Skip to main content
Your SafeDep Cloud tenant receives data from more than one tool. Each source syncs through its own path and shows up in a different part of the product: Every source needs SafeDep Cloud credentials: a tenant domain and an API key. New to Cloud? Start with the quickstart. This page covers vet scan sync in full. PMG and endpoint inventory sync have their own setup guides, summarized below.

Sync vet scan results

vet scan --report-sync uploads scan results to your tenant, grouped by project and version.

Prerequisites

vet needs SafeDep Cloud credentials before it can sync. The fastest path is the guided setup, which walks through account, tenant, and credentials in one command:
Already onboarded? See the authentication guide to configure vet with an existing tenant and API key.

Sync a scan

  • --report-sync-project: project identifier. Use a consistent convention, like the repository path (github.com/org/repo), so names stay unique across teams.
  • --report-sync-project-version: project version, typically a branch, tag, or commit
Scan a whole repository the same way:
The examples use package-lock.json, but vet supports many package manifest formats and code analysis.

Separate environments

The version field also separates environments. Sync the same project as production, staging, or a feature branch name, then compare them side by side in SafeDep Cloud:

Enforce policy while syncing

Sync and policy enforcement run in the same scan. Add a policy suite and --filter-fail to gate the pipeline while results still sync to your tenant:
--policy-suite takes a v2 policy file (see the example in the vet repository); --filter-fail exits non-zero on a violation. The older --filter-suite format is documented in the policy reference.

Sync from GitHub Actions

vet-action syncs automatically when its cloud inputs are set. Add SAFEDEP_CLOUD_API_KEY and SAFEDEP_CLOUD_TENANT_DOMAIN as GitHub Actions secrets, then enable cloud sync in your workflow:
vet-action sets project identification from the repository: the project name is ${{ github.repository }} and the version is ${{ github.ref_name }}.

Sync from other CI systems

The pattern is the same on any CI system: provide SAFEDEP_API_KEY and SAFEDEP_TENANT_ID as environment variables and run vet scan with the --report-sync flags. See CI/CD & Platform Integrations for the full GitLab and Bitbucket guides.

What gets synced

  • Discovered packages and versions
  • Dependency relationships and metadata
  • Package manifest locations and types
  • Vulnerability information and severity levels
  • OpenSSF Scorecard metrics
  • License compliance data
  • Malware analysis results (if enabled)
  • Policy rule violations and details
  • Exception applications and status
  • Project identification and versioning
  • Scan timestamps and environment info
  • Git commit information (when available)

Sync package events from PMG

PMG intercepts package manager commands on the endpoint and records each install as an event. With cloud sync enabled, PMG drains its local event log to your tenant automatically after each invocation, and pmg cloud sync pushes events immediately. Setup, login, and auto-sync tuning live on the Package Guard page:

Package Guard

Enable PMG cloud sync and view package events in Endpoint Hub

Sync AI tool inventory

vet endpoint scan discovers AI tooling on a machine (coding agents, MCP servers, CLI tools, IDE extensions, Agent Skills) and delivers the inventory to your tenant when vet has credentials configured.

Endpoint Inventory

Enable inventory sync and browse discovered AI tooling in Endpoint Hub

Query synced data

Once data lands in your tenant, query it with safedep query exec or the web console. The quickstart has a worked example, and the SQL query guide covers the full schema, join model, and queries across vulnerabilities, licenses, malware findings, and endpoint events.

Troubleshooting

  • Verify the API key and tenant configuration (vet auth verify)
  • Check network connectivity to SafeDep Cloud
  • Ensure project names don’t contain invalid characters
  • Confirm --report-sync and the project flags are set
  • Check that the scan completed successfully
  • Verify the project name and version identifiers match what you expect
  • Verify the API key has sync permissions
  • Check the tenant domain configuration
  • Confirm credentials are set correctly in your CI/CD environment

Cloud Quickstart

Set up the safedep CLI and run your first query

Authentication Guide

SafeDep Cloud authentication methods

Endpoint Hub

AI tooling and package activity across your endpoints

vet-action Documentation

Complete GitHub Actions integration guide