SafeDep

Created 5 months ago

Enterprise grade open source software supply chain security tool for developers and security engineers.

development security open source supply chain mcp

What is SafeDep?

SafeDep `vet-mcp` helps in vetting open source packages for security risks, such as vulnerabilities and malicious code, before they're used in your project, especially with AI-generated code suggestions.

Documentation

🎯 Why vet?

70-90% of modern software consists of code from open sources. How do we know if it's safe? vet is an open source software supply chain security tool built for developers and security engineers who need:

- ✅ Next-gen Software Composition Analysis: vulnerability and malicious package detection
- ✅ Policy as Code: express opinionated security policies using CEL
- ✅ Real-time malicious package detection: powered by SafeDep Cloud active scanning
- ✅ Multi-ecosystem support: npm, PyPI, Maven, Go, Docker, GitHub Actions, and more
- ✅ CI/CD native: built for DevSecOps workflows with support for GitHub Actions, GitLab CI, and more
- ✅ MCP Server: run vet as an MCP server to vet open source packages from AI-suggested code
- ✅ Agents: run AI agents to query and analyze scan results

⚡ Quick Start

Install in seconds:

```bash
brew install safedep/tap/vet
```

or download a pre-built binary

Scan your project:

```bash
# Scan a directory
vet scan -D .

# Scan a single file
vet scan -M package-lock.json

# Fail CI on critical vulnerabilities
vet scan -D . --filter 'vulns.critical.exists(p, true)' --filter-fail

# Fail CI on OpenSSF Scorecard requirements
vet scan -D . --filter 'scorecard.scores.Maintained < 5' --filter-fail

# Fail CI if a package is published from a GitHub repository with less than 5 stars
vet scan -D . --filter 'projects.exists(p, p.type == "GITHUB" && p.stars < 5)' --filter-fail
```

## 🔒 Key Features

### 🕵️ Code Analysis

Unlike dependency scanners that flood you with noise, vet analyzes your actual code usage to prioritize real risks. See dependency usage evidence for more details.

### 🛡️ Malicious Package Detection

Integrated with SafeDep Cloud for real-time protection against malicious packages in the wild. Free for open source projects. Falls back to Query Mode when an API key is not provided. Read more about malicious package scanning.

### 📋 Policy as Code

Define security policies using CEL expressions to enforce context-specific security requirements.

```bash
# Filter for critical vulnerabilities
vet scan \
  --filter 'vulns.critical.exists(p, true)'

# Enforce license compliance
vet scan \
  --filter 'licenses.contains_license("GPL-3.0")'

# Enforce OpenSSF Scorecard requirements: require minimum scores
vet scan \
  --filter 'scorecard.scores.Maintained < 5'
```

### 🎯 **Multi-Format Support**
- **Package Managers**: npm, PyPI, Maven, Go, Ruby, Rust, PHP
- **Container Images**: Docker, OCI
- **SBOMs**: CycloneDX, SPDX
- **Binary Artifacts**: JAR files, Python wheels
- **Source Code**: Direct repository scanning

## 🤖 **MCP Server**
**vet** can be used as an MCP server to vet open source packages from AI suggested code.
```bash
# Start the MCP server with SSE transport
vet server mcp --server-type sse
```

For more details, see vet MCP Server documentation.

Server Config

{
  "mcpServers": {
    "safedep-server": {
      "command": "npx",
      "args": [
        "safedep"
      ]
    }
  }
}

Links & Status

Repository: github.com
Hosted: No
Global: No
Official: Yes

Project Info

Hosted Featured
Created At: Jul 02, 2025
Updated At: Aug 07, 2025
Author: SafeDep
Category: official
License: MIT License
Tags:
development security open source