Code Analysis

vet uses the code analysis framework built on top of tree-sitter parsers. The goal of this framework is to support multiple languages, source repositories (local and remote), and report the findings.

vet uses these findings to create a Code analysis database, which can be used for enriching and analyzing manifests during scanning.

​

Build a Code Analysis Database

Analyze code and build a SQLite database for further analysis. This is a prerequisite to enable code analysis features in vet scan.

vet code scan --app /path/to/app \
    --db /tmp/code.db \
    --lang python

​

What This Command Does

​

Supported Languages

The code analysis framework supports multiple programming languages through tree-sitter parsers:

• Python
• JavaScript/TypeScript
• Java
• Go
• And more…

​

Scan with Dependency Usage Analysis

To enable code analysis features in vet scan, provide the Code analysis database path using the --code flag.

Dependency usage analysis is a fundamental feature that’s enabled by default when using a code database.

vet scan -D /path/to/code --code /tmp/code.db

​

Enhanced Scanning Features

When using code analysis, vet scan provides:

1. Manifest Analysis: Analyzes package manifests in the specified directory
2. Usage Enrichment: Uses the Code Analysis database to enrich packages with dependency usage data
3. Evidence-Based Results: Shows scan summary with usage evidences and used-in-code tags proving actual library usage

​

Practical Example

Here’s a complete workflow for analyzing a Python project:

vet code scan --app ./src \
    --db ./analysis/code.db \
    --lang python

vet scan -D . \
    --code ./analysis/code.db \
    --report-json results.json

​

Benefits of Code Analysis

​

Accurate Risk Assessment

By identifying which dependencies are actually used in your code, you can:

• Prioritize security fixes for actively used packages
• Ignore vulnerabilities in unused dependencies
• Make informed decisions about dependency removal

​

Dependency Optimization

Code analysis helps identify:

• Unused Dependencies: Packages declared but never imported
• Over-declared Dependencies: Libraries with minimal usage
• Missing Dependencies: Code imports without corresponding declarations

​

Supply Chain Insights

Enhanced visibility into:

• How dependencies are used throughout your codebase
• Which functions/modules are imported from each package
• Dependency usage patterns and trends

​

Advanced Usage

​

Multi-language Projects

For projects with multiple languages, run analysis without the --lang flag:

vet code scan --app ./src --db ./analysis/polyglot.db

​

Custom Database Locations

Organize analysis databases by project or environment:

# Development environment
vet code scan --app ./src --db ./analysis/dev-code.db

# Production analysis
vet code scan --app ./dist --db ./analysis/prod-code.db

​

Integration with CI/CD

# GitHub Actions example
- name: Build Code Analysis DB
  run: vet code scan --app ./src --db ./code-analysis.db

- name: Enhanced Security Scan
  run: vet scan -D . --code ./code-analysis.db --report-sarif security.sarif

​

Limitations and Considerations