Enterprise DNA
M MCP Servers Developer low

safedep/vet

by Various

Protect against malicious open source packages 🤖

S

MCP

safedep/vet

Added 1 June 2026

#devsecops #golang #hacktoberfest #npm #policy-as-code #pypi #rubygems #security

Overview

Vet is an open source tool that scans open source dependencies for malicious packages. It uses static analysis and community threat intelligence to detect known malware, typosquatting, and suspicious behavior in Go modules and other ecosystems.

Best for

Best for
Teams that want a lightweight, targeted check for malicious open source packages in their Go projects or CI pipelines.

Use cases

  • Audit third-party dependencies for known malicious packages before adding them to a project
  • Integrate into CI/CD pipelines to block builds that include flagged dependencies
  • Scan existing lockfiles or manifests to identify compromised or suspicious packages

How to use

Install

npm install -g @safedep/vet

Tested with

VS Code

Notes

Vet is an open source tool that scans open source dependencies for malicious packages. It uses static analysis and community threat intelligence to detect known malware, typosquatting, and suspicious behavior in Go modules and other ecosystems.

1,059 stars on GitHub. Last updated 2026-06-01. Licensed Apache-2.0.

Use cases

  • Audit third-party dependencies for known malicious packages before adding them to a project
  • Integrate into CI/CD pipelines to block builds that include flagged dependencies
  • Scan existing lockfiles or manifests to identify compromised or suspicious packages

Pros

  • Focused specifically on malicious package detection, not general vulnerability scanning
  • Written in Go, making it fast and easy to run in CI or locally
  • Leverages community threat feeds for up-to-date detection

Cons

  • Limited to ecosystems supported by its analysis engine (primarily Go, with partial support for others)
  • Relies on external threat feeds, which may have gaps or delays for novel attacks
  • No built-in remediation or dependency update suggestions

Indexed from awesome-mcp-servers-punkpeye and enriched against its public facts.

Pros

  • Focused specifically on malicious package detection, not general vulnerability scanning
  • Written in Go, making it fast and easy to run in CI or locally
  • Leverages community threat feeds for up-to-date detection

Cons

  • Limited to ecosystems supported by its analysis engine (primarily Go, with partial support for others)
  • Relies on external threat feeds, which may have gaps or delays for novel attacks
  • No built-in remediation or dependency update suggestions
Free 27-page guide

Get the free Developer’s Field Guide

A 27-page field guide to the AI coding workflow with Claude. Claude Code, MCP servers, the prompt patterns that work, and what to delegate. Free.

Enter your work email. We send it straight over, plus a few short notes worth knowing. Unsubscribe any time.

No spam. Unsubscribe any time.

Running a business, not writing the code? See the MCP servers picked for operators, and get your first one wired up with us.

Operator picks