Identify which dependencies are actually used in your code using static code analysis
vet can identify dependency usage in your code using static code analysis. This is particularly useful when dealing with vulnerabilities, allowing you to prioritize only those dependencies you’ve actually used in your code.
Focus security efforts on dependencies actually used in production code
Identify and remove unused dependencies to reduce attack surface
Get precise security posture by analyzing real dependency usage
Skip vulnerabilities in unused dependencies to speed up security fixes
Build a code analysis database with dependency usage evidence for source code:
This command analyzes the source code in the src directory.
Perform a vet scan enriched with dependency usage evidence:
The scan will now include:
Analyze specific programming languages:
The code analysis provides several types of evidence:
These direct imports are tracked as usage evidence.
Actual usage of imported modules is recorded.
References to specific classes and methods are tracked.
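As an added illustration (not vet's own code or its database format), the following Python example applies these evidence types to a constructed sample: it records import statements, checks whether each imported name is actually referenced, and tags every declared dependency as used-in-code, imported or declared-only. The manifest and source are constructed, and the dependency names are assumed to equal their import names.

```python
import ast
# Constructed sample manifest. For simplicity the names are importable module
# names; a real tool must map distribution names ("PyYAML") to modules ("yaml").
DECLARED = ["requests", "yaml", "numpy"]

# Constructed sample source: requests is imported and called, yaml is imported
# but never referenced, numpy is declared in the manifest but never imported.
SAMPLE_SOURCE = """
import requests
import yaml
from os import path
def fetch(url):
    return requests.get(url).text
"""

def import_bindings(tree: ast.AST) -> dict:
    """Import-statement evidence: maps each name an import binds to its module."""
    bound = {}
    for node in ast.walk(tree):
        if isinstance(node, ast.Import):
            for alias in node.names:
                top = alias.name.split(".")[0]      # 'import a.b' binds the name 'a'
                bound[alias.asname or top] = top
        elif isinstance(node, ast.ImportFrom) and node.module:
            top = node.module.split(".")[0]
            for alias in node.names:
                bound[alias.asname or alias.name] = top
    return bound

def loaded_names(tree: ast.AST) -> set:
    """Usage evidence: every name that is read (not merely bound) in the code."""
    return {n.id for n in ast.walk(tree)
            if isinstance(n, ast.Name) and isinstance(n.ctx, ast.Load)}

def classify(source: str, declared: list) -> dict:
    """Tag each declared dependency as used-in-code, imported, or declared-only."""
    tree = ast.parse(source)
    bound, used = import_bindings(tree), loaded_names(tree)
    used_modules = {mod for name, mod in bound.items() if name in used}
    imported_modules = set(bound.values())
    tags = {}
    for dep in declared:
        if dep in used_modules:
            tags[dep] = "used-in-code"
        elif dep in imported_modules:
            tags[dep] = "imported"
        else:
            tags[dep] = "declared-only"
    return tags
```

Running `classify(SAMPLE_SOURCE, DECLARED)` on the sample returns the three tags, one per declared dependency.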
In the scan results, you’ll see tags like:
used-in-code: Dependency is actually used in source code
imported: Module is imported but usage unclear
declared-only: Listed in manifest but no code usage found
Regular Updates
Rebuild code analysis databases when:
Environment Separation
Create separate analyses for different environments:
Policy Design
Design policies that leverage usage information:
No Usage Evidence Found
If no usage evidence is detected:
Database Size Issues
For large codebases:
Performance Considerations
Code analysis adds processing time:
Learn more about vet’s code analysis capabilities
Create policies that leverage usage information
Access complete documentation and examples
Learn about the parsing technology behind code analysis