macOS
brew install vetlocal Homebrew formula metadata
brew
Policy driven vetting of open source dependencies. Version 1.17.5 via Homebrew; verified 2026-06-24.
install
brew install vetlocal Homebrew formula metadata
overview
Policy driven vetting of open source dependencies
history
SafeDep vet is an open-source software-composition-analysis CLI for dependency vetting. It scans repositories, manifests, SBOMs, package URLs, container images, and related inputs, enriches dependencies with risk data, and evaluates policy rules so teams can block vulnerable, malicious, unhealthy, or non-compliant open-source components.
The public repository was created on December 30, 2022, with early development releases appearing in January 2023. The project grew around the post-SolarWinds and post-typosquatting supply-chain-security problem: application teams needed automated dependency review that could be enforced locally and in CI rather than handled as a manual checklist.
SafeDep documentation describes Vet as a free, open-source SCA scanner for malicious, vulnerable, and risky dependencies in code and CI/CD. Its policy approach uses CEL expressions and policy suites, tying it to the broader policy-as-code movement rather than only to fixed vulnerability reports.
Vet's adoption path is integration-driven. The project documents use in local scans, arbitrary CI systems, and a native GitHub Action for policy-driven guardrails. Its README also lists multi-ecosystem support across common package managers, container images, SBOM formats, and source repositories, which makes it useful as a cross-language dependency gate.
As SafeDep expanded, Vet became the CLI engine for a larger supply-chain-security platform. Official materials connect the CLI to OSV, OpenSSF Scorecard, deps.dev, SafeDep malware intelligence, active malware analysis, SARIF/JSON/CSV reporting, and SafeDep Cloud.
Typical use starts with `vet scan -D /path/to/dir` to auto-discover known dependency manifests in a repository. Users can also scan a single manifest, a package URL, a Java archive, an OCI image, or an SBOM, then apply CEL filters or filter suites to fail a build when packages violate organization policy.
The tool is especially useful when teams want dependency governance to be versioned with the code. A repository can carry a YAML policy file that blocks critical vulnerabilities, disallowed licenses, low-maintenance projects, known malware indicators, or other package metadata conditions.
Vet sits in the package-nerd sweet spot where registry metadata, vulnerability feeds, maintainer health, malware signals, and CI enforcement all meet. It is less about one ecosystem's lockfile and more about making open-source dependency choice auditable across ecosystems.
security posture
No matching local secret-handling manifest was found for vet. Nucleus package metadata is still published here so future coverage has a stable package URL.
Before unattended agent use, check whether the tool reads plaintext credentials, writes remote state, publishes artifacts, or shells out to plugins.
local files
These source-backed paths show where this package keeps local settings or durable credentials. Automic Vault can use them as review targets for secret scanning, migration, and command approval.
Config paths the tool may read or write during local use.
vet.yamlvet.yml.vet.yaml.vet.ymlexecutables
| Command | Kind | Exposure | Note |
|---|---|---|---|
vet | cli | global executable |
freshness
These signals separate page generation age, package-manager activity, and upstream release comparison. Version lag is warned only when an evidence URL and comparable versions are present.
https://github.com/safedep/vet
install metadata
| Package key | brew:vet |
|---|---|
| Version | 1.17.5 |
| Package manager | Homebrew |
| Package manager page | https://formulae.brew.sh/formula/vet |
| Homepage | https://safedep.io/ |
| Repository | https://github.com/safedep/vet |
| Upstream docs | https://docs.safedep.io/ |
| License | Apache-2.0 |
| Source archive | https://github.com/safedep/vet/archive/refs/tags/v1.17.5.tar.gz |
| Last updated | 2026-06-24T14:11:35Z |
| Pulse | updated |
| Dependencies | go |
| Bottle | available (on arm64_linux, arm64_sequoia, arm64_sonoma, arm64_tahoe, sonoma, x86_64_linux) |
| Homebrew post-install | not defined |
| Service | none declared |
registry facts
| Source Database | Homebrew formula API |
|---|---|
| Tap | homebrew/core |
| Full Name | vet |
| Version Scheme | 0 |
| Revision | 0 |
| Bottle Stable Root URL | https://ghcr.io/v2/homebrew/core |
| Deprecated | no |
| Disabled | no |
| Keg Only | no |
| URL Keys |
|
source trail
This page is generated by av-web from the private package SQLite artifact built by scripts/generate-pkg-sqlite.py.
View the package source record on GitHub.