🧩 Configuring Vet
vet comes with super powers 🚀. This section helps you understand and explore some of them so that you can take your open source security to the next level 😎

API Key
vet uses a control plane API to obtain the insights it needs to enrich information about dependencies.
Generating an API key
- Run the following command with your email address. You will then receive an email containing the API key.
vet auth trial --email john.doe@example.com

Configuring an API key
- You can configure the API key using the following command:
vet auth configure

- You can also pass the API key through the VET_API_KEY environment variable
Renewing an API key
- To renew an API key, re-register using your email address. You can also reach out to us at contact@safedep.io and we would be happy to work with you.
Using Community Mode
- You can use the community endpoint for the Insights API without an API key:
vet auth configure --community
- For a CI job, set the environment variable VET_COMMUNITY_MODE=true to enable community runtime mode
Scanning
Scanning Directories
- If you want to scan a whole directory and automatically parse the dependencies/lockfiles, use the -D or --directory flag.
vet scan -D your-code/directory/path/
Info: If you do not specify a directory, vet takes the present working directory as the input by default.
Scanning Files
- If you want to scan a specific lockfile, use the -L or --lockfiles flag.
vet scan --lockfiles /path/to/gradle.lockfile
Info: If you do not specify a directory, vet takes the present working directory as the input by default.
Scanning Non-standard files
- Sometimes dependency manifests or lockfiles have non-standard filenames. You can scan such a file as a supported package manifest by naming its format with the --lockfile-as flag:
vet scan --lockfiles /path/to/gradle-compileOnly.lock --lockfile-as gradle.lockfile
Scanning Multiple files
vet scan --lockfiles /path/to/gradle.lockfile --lockfiles requirements.txt

Scanning Parsers
vet currently has 10 scanning parsers for various dependency formats, including Go, Python, Java, etc.
❯ vet scan parsers
Available Lockfile Parsers
==========================
[0] buildscript-gradle.lockfile
[1] go.mod
[2] gradle.lockfile
[3] package-lock.json
[4] Pipfile.lock
[5] pnpm-lock.yaml
[6] poetry.lock
[7] pom.xml
[8] requirements.txt
[9] yarn.lock
Scan Options
Silent scan
vet supports a silent scan, which prevents rendering the UI, using the following command with the -s or --silent flag
vet scan -s --lockfiles demo-client-java/gradle.lockfile

Scan concurrency
- Concurrency is set to 5 by default. You can increase or decrease it using the --concurrency or -C flag
❯ vet scan -C 10 --lockfiles demo-client-java/gradle.lockfile
Scanning packages ... done! [115 in 5.87s]
Scanning manifests ... done! [1 in 5.87s]
- Compare the scan time above with the one below for the same file(s)
❯ vet scan -C 1 --lockfiles demo-client-java/gradle.lockfile
Scanning packages ... done! [115 in 10.567s]
Scanning manifests ... done! [1 in 10.567s]
Scanning transitive dependencies
- You can scan transitive dependencies by running the following command with the --transitive flag
vet scan --transitive --lockfiles demo-client-java/gradle.lockfile

- As you can see, the above scan found issues across 201 libraries
Configuring transitive dependencies depth level
- You can change the transitive dependency scan depth by running the following command with the --transitive-depth flag
vet scan --transitive --transitive-depth 5 --lockfiles demo-client-java/gradle.lockfile

- As you can see, the above scan found issues across 237 libraries
Info: If you don't specify the flag, the depth defaults to 2.
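
The authentication and scan settings above combined into one CI step, as an added example that is not part of the vet documentation or project: a POSIX shell wrapper that refuses to run unless VET_API_KEY or VET_COMMUNITY_MODE=true is set, then runs a silent transitive scan over the given lockfiles. SCAN_DEPTH, SCAN_CONCURRENCY and DRY_RUN are names assumed for this wrapper; the vet flags and VET_* variables are the ones shown on this page.

```shell
#!/bin/sh
# Added example, not vet project code. SCAN_DEPTH, SCAN_CONCURRENCY and DRY_RUN
# are this wrapper's own (hypothetical) variables; VET_API_KEY,
# VET_COMMUNITY_MODE and every vet flag used here appear on this page.

is_uint() { case "$1" in ''|*[!0-9]*) return 1 ;; esac; }

# Print "api-key" or "community"; fail if the job has no way to authenticate.
vet_auth_mode() {
  if [ -n "${VET_API_KEY:-}" ]; then
    echo "api-key"
  elif [ "${VET_COMMUNITY_MODE:-}" = "true" ]; then
    echo "community"
  else
    echo "set VET_API_KEY or VET_COMMUNITY_MODE=true" >&2
    return 1
  fi
}

# Usage: vet_ci_scan LOCKFILE...
vet_ci_scan() {
  _mode=$(vet_auth_mode) || return 1
  _depth=${SCAN_DEPTH:-2}        # the page gives 2 as the default depth
  _conc=${SCAN_CONCURRENCY:-5}   # the page gives 5 as the default concurrency
  if ! is_uint "$_depth" || ! is_uint "$_conc"; then
    echo "depth and concurrency must be non-negative integers" >&2
    return 1
  fi
  [ "$#" -gt 0 ] || { echo "no lockfiles given" >&2; return 1; }

  # Rewrite each path as "--lockfiles PATH" without word-splitting the paths.
  for _f in "$@"; do
    set -- "$@" --lockfiles "$_f"
    shift
  done
  set -- scan -s -C "$_conc" --transitive --transitive-depth "$_depth" "$@"

  echo "vet auth mode: $_mode" >&2   # log the mode, never the key itself
  if [ "${DRY_RUN:-0}" = "1" ]; then
    echo "vet $*"                    # show the command instead of running it
  else
    vet "$@"
  fi
}

# Dry run with constructed paths: prints the command, does not call vet.
( DRY_RUN=1; VET_COMMUNITY_MODE=true; vet_ci_scan /path/to/gradle.lockfile requirements.txt )
```

In a real job, supply VET_API_KEY from the CI system's secret store and call vet_ci_scan with the repository's lockfiles, leaving DRY_RUN unset.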