Skip to main content
Malware analysis is available for free with SafeDep Cloud. See pricing for details.
Analyze open source packages for malicious code using Vet with SafeDep Cloud’s hosted analysis service. The service scans package artifacts from public package registries.

Supported Ecosystems

npm

JavaScript and TypeScript packages

PyPI

Python packages and wheels

Go Modules

Go language modules

RubyGems

Ruby packages and gems

GitHub Actions

GitHub Action workflows

VS Code Extensions

Visual Studio Code extensions

Requirements

1

Install Vet

You must have Vet version 1.9.7 or above installed.
2

SafeDep Cloud Access

You must be onboarded to SafeDep Cloud with a Tenant Domain and API Key. See SafeDep Cloud Quickstart for onboarding instructions.

Repository Scanning

Basic Malware Scanning

Enable malware analysis with the --malware flag: 
vet scan -D /path/to/code --malware
vet waits for a timeout period for malware analysis to complete. This works well for pull requests and CI/CD pipelines where the number of changed packages is small.

Timeout Configuration

Adjust analysis timeout for different scenarios: 
# Quick scan with shorter timeout
vet scan -D . --malware --malware-analysis-timeout 5m

# Thorough scan with longer timeout
vet scan -D . --malware --malware-analysis-timeout 15m

Specific Manifest Scanning

Scan individual package manifest files: 
# npm projects
vet scan -M package-lock.json --malware

# Python projects
vet scan -M requirements.txt --malware

# Go projects
vet scan -M go.mod --malware

# Ruby projects
vet scan -M Gemfile.lock --malware

PURL-Based Scanning

Scan specific packages using Package URLs: 
vet scan --purl pkg:npm/[email protected] --malware
Malware analysis results for llm-oracle package

Visual Studio Code Extensions

Scan locally installed VS Code extensions: 
vet scan --vsx --malware
VS Code extension scanning is supported only for local developer machines, not in CI/CD environments.

GitHub Actions Integration

vet-action Cloud Mode

Enable malicious package protection in GitHub repositories using vet-action: 
name: Malware Protection
on:
  pull_request:
    branches: [ main ]

jobs:
  malware-scan:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      
      - name: Run malware analysis
        uses: safedep/vet-action@v1
        with:
          cloud: true
          cloud-key: ${{ secrets.SAFEDEP_CLOUD_API_KEY }}
          cloud-tenant: ${{ secrets.SAFEDEP_CLOUD_TENANT_DOMAIN }}
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}

Pull Request Integration

When enabled, Vet scans changed packages for malware and provides results directly in pull requests: vet malware analysis in GitHub PR Expand comments to view detailed package analysis results: Detailed malware analysis results in PR

Package Inspection

Enable Experimental Feature

Package inspection is currently experimental. Enable it with: 
export VET_ENABLE_PACKAGE_INSPECT_COMMAND=true

Inspect Single Packages

Perform detailed analysis of individual packages: 
vet inspect malware --purl pkg:npm/[email protected]
Package analysis is performed asynchronously. Scanning usually takes a few minutes but may take longer depending on the analysis queue.

Analysis Results

On completion, Vet shows the analysis status and classification: Malware scan result showing package classification

Export Results

Export analysis results as JSON: 
vet inspect malware \
  --purl pkg:npm/[email protected] \
  --report-json /tmp/analysis.json

Understanding Results

Classification Levels

  • SAFE: No malicious behavior detected
  • SUSPICIOUS: Potentially risky patterns identified
  • MALICIOUS: Confirmed malicious behavior found

Analysis Techniques

  • Code pattern analysis
  • Suspicious function detection
  • Obfuscation identification
  • Network communication patterns
  • File system access patterns
  • Process execution analysis
  • Package metadata anomalies
  • Publisher reputation analysis
  • Distribution pattern analysis

CI/CD Integration Examples

GitLab CI

stages:
  - security

malware-scan:
  stage: security
  image: ghcr.io/safedep/vet:latest
  script:
    - vet scan -D . --malware --report-json malware-report.json
  artifacts:
    reports:
      security: malware-report.json
  variables:
    SAFEDEP_API_KEY: $SAFEDEP_API_KEY
    SAFEDEP_TENANT_ID: $SAFEDEP_TENANT_ID

Jenkins Pipeline

pipeline {
    agent any
    
    environment {
        SAFEDEP_API_KEY = credentials('safedep-api-key')
        SAFEDEP_TENANT_ID = credentials('safedep-tenant-id')
    }
    
    stages {
        stage('Malware Scan') {
            steps {
                sh 'vet scan -D . --malware --report-json malware-results.json'
                archiveArtifacts artifacts: 'malware-results.json'
                publishTestResults testResultsPattern: 'malware-results.json'
            }
        }
    }
}

Troubleshooting

  • Increase the timeout with --malware-analysis-timeout
  • Scan smaller package sets
  • Check network connectivity to SafeDep Cloud
  • Verify your API key has malware analysis permissions
  • Check your tenant configuration
  • Ensure you are using Vet v1.9.7 or later
  • Review the analysis details
  • Contact SafeDep support with the package details
  • Use exceptions management for temporary overrides

vet-action Documentation

Complete GitHub Actions integration guide

SafeDep Cloud Setup

Get started with SafeDep Cloud for malware analysis

Package Inspection Guide

Learn more about experimental package inspection features

Report Issues

Report bugs or request features for malware analysis