Skip to main contentSafeDep GitHub App integrates with your GitHub repositories to help you
manage your open source software supply chain. The advantage of using the app over SafeDep
GitHub Action are:
- Zero configuration installation and immediate visibility of security findings in your repositories
- Protects against malicious open source packages
- Easy to use and get started without friction
- Provides optional SafeDep Cloud integration for centralized policy management and reporting
How to Install
- Navigate to SafeDep GitHub App
- Click Install
- Follow the instructions to install the app in your GitHub organization or repository
How to Use
SafeDep GitHub App automatically scans pull requests for open source dependency changes. Newly introduced
or updated dependencies are scanned for vulnerabilities and malware.
Reports
On every Pull Request, SafeDep GitHub App scans the updated packages and creates a detailed list with analysis on:
Active Protection
Upon any failure to these reports the GitHub App Check will fail, protecting the branch from any harmful package.
The GitHub Check will fail if there is any Verified Malicious Package, any Vulnerability or any Risky License.
Appendix
Vulnerabilities
- The current version of SafeDep GitHub App check for any
CRITICAL AND HIGH risk vulnerability.
- OSV is used as the vulnerability database
Risky Licenses
-
The current version of SafeDep GitHub App classify following licenses as Risky:
GPL-2.0GPL-2.0-onlyGPL-2.0-or-laterGPL-3.0GPL-3.0-onlyGPL-3.0-or-laterLGPL-2.1LGPL-2.1-onlyLGPL-2.1-or-laterLGPL-3.0LGPL-3.0-onlyLGPL-3.0-or-laterAGPL-3.0AGPL-3.0-onlyAGPL-3.0-or-laterEPL-2.0
Supported Lockfiles
- The current version of SafeDep GitHub App supports these lockfiles and ecosystems:
- NPM
package-lock.jsonpnpm-lock.yamlyarn.lock
- GoLang
- PyPI
requirements.txtuv.lockpoetry.lockPipfile.lock
- RubyGems
- Cargo (Rust)
- Packagist (PHP)
- Maven (Java)
