This document describes how to synchronize data from vet to SafeDep Cloud for centralized analysis, reporting, and policy management. Data synchronization enables organization-wide visibility into security findings across all projects.

Sync Methods

  • vet CLI: Direct integration using the command-line interface
  • vet-action: GitHub Actions workflow integration

Using vet CLI

Prerequisites

Configure vet to authenticate with SafeDep Cloud. See the quickstart guide for onboarding and authentication setup.

The --report-sync flag enables data synchronization to SafeDep Cloud.

Basic Synchronization

Sync scan results with project identification:

vet scan -M /path/to/package-lock.json --report-sync \
  --report-sync-project my-project \
  --report-sync-project-version my-project-version

Parameters

  • --report-sync-project: Project identifier (typically repository name)
  • --report-sync-project-version: Project version (branch, tag, or commit)

Directory Scanning with Sync

Scan entire repositories and sync results:

vet scan -D /path/to/repository \
  --report-sync \
  --report-sync-project github.com/org/repo \
  --report-sync-project-version main

Multiple Manifest Sync

Sync results from scanning multiple manifest files:

vet scan -D /path/to/monorepo \
  --report-sync \
  --report-sync-project monorepo-backend \
  --report-sync-project-version v2.1.0

Advanced Sync Configurations

Environment-Based Sync

Differentiate between environments using project versions:

vet scan -D . \
  --report-sync \
  --report-sync-project myapp \
  --report-sync-project-version production

Conditional Sync with Policies

Sync only when policy violations are found:

vet scan -D . \
  --filter-suite security-policy.yml \
  --filter-fail \
  --report-sync \
  --report-sync-project critical-app \
  --report-sync-project-version main

Batch Processing

Sync multiple projects in a script:

#!/bin/bash
# Scan each project and sync it under its own name, using the checked-out
# branch as the version. Note: on a detached checkout (the usual state on CI
# runners) `rev-parse --abbrev-ref HEAD` prints the literal string "HEAD".
for project in project-a project-b project-c; do
  vet scan -D "/path/to/$project" \
    --report-sync \
    --report-sync-project "$project" \
    --report-sync-project-version "$(git -C "/path/to/$project" rev-parse --abbrev-ref HEAD)"
done

GitHub Actions Integration

Basic vet-action Configuration

Enable cloud sync in your GitHub workflow:

name: Security Scan and Sync
on:
  push:
    branches: [ main, develop ]
  pull_request:
    branches: [ main ]

jobs:
  security-scan:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      
      - name: Run vet with cloud sync
        uses: safedep/vet-action@v1
        with:
          cloud: true
          cloud-key: ${{ secrets.SAFEDEP_CLOUD_API_KEY }}
          cloud-tenant: ${{ secrets.SAFEDEP_CLOUD_TENANT_DOMAIN }}
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}

Advanced GitHub Actions Configuration

name: Comprehensive Security Analysis
on:
  push:
    branches: [ main ]
  pull_request:
    branches: [ main ]
  schedule:
    - cron: '0 2 * * 1'  # Weekly scan

jobs:
  security-analysis:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      
      - name: Run security scan with sync
        uses: safedep/vet-action@v1
        with:
          cloud: true
          cloud-key: ${{ secrets.SAFEDEP_CLOUD_API_KEY }}
          cloud-tenant: ${{ secrets.SAFEDEP_CLOUD_TENANT_DOMAIN }}
          policy: '.github/security-policy.yml'
          fail-on-violation: true
          malware: true
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
          
      - name: Upload scan artifacts
        uses: actions/upload-artifact@v4
        if: always()
        with:
          name: security-scan-results
          path: |
            *.json
            *.sarif

Project Identification

vet-action automatically uses repository information for project identification:

  • Project Name: ${{ github.repository }} (e.g., org/repo)
  • Project Version: ${{ github.ref_name }} (branch or tag name)
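
The batch loop and the CI examples above all need the same two values. As an added example (not code from the vet project or the SafeDep docs), the POSIX shell wrapper below derives the project identifier from the git remote URL in the host/org/repo form used earlier and picks the version the way CI needs it: the branch or tag name when one is checked out, otherwise the commit SHA, because `git rev-parse --abbrev-ref HEAD` prints the literal "HEAD" on a detached checkout. It assumes `git` is on PATH and treats GITHUB_REF_NAME (GitHub Actions) and CI_COMMIT_REF_NAME (GitLab) as optional overrides.

```shell
#!/bin/sh
# Added example: build the --report-sync-project / --report-sync-project-version
# arguments for vet from a git checkout. Not part of vet or SafeDep.

# Normalize a remote URL to host/org/repo, e.g. both
# git@github.com:org/repo.git and https://github.com/org/repo.git
# become github.com/org/repo.
# Steps: strip scheme, strip user[:token]@, turn scp-style host:path into
# host/path, drop a trailing .git, drop a trailing slash.
normalize_remote_url() {
  printf '%s\n' "$1" | sed \
    -e 's#^[A-Za-z][A-Za-z0-9+.-]*://##' \
    -e 's#^[^@/]*@##' \
    -e 's#^\([^:/]*\):#\1/#' \
    -e 's#\.git$##' \
    -e 's#/$##'
}

# $1 = ref name as reported by CI or git, $2 = commit SHA.
# Prints the ref when it is a real branch/tag, else the commit, so a detached
# checkout never syncs every build as version "HEAD".
resolve_version() {
  ref="$1"; commit="$2"
  if [ -n "$ref" ] && [ "$ref" != "HEAD" ]; then
    printf '%s\n' "$ref"
  else
    printf '%s\n' "$commit"
  fi
}

# Gather values from the checkout under $1 and print the vet command line.
# CI-provided ref names (assumed: GITHUB_REF_NAME, CI_COMMIT_REF_NAME)
# take precedence over what git reports.
vet_sync_cmd() {
  dir="$1"
  remote=$(git -C "$dir" remote get-url origin)
  project=$(normalize_remote_url "$remote")
  ref="${GITHUB_REF_NAME:-${CI_COMMIT_REF_NAME:-$(git -C "$dir" rev-parse --abbrev-ref HEAD)}}"
  commit=$(git -C "$dir" rev-parse HEAD)
  version=$(resolve_version "$ref" "$commit")
  printf 'vet scan -D %s --report-sync --report-sync-project %s --report-sync-project-version %s\n' \
    "$dir" "$project" "$version"
}

# Usage (run the printed command): eval "$(vet_sync_cmd /path/to/repo)"
```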

CI/CD Platform Integration

GitLab CI

stages:
  - security

security-scan:
  stage: security
  image: ghcr.io/safedep/vet:latest
  script:
    - >
      vet scan -D .
      --report-sync
      --report-sync-project $CI_PROJECT_PATH
      --report-sync-project-version $CI_COMMIT_REF_NAME
  variables:
    SAFEDEP_API_KEY: $SAFEDEP_API_KEY
    SAFEDEP_TENANT_ID: $SAFEDEP_TENANT_ID
  only:
    - main
    - develop
    - merge_requests

Jenkins Pipeline

pipeline {
    agent any
    
    environment {
        SAFEDEP_API_KEY = credentials('safedep-api-key')
        SAFEDEP_TENANT_ID = credentials('safedep-tenant-id')
    }
    
    stages {
        stage('Security Scan') {
            steps {
                sh """
                    vet scan -D . \
                      --report-sync \
                      --report-sync-project ${env.JOB_NAME} \
                      --report-sync-project-version ${env.BRANCH_NAME}
                """
            }
        }
    }
}

Azure DevOps

trigger:
  branches:
    include:
      - main
      - develop

variables:
  - group: safedep-credentials

jobs:
- job: SecurityScan
  displayName: 'Security Scan and Sync'
  pool:
    vmImage: 'ubuntu-latest'
  
  steps:
  - script: |
      vet scan -D . \
        --report-sync \
        --report-sync-project $(Build.Repository.Name) \
        --report-sync-project-version $(Build.SourceBranchName)
    displayName: 'Run vet security scan'
    env:
      SAFEDEP_API_KEY: $(safedep-api-key)
      SAFEDEP_TENANT_ID: $(safedep-tenant-id)

Data Synchronization Details

What Gets Synced

Sync Frequency

  • On-demand: Manual scans using CLI
  • CI/CD triggered: Automated scans on code changes
  • Scheduled: Regular scans via cron or scheduled workflows
  • Event-driven: Scans triggered by specific events

Querying Synced Data

Once data is synced to SafeDep Cloud, query it using the cloud interface:

# List all synced projects
vet cloud query execute --sql "SELECT DISTINCT name, version FROM projects"

# Find critical vulnerabilities across projects
vet cloud query execute --sql "
  SELECT projects.name, packages.name, vulnerabilities.cve_id
  FROM projects 
  WHERE vulnerabilities.severity = 'CRITICAL'
"

# Export project security summary
vet cloud query execute \
  --sql "SELECT * FROM projects WHERE name = 'my-project'" \
  --csv my-project-summary.csv

Best Practices

Troubleshooting