EXPERIMENTAL: This feature is experimental and may introduce breaking changes.
vet uses the code analysis framework built on tree-sitter parsers. The framework supports multiple languages and source repositories (local and remote), and writes findings to a SQLite database that vet scan uses to enrich manifest analysis.

Build a Code Analysis Database

Build a SQLite database from your source code. The database is a prerequisite for code analysis features in vet scan.
vet code scan --app /path/to/app \
    --db /tmp/code.db \
    --lang python
This command analyzes application code recursively in the specified directory and creates a SQLite database with the findings. Omit --lang to scan all supported languages.

Supported Languages

The code analysis framework supports these languages through tree-sitter parsers:
  • Python
  • JavaScript/TypeScript
  • Java
  • Go
  • And more…

Scan with Dependency Usage Analysis

Pass the database to vet scan via the --code flag. Dependency usage analysis is enabled by default when a code database is provided.
vet scan -D /path/to/code --code /tmp/code.db
With a code database, vet scan adds:
  1. Manifest Analysis: scans package manifests in the specified directory
  2. Usage Enrichment: enriches packages with dependency usage data from the database
  3. Evidence-Based Results: shows a scan summary with usage evidence and used-in-code tags for packages confirmed as used in code
[Screenshot: vet scan with code analysis database]

Practical Example

Full workflow for a Python project:

1. Analyze Code

Build the code analysis database for your Python project:
vet code scan --app ./src \
    --db ./analysis/code.db \
    --lang python

2. Enhanced Scan

Run vet scan with the code database:
vet scan -D . \
    --code ./analysis/code.db \
    --report-json results.json

3. Review Results

Check the scan results for:
  • Dependencies actually used in code vs. declared
  • Unused dependencies that could be removed
  • Usage patterns and import analysis

Advanced Usage

Multi-language Projects

For projects with multiple languages, omit the --lang flag:
vet code scan --app ./src --db ./analysis/polyglot.db

Custom Database Locations

Organize databases by project or environment:
# Development environment
vet code scan --app ./src --db ./analysis/dev-code.db

# Production analysis
vet code scan --app ./dist --db ./analysis/prod-code.db

Integration with CI/CD

# GitHub Actions example
- name: Build Code Analysis DB
  run: vet code scan --app ./src --db ./code-analysis.db

- name: Enhanced Security Scan
  run: vet scan -D . --code ./code-analysis.db --report-sarif security.sarif

Limitations

This feature is experimental and may have breaking changes. Test before using in production.
Code analysis adds processing time to scans. Weigh the accuracy benefit against the speed cost for your use case.
Code analysis databases can grow large for extensive codebases. Monitor disk usage and remove old databases periodically.

Related pages:
  • Code Framework: learn more about the underlying code analysis framework
  • Tree-sitter: understand the parsing technology behind code analysis
  • Dependency Usage Guide: see how to identify dependency usage in your code
  • Vet GitHub Repository: access the main Vet documentation and examples