Protect against vulnerable and malicious Open Source Software (OSS) dependencies using policy as code based guardrails

SafeDep GitHub Action

Created and maintained by with contributions from the community 🚀

GitHub Action for integrating vet in your workflow. Provides active protection against vulnerable, outdated, unpopular and malicious OSS dependencies using policy as code based guardrails.

Example Screenshot

Follow the setup instructions for a step-by-step guide on how to integrate vet in your GitHub repository with customizable policies.

Quick Start

Follow the quickstart if you want to integrate vet as a step in your existing GitHub Actions workflow. See Setup Instructions for a step-by-step guide on how to integrate vet in your GitHub repository.

TL;DR: add this GitHub Action to vet your changed dependencies during a pull request.

# Permissions the vet step needs; GitHub Actions only accepts them at the job (or workflow) level
permissions:
  contents: read
  issues: write
  pull-requests: write

steps:
  - name: Run vet
    id: vet
    uses: safedep/vet-action@v1
    env:
      GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}

The output of vet-action is a SARIF report that can be uploaded to GitHub Code Scanning.

Note: upload-sarif action requires GitHub Code Scanning to be enabled. This is available for public repositories and for private repositories with GitHub Advanced Security enabled.

# Permissions the upload step needs; set at the job (or workflow) level
permissions:
  contents: read
  security-events: write

steps:
  - name: Upload SARIF
    uses: github/codeql-action/upload-sarif@v3
    with:
      # path to the SARIF report written by the vet step
      sarif_file: ${{ }}
      category: vet

Setup Instructions

Follow these instructions to integrate vet as a GitHub Action in your GitHub repository:

  • Go to the root directory of your GitHub repository
  • Create the workflow and policy directories
      mkdir -p .github/workflows .github/vet
  • Download the policy file into the policy directory
      curl -o .github/vet/policy.yml -L
  • Download the vet GitHub Action workflow
      curl -o .github/workflows/vet-ci.yml -L
  • Review the policy file in .github/vet/policy.yml and edit as required
  • Push / PR your changes into the repository

Cloud Mode

vet-action integrates with SafeDep Cloud. With SafeDep Cloud, vet and vet-action provide additional services such as Malicious Package Analysis.

To use the SafeDep Cloud integration, you need:

  • SafeDep Cloud Tenant Domain (e.g.
  • SafeDep Cloud API Key (e.g. sfd_01234567890abcdefghijk)

Refer to the SafeDep Cloud Quickstart guide for how to obtain the information required to activate the cloud integration.

vet-action accepts the following additional configuration for customizing how vet is invoked during a scan:

| GitHub Action Input    | Example Value          | Notes                                                          |
|------------------------|------------------------|----------------------------------------------------------------|
| policy                 | policies/sample.yml    | Path to vet YAML policy file (filter suite)                    |
| exception-file         | config/exceptions.yml  | Path to vet exception YAML file                                |
| trusted-registries     |                        | Comma-separated string of registry base URLs                   |
| timeout                | 300                    | Max time in seconds to wait for external services              |
| cloud                  | true                   | Enable integration with SafeDep Cloud                          |
| cloud-tenant           |                        | SafeDep Cloud Tenant Domain                                    |
| cloud-key              | sfd_xxxx               | SafeDep Cloud API Key                                          |
| upload-sarif           | true                   | Upload SARIF report as artifact on push                        |
| add-step-summary       | true                   | Add job step summary report on push                            |
| enable-comments-proxy  | false                  | Enable Comments Proxy Server to create comments on GitHub PRs  |

Comments Proxy Server

The enable-comments-proxy configuration enables the Comments Proxy Server, which creates comments on GitHub PRs on the action's behalf. This is required when the action is invoked in a PR from a forked repository, because of the limitations of $GITHUB_TOKEN in that context. See ghcp for more details.

SECURITY NOTE: The Comments Proxy uses $GITHUB_TOKEN for authentication, to verify that the request comes from a GitHub Actions workflow associated with the repository. When enabled, vet-action calls the Comments Proxy Server with the $GITHUB_TOKEN available in the workflow. The proxy is used ONLY when vet-action fails to call the GitHub API due to the limitations of $GITHUB_TOKEN.

Trusted Registries

The trusted-registries configuration adds specific registry URLs to the allow list used when checking for lockfile inconsistencies. Example:

trusted-registries: |



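A complete workflow that wires the inputs from the configuration table above into a PR-triggered scan with SARIF upload, as an added example rather than the project's own vet-ci.yml. The secret and variable names, the registry URLs, and the `report` output name used for the SARIF path are assumptions; check them against the action's documentation.

```yaml
# .github/workflows/vet-ci.yml (example; not the project's shipped workflow)
name: vet OSS Components

on:
  pull_request:
  push:
    branches: [main]

jobs:
  vet:
    runs-on: ubuntu-latest
    # Least privilege: only what vet-action and upload-sarif need
    permissions:
      contents: read
      issues: write
      pull-requests: write
      security-events: write
    steps:
      - uses: actions/checkout@v4

      - name: Run vet
        id: vet
        uses: safedep/vet-action@v1
        with:
          policy: .github/vet/policy.yml
          exception-file: .github/vet/exceptions.yml
          timeout: 300
          # Constructed sample registries: the public npm registry plus an internal mirror
          trusted-registries: |
            https://registry.npmjs.org
            https://npm-mirror.example.internal
          cloud: true
          cloud-tenant: ${{ vars.SAFEDEP_CLOUD_TENANT }}   # assumed repository variable name
          cloud-key: ${{ secrets.SAFEDEP_CLOUD_API_KEY }}  # assumed secret name; never commit the key
          upload-sarif: true
          add-step-summary: true
          # Leave off unless fork PRs need comments: enabling it sends $GITHUB_TOKEN to the proxy
          enable-comments-proxy: false
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}

      - name: Upload SARIF
        if: always()   # upload findings even when the policy check fails the job
        uses: github/codeql-action/upload-sarif@v3
        with:
          sarif_file: ${{ steps.vet.outputs.report }}  # assumed output name
          category: vet
```

The SARIF upload requires Code Scanning to be enabled on the repository, as noted in the Quick Start.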
Refer to development documentation

SafeDep is not certified by GitHub. It is provided by a third-party and is governed by separate terms of service, privacy policy, and support documentation.