| | vet | scorecard |
|---|---|---|
| Mentions | 20 | 35 |
| Stars | 1,073 | 5,507 |
| Growth | 4.6% | 1.7% |
| Activity | 9.4 | 9.1 |
| Last commit | 1 day ago | 4 days ago |
| Language | Go | Go |
| License | Apache License 2.0 | Apache License 2.0 |
Stars - the number of stars that a project has on GitHub. Growth - month over month growth in stars.
Activity is a relative number indicating how actively a project is being developed. Recent commits have higher weight than older ones.
For example, an activity of 9.0 indicates that a project is amongst the top 10% of the most actively developed projects that we are tracking.
vet
- Show HN: Tips to stay safe from NPM supply chain attacks
For GitHub Actions, I found http://safedep.io/ to be helpful; not only does it guard against known attacks, but it also has its own malware detection engine.
- Vet: Open-source software supply chain security tool
- Tinycolor Supply Chain Attack Post-Mortem
- [GitHub - safedep/vet: Protect against malicious open source packages ](https://github.com/safedep/vet)
- Ask HN: What Are You Working On? (June 2025)
I am working on a next-gen software composition analysis tool that can identify malicious open source packages through code analysis. Adopts a policy as code (CEL) approach to build security guardrails against risky OSS components using opinionated policies.
GitHub: https://github.com/safedep/vet
- Vet MCP: Software Composition Analysis for AI Code Editors
- Malicious npm Package Impersonating Popular Express Cookie Parser
Our free and open source tool vet is integrated with the SafeDep Cloud Package Scanning Service and can be used to detect malicious packages before they are installed. vet-action is a GitHub Action that can be used to establish proactive guardrails against malicious open source packages in your GitHub Actions workflows.
- How to Effectively Vet Your Supply Chain for Optimal Performance
Explore about SafeDep on GitHub - https://github.com/safedep/vet
- Ask HN: How are you acquiring first 100 users?
Not sure if it's relevant because you specifically mentioned B2C.
For a cyber security product, we took the open source route. We build our core technology in public as an open source project.
https://github.com/safedep/vet
The commercial SaaS is for scaling and management. Our entire funnel is based on OSS: folks who have already found value and are looking to scale their deployment.
This model works for us, especially at our current stage where we are 100% engineering led.
- Show HN: MCP-Shield – Detects security issues in MCP servers
Maybe try out vet as well: https://github.com/safedep/vet
vet is backed by a code analysis engine that performs malicious package (npm, pypi etc.) scanning. We recently extended it to support GitHub repository scanning as well.
It found the malicious behaviour in mcp-servers-example/bad-mcp-server.js
- Agentic Analysis of Open Source Package Code for Malware
➡️ https://github.com/safedep/vet
scorecard
- Hardening the Chain: Automating OpenSSF Scorecard for Linux Security 🛡️
OpenSSF Scorecard Official Site
- Show HN: Shouldiuse.dev – software dependency health checker
- Bypassing GitHub Actions policies in the dumbest way possible
securityscorecard is easy to integrate (it's a CLI tool, or you run it as a GitHub Action); one of the checks it performs is "Pinned-Dependencies": https://github.com/ossf/scorecard/blob/main/docs/checks.md#p.... Checks that fail generate a security alert under Security -> Code scanning.
- Popular GitHub Action tj-actions/changed-files is compromised
OpenSSF scorecard flags dependencies (including GitHub actions) which aren’t pinned by hash
https://scorecard.dev/
https://github.com/ossf/scorecard/blob/main/docs/checks.md#p...
- Introducing OpenSSF Scorecard for OpenSauced
The OpenSSF Scorecard project is an effort to unify what best practices open source maintainers and consumers should use to judge if their code, practices, and dependencies are safe. Ultimately, the "scorecard" command line interface gives anyone the capability to inspect repositories, run "checks" against those repos, and derive an overall score for the risk profile of that project. It's a very powerful software tool that gives you a general picture of where a piece of software is considered risky. It can also be a great starting point for any open source maintainer to develop better practices and find out where they may need to make improvements. By providing a standardized approach to assessing open source security and compliance, the Scorecard helps organizations more easily identify supply chain risks and regulatory requirements.
- Scorecard: Assess Open Source Project Security
- Safe and Secure Consumption of Open Source Libraries
Scorecard checks are based on OpenSSF Scorecard Project
- Alert for Social Engineering Takeovers of Open Source Projects
- Can some expert analyze a github repo and tell us if it's really safe or not?
For general open source hygiene, I'd recommend running OpenSSF scorecards on your github repo and following-up on anything it suggests. https://github.com/ossf/scorecard.
- Securizing your GitHub org
The OSSF scorecard initiative is really good to assess your project against security best practices. I am not the first to write about this.
What are some alternatives?
cnspec - An open source, cloud-native security to protect everything from build to runtime
harden-runner - Harden-Runner is a CI/CD security agent that works like an EDR for GitHub Actions runners. It monitors network egress, file integrity, and process activity on those runners, detecting threats in real-time.
secure-repo - Orchestrate GitHub Actions Security
openRiskScore - A python framework for risk scoring
vet-action - GitHub Action for policy driven vetting of open source dependencies
in-toto - in-toto is a framework to protect supply chain integrity.