Frequently asked questions about using vet and troubleshooting common issues
Common questions and troubleshooting tips for using vet effectively.
Set the environment variable to disable the vet banner:
Run vet with debug logging enabled to diagnose issues:
Always use the latest stable version available:
vet requires internet connectivity to:
For offline environments, consider using the JSON dump workflow to cache data locally.
vet supports a wide range of package managers:
- JavaScript/Node.js
- Python
- Java/JVM
- Go
- Other Languages
Several factors can affect scan performance:

Large dependency trees: use path exclusions to skip irrelevant directories:

Network latency: the scan fetches metadata from external sources, so a slow internet connection can impact performance.

Malware analysis: if using --malware, adjust the timeout:

First-time caching: initial scans may be slower as vet builds local caches.
If vet reports no vulnerabilities:

Use the -M flag to specify individual manifest files:
Follow these best practices for policy creation:

Start Simple: begin with basic vulnerability checks:

Test Thoroughly: test policies against known good and bad packages before deploying.

Use Gradual Rollout: start with warning-only mode before enforcing blocking policies.

Document Decisions: include comments in policy files explaining the rationale for each rule.
Common filter issues and solutions:

Syntax Errors: verify the CEL expression syntax:

Data Structure: check the filter input specification to understand the available fields.

Boolean Logic: ensure your expression evaluates to true/false:
Use Path Exclusions: skip irrelevant directories:

Scan Specific Manifests: target only relevant package files:

Use JSON Dump Workflow: cache enriched data for repeated analysis:

Parallel Processing: for multiple projects, run scans in parallel or use CI/CD matrix builds.
Action Version: ensure you're using the latest version of vet-action:

Permissions: check GitHub token permissions:

Secrets Configuration: verify the required secrets are set if using SafeDep Cloud:
- SAFEDEP_CLOUD_API_KEY
- SAFEDEP_CLOUD_TENANT_DOMAIN
Use Exceptions: create an exceptions file for known false positives:

Adjust Policies: refine your filter expressions to reduce noise:

Use Warning Mode: don't fail builds while tuning policies:
vet collects:
No. vet only analyzes package manifest files (like package-lock.json) and does not access or transmit your source code. All analysis is based on publicly available package metadata.
vet requires internet access for vulnerability data and package metadata. For air-gapped environments:
'No manifest files found': use the -M flag to specify files explicitly.

'Failed to download vulnerability data'

'Memory limit exceeded'

'Invalid filter expression'
- Join our community for real-time help and discussions
- Report bugs or search existing issues
- Comprehensive guides and API reference
- Direct support for complex issues

Can't find your question here? Check our community page for more ways to get help!