report
vet query --from /tmp/dump --report-summary

# Apply custom filters
vet query --from /tmp/dump --filter 'scorecard.scores.Maintained == 0'

Security Guardrails with Filters

Implement security guardrails in CI/CD pipelines using the --filter-fail argument, which causes the command to fail if any package matches the given filter.

Example: Fail Build on Unmaintained Packages

vet query --from /path/to/json-dump \
    --filter 'scorecard.scores.Maintained == 0' \
    --filter-fail

When packages match the filter criteria, the command exits with a non-zero status:

echo $?
# Output: 255

Advanced Query Examples

Multi-Criteria Security Checks

# Fail on critical vulnerabilities OR unmaintained packages
vet query --from /tmp/dump \
    --filter 'vulns.critical.size() > 0 || scorecard.scores.Maintained == 0' \
    --filter-fail

License Compliance Checks

# Find packages with non-approved licenses
vet query --from /tmp/dump \
    --filter '!licenses.exists(p, p in ["MIT", "Apache-2.0", "BSD-3-Clause"])' \
    --report-json compliance-violations.json

Risk Assessment Queries

# Find high-risk packages (multiple criteria)
vet query --from /tmp/dump \
    --filter 'vulns.high.size() > 0 && scorecard.scores.Security < 5 && projects.exists(p, p.stars < 100)'