dependencies.md

External Dependencies

safe does not install its scanner dependencies automatically.

This is intentional. A security tool cannot establish trust in the binaries it uses by downloading and running upstream installers on the user's behalf.

safe audit can use these external tools when they are already available:

Tool Purpose Upstream
OSV-Scanner Vulnerability scanning through OSV data https://github.com/google/osv-scanner
Syft SBOM generation https://github.com/anchore/syft
Grype Vulnerability scanning from SBOMs and filesystems https://github.com/anchore/grype
Socket CLI Package behavioral and supply-chain signal https://docs.socket.dev/docs/socket-cli
npm Node package audit support through npm audit https://docs.npmjs.com/cli/commands/npm-audit
Composer PHP package audit support through composer audit https://getcomposer.org/doc/03-cli.md#audit
govulncheck Go vulnerability checks https://github.com/golang/vuln
cargo-audit Rust vulnerability checks https://github.com/rustsec/rustsec/tree/main/cargo-audit
pip-audit Python vulnerability checks https://github.com/pypa/pip-audit

Install these tools through a channel you trust. That may be an OS package manager, a pinned release asset, a source build you reviewed, or an internal tooling image. The right choice depends on your threat model.

Project scans require the core scanners and only the ecosystem audit tools for ecosystems discovered in that project. Missing scanner coverage stops the scan by default; if you explicitly continue, the affected tool is shown as skipped and the result verdict is WARN.

After installing tools, ask safe to detect them:

safe doctor
safe audit setup

To copy an already-audited scanner set to another machine, create a local bundle:

safe audit setup --create-bundle ./scanners.tar.gz
safe audit setup remote-a --bundle ./scanners.tar.gz

The bundle path is a transport mechanism, not a trust mechanism. Create bundles only from machines and binaries you have already chosen to trust.