This page covers syncing vet scan results from CI/CD pipelines to SafeDep Cloud using --report-sync. To sync AI tool inventory from developer machines or agents, see Inventory Sync.

Sync Methods

  • Vet CLI: direct integration using the command-line interface
  • vet-action: GitHub Actions workflow integration

Using Vet CLI

Prerequisites

Configure vet to authenticate with SafeDep Cloud before using --report-sync. See the quickstart guide for onboarding and authentication setup.
The --report-sync flag enables data synchronization to SafeDep Cloud.

Basic Synchronization

Sync scan results with project identification:
vet scan -M /path/to/package-lock.json --report-sync \
  --report-sync-project my-project \
  --report-sync-project-version my-project-version

Parameters

  • --report-sync-project: Project identifier (typically repository name)
  • --report-sync-project-version: Project version (branch, tag, or commit)

Directory Scanning with Sync

Scan entire repositories and sync results:
vet scan -D /path/to/repository \
  --report-sync \
  --report-sync-project github.com/org/repo \
  --report-sync-project-version main

Multiple Manifest Sync

Sync results from scanning multiple manifest files:
vet scan -D /path/to/monorepo \
  --report-sync \
  --report-sync-project monorepo-backend \
  --report-sync-project-version v2.1.0

Advanced Sync Configurations

Environment-Based Sync

Differentiate between environments using project versions:
vet scan -D . \
  --report-sync \
  --report-sync-project myapp \
  --report-sync-project-version production

Conditional Sync with Policies

Sync only when policy violations are found:
vet scan -D . \
  --filter-suite security-policy.yml \
  --filter-fail \
  --report-sync \
  --report-sync-project critical-app \
  --report-sync-project-version main

Batch Processing

Sync multiple projects in a script:
#!/bin/bash
set -u
for project in project-a project-b project-c; do
  dir="/path/to/$project"
  # Version is the current branch of each checkout (git prints "HEAD" on a detached checkout)
  vet scan -D "$dir" \
    --report-sync \
    --report-sync-project "$project" \
    --report-sync-project-version "$(git -C "$dir" rev-parse --abbrev-ref HEAD)"
done

GitHub Actions Integration

Basic vet-action Configuration

Enable cloud sync in your GitHub workflow:
name: Security Scan and Sync
on:
  push:
    branches: [ main, develop ]
  pull_request:
    branches: [ main ]

jobs:
  security-scan:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      
      - name: Run vet with cloud sync
        uses: safedep/vet-action@v1
        with:
          cloud: true
          cloud-key: ${{ secrets.SAFEDEP_CLOUD_API_KEY }}
          cloud-tenant: ${{ secrets.SAFEDEP_CLOUD_TENANT_DOMAIN }}
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}

Advanced GitHub Actions Configuration

Extend the basic workflow with a policy file, paranoid mode, a weekly scheduled run, and artifact upload of the generated reports:
name: Comprehensive Security Analysis
on:
  push:
    branches: [ main ]
  pull_request:
    branches: [ main ]
  schedule:
    - cron: '0 2 * * 1'  # Weekly scan

jobs:
  security-analysis:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      
      - name: Run security scan with sync
        uses: safedep/vet-action@v1
        with:
          cloud: true
          cloud-key: ${{ secrets.SAFEDEP_CLOUD_API_KEY }}
          cloud-tenant: ${{ secrets.SAFEDEP_CLOUD_TENANT_DOMAIN }}
          policy: '.github/vet/policy.yml'
          paranoid: true
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
          
      - name: Upload scan artifacts
        uses: actions/upload-artifact@v4
        if: always()
        with:
          name: security-scan-results
          path: |
            *.json
            *.sarif

Project Identification

vet-action automatically sets project identification from repository information:
  • Project Name: ${{ github.repository }} (e.g., org/repo)
  • Project Version: ${{ github.ref_name }} (branch or tag name)

CI/CD Platform Integration

GitLab CI

stages:
  - security

security-scan:
  stage: security
  image: ghcr.io/safedep/vet:latest
  script:
    - vet scan -D . --report-sync --report-sync-project $CI_PROJECT_PATH --report-sync-project-version $CI_COMMIT_REF_NAME
  variables:
    SAFEDEP_API_KEY: $SAFEDEP_API_KEY
    SAFEDEP_TENANT_ID: $SAFEDEP_TENANT_ID
  only:
    - main
    - develop
    - merge_requests

Jenkins Pipeline

pipeline {
    agent any
    
    environment {
        SAFEDEP_API_KEY = credentials('safedep-api-key')
        SAFEDEP_TENANT_ID = credentials('safedep-tenant-id')
    }
    
    stages {
        stage('Security Scan') {
            steps {
                sh """
                    vet scan -D . \
                      --report-sync \
                      --report-sync-project ${env.JOB_NAME} \
                      --report-sync-project-version ${env.BRANCH_NAME}
                """
            }
        }
    }
}

Azure DevOps

trigger:
  branches:
    include:
      - main
      - develop

variables:
  - group: safedep-credentials

jobs:
- job: SecurityScan
  displayName: 'Security Scan and Sync'
  pool:
    vmImage: 'ubuntu-latest'
  
  steps:
  - script: |
      vet scan -D . \
        --report-sync \
        --report-sync-project $(Build.Repository.Name) \
        --report-sync-project-version $(Build.SourceBranchName)
    displayName: 'Run vet security scan'
    env:
      SAFEDEP_API_KEY: $(safedep-api-key)
      SAFEDEP_TENANT_ID: $(safedep-tenant-id)
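Each pipeline snippet above hardcodes its own platform's variables for the project and version, and the batch script earlier relies on git rev-parse --abbrev-ref HEAD, which prints just HEAD on the detached checkout most CI systems use. The following POSIX shell helper is an added example, not part of vet, vet-action or the SafeDep docs: it derives both identifiers from whichever platform's variables are present (GITHUB_REPOSITORY/GITHUB_REF_NAME, CI_PROJECT_PATH/CI_COMMIT_REF_NAME, BUILD_REPOSITORY_NAME/BUILD_SOURCEBRANCHNAME) and, for local runs, falls back to git metadata with the detached-HEAD case handled. Prefixing the host to GitHub and GitLab paths, so that names match the github.com/org/repo convention used in the directory-scanning example, is this example's choice (vet-action itself uses the bare github.repository value), as are the function names.

```shell
#!/bin/sh
# Added example, not part of vet or the SafeDep docs.
# Resolve --report-sync-project / --report-sync-project-version from CI variables,
# falling back to git metadata for local runs.

# Project identifier: host/org/repo where the platform tells us the host.
# The host prefix is this example's convention; vet-action uses the bare github.repository.
vet_sync_project() {
  if [ -n "${GITHUB_REPOSITORY:-}" ]; then
    printf '%s\n' "github.com/${GITHUB_REPOSITORY}"
  elif [ -n "${CI_PROJECT_PATH:-}" ]; then
    printf '%s\n' "${CI_SERVER_HOST:-gitlab.com}/${CI_PROJECT_PATH}"
  elif [ -n "${BUILD_REPOSITORY_NAME:-}" ]; then
    printf '%s\n' "${BUILD_REPOSITORY_NAME}"
  else
    # Local run: normalise the origin URL, e.g. git@github.com:org/repo.git -> github.com/org/repo
    git remote get-url origin 2>/dev/null \
      | sed -E 's#^(git@|ssh://git@|https?://)##; s#:#/#; s#\.git$##'
  fi
}

# Version identifier: branch or tag from CI, else local branch, else exact tag, else short commit.
vet_sync_version() {
  for v in "${GITHUB_REF_NAME:-}" "${CI_COMMIT_REF_NAME:-}" "${BUILD_SOURCEBRANCHNAME:-}"; do
    if [ -n "$v" ]; then
      printf '%s\n' "$v"
      return 0
    fi
  done
  ref=$(git rev-parse --abbrev-ref HEAD 2>/dev/null || true)
  if [ -n "$ref" ] && [ "$ref" != "HEAD" ]; then
    # Checked out on a branch
    printf '%s\n' "$ref"
    return 0
  fi
  # Detached HEAD (typical CI checkout): prefer an exact tag, otherwise the short commit
  git describe --tags --exact-match 2>/dev/null || git rev-parse --short HEAD 2>/dev/null
}

# The flags to append to `vet scan`, on one line.
vet_sync_args() {
  printf -- '--report-sync --report-sync-project %s --report-sync-project-version %s\n' \
    "$(vet_sync_project)" "$(vet_sync_version)"
}

# Example invocation (the identifiers contain no whitespace, so the unquoted expansion is intended):
#   vet scan -D . $(vet_sync_args)
```

Because the platform variables are checked first, the same script line works unchanged in GitHub Actions, GitLab CI and Azure Pipelines, and a developer running it locally gets the branch name or, on a detached checkout, the tag or commit instead of the meaningless value HEAD.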

Data Synchronization Details

What Gets Synced

  • All discovered packages and versions
  • Dependency relationships and metadata
  • Package manifest locations and types
  • Vulnerability information and severity levels
  • OpenSSF Scorecard metrics
  • License compliance data
  • Malware analysis results (if enabled)
  • Policy rule violations and details
  • Filter expression results
  • Exception applications and status
  • Project identification and versioning
  • Scan timestamps and environment info
  • Git commit information (when available)

Sync Frequency

  • On-demand: Manual scans using the CLI
  • CI/CD triggered: Automated scans on code changes
  • Scheduled: Regular scans via cron or scheduled workflows
  • Event-driven: Scans triggered by specific events

Querying Synced Data

Once data is synced to SafeDep Cloud, query it with the safedep CLI:
safedep query exec --sql "
  SELECT projects.name
  FROM projects
  WHERE projects.origin_source = 'SOURCE_GITHUB'
  ORDER BY projects.name"
See the SafeDep Cloud SQL guide for the full schema, the join model, and worked examples covering vulnerabilities, licenses, malware findings, and endpoint events.

Best Practices

Use consistent naming:
  • Include the organization: org/project-name
  • Use repository URLs for uniqueness across teams
Use meaningful version identifiers:
  • Branch names for development branches
  • Semantic versions for releases
  • Environment identifiers (prod, staging, dev)
Sync at the right points in the workflow:
  • Sync on every commit to the main branch
  • Include pull request scans for early detection
  • Add scheduled scans to catch drift between commits

Troubleshooting

Sync fails:
  • Verify the API key and tenant configuration
  • Check network connectivity to SafeDep Cloud
  • Ensure project names don’t contain invalid characters
Data does not appear in SafeDep Cloud:
  • Confirm --report-sync and the project flags are set
  • Check that the scan completed successfully
  • Verify the project name and version identifiers match what you expect
Authentication errors:
  • Verify the API key has sync permissions
  • Check the tenant domain configuration
  • Confirm credentials are set correctly in your CI/CD environment
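Most of the credential and identifier problems above can be caught before vet runs rather than diagnosed from a failed sync. The following POSIX shell pre-flight check is an added example, not SafeDep's tooling: it fails the job early and prints which input is missing. It assumes the SAFEDEP_API_KEY and SAFEDEP_TENANT_ID variable names used by the GitLab, Jenkins and Azure snippets above (rename them if your vet configuration uses different ones), treats whitespace in a project name as invalid (this page does not list vet's exact character rules, so adjust the check to match them), and rejects the version HEAD, which is what git rev-parse --abbrev-ref HEAD prints on a detached CI checkout.

```shell
#!/bin/sh
# Added example, not part of vet or the SafeDep docs.
# Pre-flight check for --report-sync runs: verify credentials and identifiers before scanning.
# Credential variable names follow the GitLab/Jenkins/Azure snippets on this page.

# Usage: vet_sync_preflight PROJECT VERSION
# Prints one line per problem to stderr; returns 1 if any problem was found, 0 otherwise.
vet_sync_preflight() {
  project=$1
  version=$2
  problems=0

  if [ -z "${SAFEDEP_API_KEY:-}" ]; then
    echo "preflight: SAFEDEP_API_KEY is not set (secret missing or not exported to this step)" >&2
    problems=$((problems + 1))
  fi
  if [ -z "${SAFEDEP_TENANT_ID:-}" ]; then
    echo "preflight: SAFEDEP_TENANT_ID is not set" >&2
    problems=$((problems + 1))
  fi

  if [ -z "$project" ]; then
    echo "preflight: --report-sync-project would be empty (CI variable not populated?)" >&2
    problems=$((problems + 1))
  fi
  # Whitespace is treated as invalid here (assumption: it also breaks shell word splitting
  # in the pipeline snippets); extend the pattern to match vet's actual rules.
  case $project in
    *[[:space:]]*)
      echo "preflight: project name '$project' contains whitespace" >&2
      problems=$((problems + 1))
      ;;
  esac

  if [ -z "$version" ] || [ "$version" = "HEAD" ]; then
    echo "preflight: --report-sync-project-version is '$version' (detached HEAD? pass a branch, tag or commit)" >&2
    problems=$((problems + 1))
  fi

  [ "$problems" -eq 0 ]
}

# Run the pre-flight check, then the scan, so the job fails with a clear reason.
vet_sync_scan() {
  vet_sync_preflight "$1" "$2" || return 1
  vet scan -D . --report-sync \
    --report-sync-project "$1" \
    --report-sync-project-version "$2"
}

# Example: vet_sync_scan "github.com/org/repo" "main"
```

Wiring vet_sync_scan into the pipeline step in place of the bare vet command turns a silent "data never appeared" outcome into a failed step whose log names the missing secret or identifier.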

  • Cloud Quickstart: Get started with SafeDep Cloud authentication and setup
  • vet-action Documentation: Complete GitHub Actions integration guide
  • Cloud Queries: Learn how to query synced data in SafeDep Cloud
  • Authentication Guide: Understand SafeDep Cloud authentication methods