Quick Start
SafeDep Cloud provides a control and data aggregation service on top of security tools like vet.
SafeDep cloud allows vet
users to connect and report its findings to a central location (SafeDep Cloud). Subsequently, users of the service can perform various tasks such as
- Query by risks
- Observe policy violations generated by
vet
- Manage, test and deploy policies across all instances of
vet
The process involves following steps
- Onboard to SafeDep Cloud
- Generate an API key for use with
vet
- Configure
vet
to sync its finding to SafeDep Cloud - Query consolidate data from all
vet
deployments
The vet
tool is extended with cloud management functionality. All cloud management related commands are available within vet cloud
sub-command. However, not all users of vet
need to use the cloud functionality. It is meant only for administrative and management operations.
Onboard to SafeDep Cloud
Follow the steps below to onboard into SafeDep Cloud. This is required only for administrators who want to configure vet
to synchronize data and policies with SafeDep Cloud. This is not required for independent use of vet
.
1. Install vet
Start by installing vet if you don't already have it installed. Ensure you are using a version that supports the cloud
subcommand.
2. Login to SafeDep Cloud
vet cloud login
Verify that you are authenticated to SafeDep cloud.
3. Onboard your Organization
Create an organization that will group (isolate) all your projects, policies and data
vet cloud register --name "John Doe" \
--org-name "Organization Name" \
--org-domain example.com
On successful on-boarding, you will receive the SafeDep cloud tenant domain
. It will be like default-team.example-com.safedep.io
. vet
will automatically configure this domain on your local system. You need to note this domain for usage in CI/CD. You will also receive an email with the required details.
4. Verify Onboarding
vet cloud whoami
This should list your registered user and your organization on SafeDep cloud.
5. Create API Key for vet
Integration
Generate an API key for use with vet
for syncing report data to SafeDep cloud.
vet cloud key create --name "Key Name" --description "Key description"
Configure vet
with SafeDep Cloud
Once the API key is generated
vet auth configure --tenant <tenant-domain>
Send Data to SafeDep Cloud
vet scan -M /path/to/package-lock.json --report-sync \
--report-sync-project my-project \
--report-sync-project-version my-project-version
package-lock.json
is used as an example manifest.vet
supports a wide variety of package manifest and code analysis.
Configure GitHub Action
If you are using vet-action with GitHub, you can configure it to send issues and policy violations to SafeDep Cloud.
- Create a GitHub Action Secret to store the API key generated earlier and your tenant domain
- Update your
vet-action
workflow to enable cloud mode
[...]
cloud: true
cloud-key: ${{ secrets.SAFEDEP_CLOUD_API_KEY }}
cloud-tenant: ${{ secrets.SAFEDEP_CLOUD_TENANT_DOMAIN }}
[...]
Query Aggregated Data
SafeDep cloud maintains a component oriented data model for all your projects, OSS components, vulnerabilities, security insights and policy violations. You can query this data to find exactly what you need.
SQL Query Interface
The vet cloud
subcommand provides a generic SQL-like query interface that can be used to find what you need.
You need to be authenticated with SafeDep cloud to execute queries.
vet cloud login --tenant <your-tenant-domain>
List projects synchronized with SafeDep Cloud
vet cloud query execute --sql "select projects.name, projects.version from projects"
Find critical vulnerabilities affecting a component in main
branch
vet cloud query execute --sql \
"
select projects.name, packages.name, packages.version, vulnerabilities.cve_id from projects
where projects.version = 'main' and vulnerabilities.risk = 'CRITICAL'
"
Find components with policy violations in main
branch
To learn more about policies, refer to policy as code
vet cloud query execute --sql \
"
select projects.name, packages.name, packages.version, policy_violations.rule_name from projects
where projects.version = 'main'
"
View schema to build your own queries
vet cloud query schema
Export Data
All vet cloud query
commands support CSV export by default. To export results as CSV
vet cloud query execute \
--csv results.csv \
--sql "select projects.name, projects.version from projects"