Open Source component vulnerabilities and other risks are often hard to fix, especially for unsupported or unmaintained projects. Establishing secure guardrails to prevent risky components, especially introduced as transitive dependencies, from getting into a software project is critical. In this talk, we will look at the policy as code features of vet and how to leverage it to set up OSS component vetting in pull request flows. We will also touch upon some of the advanced features of vet such as dependency graph reconstruction, upgrade advice, code analysis etc.
https://github.com/safedep/vet
