GitHub Code Scanning
GitHub supports uploading SARIF
GitLab Dependency Scanning
vet supports native GitLab Dependency Scanning. You can use vet to protect your project from malicious and vulnerable dependencies on every push and merge request to GitLab.
Code Analysis
EXPERIMENTAL: This feature is experimental and may introduce breaking changes.
Dependency Usage Identification through Code Analysis
vet can identify dependency usage in your code using static code analysis.
Dependency Inventory
Package managers such as Maven and Gradle have the most accurate view of library dependencies. They can be used to resolve the dependencies, generate an SBOM and scan it with vet for better accuracy. In this guide, we will use the CycloneDX Gradle plugin to generate a software bill of materials (SBOM) and scan it using vet.
CycloneDX SBOM generation
vet supports CycloneDX v1.6 SBOM generation. The generated SBOM provides a comprehensive inventory of all packages and their dependencies in the project. It includes security metadata such as detected vulnerabilities, malware and license information for each dependency.
Programmatic Access to Insights API
To follow this guide you need a SafeDep Cloud API Key and Tenant Identifier.
Audit Terraform Provider Inventory for Supply Chain Risks
To follow this guide you need a SafeDep Cloud API Key and Tenant Identifier.
DefectDojo Integration
vet supports integration with DefectDojo to track and manage vulnerabilities. You can export vulnerabilities, policy violations and other findings to DefectDojo. Each scan is reported as a new engagement in DefectDojo.