## vet scan

Scan and analyse package manifests

```
vet scan [flags]
```

### Options

```
      --code string                              Path to code analysis database generated by 'vet code scan'
      --code-dependency-usage-evidence           Enable dependency usage evidence during scan (default true)
  -C, --concurrency int                          Number of concurrent analysis to run (default 5)
      --defect-dojo-host-url string              DefectDojo Host URL eg. http://localhost:8080
      --defect-dojo-product-id int               DefectDojo Product ID (default -1)
  -D, --directory string                         The directory to scan for package manifests (default "/home/runner/work/vet/vet")
      --enrich                                   Enrich package metadata (almost always required) using Insights API (default true)
      --exclude stringArray                      Name patterns to ignore while scanning
      --experimental                             Enable experimental features in scanner
      --fail-fast                                Fail fast when an issue is identified
      --filter string                            Filter and print packages using CEL (DEPRECATED: use --policy instead)
      --filter-fail                              Fail the scan if the filter match any package (security gate)
      --filter-suite string                      Filter packages using CEL Filter Suite from file (DEPRECATED: use --policy-suite instead)
      --filter-v2 string                         Filter and print packages using CEL with Insights v2 data model (alias for --policy)
      --filter-v2-suite string                   Filter packages using CEL Filter Suite from file with Insights v2 data model (alias for --policy-suite)
      --github stringArray                       Github repository URL (Example: https://github.com/{org}/{repo})
      --github-org string                        Github organization URL (Example: https://github.com/safedep)
      --github-org-exclude-repos stringArray     Comma-separated list of GitHub repos to exclude during org scan (format: org/repo1,org/repo2)
      --github-org-max-repo int                  Maximum number of repositories to process for the Github Org (default 1000)
  -h, --help                                     help for scan
      --homebrew                                 Enable scanning for Homebrew packages
      --image string                             Image reference to run container image scanning (eg. node:latest)
      --image-no-remote                          Disable container image pulling when not found locally
      --insights-v2                              Enrich package metadata using Insights V2 API
      --json-dump-dir string                     Dump enriched package manifests as JSON files to dir
      --lockfile-as string                       Parser to use for the lockfile (vet scan parsers to list)
  -L, --lockfiles stringArray                    List of lockfiles to scan
      --malware                                  Enrich package metadata with active malware analysis results
      --malware-analysis-min-confidence string   Minimum confidence level for malicious package analysis result to fail fast (default "HIGH")
      --malware-analysis-timeout duration        Timeout for malicious package analysis (default 5m0s)
      --malware-query                            Enrich package metadata with known malicious packages data (default true)
      --malware-trust-tool-result                Trust malicious package analysis tool result without verification record
  -M, --manifests stringArray                    List of package manifest or archive to scan (example: jar:/tmp/foo.jar)
      --no-verify-auth                           Do not verify auth token before starting scan
      --policy string                            Filter and print packages using CEL with Policy Input schema
      --policy-suite string                      Filter packages using CEL Filter Suite from file with Policy Input schema
      --purl string                              PURL to scan
      --report-cdx string                        Generate CycloneDX report to file
      --report-cdx-app-name string               Application name used as root application component in CycloneDX BOM
      --report-console                           Print a report to the console
      --report-csv string                        Generate CSV report of filtered packages
      --report-defect-dojo                       Report to DefectDojo
      --report-gitlab string                     Generate GitLab dependency scanning report to file
      --report-graph string                      Generate dependency graph (if available) as dot files to directory
      --report-html string                       Path to write HTML report output
      --report-json string                       Generate consolidated JSON report to file (EXPERIMENTAL schema)
      --report-markdown string                   Generate consolidated markdown report to file
      --report-markdown-summary string           Generate consolidate summary in markdown
      --report-sarif string                      Generate SARIF report to file (*.sarif or *.sarif.json)
      --report-sarif-malware                     Include malware in SARIF report (Enabled by default) (default true)
      --report-sarif-vulns                       Include vulnerabilities in SARIF report (Enabled by default) (default true)
      --report-sqlite3 string                    Generate SQLite3 database report to file
      --report-sqlite3-append                    Append to existing SQLite3 database report
      --report-sqlite3-overwrite                 Overwrite existing SQLite3 database report
      --report-summary                           Print a summary report with actionable advice (default true)
      --report-summary-group-by-direct-deps      Group summary report by direct dependencies
      --report-summary-max-advice int            Maximum number of package risk advice to show (default 5)
      --report-summary-used-only                 Show only packages that are used in code (requires code analysis)
      --report-sync                              Enable syncing report data to cloud
      --report-sync-multi-project                Lazily create cloud sessions for multiple projects (per manifest)
      --report-sync-project string               Project name to use in cloud
      --report-sync-project-version string       Project stream name (e.g. branch) to use in cloud
  -s, --silent                                   Silent scan to prevent rendering UI
      --skip-github-dependency-graph-api         Do not use GitHub Dependency Graph API to fetch dependencies
      --transitive                               Analyze transitive dependencies
      --transitive-depth int                     Analyze transitive dependencies till depth (default 2)
      --trusted-registry stringArray             Trusted registry URLs to use for package manifest verification
      --type string                              Parser to use for the artifact (vet scan parsers --experimental to list)
      --vsx                                      Read VSCode extensions from VSCode extensions directory
      --vsx-dir stringArray                      VSCode extensions directory to scan (default: auto-detect)
```

### Options inherited from parent commands

```
  -d, --debug                                    Show debug logs
  -e, --exceptions string                        Load exceptions from file
      --exceptions-extra strings                 Load additional exceptions from file
  -l, --log string                               Write command logs to file, use - as for stdout
      --no-banner                                Do not display the vet banner
  -v, --verbose                                  Show verbose logs
```

### SEE ALSO

- vet - [ Establish trust in open source software supply chain ]
- vet scan parsers - List available lockfile parsers