Vekt - Supply Chain Security

About

Vekt shows you what package registries don't -- vulnerability data, maintainer history, and trust signals -- right on the page where you're evaluating a package.

WHAT IT DOES

When you visit a package page on any supported registry, Vekt adds a trust bar at the bottom of the screen showing:

  - Traffic light indicator (green/yellow/red) for instant risk assessment
  - Package name, version, and ecosystem
  - Click "Details" to expand the full trust panel

The trust panel shows:

  - OpenSSF Scorecard score
  - Vulnerability count from OSV.dev (CVEs, GHSAs, MAL-* malicious flags)
  - Weekly download count
  - Maintainer list with GitHub profile links and star counts
  - Dependency count
  - License information
  - Package publish date and version history
  - Provenance/SLSA attestation status
  - Warnings for abandoned packages, single maintainers, and large dependency trees

SUPPORTED REGISTRIES (9)

  - npm (npmjs.com)
  - PyPI (pypi.org)
  - And More!

PRIVACY

Vekt only sends the package ecosystem, name, and version to check for vulnerabilities. It never transmits your browsing history, page content, cookies, or any other data. Works in incognito without storing state. Full privacy policy: https://kief.dev/privacy

DATA SOURCES

  - OSV.dev (Google) for vulnerabilities and malicious package advisories
  - deps.dev (Google) for dependency graphs and OpenSSF Scorecard scores
  - Registry APIs (npm, PyPI, crates.io, RubyGems) for metadata and maintainers
  - GitHub API for maintainer profiles and star counts

FREE TO USE

The extension works without an account. Optional API key (free at kief.dev/vekt/signup) enables trust scoring and enriched data.

Built by Kief Studio (kief.studio). Source and documentation at kief.dev/vekt.

Category: Developer Tools

Language: English

Website: https://kief.dev/vekt

Privacy Policy URL: https://kief.dev/privacy