This feature allows you to analyze open source packages for malicious code using vet integrated with SafeDep Cloud’s hosted analysis service. The service supports scanning package artifacts from public package registries.

Supported Ecosystems

  • npm: JavaScript and TypeScript packages
  • PyPI: Python packages and wheels
  • Go Modules: Go language modules
  • RubyGems: Ruby packages and gems
  • GitHub Actions: GitHub Action workflows
  • VS Code Extensions: Visual Studio Code extensions

Requirements

1. Install vet

You must have vet version 1.9.7 or above installed.

2. SafeDep Cloud Access

You must be onboarded to SafeDep Cloud with:
  • Tenant Domain
  • API Key
See SafeDep Cloud Quickstart for onboarding instructions.

Repository Scanning

Basic Malware Scanning

Enable malware analysis with the --malware flag:
vet scan -D /path/to/code --malware
We make a trade-off between coverage and speed. vet waits for a timeout period for malware analysis to complete. This works well for pull requests and CI/CD pipelines where the number of changed packages is usually low.

Timeout Configuration

Adjust analysis timeout for different scenarios:
# Quick scan with shorter timeout
vet scan -D . --malware --malware-analysis-timeout 5m

# Thorough scan with longer timeout
vet scan -D . --malware --malware-analysis-timeout 15m

Specific Manifest Scanning

Scan individual package manifest files:
# npm projects
vet scan -M package-lock.json --malware

# Python projects
vet scan -M requirements.txt --malware

# Go projects
vet scan -M go.mod --malware

# Ruby projects
vet scan -M Gemfile.lock --malware

PURL-Based Scanning

Scan specific packages using Package URLs:
vet scan --purl pkg:/npm/llm-oracle@1.0.2 --malware
[Screenshot: Malware analysis results for the llm-oracle package]

Visual Studio Code Extensions

Scan locally installed VS Code extensions:
vet scan --vsx --malware
VS Code extension scanning is supported only for local developer machines, not in CI/CD environments.

GitHub Actions Integration

vet-action Cloud Mode

Enable malicious package protection in GitHub repositories using vet-action:
name: Malware Protection
on:
  pull_request:
    branches: [ main ]

jobs:
  malware-scan:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      
      - name: Run malware analysis
        uses: safedep/vet-action@v1
        with:
          cloud: true
          malware: true
          cloud-key: ${{ secrets.SAFEDEP_CLOUD_API_KEY }}
          cloud-tenant: ${{ secrets.SAFEDEP_CLOUD_TENANT }}
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}

Pull Request Integration

When enabled, vet scans changed packages for malware and provides results directly in pull requests.
[Screenshot: vet malware analysis in a GitHub PR]
Expand the comments to view detailed package analysis results.
[Screenshot: Detailed malware analysis results in a PR]

Package Inspection

Enable Experimental Feature

Package inspection is currently experimental. Enable it with:
export VET_ENABLE_PACKAGE_INSPECT_COMMAND=true

Inspect Single Packages

Perform detailed analysis of individual packages:
vet inspect malware --purl pkg:/npm/llm-oracle@1.0.2
Package analysis is performed asynchronously. Scanning usually takes a few minutes but may take longer depending on the analysis queue.

Analysis Results

On completion, vet shows the analysis status and classification.
[Screenshot: Malware scan result showing the package classification]

Export Results

Export analysis results as JSON:
vet inspect malware \
  --purl pkg:/npm/llm-oracle@1.0.2 \
  --report-json /tmp/analysis.json

Understanding Results

Classification Levels

  • SAFE: No malicious behavior detected
  • SUSPICIOUS: Potentially risky patterns identified
  • MALICIOUS: Confirmed malicious behavior found

Analysis Techniques

  • Code pattern analysis
  • Suspicious function detection
  • Obfuscation identification
  • Network communication patterns
  • File system access patterns
  • Process execution analysis
  • Package metadata anomalies
  • Publisher reputation analysis
  • Distribution pattern analysis

CI/CD Integration Examples

GitLab CI

stages:
  - security

malware-scan:
  stage: security
  image: ghcr.io/safedep/vet:latest
  script:
    - vet scan -D . --malware --report-json malware-report.json
  artifacts:
    # vet's JSON report is not one of GitLab's built-in artifacts:reports formats
    # (GitLab rejects unknown report keys), so keep it as a plain artifact
    paths:
      - malware-report.json
  variables:
    SAFEDEP_API_KEY: $SAFEDEP_API_KEY
    SAFEDEP_TENANT_ID: $SAFEDEP_TENANT_ID

Jenkins Pipeline

pipeline {
    agent any

    environment {
        // credentials() reads the secrets from the Jenkins credential store
        SAFEDEP_API_KEY = credentials('safedep-api-key')
        SAFEDEP_TENANT_ID = credentials('safedep-tenant-id')
    }

    stages {
        stage('Malware Scan') {
            steps {
                sh 'vet scan -D . --malware --report-json malware-results.json'
                // The JSON report is not in JUnit format, so it is archived with
                // the build rather than published as test results
                archiveArtifacts artifacts: 'malware-results.json'
            }
        }
    }
}

Best Practices

  • Use shorter timeouts for CI/CD environments
  • Scan only changed packages in pull requests
  • Cache analysis results when possible
  • Fail builds on malicious package detection
  • Set up alerts for suspicious packages
  • Regularly scan entire dependency trees
  • Train teams on interpreting results
  • Establish response procedures for malicious findings
  • Document approved exceptions for false positives
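The "fail builds on malicious package detection" and "document approved exceptions" practices above, together with the classification levels from Understanding Results, combined into one CI gate. This is an added example, not vet's or SafeDep's own code: the layout of the --report-json file is not shown on this page, so load_findings() assumes a top-level "packages" list with "purl" and "classification" entries, and the .vet-exceptions file name is an assumption too.

```python
"""CI gate over a vet malware report (added example, not vet's own code)."""
import json
import subprocess
import sys

# Classification levels documented for vet malware analysis
MALICIOUS, SUSPICIOUS, SAFE = "MALICIOUS", "SUSPICIOUS", "SAFE"

def run_vet_scan(path: str, report: str, timeout: str = "5m") -> None:
    """Run the documented scan command with a short, CI-friendly timeout."""
    subprocess.run(["vet", "scan", "-D", path, "--malware",
                    "--malware-analysis-timeout", timeout,
                    "--report-json", report], check=True)

def load_findings(report_path: str) -> list:
    """ASSUMED report shape: {"packages": [{"purl": ..., "classification": ...}]}.
    Adapt this one function to the real JSON written by --report-json."""
    with open(report_path, encoding="utf-8") as fh:
        return json.load(fh).get("packages", [])

def load_exceptions(path: str) -> set:
    """Approved exceptions: one exact purl (including version) per line, '#' comments.
    Pinning the full version means a newly published version is evaluated afresh."""
    try:
        with open(path, encoding="utf-8") as fh:
            return {ln.strip() for ln in fh if ln.strip() and not ln.startswith("#")}
    except FileNotFoundError:
        return set()

def gate(findings: list, exceptions: set) -> tuple:
    """Return (exit_code, blocked, warned).
    MALICIOUS blocks the build unless the exact purl is an approved exception;
    SUSPICIOUS packages and excepted MALICIOUS ones are surfaced as warnings."""
    blocked, warned = [], []
    for finding in findings:
        purl = finding.get("purl", "")
        cls = str(finding.get("classification", "")).upper()
        if cls == MALICIOUS and purl not in exceptions:
            blocked.append(purl)
        elif cls in (MALICIOUS, SUSPICIOUS):
            warned.append(purl)
    return (1 if blocked else 0), blocked, warned

if __name__ == "__main__":
    report = "malware-report.json"
    run_vet_scan(sys.argv[1] if len(sys.argv) > 1 else ".", report)
    code, blocked, warned = gate(load_findings(report), load_exceptions(".vet-exceptions"))
    for purl in warned:
        print(f"WARN  {purl}")
    for purl in blocked:
        print(f"BLOCK {purl}")
    sys.exit(code)
```

Run it as the scan step of a pipeline; a non-zero exit fails the job only for unexcepted MALICIOUS findings, so SUSPICIOUS results are visible in the log without blocking every build.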

Troubleshooting

If analysis times out frequently:
  • Increase timeout with --malware-analysis-timeout
  • Scan smaller package sets
  • Check network connectivity to SafeDep Cloud
If malware analysis fails with auth errors:
  • Verify API key has malware analysis permissions
  • Check tenant configuration
  • Ensure you’re using vet v1.9.7 or later
If legitimate packages are flagged:
  • Review the analysis details
  • Contact SafeDep support with package details
  • Use exceptions management for temporary overrides