GitHub Code Scanning

GitHub supports uploading SARIF reports to enable repository and organization-wide visibility of security events across different tools. vet supports exporting policy violation reports as SARIF which can be uploaded to GitHub.

​

Quick Setup with GitHub Action

vet has a dedicated GitHub Action for easy integration. This is the recommended approach for most teams.

​

Basic Configuration

Create .github/workflows/vet.yml in your repository:

name: OSS Security Scan
on:
  push:
    branches: [ main ]
  pull_request:
    branches: [ main ]

permissions:
  contents: read
  security-events: write
  pull-requests: write

jobs:
  vet-scan:
    runs-on: ubuntu-latest
    steps:
      - name: Checkout
        uses: actions/checkout@v4

      - name: Run vet
        id: vet
        uses: safedep/vet-action@v1
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}

      - name: Upload SARIF
        if: steps.vet.outputs.report != ''
        uses: github/codeql-action/upload-sarif@v3
        with:
          sarif_file: ${{ steps.vet.outputs.report }}
          category: vet

​

Advanced Configuration

For more control over the scanning process:

- name: Run vet with custom policy
  id: vet
  uses: safedep/vet-action@v1
  with:
    policy: '.github/vet/policy.yml'
  env:
    GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}

​

Manual SARIF Generation

You can also generate SARIF reports manually using the vet CLI:

vet scan -D /path/to/project --report-sarif /path/to/report.sarif

​

Viewing Results

Once the SARIF report is uploaded to GitHub, policy violations will be available in the GitHub Security tab. This provides a centralized view of policy violations across different repositories.

​

Pull Request Integration

The GitHub Action automatically adds comments to pull requests when security issues are found:

​

Best Practices

​

Troubleshooting