Skip to main content

Documentation Index

Fetch the complete documentation index at: https://docs.safedep.io/llms.txt

Use this file to discover all available pages before exploring further.

GitHub supports uploading SARIF reports to enable repository and organization-wide visibility of security events across different tools. vet supports exporting policy violation reports as SARIF which can be uploaded to GitHub.

Quick Setup with GitHub Action

vet has a dedicated GitHub Action for easy integration. This is the recommended approach for most teams.

Basic Configuration

Create .github/workflows/vet.yml in your repository: 
name: OSS Security Scan
on:
  push:
    branches: [ main ]
  pull_request:
    branches: [ main ]

permissions:
  contents: read
  security-events: write
  pull-requests: write

jobs:
  vet-scan:
    runs-on: ubuntu-latest
    steps:
      - name: Checkout
        uses: actions/checkout@v4

      - name: Run vet
        id: vet
        uses: safedep/vet-action@v1
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}

      - name: Upload SARIF
        if: steps.vet.outputs.report != ''
        uses: github/codeql-action/upload-sarif@v3
        with:
          sarif_file: ${{ steps.vet.outputs.report }}
          category: vet
SARIF reports work when you enable GitHub Code Scanning in your repository. Learn more

Advanced Configuration

For more control over the scanning process: 
- name: Run vet with custom policy
  id: vet
  uses: safedep/vet-action@v1
  with:
    policy: '.github/vet/policy.yml'
  env:
    GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}

Manual SARIF Generation

You can also generate SARIF reports manually using the vet CLI: 
vet scan -D /path/to/project --report-sarif /path/to/report.sarif
vet will only include policy violations in the SARIF report. A policy must be provided using --filter or --filter-suite flag during scan.

Viewing Results

Once the SARIF report is uploaded to GitHub, policy violations will be available in the GitHub Security tab. This provides a centralized view of policy violations across different repositories. GitHub Code Scanning Alerts

Pull Request Integration

The GitHub Action automatically adds comments to pull requests when security issues are found: vet GitHub Action PR comment

Best Practices

Store your vet policies in version control (e.g., .github/vet/policy.yml) to ensure consistent security standards across your organization.
Configure branch protection rules to require the vet check to pass before merging pull requests.
Use GitHub organization templates to deploy vet across all repositories automatically.
For production workflows, pin third-party GitHub Actions to a full commit SHA rather than a mutable tag. This protects against tag-moving attacks where a compromised upstream action could inject malicious code.
# Instead of:
uses: actions/checkout@v4

# Pin to a specific commit SHA:
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
The actions/checkout and github/codeql-action release pages list the commit SHA for each release. safedep/vet-action uses semantic versioning tags that we control directly.

Troubleshooting

Ensure the security-events: write permission is set in your workflow file and that Code Scanning is enabled for your repository.
Check that your policy configuration is correct and that violations actually exist. Use --report-json locally to debug.

vet-action Repository

View the complete documentation and examples

Full Example Workflow

See a complete GitHub Actions workflow example