vet
scorecard
| vet | scorecard | |
|---|---|---|
| 17 | 33 | |
| 523 | 4,968 | |
| 25.6% | 1.1% | |
| 9.3 | 9.3 | |
| 5 days ago | 11 days ago | |
| Go | Go | |
| Apache License 2.0 | Apache License 2.0 |
Stars - the number of stars that a project has on GitHub. Growth - month over month growth in stars.
Activity is a relative number indicating how actively a project is being developed. Recent commits have higher weight than older ones.
For example, an activity of 9.0 indicates that a project is amongst the top 10% of the most actively developed projects that we are tracking.
vet
-
Ask HN: What Are You Working On? (June 2025)
I am working on a next-gen software composition analysis tool that can identify malicious open source packages through code analysis. Adopts a policy as code (CEL) approach to build security guardrails against risky OSS components using opinionated policies.
GitHub: https://github.com/safedep/vet
- Vet MCP: Software Composition Analysis for AI Code Editors
-
Malicious npm Package Impersonating Popular Express Cookie Parser
Our free and open source tool vet is integrated with the SafeDep Cloud Package Scanning Service and can be used to detect malicious packages before they are installed. vet-action is a GitHub Action that can be used to establish proactive guardrails against malicious open source packages in your GitHub Actions workflows.
-
How to Effectively Vet Your Supply Chain for Optimal Performance
Explore about SafeDep on GitHub - https://github.com/safedep/vet
-
Ask HN: How are you acquiring first 100 users?
Not sure if it’s relevant because you specifically mentioned about B2C.
For cyber security product, we took the open source route. We build our core technology in public as open source project.
https://github.com/safedep/vet
The commercial SaaS is for scaling and management. Our entire funnel is based on OSS. Folks who have already found value and is looking to scale their deployment.
This model works for us especially at our current stage where we are 100% engineering led.
-
Show HN: MCP-Shield – Detects security issues in MCP servers
May be try out vet as well: https://github.com/safedep/vet
vet is backed by a code analysis engine that performs malicious package (npm, pypi etc.) scanning. We recently extended it to support GitHub repository scanning as well.
It found the malicious behaviour in mcp-servers-example/bad-mcp-server.js
-
Agentic Analysis of Open Source Package Code for Malware
➡️ https://github.com/safedep/vet
-
Scanning Open Source Packages for Malicious Code 🚨
Malicious code in open sources is real and people get hacked due to it as we have seen with changed-files incident, ultralytics hack and multiple such incidents. vet now supports identification of malicious OSS packages through active code analysis.
- Show HN: Scan GitHub Actions for Malicious Code
-
Popular GitHub Action tj-actions/changed-files is compromised
I think the conventional approach of checking for vulnerabilities in 3rd party dependencies by querying CVE or some other database has set the current behaviour i.e. if its not vulnerable it must be safe. This implicit trust on vulnerability databases has been exploited in the wild to push malicious code to downstream users.
I think we will see security tools shifting towards "code" as the source of truth when making safety and security decision about 3rd party packages instead of relying only on known vulnerability databases.
Take a look at vet, we are working on active code analysis of OSS packages (+ transitive dependencies) to look for malicious code: https://github.com/safedep/vet
scorecard
- Show HN: Shouldiuse.dev – software dependency health checker
-
Bypassing GitHub Actions policies in the dumbest way possible
securityscorecard is easy to integrate (it's a cli tool or you run it as a github action), one of the checks it performs is "Pinned-Dependencies": https://github.com/ossf/scorecard/blob/main/docs/checks.md#p.... Checks that fail generate an security alert under Security -> Code scanning.
-
Popular GitHub Action tj-actions/changed-files is compromised
OpenSSF scorecard flags dependencies (including GitHub actions) which aren’t pinned by hash
https://scorecard.dev/
https://github.com/ossf/scorecard/blob/main/docs/checks.md#p...
-
Introducing OpenSSF Scorecard for OpenSauced
The OpenSSF Scorecard project is an effort to unify what best practices open source maintainers and consumers should use to judge if their code, practices, and dependencies are safe. Ultimately, the “scorecard” command line interface gives any the capability to inspect repositories, run “checks” against those repos, and derive an overall score for the risk profile of that project. It’s a very powerful software tool that gives you a general picture of where a piece of software is considered risky. It can also be a great starting point for any open source maintainer to develop better practices and find out where they may need to make improvements. By providing a standardized approach to assessing open source security and compliance, the Scorecard helps organizations more easily identify supply chain risks and regulatory requirements.
- Scorecard: Assess Open Source Project Security
-
Safe and Secure Consumption of Open Source Libraries
Scorecard checks are based on OpenSSF Scorecard Project
- Alert for Social Engineering Takeovers of Open Source Projects
-
Can some expert analyze a github repo and tell us if it's really safe or not?
For general open source hygiene, I'd recommend running OpenSSF scorecards on your github repo and following-up on anything it suggests. https://github.com/ossf/scorecard.
-
Securizing your GitHub org
The OSSF scorecard initiative is really good to assess your project against security best practices. I am not the first to write about this.
- OpenSSF Scorecard – Build better security habits, one test at a time
What are some alternatives?
solarsploit - Red team tool that emulates the SolarWinds CI compromise attack vector.
harden-runner - Harden-Runner is a CI/CD security agent that works like an EDR for GitHub Actions runners. It monitors network egress, file integrity, and process activity on those runners, detecting threats in real-time.
cnspec - An open source, cloud-native security to protect everything from build to runtime
openRiskScore - A python framework for risk scoring
minefield - Graphing SBOM's Fast.
cli - Snyk CLI scans and monitors your projects for security vulnerabilities.