vet can identify which dependencies your code actually uses via static code analysis. When triaging vulnerabilities, this lets you focus on packages that are imported and deprioritize those that are only declared.
EXPERIMENTAL: This feature is experimental and may introduce breaking changes.
This page covers the dependency-usage workflow. For the underlying Code Analysis feature, including supported languages and options, see the Code Analysis Guide.

Quick Start

Step 1: Create Code Analysis Database

Build a code analysis database for your source code:
vet code scan --app src --db /tmp/dump/vet-test.db
This analyzes code in the src directory, extracts import statements and usage patterns, and stores the results in a SQLite database.

Step 2: Scan with Usage Enrichment

Run a Vet scan enriched with the dependency usage database:
vet scan --code /tmp/dump/vet-test.db
Results now include:
  • Usage Evidence: which dependencies are actually imported and used
  • Used-in-Code Tags: markers on packages confirmed as used in code
  • Prioritized Results: packages with real usage are highlighted

Advanced Usage Patterns

Language-Specific Analysis

To target a specific language:
# Python projects
vet code scan --app src --db python-analysis.db --lang python

# JavaScript/TypeScript projects  
vet code scan --app src --db js-analysis.db --lang javascript

# Multi-language projects
vet code scan --app src --db full-analysis.db  # Auto-detect all languages

Understanding the Results

Usage Evidence Types

The code analysis records several types of evidence:
# Python example
import requests
from flask import Flask
These direct imports are tracked as usage evidence.

Tags and Annotations

Dependencies found in your source code are marked with the used-in-code tag, so you can prioritize them over packages that are only declared in a manifest.
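
The triage split described above, shown as an added example that is not vet's own code: it collects direct-import evidence with Python's ast module (vet itself uses Tree-sitter parsers) and separates declared packages into used-in-code and declared-only. The sample sources, the manifest list, and the IMPORT_NAMES mapping are constructed assumptions.

```python
import ast

# Constructed sample sources (path -> contents), not from a real project.
SAMPLE_SOURCES = {
    "src/app.py": "import requests\nfrom flask import Flask\nfrom . import helpers\n",
    "src/util.py": "import os\nimport yaml\n",
}
DECLARED = ["requests", "flask", "PyYAML", "urllib3"]  # constructed manifest
IMPORT_NAMES = {"pyyaml": "yaml"}  # assumption: package name -> import name

def direct_imports(source):
    """Return {top-level module: earliest line} for absolute imports."""
    found = {}
    for node in ast.walk(ast.parse(source)):
        names = []
        if isinstance(node, ast.Import):
            names = [alias.name for alias in node.names]
        elif isinstance(node, ast.ImportFrom) and node.level == 0 and node.module:
            names = [node.module]
        for name in names:
            top = name.split(".")[0]
            found[top] = min(found.get(top, node.lineno), node.lineno)
    return found

def collect_evidence(sources):
    """Map import name -> sorted 'path:line' evidence strings."""
    evidence = {}
    for path, text in sources.items():
        for module, line in direct_imports(text).items():
            evidence.setdefault(module, []).append(f"{path}:{line}")
    return {module: sorted(hits) for module, hits in evidence.items()}

def triage(declared, sources):
    """Split declared packages into used-in-code and declared-only."""
    evidence = collect_evidence(sources)
    used, declared_only = {}, []
    for pkg in declared:
        module = IMPORT_NAMES.get(pkg.lower(), pkg.lower().replace("-", "_"))
        if module in evidence:
            used[pkg] = evidence[module]
        else:
            declared_only.append(pkg)
    return used, declared_only

if __name__ == "__main__":
    used, declared_only = triage(DECLARED, SAMPLE_SOURCES)
    for pkg, where in used.items():
        print(f"{pkg}: used-in-code at {', '.join(where)}")
    print("declared only:", ", ".join(declared_only))
```

PyYAML is only matched because of the name mapping: a package whose import name differs from its distribution name would otherwise be misfiled as declared-only. urllib3 lands in declared-only even though requests depends on it at runtime, which is why such packages are deprioritized rather than dismissed.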

Scope Separation

Create separate databases for different scopes:
# Production code only
vet code scan --app src/main --db prod-analysis.db

# Include test code
vet code scan --app src --db full-analysis.db

Code Analysis Guide

Learn more about Vet’s code analysis capabilities

Policy as Code

Create policies that leverage usage information

Vet Repository

Access complete documentation and examples

Tree-sitter Parsers

Learn about the parsing technology behind code analysis