Malicious Package Scanning is a SafeDep Cloud service currently available as early preview with limited support.

This feature allows you to analyze open source packages for malicious code using vet integrated with SafeDep Cloud’s hosted analysis service. The service supports scanning package artifacts from public package registries.

Supported Ecosystems

npm

JavaScript and TypeScript packages

PyPI

Python packages and wheels

Go Modules

Go language modules

RubyGems

Ruby packages and gems

GitHub Actions

GitHub Action workflows

VS Code Extensions

Visual Studio Code extensions

Requirements

1

Install vet

You must have vet version 1.9.7 or above installed

2

SafeDep Cloud Access

You must be onboarded to SafeDep Cloud with:

  • Tenant Domain
  • API Key

See SafeDep Cloud Quickstart for onboarding instructions

Repository Scanning

Basic Malware Scanning

Enable malware analysis with the --malware flag:

vet scan -D /path/to/code --malware

We make a trade-off between coverage and speed. vet waits for a timeout period for malware analysis to complete. This works well for pull requests and CI/CD pipelines where the number of changed packages is usually low.

Timeout Configuration

Adjust analysis timeout for different scenarios:

# Quick scan with shorter timeout
vet scan -D . --malware --malware-analysis-timeout 5m

# Thorough scan with longer timeout
vet scan -D . --malware --malware-analysis-timeout 15m

Specific Manifest Scanning

Scan individual package manifest files:

# npm projects
vet scan -M package-lock.json --malware

# Python projects
vet scan -M requirements.txt --malware

# Go projects
vet scan -M go.mod --malware

# Ruby projects
vet scan -M Gemfile.lock --malware

PURL-Based Scanning

Scan specific packages using Package URLs:

vet scan --purl pkg:/npm/llm-oracle@1.0.2 --malware

Visual Studio Code Extensions

Scan locally installed VS Code extensions:

vet scan --vsx --malware

VS Code extension scanning is supported only for local developer machines, not in CI/CD environments.

GitHub Actions Integration

vet-action Cloud Mode

Enable malicious package protection in GitHub repositories using vet-action:

name: Malware Protection
on:
  pull_request:
    branches: [ main ]

jobs:
  malware-scan:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      
      - name: Run malware analysis
        uses: safedep/vet-action@v1
        with:
          cloud: true
          malware: true
          cloud-key: ${{ secrets.SAFEDEP_CLOUD_API_KEY }}
          cloud-tenant: ${{ secrets.SAFEDEP_CLOUD_TENANT }}
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}

Pull Request Integration

When enabled, vet scans changed packages for malware and provides results directly in pull requests:

Expand comments to view detailed package analysis results:

Package Inspection

Enable Experimental Feature

Package inspection is currently experimental. Enable it with:

export VET_ENABLE_PACKAGE_INSPECT_COMMAND=true

Inspect Single Packages

Perform detailed analysis of individual packages:

vet inspect malware --purl pkg:/npm/llm-oracle@1.0.2

Package analysis is performed asynchronously. Scanning usually takes a few minutes but may take longer depending on the analysis queue.

Analysis Results

On completion, vet shows the analysis status and classification:

Export Results

Export analysis results as JSON:

vet inspect malware \
  --purl pkg:/npm/llm-oracle@1.0.2 \
  --report-json /tmp/analysis.json

Understanding Results

Classification Levels

  • SAFE: No malicious behavior detected
  • SUSPICIOUS: Potentially risky patterns identified
  • MALICIOUS: Confirmed malicious behavior found

Analysis Techniques

CI/CD Integration Examples

GitLab CI

stages:
  - security

malware-scan:
  stage: security
  image: ghcr.io/safedep/vet:latest
  script:
    - vet scan -D . --malware --report-json malware-report.json
  artifacts:
    reports:
      security: malware-report.json
  variables:
    SAFEDEP_API_KEY: $SAFEDEP_API_KEY
    SAFEDEP_TENANT_ID: $SAFEDEP_TENANT_ID

Jenkins Pipeline

pipeline {
    agent any
    
    environment {
        SAFEDEP_API_KEY = credentials('safedep-api-key')
        SAFEDEP_TENANT_ID = credentials('safedep-tenant-id')
    }
    
    stages {
        stage('Malware Scan') {
            steps {
                sh 'vet scan -D . --malware --report-json malware-results.json'
                archiveArtifacts artifacts: 'malware-results.json'
                publishTestResults testResultsPattern: 'malware-results.json'
            }
        }
    }
}

Best Practices

Troubleshooting

vet-action Documentation

Complete GitHub Actions integration guide

SafeDep Cloud Setup

Get started with SafeDep Cloud for malware analysis

Package Inspection Guide

Learn more about experimental package inspection features

Report Issues

Report bugs or request features for malware analysis