The SafeDep GitHub App scans pull requests for supply-chain risk directly in GitHub. It is a hosted service run by SafeDep, so unlike the GitHub Action there is nothing to configure or run yourself: it activates immediately after installation.
  • Zero-configuration installation with immediate visibility of security findings
  • Protects against malicious open source packages, known vulnerabilities, and risky licenses
  • Free for public open source repositories. Private (commercial) repositories need a SafeDep subscription
  • Optionally link the installation to your SafeDep Cloud tenant for centralized policy and reporting across repositories

How to Install

  1. Navigate to SafeDep GitHub App
  2. Click Install
  3. Follow the instructions to install the app in your GitHub organization or repository

How to Use

The SafeDep GitHub App automatically scans pull requests for open source dependency changes. Newly introduced or updated dependencies are checked for vulnerabilities and malware.

Reports

[Image: GitHub App Report Demo]

On every pull request, the app scans updated packages and reports on:

Active Protection

[Image: GitHub App Gating Demo]

When any report fails, the GitHub App Check fails and blocks the branch from merging. The check fails if any Verified Malicious Package, Vulnerability, or Risky License is found.

Appendix

Vulnerabilities

  • Checks for CRITICAL or HIGH severity vulnerabilities.
  • Uses OSV as the vulnerability database.

Risky Licenses

The app currently classifies the following licenses as Risky:
  • GPL-2.0
  • GPL-2.0-only
  • GPL-2.0-or-later
  • GPL-3.0
  • GPL-3.0-only
  • GPL-3.0-or-later
  • AGPL-3.0
  • AGPL-3.0-only
  • AGPL-3.0-or-later

Supported Lockfiles

Supported lockfiles and ecosystems:
  1. NPM
     • package-lock.json
     • pnpm-lock.yaml
     • yarn.lock
  2. GoLang
     • go.mod
  3. PyPI
     • requirements.txt
     • uv.lock
     • poetry.lock
     • Pipfile.lock
  4. RubyGems
     • Gemfile.lock
  5. Cargo (Rust)
     • Cargo.lock
  6. Packagist (PHP)
     • composer.lock
  7. Maven (Java)
     • pom.xml
     • gradle.lockfile
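To make the gating rules above concrete, here is an added example (not SafeDep's code) that diffs two package-lock.json documents to find the packages a pull request introduces or updates, then applies the check's rules to a findings list: verified malicious package, CRITICAL or HIGH vulnerability, or a license from the Risky list fails the check. The lockfiles, package names, findings schema and OSV-EXAMPLE-* ids are all constructed for the example; the real app's report format is not documented on this page.

```python
# Licenses the page lists as Risky (SPDX ids copied from the Appendix).
RISKY_LICENSES = {"GPL-2.0", "GPL-2.0-only", "GPL-2.0-or-later",
                  "GPL-3.0", "GPL-3.0-only", "GPL-3.0-or-later",
                  "AGPL-3.0", "AGPL-3.0-only", "AGPL-3.0-or-later"}
FAILING_SEVERITIES = {"CRITICAL", "HIGH"}  # per the page, these fail the check

def changed_packages(old_lock, new_lock):
    """{name: version} for packages new or updated between two package-lock.json v2/v3 dicts."""
    def versions(lock):  # 'packages' keys are install paths; skip the root project entry
        return {path.split("node_modules/")[-1]: meta.get("version")
                for path, meta in lock.get("packages", {}).items()
                if path.startswith("node_modules/")}
    before, after = versions(old_lock), versions(new_lock)
    return {n: v for n, v in after.items() if before.get(n) != v}

def evaluate(changed, findings):
    """Gating rules over findings about changed packages; returns (passed, reasons)."""
    reasons = []
    for f in findings:
        if changed.get(f["package"]) != f["version"]:
            continue  # the PR did not introduce or update this package version
        label = f"{f['package']}@{f['version']}"
        if f.get("malicious") == "verified":
            reasons.append(f"{label}: verified malicious package")
        for v in f.get("vulnerabilities", []):
            if v["severity"].upper() in FAILING_SEVERITIES:
                reasons.append(f"{label}: {v['id']} ({v['severity']})")
        if f.get("license") in RISKY_LICENSES:
            reasons.append(f"{label}: risky license {f['license']}")
    return not reasons, reasons

# Constructed sample lockfiles (base vs. PR branch) and findings; the findings schema is hypothetical.
OLD_LOCK = {"packages": {"": {"name": "app"},
                         "node_modules/lodash": {"version": "4.17.20"},
                         "node_modules/left-pad": {"version": "1.3.0"}}}
NEW_LOCK = {"packages": {"": {"name": "app"},
                         "node_modules/lodash": {"version": "4.17.21"},
                         "node_modules/left-pad": {"version": "1.3.0"},
                         "node_modules/evil-pkg": {"version": "0.0.1"},
                         "node_modules/@org/copyleft": {"version": "2.0.0"}}}
FINDINGS = [  # OSV-EXAMPLE-* ids are placeholders, not real advisories
    {"package": "lodash", "version": "4.17.21", "license": "MIT",
     "vulnerabilities": [{"id": "OSV-EXAMPLE-1", "severity": "MODERATE"}]},
    {"package": "left-pad", "version": "1.3.0",  # unchanged in the PR: must be ignored
     "vulnerabilities": [{"id": "OSV-EXAMPLE-2", "severity": "HIGH"}]},
    {"package": "evil-pkg", "version": "0.0.1", "malicious": "verified"},
    {"package": "@org/copyleft", "version": "2.0.0", "license": "AGPL-3.0-only"}]

def demo():
    return evaluate(changed_packages(OLD_LOCK, NEW_LOCK), FINDINGS)
```

Note that the HIGH finding on left-pad does not fail the check because the PR did not touch that package; the check only gates what the pull request changes.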
