EXPERIMENTAL: This feature is experimental and may introduce breaking changes.

vet's code analysis framework is built on top of tree-sitter parsers. It is designed to support multiple languages and source repositories (local and remote), and to report the findings it produces.

vet uses these findings to create a Code analysis database, which can be used for enriching and analyzing manifests during scanning.

Build a Code Analysis Database

Analyze code and build a SQLite database for further analysis. This is a prerequisite to enable code analysis features in vet scan.

vet code scan --app /path/to/app \
    --db /tmp/code.db \
    --lang python

What This Command Does

Code Analysis

Uses the code analysis framework to recursively analyze application code in the specified directory

Language Support

Supports multiple languages - omit --lang to analyze all supported languages

Database Creation

Creates a SQLite database with reported findings for later use

Tree-sitter Powered

Uses tree-sitter parsers for accurate code parsing and analysis

Supported Languages

The code analysis framework supports multiple programming languages through tree-sitter parsers:

  • Python
  • JavaScript/TypeScript
  • Java
  • Go
  • And more…

Omit the --lang parameter to enable analysis of all supported languages automatically.

Scan with Dependency Usage Analysis

To enable code analysis features in vet scan, provide the Code analysis database path using the --code flag.

Dependency usage analysis is a fundamental feature that’s enabled by default when using a code database.

vet scan -D /path/to/code --code /tmp/code.db

Enhanced Scanning Features

When using code analysis, vet scan provides:

  1. Manifest Analysis: Analyzes package manifests in the specified directory
  2. Usage Enrichment: Uses the Code Analysis database to enrich packages with dependency usage data
  3. Evidence-Based Results: Shows a scan summary with usage evidence and used-in-code tags that prove a library is actually used

Practical Example

Here’s a complete workflow for analyzing a Python project:

1. Analyze Code

Build the code analysis database for your Python project:

vet code scan --app ./src \
    --db ./analysis/code.db \
    --lang python

2. Enhanced Scan

Run vet scan with code analysis integration:

vet scan -D . \
    --code ./analysis/code.db \
    --report-json results.json

3. Review Results

Check the scan results for:

  • Dependencies actually used in code vs. declared
  • Unused dependencies that could be removed
  • Usage patterns and import analysis

Benefits of Code Analysis

Accurate Risk Assessment

By identifying which dependencies are actually used in your code, you can:

  • Prioritize security fixes for actively used packages
  • Ignore vulnerabilities in unused dependencies
  • Make informed decisions about dependency removal

Dependency Optimization

Code analysis helps identify:

  • Unused Dependencies: Packages declared but never imported
  • Over-declared Dependencies: Libraries with minimal usage
  • Missing Dependencies: Code imports without corresponding declarations
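The following is an added illustration of the used / unused / undeclared classification described above and in "Scan with Dependency Usage Analysis"; it is not vet's code and does not use tree-sitter. It uses Python's own `ast` module on a small constructed project (the `SAMPLE_*` values and the `IMPORT_TO_DIST` mapping are assumptions made for this example) to show the same three outcomes: a declared dependency that is imported, one that is declared but never imported, and an import with no matching declaration.

```python
"""Toy dependency-usage check: compare declared requirements against the
imports actually found in source files.  Illustrative only; vet performs
this with tree-sitter and stores the findings in a SQLite database."""
import ast
import re
import sys

# Constructed sample input: a requirements.txt and two source files of a
# hypothetical project (not taken from any real project).
SAMPLE_REQUIREMENTS = """
requests==2.32.3
PyYAML>=6.0
left-pad-py  # declared but never imported
# a comment line
"""

SAMPLE_SOURCES = {
    "app/main.py": "import os\nimport requests\nfrom yaml import safe_load\n",
    "app/util.py": "from . import helpers\nimport cryptography.fernet as f\n",
}

# Constructed: import name -> distribution name where the two differ.
# A real tool needs package metadata for this; one entry is enough here.
IMPORT_TO_DIST = {"yaml": "PyYAML"}

# Standard-library modules are never dependencies.  sys.stdlib_module_names
# exists on Python 3.10+; the small fallback set is for older interpreters.
_STDLIB = getattr(sys, "stdlib_module_names", {"os", "sys", "re", "json"})


def normalize(name):
    """PEP 503 normalisation so 'PyYAML', 'pyyaml' and 'Py_YAML' compare equal."""
    return re.sub(r"[-_.]+", "-", name).lower()


def parse_requirements(text):
    """Return the normalised distribution names declared in a requirements.txt."""
    names = set()
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()      # drop comments
        if not line or line.startswith("-"):      # skip blanks and pip options
            continue
        m = re.match(r"[A-Za-z0-9][A-Za-z0-9._-]*", line)  # name before specifier
        if m:
            names.add(normalize(m.group(0)))
    return names


def top_level_imports(source):
    """Top-level module names imported by one file; relative imports are skipped."""
    found = set()
    for node in ast.walk(ast.parse(source)):
        if isinstance(node, ast.Import):
            for alias in node.names:
                found.add(alias.name.split(".")[0])
        elif isinstance(node, ast.ImportFrom):
            if node.level == 0 and node.module:   # level > 0 means 'from . import'
                found.add(node.module.split(".")[0])
    return found


def usage_report(requirements_text, sources):
    """Classify declared dependencies as used/unused and list undeclared imports.

    Returns {"used": {dist: [files]}, "unused": [dist], "undeclared": [dist]}.
    """
    declared = parse_requirements(requirements_text)
    used = {}
    for path, src in sources.items():
        for mod in top_level_imports(src):
            if mod in _STDLIB:
                continue
            dist = normalize(IMPORT_TO_DIST.get(mod, mod))
            used.setdefault(dist, set()).add(path)
    return {
        "used": {d: sorted(p) for d, p in used.items() if d in declared},
        "unused": sorted(declared - set(used)),
        "undeclared": sorted(set(used) - declared),
    }


if __name__ == "__main__":
    import json
    print(json.dumps(usage_report(SAMPLE_REQUIREMENTS, SAMPLE_SOURCES), indent=2))
```

On the constructed input the report lists `requests` and `pyyaml` as used (with the file that imports them), `left-pad-py` as unused, and `cryptography` as undeclared. The file list per package is the kind of evidence that lets a reviewer prioritise a vulnerability in an actively imported package over one in a dependency no code path touches.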

Supply Chain Insights

Enhanced visibility into:

  • How dependencies are used throughout your codebase
  • Which functions/modules are imported from each package
  • Dependency usage patterns and trends

Advanced Usage

Multi-language Projects

For projects with multiple languages, run analysis without the --lang flag:

vet code scan --app ./src --db ./analysis/polyglot.db

Custom Database Locations

Organize analysis databases by project or environment:

# Development environment
vet code scan --app ./src --db ./analysis/dev-code.db

# Production analysis
vet code scan --app ./dist --db ./analysis/prod-code.db

Integration with CI/CD

# GitHub Actions example
- name: Build Code Analysis DB
  run: vet code scan --app ./src --db ./code-analysis.db

- name: Enhanced Security Scan
  run: vet scan -D . --code ./code-analysis.db --report-sarif security.sarif

Limitations and Considerations