
safedep/vet

by Various

Protect against malicious open source packages 🤖


Added 1 June 2026

#devsecops #golang #hacktoberfest #npm #policy-as-code #pypi #rubygems #security

Overview

Vet is an open source tool that scans open source dependencies for malicious packages. It uses static analysis and community threat intelligence to detect known malware, typosquatting, and suspicious behavior in Go modules and other ecosystems.

Best for

Teams that want a lightweight, targeted check for malicious open source packages in their Go projects or CI pipelines.

Use cases

  • Audit third-party dependencies for known malicious packages before adding them to a project
  • Integrate into CI/CD pipelines to block builds that include flagged dependencies
  • Scan existing lockfiles or manifests to identify compromised or suspicious packages

Notes

1,059 stars on GitHub. Last updated 2026-06-01. Licensed Apache-2.0.

Pros

  • Focused specifically on malicious package detection, not general vulnerability scanning
  • Written in Go, making it fast and easy to run in CI or locally
  • Leverages community threat feeds for up-to-date detection

Cons

  • Limited to ecosystems supported by its analysis engine (primarily Go, with partial support for others)
  • Relies on external threat feeds, which may have gaps or delays for novel attacks
  • No built-in remediation or dependency update suggestions

Indexed from awesome-mcp-servers-punkpeye and enriched against its public facts.