
🐛 Malicious Package Scanning

Info: Malicious Package Scanning is a SafeDep Cloud service. It is currently available as an early preview with limited support.

This document describes how to use vet to analyze open source packages for malicious code. This is a SafeDep Cloud hosted service and supports scanning only package artifacts available in public package registries (e.g. npm).

Supported Ecosystems

  1. npm
  2. PyPI
  3. Go Modules
  4. RubyGems

Requirements

  • You must have vet 1.9.1 or above installed
  • You must be onboarded to SafeDep Cloud and have your Tenant Domain and an API Key

Refer to SafeDep Cloud Quickstart for more information on how to onboard and get an API key.

Malicious Package Scanning with vet

Configure vet with SafeDep Cloud

vet auth configure --tenant your-tenant-domain

Note: You will be prompted to enter an API key.

Verify API connectivity and authentication with vet

vet auth verify

Scanning a Repository

The newly introduced --malware flag in vet allows you to scan a repository for malware. It can be combined with all other vet scanning options to enable active scanning of the discovered OSS packages for malicious code.

To scan a repository for malware, use the following command:

vet scan -D /path/to/code --malware

Note: We make a trade-off between coverage and speed. vet is configured to wait for a timeout period for the malware analysis to complete. This should not be a problem during pull requests or CI/CD pipelines because the number of changed packages is usually low. The timeout can be adjusted using the --malware-analysis-timeout flag.

Other scanning options:

vet scan -M package-lock.json --malware
vet scan --purl pkg:/npm/[email protected] --malware

Scanning other ecosystems

vet scan -M requirements.txt --malware
vet scan -M go.mod --malware
vet scan -M Gemfile.lock --malware

GitHub Actions

vet-action has been extended to support cloud-mode for malicious package scanning. When enabled, it will actively scan packages changed during a pull request for malicious behaviour in code. Follow README.md to activate malicious package protection in your GitHub repository.

Once enabled, vet will scan the changed packages for malware and provide the results in the Pull Request.

The comment can be expanded to view individual package analysis results.

Inspecting a Package

Package inspection allows using vet to perform analysis of a single package, including dumping the results as JSON. The package inspection command in vet is currently experimental. Enable it by setting the environment variable:

export VET_ENABLE_PACKAGE_INSPECT_COMMAND=true

Inspect an npm package for malware

vet inspect malware --purl pkg:/npm/[email protected]

Note: The package analysis will be performed asynchronously. The scanning usually takes a few minutes but may take longer depending on pending analysis tasks in the queue.

On scan completion, vet will show the status of the analysis and classify the package as MALICIOUS or SAFE.

Scan Result

The analysis results can be exported as JSON using the --report-json parameter:

vet inspect malware \
--purl pkg:/npm/[email protected] \
--report-json /tmp/analysis.json
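Both vet scan --purl and vet inspect malware --purl take a single Package URL, so a script that wants to check several packages has to build one correct purl per package. The block below is an added example, not code from vet or SafeDep: it builds canonical purls for the four ecosystems this page lists (type names npm, pypi, golang and gem and the encoding rules come from the purl specification), parses them back, accepting the pkg:/type/... spelling used on this page because the specification tells parsers to ignore slashes between pkg: and the type, and assembles the vet command lines shown above. The package names and versions in it are constructed samples, and the run_vet helper is a hypothetical wrapper that only sets the environment variable this page documents.

```python
"""Build and parse Package URLs (purls) for the ecosystems this page lists,
so a script can hand packages to `vet scan --purl` or
`vet inspect malware --purl` one at a time.

Added example, not code from vet or SafeDep. purl type names (npm, pypi,
golang, gem) and the encoding rules follow the purl specification; the vet
flags and the VET_ENABLE_PACKAGE_INSPECT_COMMAND variable are the ones shown
on this page. All package names below are constructed samples.
"""
import os
import subprocess
from dataclasses import dataclass
from typing import List, Optional
from urllib.parse import quote, unquote

# Ecosystem as named on this page -> purl type as named in the purl spec.
PURL_TYPES = {"npm": "npm", "pypi": "pypi", "go": "golang", "rubygems": "gem"}


def _enc(segment: str) -> str:
    # Percent-encode one path segment: '/' and '@' inside a name must be
    # encoded so they cannot be mistaken for purl separators.
    return quote(segment, safe="")


def build_purl(ecosystem: str, name: str, version: str) -> str:
    """Return the canonical purl, pkg:type/namespace/name@version."""
    ptype = PURL_TYPES[ecosystem]
    if ptype == "npm" and name.startswith("@"):
        # Scoped package: "@scope/pkg" -> namespace "%40scope", name "pkg".
        scope, _, bare = name.partition("/")
        path = f"{_enc(scope)}/{_enc(bare)}"
    elif ptype == "pypi":
        # purl rule for PyPI: lowercase and replace '_' with '-'.
        path = _enc(name.lower().replace("_", "-"))
    elif ptype == "golang":
        # Module path: everything before the last '/' is the namespace.
        path = "/".join(_enc(p) for p in name.split("/"))
    else:
        path = _enc(name)
    return f"pkg:{ptype}/{path}@{_enc(version)}"


@dataclass(frozen=True)
class Purl:
    type: str
    namespace: Optional[str]
    name: str
    version: Optional[str]


def parse_purl(purl: str) -> Purl:
    """Parse a purl. Accepts 'pkg:/type/...' as well as 'pkg:type/...',
    since the spec says slashes between 'pkg:' and the type are ignored."""
    if not purl.startswith("pkg:"):
        raise ValueError(f"not a purl: {purl!r}")
    rest = purl[len("pkg:"):].lstrip("/")
    rest = rest.partition("#")[0].partition("?")[0]  # drop subpath, qualifiers
    ptype, _, path = rest.partition("/")
    if not ptype or not path:
        raise ValueError(f"purl needs a type and a name: {purl!r}")
    # The version separator is the last '@'; an encoded scope ('%40') never
    # contains a raw '@', which is why build_purl encodes it.
    head, sep, tail = path.rpartition("@")
    path, version = (head, unquote(tail)) if sep else (tail, None)
    segments = [unquote(s) for s in path.split("/") if s]
    namespace = "/".join(segments[:-1]) or None
    return Purl(ptype.lower(), namespace, segments[-1], version)


def vet_inspect_argv(purl: str, report_json: Optional[str] = None) -> List[str]:
    """argv for the single-package inspection command shown on this page."""
    argv = ["vet", "inspect", "malware", "--purl", purl]
    if report_json:
        argv += ["--report-json", report_json]
    return argv


def vet_scan_argv(purl: str) -> List[str]:
    """argv for 'vet scan --purl ... --malware'."""
    return ["vet", "scan", "--purl", purl, "--malware"]


def run_vet(argv: List[str]) -> int:
    """Hypothetical wrapper: run vet with the experimental inspect command
    enabled (the variable this page documents) and return its exit code."""
    env = dict(os.environ, VET_ENABLE_PACKAGE_INSPECT_COMMAND="true")
    return subprocess.run(argv, env=env, check=False).returncode


if __name__ == "__main__":
    # Constructed sample inputs, one per supported ecosystem.
    samples = [
        ("npm", "@scope/example-pkg", "1.2.3"),
        ("pypi", "Example_Pkg", "2.0.0"),
        ("go", "github.com/example/mod", "v0.3.1"),
        ("rubygems", "example-gem", "0.9.0"),
    ]
    for eco, name, ver in samples:
        p = build_purl(eco, name, ver)
        print(parse_purl(p), vet_inspect_argv(p, "/tmp/analysis.json"))
        # run_vet(vet_inspect_argv(p))  # needs a configured SafeDep Cloud tenant
```

The scope encoding is the part most often got wrong by hand: pkg:npm/@scope/pkg@1.2.3 contains two raw @ characters, so a parser splitting on the last @ still finds the version but a parser splitting on the first one does not, while the canonical pkg:npm/%40scope/pkg@1.2.3 is unambiguous for both.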