Scanning package manifests is resource-intensive as it involves enriching package metadata by querying the Insights API. However, filtering and reporting may be done multiple times on the same manifest. To speed up this process, you can dump enriched data as JSON and load it for subsequent filtering and reporting operations.
## Query Workflow

The BYOQ workflow consists of two main phases:

1. **Data Collection**: scan and enrich package data, then dump it to JSON files for reuse.
2. **Analysis & Reporting**: load the enriched data for fast filtering, querying, and report generation.
### Phase 1: Dump Enriched JSON Manifests

Collect and enrich package data, then save it to a directory for reuse:

```bash
# Single manifest file
vet scan --lockfile /path/to/package-lock.json --json-dump-dir /tmp/dump

# Entire repository
vet scan -D /path/to/repository --json-dump-dir /tmp/dump-many
```
The JSON dump contains all enriched metadata including vulnerabilities, scorecard data, licenses, and project information.
### Phase 2: Analysis & Reporting

Use the dumped data for fast filtering and reporting without re-querying the Insights API:

```bash
# Generate summary report
vet query --from /tmp/dump --report-summary

# Apply custom filters
vet query --from /tmp/dump --filter 'scorecard.scores.Maintained == 0'
```
## Security Guardrails with Filters

Implement security guardrails in CI/CD pipelines using the `--filter-fail` argument, which causes the command to fail if any package matches the given filter.

### Example: Fail Build on Unmaintained Packages

```bash
vet query --from /path/to/json-dump \
  --filter 'scorecard.scores.Maintained == 0' \
  --filter-fail
```
When packages match the filter criteria, the command exits with a non-zero status:
## Advanced Query Examples

### Multi-Criteria Security Checks

```bash
# Fail on critical vulnerabilities OR unmaintained packages
vet query --from /tmp/dump \
  --filter 'vulns.critical.size() > 0 || scorecard.scores.Maintained == 0' \
  --filter-fail
```

### License Compliance Checks

```bash
# Find packages with non-approved licenses
vet query --from /tmp/dump \
  --filter '!licenses.exists(p, p in ["MIT", "Apache-2.0", "BSD-3-Clause"])' \
  --report-json compliance-violations.json
```

### Risk Assessment Queries

```bash
# Find high-risk packages (multiple criteria)
vet query --from /tmp/dump \
  --filter 'vulns.high.size() > 0 && scorecard.scores.Security < 5 && projects.exists(p, p.stars < 100)'
```
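The two-phase workflow and the `--filter-fail` guardrails above can be combined into one CI script that enriches a manifest once and then runs several named policies against the same dump. This is an added example, not part of the vet project; the policy names and `DUMP_DIR` are constructed for illustration, and the `vet` binary is assumed to be on `PATH`.

```shell
#!/bin/sh
# Added example (not vet's own code): CI guardrails for the BYOQ workflow.
# Phase 1 enriches once and dumps JSON; phase 2 runs several named
# --filter-fail checks against that dump. Policy names and DUMP_DIR are
# constructed for illustration; `vet` is assumed to be on PATH.
set -u

DUMP_DIR="${DUMP_DIR:-/tmp/dump}"

# One guardrail per line: <name>|<CEL filter>. The filters are the ones
# used on this page; more lines can be added without rescanning.
POLICIES='unmaintained|scorecard.scores.Maintained == 0
critical-vulns|vulns.critical.size() > 0
license|!licenses.exists(p, p in ["MIT", "Apache-2.0", "BSD-3-Clause"])'

# Phase 1: enrich the manifest once and dump it. $1 = lockfile path.
dump_manifest() {
  vet scan --lockfile "$1" --json-dump-dir "$DUMP_DIR"
}

# Phase 2: run one filter against the dump with --filter-fail; the exit
# status is non-zero when any package matches the filter.
check_policy() {
  vet query --from "$DUMP_DIR" --filter "$1" --filter-fail
}

# Run every policy, print PASS/FAIL per guardrail and return the number
# of failing guardrails (0 means the build may proceed).
run_guardrails() {
  failed=0
  while IFS='|' read -r name filter; do
    if check_policy "$filter" >/dev/null 2>&1; then
      printf 'PASS %s\n' "$name"
    else
      printf 'FAIL %s (%s)\n' "$name" "$filter"
      failed=$((failed + 1))
    fi
  done <<EOF
$POLICIES
EOF
  return "$failed"
}

# Usage: sh guardrails.sh --run /path/to/package-lock.json
if [ "${1:-}" = "--run" ]; then
  dump_manifest "$2" && run_guardrails
fi
```

The script's exit status is the number of failing guardrails, so a CI step can fail on any non-zero value while the log still names every policy that matched.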