Automic VaultAutomic Vault

brew

Install vet with Homebrew

Policy driven vetting of open source dependencies. Version 1.17.5 via Homebrew; verified 2026-06-24.

install

Additional install commands

macOS

Homebrewverified ยท 100%
brew install vet

local Homebrew formula metadata

overview

Package summary

Policy driven vetting of open source dependencies

Commands and aliases

  • vet

history

Project history and usage

SafeDep vet is an open-source software-composition-analysis CLI for dependency vetting. It scans repositories, manifests, SBOMs, package URLs, container images, and related inputs, enriches dependencies with risk data, and evaluates policy rules so teams can block vulnerable, malicious, unhealthy, or non-compliant open-source components.

Project history

The public repository was created on December 30, 2022, with early development releases appearing in January 2023. The project grew around the post-SolarWinds and post-typosquatting supply-chain-security problem: application teams needed automated dependency review that could be enforced locally and in CI rather than handled as a manual checklist.

SafeDep documentation describes Vet as a free, open-source SCA scanner for malicious, vulnerable, and risky dependencies in code and CI/CD. Its policy approach uses CEL expressions and policy suites, tying it to the broader policy-as-code movement rather than only to fixed vulnerability reports.

Adoption history

Vet's adoption path is integration-driven. The project documents use in local scans, arbitrary CI systems, and a native GitHub Action for policy-driven guardrails. Its README also lists multi-ecosystem support across common package managers, container images, SBOM formats, and source repositories, which makes it useful as a cross-language dependency gate.

As SafeDep expanded, Vet became the CLI engine for a larger supply-chain-security platform. Official materials connect the CLI to OSV, OpenSSF Scorecard, deps.dev, SafeDep malware intelligence, active malware analysis, SARIF/JSON/CSV reporting, and SafeDep Cloud.

How it is used

Typical use starts with `vet scan -D /path/to/dir` to auto-discover known dependency manifests in a repository. Users can also scan a single manifest, a package URL, a Java archive, an OCI image, or an SBOM, then apply CEL filters or filter suites to fail a build when packages violate organization policy.

The tool is especially useful when teams want dependency governance to be versioned with the code. A repository can carry a YAML policy file that blocks critical vulnerabilities, disallowed licenses, low-maintenance projects, known malware indicators, or other package metadata conditions.

Why package nerds care

Vet sits in the package-nerd sweet spot where registry metadata, vulnerability feeds, maintainer health, malware signals, and CI enforcement all meet. It is less about one ecosystem's lockfile and more about making open-source dependency choice auditable across ecosystems.

Timeline

  • 2022-12-30: GitHub repository created.
  • 2023-01-12: Early v0.0.1-dev release published.
  • 2026-06-24: GitHub page lists v1.17.5 as the latest release.
  • 2020s: SafeDep documentation positions Vet as a policy-as-code SCA scanner integrated with CI/CD and supply-chain intelligence sources.

Related projects

  • SafeDep Cloud: hosted intelligence and policy services used with Vet.
  • vet-action: the GitHub Action integration for running Vet in CI.
  • OSV, OpenSSF Scorecard, deps.dev, Syft, and SLSA: ecosystem data and standards referenced by the project documentation and README.

security posture

No protected-tool coverage found yet

No matching local secret-handling manifest was found for vet. Nucleus package metadata is still published here so future coverage has a stable package URL.

Install behavior

  • No Homebrew post-install hook is recorded in formula metadata.
  • Homebrew bottle metadata is available for 6 platform targets.
  • Installs with 1 runtime dependencies.

Recommended review

Before unattended agent use, check whether the tool reads plaintext credentials, writes remote state, publishes artifacts, or shells out to plugins.

local files

Configuration and credential file locations

These source-backed paths show where this package keeps local settings or durable credentials. Automic Vault can use them as review targets for secret scanning, migration, and command approval.

Configuration files

Config paths the tool may read or write during local use.

Unix
vet.yamlvet.yml.vet.yaml.vet.yml

executables

Installed executables

CommandKindExposureNote
vetcliglobal executable

freshness

Version and freshness

These signals separate page generation age, package-manager activity, and upstream release comparison. Version lag is warned only when an evidence URL and comparable versions are present.

page generated2026-07-08
manager version1.17.5
manager updated2026-06-24
local dataok
upstreamcurrent
latest detectedv1.17.5

https://github.com/safedep/vet

  • okNo freshness warnings were generated.

install metadata

Package metadata

Package keybrew:vet
Version1.17.5
Package managerHomebrew
Package manager pagehttps://formulae.brew.sh/formula/vet
Homepagehttps://safedep.io/
Repositoryhttps://github.com/safedep/vet
Upstream docshttps://docs.safedep.io/
LicenseApache-2.0
Source archivehttps://github.com/safedep/vet/archive/refs/tags/v1.17.5.tar.gz
Last updated2026-06-24T14:11:35Z
Pulseupdated
Dependenciesgo
Bottleavailable (on arm64_linux, arm64_sequoia, arm64_sonoma, arm64_tahoe, sonoma, x86_64_linux)
Homebrew post-installnot defined
Servicenone declared

registry facts

Source database details

Source DatabaseHomebrew formula API
Taphomebrew/core
Full Namevet
Version Scheme0
Revision0
Bottle Stable Root URLhttps://ghcr.io/v2/homebrew/core
Deprecatedno
Disabledno
Keg Onlyno
URL Keys
  • stable

source trail

Generated from repository data

This page is generated by av-web from the private package SQLite artifact built by scripts/generate-pkg-sqlite.py.

Used sources

  • Geiger risk classifier
  • Nucleus package database
  • av.db category and tag curation
  • cross-ecosystem install command graph
  • curated configuration and credential file locations
  • curated package history
  • package relationship graph
  • package version freshness
  • package-page enrichment