VLT provides powerful security analysis capabilities through integration with Socket, enabling you to identify and assess security risks in your dependencies. This guide covers how to use VLT’s security-focused selectors to detect malware, vulnerabilities, and other security issues.
Quick Security Scan
Check for Any Malware
The simplest way to check for malware in your dependencies is using the parameterless :malware selector:
$ vlt query ':malware'
This command finds packages with medium or higher severity malware alerts (critical, high, medium) but excludes low-severity alerts to focus on more serious threats.
Check for All Security Issues
Get a comprehensive overview of all security-related packages:
$ vlt query ':scanned'
This shows all packages that have Socket security data attached. A package that has not been scanned matches none of the security selectors on this page, so :not(:scanned) lists the dependencies for which you have no verdict at all.
Malware Detection
Severity-Based Detection
VLT categorizes malware alerts into four severity levels:
- Critical (0) - Immediate security threat
- High (1) - Serious security risk
- Medium (2) - Moderate security concern
- Low (3) - Minor security note
# Find critical malware only
$ vlt query ':malware(critical)'
# Find high severity and above
$ vlt query ':malware(">=high")'
# Find specific severity levels
$ vlt query ':malware(medium)'
# Low severity alerts (not matched by the parameterless :malware)
$ vlt query ':malware(low)'
> [!NOTE]
> Low severity malware alerts are AI-generated and may detect benign behavior.
Advanced Malware Queries
# Find direct dependencies with malware
$ vlt query ':root > :malware'
# Find malware in production dependencies
$ vlt query ':prod :malware'
# Find malware in workspaces
$ vlt query ':workspace :malware'
Vulnerability Detection
CVE, CWE, and Severity-Based Searches
# Find packages affected by specific CVEs
$ vlt query ':cve(CVE-2023-1234)'
# Find packages with specific weakness types (CWE)
$ vlt query ':cwe(CWE-79)'
# Find packages based on CVE severity
$ vlt query ':severity(critical)'
$ vlt query ':severity(">medium")'
Behavioral Security Risks
Code Execution Risks
# Dynamic code execution
$ vlt query ':eval'
# Shell access
$ vlt query ':shell'
# Install scripts
$ vlt query ':scripts'
Data Access Risks
# File system access
$ vlt query ':fs'
# Network access
$ vlt query ':network'
# Environment variables
$ vlt query ':env'
Code Quality Concerns
# Obfuscated code
$ vlt query ':obfuscated'
# Minified code
$ vlt query ':minified'
# High entropy strings
$ vlt query ':entropic'
Package Trust & Maintenance
Package Legitimacy
# Typosquatting detection
$ vlt query ':squat(critical)'
# Abandoned packages
$ vlt query ':abandoned'
# Manifest confusion
$ vlt query ':confused'
Maintenance Status
# Deprecated packages
$ vlt query ':deprecated'
# Unmaintained packages
$ vlt query ':unmaintained'
# Unstable ownership
$ vlt query ':unstable'
License Compliance
License Issues
# Unlicensed packages
$ vlt query ':license(unlicensed)'
# Restricted licenses
$ vlt query ':license(restricted)'
# Copyleft licenses
$ vlt query ':license(copyleft)'
Security Scoring
# Find packages with low overall security scores
$ vlt query ':score("<0.5")'
# Find packages with low vulnerability scores
$ vlt query ':score("<0.7", "vulnerability")'
# Find packages with low maintenance scores
$ vlt query ':score("<0.6", "maintenance")'
Comprehensive Security Audit
# Multi-criteria security check - combine multiple selectors
$ vlt query ':malware, :eval, :shell, :obfuscated'
# Production dependencies security audit
$ vlt query ':prod (:malware, :cve(*), :deprecated, :abandoned)'
# Workspace security overview
$ vlt query ':workspace (:malware, :score("<0.5"), :unmaintained)'
Cross-Project Security Analysis
Cross-Project Security Scanning
# Scan multiple projects using host-context
$ vlt query ':host-context(local) :malware'
# Specific project security check
$ vlt query ':host-context("file:~/my-project") :malware'
Best Practices
Regular Security Audits
- Daily Quick Check:
vlt query ':malware'
- Weekly Comprehensive Scan:
vlt query ':host-context(local) :is(:malware, :not(:scanned))'
- Before Releasing Projects:
vlt query ':root :is(:malware, :score("<0.6"))'
Automated Security Monitoring
Consider integrating these queries into your CI/CD pipeline:
#!/bin/bash
# Exit with error if any malware is found (using --expect-results)
vlt query ':malware' --expect-results=0 || {
  echo "WARNING: Malware detected in dependencies!"
  vlt query ':malware'
  exit 1
}

# Alternative: Traditional approach with jq
if vlt query ':malware' --view=json | jq -e '.nodes | length > 0'; then
  echo "WARNING: Malware detected in dependencies!"
  vlt query ':malware'
  exit 1
fi
Automation with --expect-results
The --expect-results flag is perfect for CI/CD pipelines and automated security checks: the command exits non-zero when the number of matched packages does not satisfy the expectation, so no output parsing is needed.
# Security gates that fail builds if issues are found
$ vlt query ':malware' --expect-results=0
$ vlt query ':cwe(CWE-1333)' --expect-results=0 # CWE-1333 is Inefficient Regular Expression Complexity (ReDoS)
$ vlt query ':deprecated' --expect-results=0
# Quality gates with thresholds
$ vlt query ':score("<0.5")' --expect-results=0
$ vlt query ':unmaintained' --expect-results="<3"
# Ensure security scans are working (an empty result from :malware proves nothing if no package was scanned)
$ vlt query ':scanned' --expect-results=">0"
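The gates from the "Automated Security Monitoring" and "Automation with --expect-results" sections above, combined into one pipeline script. This is an added example, not code from the vlt docs or the vlt project. It assumes vlt is on PATH (overridable through a VLT_BIN variable, which is this script's own convention, used below to stub the binary in a test) and that --expect-results exits non-zero on a mismatch, as the page describes; the gate table is a constructed policy, not a vlt default. Unlike the one-liners, it runs every gate and reports all failures before failing the job, and it includes the :scanned check so an offline or unscanned tree cannot pass vacuously.

```shell
#!/bin/sh
# security-gate.sh (added example, not part of vlt): run a table of vlt
# queries as CI gates and fail the job only after every gate has reported.
#
# Assumptions: `vlt` is on PATH, or $VLT_BIN names a replacement (used for
# testing); the GATES table is a constructed policy for this example.

# Policy table, one gate per line: <selector>|<--expect-results value>
GATES='
:malware|0
:cwe(CWE-1333)|0
:deprecated|0
:score("<0.5")|0
:unmaintained|<3
:scanned|>0
'

# run_gate SELECTOR EXPECT: returns 0 when vlt's result count satisfies EXPECT.
run_gate() {
  "${VLT_BIN:-vlt}" query "$1" --expect-results="$2" >/dev/null 2>&1
}

# run_gates: runs every gate in GATES, prints PASS/FAIL per gate, and returns
# the number of failed gates (0 means the build may proceed).
run_gates() {
  failures=0
  while IFS='|' read -r selector expect; do
    [ -n "$selector" ] || continue          # skip blank lines in the table
    if run_gate "$selector" "$expect"; then
      printf 'PASS  %-22s expect-results=%s\n' "$selector" "$expect"
    else
      printf 'FAIL  %-22s expect-results=%s\n' "$selector" "$expect"
      failures=$((failures + 1))
    fi
  done <<EOF
$GATES
EOF
  printf '%s gate(s) failed\n' "$failures"
  return "$failures"
}

# Invoke as `sh security-gate.sh run` from the pipeline; the exit status is the
# number of failed gates, so any non-zero value fails the job.
if [ "${1:-}" = "run" ]; then
  run_gates
  exit $?
fi
```

Keep the :scanned gate last so its failure is visible next to the others: a run where every security gate passes but :scanned fails means the data never arrived, not that the tree is clean.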
Security-First Development
- Always check new dependencies:
vlt query '#<new-package>:malware, #<new-package> :malware'
- Monitor transitive dependencies:
vlt query ':root > * :malware'
- Regular maintenance updates:
vlt query ':deprecated, :unmaintained'
Understanding Security Data
Security data is provided by Socket and requires network access to fetch the latest threat intelligence. The first query may take longer as security metadata is downloaded and cached locally. If that data is unavailable (for example on an offline CI runner), the security selectors simply match nothing, so a gate such as --expect-results=0 on :malware passes vacuously; pair it with a check that :scanned returns results.
For more detailed information about specific security selectors, see the Dependency Selector Syntax reference.