Skip to main content
SafeDep GitHub App integrates with your GitHub repositories to help you manage your open source software supply chain. The advantage of using the app over SafeDep GitHub Action are:
  • Zero configuration installation and immediate visibility of security findings in your repositories
  • Protects against malicious open source packages
  • Easy to use and get started without friction
  • Provides optional SafeDep Cloud integration for centralized policy management and reporting

​
How to Install

  1. Navigate to SafeDep GitHub App
  2. Click Install
  3. Follow the instructions to install the app in your GitHub organization or repository

​
How to Use

SafeDep GitHub App automatically scans pull requests for open source dependency changes. Newly introduced or updated dependencies are scanned for vulnerabilities and malware.

​
Reports

GitHub App Report Demo On every Pull Request, SafeDep GitHub App scans the updated packages and creates a detailed list with analysis on:

​
Active Protection

GitHub App Gating Demo Upon any failure to these reports the GitHub App Check will fail, protecting the branch from any harmful package. The GitHub Check will fail if there is any Verified Malicious Package, any Vulnerability or any Risky License.

​
Appendix

​
Vulnerabilities

  • The current version of SafeDep GitHub App check for any CRITICAL AND HIGH risk vulnerability.
  • OSV is used as the vulnerability database

​
Risky Licenses

  • The current version of SafeDep GitHub App classify following licenses as Risky:
    • GPL-2.0
    • GPL-2.0-only
    • GPL-2.0-or-later
    • GPL-3.0
    • GPL-3.0-only
    • GPL-3.0-or-later
    • LGPL-2.1
    • LGPL-2.1-only
    • LGPL-2.1-or-later
    • LGPL-3.0
    • LGPL-3.0-only
    • LGPL-3.0-or-later
    • AGPL-3.0
    • AGPL-3.0-only
    • AGPL-3.0-or-later
    • EPL-2.0

​
Supported Lockfiles

  • The current version of SafeDep GitHub App supports these lockfiles and ecosystems:
    1. NPM
    • package-lock.json
    • pnpm-lock.yaml
    • yarn.lock
    1. GoLang
    • go.mod
    1. PyPI
    • requirements.txt
    • uv.lock
    • poetry.lock
    • Pipfile.lock
    1. RubyGems
    • Gemfile.lock
    1. Cargo (Rust)
    • Cargo.lock
    1. Packagist (PHP)
    • composer.lock
    1. Maven (Java)
    • pom.xml
    • grade.lockfile