# Install vet with Homebrew

Policy driven vetting of open source dependencies. Version 1.17.5 via Homebrew; verified 2026-06-24.

## Install

```sh
sudo av install brew:vet
```

Additional install commands:

### macOS

- Homebrew (100%):

```sh
brew install vet
```

  Evidence: local Homebrew formula metadata

## Package facts

- **Package key:** brew:vet
- **Package manager:** Homebrew
- **Package manager page:** <https://formulae.brew.sh/formula/vet>
- **Version:** 1.17.5
- **Source summary:** Policy driven vetting of open source dependencies
- **Homepage:** <https://safedep.io/>
- **Repository:** <https://github.com/safedep/vet>
- **Upstream docs:** <https://docs.safedep.io/>
- **License:** Apache-2.0
- **Source archive:** <https://github.com/safedep/vet/archive/refs/tags/v1.17.5.tar.gz>
- **Last updated:** 2026-06-24T14:11:35Z
- **Generated:** 2026-07-08T18:08:21+00:00

## Executables

- vet (cli)
- vet (alias)

## Dependencies

- go

## Install behavior

- Post-install hook: not defined
- Bottle: available on arm64_linux, arm64_sequoia, arm64_sonoma, arm64_tahoe, sonoma, x86_64_linux

## Freshness

- Page generated: 2026-07-08
- Package-manager version: 1.17.5
- Package-manager updated: 2026-06-24
- Local data: ok
- Upstream repository: https://github.com/safedep/vet
- Upstream latest detected: v1.17.5 (current)
## Project history and usage

SafeDep vet is an open-source software-composition-analysis CLI for dependency vetting. It scans repositories, manifests, SBOMs, package URLs, container images, and related inputs, enriches dependencies with risk data, and evaluates policy rules so teams can block vulnerable, malicious, unhealthy, or non-compliant open-source components.

### Project history

The public repository was created on December 30, 2022, with early development releases appearing in January 2023. The project grew around the post-SolarWinds and post-typosquatting supply-chain-security problem: application teams needed automated dependency review that could be enforced locally and in CI rather than handled as a manual checklist.

SafeDep documentation describes Vet as a free, open-source SCA scanner for malicious, vulnerable, and risky dependencies in code and CI/CD. Its policy approach uses CEL expressions and policy suites, tying it to the broader policy-as-code movement rather than only to fixed vulnerability reports.

### Adoption history

Vet's adoption path is integration-driven. The project documents use in local scans, arbitrary CI systems, and a native GitHub Action for policy-driven guardrails. Its README also lists multi-ecosystem support across common package managers, container images, SBOM formats, and source repositories, which makes it useful as a cross-language dependency gate.

As SafeDep expanded, Vet became the CLI engine for a larger supply-chain-security platform. Official materials connect the CLI to OSV, OpenSSF Scorecard, deps.dev, SafeDep malware intelligence, active malware analysis, SARIF/JSON/CSV reporting, and SafeDep Cloud.

### How it is used

Typical use starts with `vet scan -D /path/to/dir` to auto-discover known dependency manifests in a repository. Users can also scan a single manifest, a package URL, a Java archive, an OCI image, or an SBOM, then apply CEL filters or filter suites to fail a build when packages violate organization policy.

The tool is especially useful when teams want dependency governance to be versioned with the code. A repository can carry a YAML policy file that blocks critical vulnerabilities, disallowed licenses, low-maintenance projects, known malware indicators, or other package metadata conditions.

### Why package nerds care

Vet sits in the package-nerd sweet spot where registry metadata, vulnerability feeds, maintainer health, malware signals, and CI enforcement all meet. It is less about one ecosystem's lockfile and more about making open-source dependency choice auditable across ecosystems.

### Timeline

- 2022-12-30: GitHub repository created.
- 2023-01-12: Early v0.0.1-dev release published.
- 2026-06-24: GitHub page lists v1.17.5 as the latest release.
- 2020s: SafeDep documentation positions Vet as a policy-as-code SCA scanner integrated with CI/CD and supply-chain intelligence sources.

### Related projects

- SafeDep Cloud: hosted intelligence and policy services used with Vet.
- vet-action: the GitHub Action integration for running Vet in CI.
- OSV, OpenSSF Scorecard, deps.dev, Syft, and SLSA: ecosystem data and standards referenced by the project documentation and README.

### Sources

- <https://api.github.com/repos/safedep/vet>
- <https://api.github.com/repos/safedep/vet/releases?per_page=100>
- <https://docs.safedep.io/vet/advanced/policy-as-code>
- <https://docs.safedep.io/vet/concepts/why-vet>
- <https://docs.safedep.io/vet/quickstart>
- <https://github.com/safedep/vet>


## Security Notes

No matching local secret-handling manifest was found for vet. Nucleus package metadata is still published here so future coverage has a stable package URL.



## Configuration and credential file locations

These source-backed paths show where this package keeps local settings or durable credentials. Automic Vault can use them as review targets for secret scanning, migration, and command approval.


## Configuration files

- Unix: vet.yaml, vet.yml, .vet.yaml, .vet.yml
## Source Database Details

- **Source Database:** Homebrew formula API
- **Tap:** homebrew/core
- **Full Name:** vet
- **Version Scheme:** 0
- **Revision:** 0
- **Bottle Stable Root URL:** <https://ghcr.io/v2/homebrew/core>
- **Deprecated:** no
- **Disabled:** no
- **Keg Only:** no
- **URL Keys:** stable


## Related links

- [Terminal utility packages](https://www.automicvault.com/pkg/terminal-utilities/) - Matched terminal and command-line workflow metadata.
- [Networking and protocol packages](https://www.automicvault.com/pkg/networking-protocol-tools/) - Matched network, protocol, or remote-service metadata.
- [Security and crypto packages](https://www.automicvault.com/pkg/security-crypto-tools/) - Matched security, identity, cryptography, password, signing, or certificate metadata.
- [Package ecosystem packages](https://www.automicvault.com/pkg/package-ecosystem-tools/) - Matched package manager, installer, dependency, registry, or publishing metadata.
- [go](https://www.automicvault.com/pkg/brew/go/) - Runtime dependency declared by Homebrew.
- [chain-bench](https://www.automicvault.com/pkg/brew/chain-bench/) - Shares av.db curated category or tags: cli, security, supply-chain, supply-chain-security.
- [zizmor](https://www.automicvault.com/pkg/brew/zizmor/) - Shares av.db curated category or tags: cli, security, supply-chain, supply-chain-security.
- [minder](https://www.automicvault.com/pkg/brew/minder/) - Shares av.db curated category or tags: cli, policy-as-code, security, supply-chain-security.
- [opensca-cli](https://www.automicvault.com/pkg/brew/opensca-cli/) - Shares av.db curated category or tags: cli, security, supply-chain, supply-chain-security.
- [parlay](https://www.automicvault.com/pkg/brew/parlay/) - Shares av.db curated category or tags: cli, security, supply-chain, supply-chain-security.
- [ratchet](https://www.automicvault.com/pkg/brew/ratchet/) - Shares av.db curated category or tags: cli, security, supply-chain.
- [ratify](https://www.automicvault.com/pkg/brew/ratify/) - Shares av.db curated category or tags: cli, security, supply-chain, supply-chain-security.
- [retire](https://www.automicvault.com/pkg/brew/retire/) - Shares av.db curated category or tags: cli, dependency-analysis, security, software-composition-analysis.

## Combined YAML source

View the package source record on GitHub. [combined/vet.yml](https://github.com/automic-vault/db/blob/main/combined/vet.yml)


## Sources

- Nucleus package database
- Geiger risk classifier
- package-page enrichment
- curated configuration and credential file locations
- curated package history
- package version freshness
- av.db category and tag curation
- package relationship graph
- cross-ecosystem install command graph
