Common questions and troubleshooting tips for using vet effectively.

General Usage

How do I disable the banner?

Set the environment variable to disable the vet banner:
export VET_DISABLE_BANNER=1

Something is wrong! How do I debug this?

Run vet with debug logging enabled to diagnose issues. -l selects the log destination (a file path, or - for stdout) and -d raises the log level to debug, so the command below prints the full debug log alongside the scan:
vet scan -D /path/to/repo -l- -d

Installation and Setup

Which version of vet should I use?

Always use the latest stable version available:
# Check current version
vet version

# Update via Homebrew (macOS/Linux)
brew upgrade safedep/tap/vet

# Or download latest from GitHub releases
# https://github.com/safedep/vet/releases

Does vet work offline?

vet requires internet connectivity to:
  • Download vulnerability data from OSV database
  • Fetch OpenSSF Scorecard information
  • Access package registry metadata
  • Communicate with SafeDep Cloud (if using cloud features)
For offline environments, use the JSON dump workflow: run vet scan with --json-dump-dir on a connected host to cache the enriched data locally, then run vet query --from against that dump where there is no connectivity.

What package managers does vet support?

vet supports a wide range of package managers:
  • package-lock.json (npm)
  • yarn.lock (Yarn)
  • pnpm-lock.yaml (pnpm)
  • requirements.txt (pip)
  • Pipfile.lock (Pipenv)
  • poetry.lock (Poetry)
  • pyproject.toml (Python)
  • pom.xml (Maven)
  • build.gradle (Gradle)
  • gradle.lockfile (Gradle)
  • go.mod (Go)
  • go.sum (Go)
  • Gemfile.lock (Ruby)
  • Cargo.lock (Rust)
  • composer.lock (PHP)
  • And many more…

Scanning and Analysis

Why is my scan taking so long?

Several factors can affect scan performance:
  1. Large directory trees. Use path exclusions to skip directories that hold no manifests you care about, such as installed or vendored dependencies and test fixtures:
vet scan -D . --exclude 'node_modules/*' --exclude 'test/*'
  2. Network latency. The scan enriches every package with metadata from external sources, so a slow or proxied connection directly adds to scan time.
  3. Malware analysis. If using --malware, the scan waits for analysis results; if analyses are being cut off, adjust the timeout:
vet scan -D . --malware --malware-analysis-timeout 5m
  4. Cold cache. Initial scans are slower while vet builds its local caches; repeated scans of the same dependencies are faster.

No vulnerabilities found - is this correct?

If vet reports no vulnerabilities:
  1. Check the package versions - make sure the lockfile you scanned reflects what is actually installed; a stale or regenerated lockfile can hide the versions in use
  2. Verify manifest files - confirm vet is finding and parsing your package manifests
  3. Check exclusions - make sure you haven’t excluded directories that hold relevant manifests
  4. Review scan output - look for warnings or errors during scanning, especially failed enrichment calls, since a package that could not be enriched cannot report vulnerabilities

How do I scan only specific files?

Use the -M flag to specify individual manifest files:
# Single file
vet scan -M package-lock.json

# Multiple files
vet scan -M package-lock.json -M requirements.txt
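A preflight that makes steps 2 and 3 of the "no vulnerabilities found" checklist concrete and then hands vet the exact -M list from the section above. This is an added example for this FAQ, not code from the vet project: it walks a directory for the manifest names listed on this page, drops anything under the prefixes you would otherwise pass to --exclude, refuses to proceed when nothing is left (the usual cause of a suspiciously clean report), and only then runs vet scan. The prefix match is an approximation of vet's own --exclude handling, and the script and function names are the example's own.

```shell
#!/bin/sh
# vet-preflight.sh: list the manifests vet should pick up under a directory and
# scan exactly those. Added example for this FAQ, not part of the vet project.
# Assumption: vet's --exclude patterns are approximated here by a path-prefix
# match on the relative path (enough to catch "I excluded my own lockfile").
set -eu

# Manifest file names taken from the supported list on this page.
MANIFEST_NAMES="package-lock.json yarn.lock pnpm-lock.yaml requirements.txt \
Pipfile.lock poetry.lock pyproject.toml pom.xml build.gradle gradle.lockfile \
go.mod go.sum Gemfile.lock Cargo.lock composer.lock"

# find_manifests DIR [EXCLUDE_PREFIX ...]
# Prints manifest paths relative to DIR, sorted, one per line, skipping paths
# that start with any of the given prefixes (e.g. node_modules/ test/).
find_manifests() {
  fm_dir=$1; shift
  if [ ! -d "$fm_dir" ]; then
    echo "not a directory: $fm_dir" >&2
    return 2
  fi
  fm_expr=""
  for fm_name in $MANIFEST_NAMES; do
    if [ -z "$fm_expr" ]; then fm_expr="-name $fm_name"
    else fm_expr="$fm_expr -o -name $fm_name"; fi
  done
  # shellcheck disable=SC2086  # word splitting of $fm_expr is intended
  (cd "$fm_dir" && find . -type f \( $fm_expr \) | sed 's#^\./##' | sort) |
  while IFS= read -r fm_rel; do
    fm_skip=0
    for fm_ex in "$@"; do
      case "$fm_rel" in "$fm_ex"*) fm_skip=1 ;; esac
    done
    if [ "$fm_skip" -eq 0 ]; then printf '%s\n' "$fm_rel"; fi
  done
}

# scan_manifests DIR [EXCLUDE_PREFIX ...]
# Shows what will be scanned, fails when nothing is found, then runs vet with
# one -M per manifest so the report can be compared against this list.
scan_manifests() {
  sm_dir=$1; shift
  sm_found=$(find_manifests "$sm_dir" "$@")
  if [ -z "$sm_found" ]; then
    echo "no supported manifests under $sm_dir: check the -D path and --exclude patterns" >&2
    return 2
  fi
  echo "manifests to scan:" >&2
  printf '%s\n' "$sm_found" >&2
  set --
  while IFS= read -r sm_rel; do
    set -- "$@" -M "$sm_dir/$sm_rel"
  done <<EOF
$sm_found
EOF
  vet scan "$@"
}

# Usage: ./vet-preflight.sh /path/to/repo [exclude-prefix ...]
# With no arguments the script only defines the functions (so it can be sourced).
if [ "$#" -gt 0 ]; then
  scan_manifests "$@"
fi
```

Run it once without excludes and once with the prefixes from your CI configuration; if a lockfile you expect disappears between the two runs, an exclusion is hiding it, which is exactly the failure step 3 of the checklist is about.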

Policy and Filtering

How do I create effective policies?

Follow these best practices for policy creation:
  1. Start simple. Begin with a basic vulnerability check and add rules one at a time:
--filter 'vulns.critical.size() > 0'
  2. Test before deploying. Run each policy against known good and known bad packages and confirm it matches exactly the set you expect.
  3. Warn first, block later. Start with warning-only mode and switch to failing the build only once the policy has stopped producing surprises.
  4. Document intent. Include comments in policy files explaining the rationale for each rule, so the next person knows what it protects and when it can be retired.

Why is my filter not working?

Common filter issues and solutions:
  1. Syntax errors. Filters are CEL expressions; verify the syntax:
# Correct
vulns.critical.size() > 0

# Incorrect
vulns.critical.length() > 0  # Use size(), not length()
  2. Unknown fields. Check the filter input specification to understand the available fields and their types.
  3. Non-boolean results. A filter must evaluate to true or false; a package matches when the expression is true:
# Returns boolean
licenses.exists(p, p == "MIT")

# Returns array (won't work as filter)
licenses

Performance and Optimization

How can I speed up my scans?

Skip irrelevant directories:
vet scan -D . \
  --exclude 'test/*' \
  --exclude 'docs/*' \
  --exclude 'examples/*'
Target only relevant package files:
vet scan -M package-lock.json -M requirements.txt
Cache enriched data for repeated analysis:
vet scan -D . --json-dump-dir /tmp/cache
vet query --from /tmp/cache --filter 'your-filter'
For multiple projects, run scans in parallel or use CI/CD matrix builds.

CI/CD Integration

My GitHub Action is failing - what should I check?

Ensure you’re using the latest version of vet-action:
uses: safedep/vet-action@v1  # Use latest stable
Check GitHub token permissions:
permissions:
  contents: read
  security-events: write  # For SARIF upload
  pull-requests: write    # For PR comments
Verify required secrets are set if using SafeDep Cloud:
  • SAFEDEP_CLOUD_API_KEY
  • SAFEDEP_CLOUD_TENANT_DOMAIN

How do I handle false positives in CI?

Create an exceptions file for known false positives:
- name: Run vet with exceptions
  uses: safedep/vet-action@v1
  with:
    exception-file: '.github/vet-exceptions.yml'
Refine your filter expressions to reduce noise:
# Be more specific about severity
--filter 'vulns.critical.size() > 0'
# Instead of
--filter 'vulns.all.size() > 0'
Don’t fail builds while tuning policies:
with:
  fail-on-violation: false

Data and Privacy

What data does vet collect?

vet reads your package manifests and enriches each dependency with:
  • Package metadata from public registries
  • Vulnerability data from public databases (OSV, NVD)
  • OpenSSF Scorecard metrics from public repositories
Your source code is not analyzed or transmitted as part of this enrichment.

Does vet send my code anywhere?

No. vet reads package manifest files (such as package-lock.json) and does not access or transmit your source code. Enrichment is based on publicly available package metadata, which means the names and versions of your dependencies are sent to the external data sources listed above (OSV, package registries, Scorecard). If you enable SafeDep Cloud features, the resulting package inventory is also synced to your SafeDep Cloud tenant.

Can I use vet in air-gapped environments?

vet requires internet access for vulnerability data and package metadata. For air-gapped environments:
  1. Pre-cache data using the JSON dump workflow
  2. Use proxy servers to control external access
  3. Consider enterprise solutions for offline vulnerability databases
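The JSON dump workflow from step 1 (and from the offline question earlier on this page), carried through as a two-host script. This is an added example for this FAQ, not code from the vet project. It assumes vet scan --json-dump-dir and vet query --from as used elsewhere on this page, and tar, gzip and sha256sum (or shasum) on both hosts; the script and function names are the example's own. The part worth copying is the seal-and-verify step: data that crosses an air gap on removable media should be checksummed on the connected side and verified before it is unpacked, so a truncated or altered archive is rejected instead of producing a quietly incomplete report.

```shell
#!/bin/sh
# vet-airgap.sh: carry vet's enriched JSON dump across an air gap with an
# integrity check. Added example for this FAQ, not part of the vet project.
# Assumes: `vet scan --json-dump-dir` and `vet query --from` as used elsewhere
# on this page; tar, gzip and sha256sum (or shasum) present on both hosts.
set -eu

# Pick whichever SHA-256 tool the host has (sha256sum on Linux, shasum on macOS).
sha256_tool() {
  if command -v sha256sum >/dev/null 2>&1; then echo "sha256sum"
  else echo "shasum -a 256"; fi
}

# bundle_dir DIR ARCHIVE
# Packs DIR into ARCHIVE (gzip tar) and writes ARCHIVE.sha256 next to it, so the
# receiving side can detect truncation or tampering before trusting the data.
bundle_dir() {
  bd_abs=$(cd "$(dirname "$2")" && pwd)/$(basename "$2")
  tar -C "$1" -czf "$bd_abs" .
  (cd "$(dirname "$bd_abs")" && $(sha256_tool) "$(basename "$bd_abs")" > "$(basename "$bd_abs").sha256")
}

# verify_bundle ARCHIVE  -> exit 0 only if ARCHIVE matches ARCHIVE.sha256
verify_bundle() {
  (cd "$(dirname "$1")" && $(sha256_tool) -c "$(basename "$1").sha256" >/dev/null 2>&1)
}

# import_cache ARCHIVE DEST_DIR
# Refuses to unpack an archive whose checksum does not match.
import_cache() {
  if ! verify_bundle "$1"; then
    echo "checksum mismatch for $1; refusing to import" >&2
    return 1
  fi
  mkdir -p "$2"
  tar -C "$2" -xzf "$1"
}

# Connected host: scan, dump the enriched data, seal it.
export_cache() {   # export_cache SRC_DIR DUMP_DIR ARCHIVE
  vet scan -D "$1" --json-dump-dir "$2"
  bundle_dir "$2" "$3"
}

# Air-gapped host: query the imported dump without network access.
query_offline() {  # query_offline DUMP_DIR FILTER
  vet query --from "$1" --filter "$2"
}

# Usage:
#   connected$  ./vet-airgap.sh export /path/to/repo ./vet-dump ./vet-cache.tgz
#   (carry vet-cache.tgz and vet-cache.tgz.sha256 across the gap)
#   airgapped$  ./vet-airgap.sh import ./vet-cache.tgz ./vet-dump
#   airgapped$  ./vet-airgap.sh query ./vet-dump 'vulns.critical.size() > 0'
case "${1:-}" in
  export) export_cache "$2" "$3" "$4" ;;
  import) import_cache "$2" "$3" ;;
  query)  query_offline "$2" "$3" ;;
  "")     ;;  # no arguments: only define the functions (sourceable)
  *)      echo "usage: $0 export SRC DUMP ARCHIVE | import ARCHIVE DEST | query DUMP FILTER" >&2; exit 64 ;;
esac
```

The checksum guards integrity, not freshness: a dump is a snapshot of the vulnerability data at export time, so re-export on a schedule and record the export date alongside the archive.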

Troubleshooting

Common error messages and solutions

When vet finds no manifests to scan:
  • Check that you’re in the correct directory
  • Verify manifest files exist (package-lock.json, requirements.txt, etc.)
  • Use the -M flag to specify files explicitly

When enrichment fails with network errors:
  • Check internet connectivity
  • Verify firewall/proxy settings
  • Try again later (the upstream service might be temporarily unavailable)

When the scan runs out of memory or is killed:
  • Use path exclusions to reduce scope
  • Scan smaller directory trees
  • Increase available memory in CI/CD

When a filter fails to evaluate:
  • Check CEL syntax
  • Verify field names against the filter input spec
  • Test expressions incrementally

Getting More Help

Community Discord

Join our community for real-time help and discussions

GitHub Issues

Report bugs or search existing issues

Documentation

Comprehensive guides and API reference

Email Support

Direct support for complex issues

Can’t find your question here? Check our community page for more ways to get help!