Common questions and troubleshooting tips for using vet effectively.

General Usage

How do I disable the banner?

Set the environment variable to disable the vet banner:

export VET_DISABLE_BANNER=1

Something is wrong! How do I debug this?

Run vet with debug logging enabled to diagnose issues:

vet scan -D /path/to/repo --silent --log-level debug

Installation and Setup

Which version of vet should I use?

Always use the latest stable version available:

# Check current version
vet version

# Update via Homebrew (macOS/Linux)
brew upgrade safedep/tap/vet

# Or download latest from GitHub releases
# https://github.com/safedep/vet/releases

Does vet work offline?

vet requires internet connectivity to:

  • Download vulnerability data from OSV database
  • Fetch OpenSSF Scorecard information
  • Access package registry metadata
  • Communicate with SafeDep Cloud (if using cloud features)

For offline environments, consider using the JSON dump workflow to cache data locally.

What package managers does vet support?

vet supports a wide range of package managers:

Scanning and Analysis

Why is my scan taking so long?

Several factors can affect scan performance:

No vulnerabilities found - is this correct?

If vet reports no vulnerabilities:

  1. Check the package versions - Ensure you’re scanning current dependency versions
  2. Verify manifest files - Confirm vet is finding and parsing your package manifests
  3. Check exclusions - Make sure you haven’t excluded relevant directories
  4. Review scan output - Look for any warnings or errors during scanning

How do I scan only specific files?

Use the -M flag to specify individual manifest files:

# Single file
vet scan -M package-lock.json

# Multiple files
vet scan -M package-lock.json -M requirements.txt

Policy and Filtering

How do I create effective policies?

Follow these best practices for policy creation:

Why is my filter not working?

Common filter issues and solutions:

Performance and Optimization

How can I speed up my scans?

CI/CD Integration

My GitHub Action is failing - what should I check?

How do I handle false positives in CI?

Data and Privacy

What data does vet collect?

vet collects:

  • Package metadata from public registries
  • Vulnerability data from public databases (OSV, NVD)
  • OpenSSF Scorecard metrics from public repositories
  • No source code is ever analyzed or transmitted

Does vet send my code anywhere?

No. vet only analyzes package manifest files (like package-lock.json) and does not access or transmit your source code. All analysis is based on publicly available package metadata.

Can I use vet in air-gapped environments?

vet requires internet access for vulnerability data and package metadata. For air-gapped environments:

  1. Pre-cache data using the JSON dump workflow
  2. Use proxy servers to control external access
  3. Consider enterprise solutions for offline vulnerability databases

Troubleshooting

Common error messages and solutions

Getting More Help

Community Discord

Join our community for real-time help and discussions

GitHub Issues

Report bugs or search existing issues

Documentation

Comprehensive guides and API reference

Email Support

Direct support for complex issues

Can’t find your question here? Check our community page for more ways to get help!

Common questions and troubleshooting tips for using vet effectively.

General Usage

How do I disable the banner?

Set the environment variable to disable the vet banner:

export VET_DISABLE_BANNER=1

Something is wrong! How do I debug this?

Run vet with debug logging enabled to diagnose issues:

vet scan -D /path/to/repo --silent --log-level debug

Installation and Setup

Which version of vet should I use?

Always use the latest stable version available:

# Check current version
vet version

# Update via Homebrew (macOS/Linux)
brew upgrade safedep/tap/vet

# Or download latest from GitHub releases
# https://github.com/safedep/vet/releases

Does vet work offline?

vet requires internet connectivity to:

  • Download vulnerability data from OSV database
  • Fetch OpenSSF Scorecard information
  • Access package registry metadata
  • Communicate with SafeDep Cloud (if using cloud features)

For offline environments, consider using the JSON dump workflow to cache data locally.

What package managers does vet support?

vet supports a wide range of package managers:

Scanning and Analysis

Why is my scan taking so long?

Several factors can affect scan performance:

No vulnerabilities found - is this correct?

If vet reports no vulnerabilities:

  1. Check the package versions - Ensure you’re scanning current dependency versions
  2. Verify manifest files - Confirm vet is finding and parsing your package manifests
  3. Check exclusions - Make sure you haven’t excluded relevant directories
  4. Review scan output - Look for any warnings or errors during scanning

How do I scan only specific files?

Use the -M flag to specify individual manifest files:

# Single file
vet scan -M package-lock.json

# Multiple files
vet scan -M package-lock.json -M requirements.txt

Policy and Filtering

How do I create effective policies?

Follow these best practices for policy creation:

Why is my filter not working?

Common filter issues and solutions:

Performance and Optimization

How can I speed up my scans?

CI/CD Integration

My GitHub Action is failing - what should I check?

How do I handle false positives in CI?

Data and Privacy

What data does vet collect?

vet collects:

  • Package metadata from public registries
  • Vulnerability data from public databases (OSV, NVD)
  • OpenSSF Scorecard metrics from public repositories
  • No source code is ever analyzed or transmitted

Does vet send my code anywhere?

No. vet only analyzes package manifest files (like package-lock.json) and does not access or transmit your source code. All analysis is based on publicly available package metadata.

Can I use vet in air-gapped environments?

vet requires internet access for vulnerability data and package metadata. For air-gapped environments:

  1. Pre-cache data using the JSON dump workflow
  2. Use proxy servers to control external access
  3. Consider enterprise solutions for offline vulnerability databases

Troubleshooting

Common error messages and solutions

Getting More Help

Community Discord

Join our community for real-time help and discussions

GitHub Issues

Report bugs or search existing issues

Documentation

Comprehensive guides and API reference

Email Support

Direct support for complex issues

Can’t find your question here? Check our community page for more ways to get help!