SafeDep ships several command-line tools. Each one solves a different supply-chain problem, and they run independently, so you install only what you need. This page helps you pick the right tool and points you to its setup guide.

Which tool do I need?

Scan code for supply-chain risk

Use Vet to scan repositories, lockfiles, and SBOMs for malicious packages, known vulnerabilities, and policy violations. It is the engine behind SafeDep’s CI/CD scanning.

Block malicious installs on my machine

Use PMG, a guard around npm, pip, and other package managers that blocks known-malicious packages before they install. No account or API key required.

Audit what my AI coding agent does

Use Gryph to record every file read, write, and command your AI coding agent runs. It keeps a local audit log you can query.

Generate a Bill of Materials

Use xBom to inventory dependencies plus AI and SaaS usage detected from your source code, as a CycloneDX BOM.

Work with SafeDep Cloud

Use safedep, the unified CLI for SafeDep Cloud: authentication, endpoint telemetry queries, and AI agent hardening. It is new and still evolving.

The tools at a glance

| Tool | Solves | Needs an account? | Open source |
|---|---|---|---|
| Vet | Detect malicious and vulnerable dependencies in code and CI/CD | No (Cloud optional) | Yes |
| PMG | Block malicious packages at install time on the dev machine | No | Yes |
| Gryph | Local audit trail for AI coding agents | No (fully local) | Yes |
| xBom | Generate a BOM enriched with AI and SaaS usage from source code | No | Yes |
| safedep | Manage and query SafeDep Cloud from the terminal | Yes (SafeDep Cloud) | Yes |

Vet, PMG, and Gryph are free, open source, and work with no SafeDep account. The safedep CLI is the client for SafeDep Cloud’s hosted features. See pricing.

How they relate

  • Vet is the scanning engine. It analyzes dependencies and produces risk reports, queries, and SBOMs. It runs standalone or syncs results to SafeDep Cloud.
  • PMG and Gryph are standalone, single-purpose guards. PMG works at package-install time, Gryph around AI coding agents. Neither needs Vet or a SafeDep account.
  • safedep is an emerging unified CLI that brings SafeDep Cloud’s workflows (auth, endpoint telemetry, agent hardening) to the terminal. It orchestrates the tools above and the Cloud APIs rather than re-implementing scanning, so the analysis stays in the upstream tools.
These tools have no “v1 to v2” relationship. safedep is a new Cloud-focused CLI, not a replacement for vet. Vet stays the standalone scanner and the recommended starting point for most users.

Install

Each tool is on the SafeDep Homebrew tap. Vet, PMG, Gryph, and safedep are also published to npm; Vet, PMG, Gryph, and xBom ship as pre-built binaries. The most common installs:

    brew install safedep/tap/vet
    brew install safedep/tap/pmg
    brew install safedep/tap/gryph
    brew install safedep/tap/xbom
    brew install --cask safedep/tap/cli   # the `safedep` command

For every install method, current versions, and the full command surface, see each tool’s repository: Vet, PMG, Gryph, safedep.

Next steps

Vet Quickstart

Scan your first repository for supply-chain risk.

PMG Quickstart

Guard your package installs in minutes.

Gryph Overview

Set up an audit trail for your AI coding agents.

xBom Quickstart

Generate an enriched Bill of Materials from your code.

SafeDep Cloud Quickstart

Onboard to the hosted platform for org-wide visibility.