🕵️‍♂️ go_over

A tool to audit Erlang & Elixir dependency advisories as well as retired hex packages, to make sure your gleam projects really sparkle! ✨

🚨 NOTE: security advisories are NOT currently monitored for gleam dependencies. The language, while excellent, is far too new and niche

Install

gleam add --dev go_over

📣 Also!

• add .go-over/ to your .gitignore
• make sure git is installed

Usage

gleam run -m go_over

🎥 Obligatory Asciinema

🏴 Flags

• --skip: will skip checking the cache and used the stored data no matter what
• --force: will force pulling new data even if the cached data is still valid

⚙️ Config

Optional settings that can be added to your project’s gleam.toml

[go-over]
# disables caching (default: true)
cache = true

[go-over.ignore]
# list of package names to skip when checking for advisories & warnings (default: [])
packages = ["example_package"]
# list of warning severities to skip when checking for advisories & warnings (case insensitive) (default: [])
severity = ["example_moderate"]
# list of advisory IDs to skip when checking for advisories & warnings (default: [])
ids = ["GHSA-xxxx-yyyy-zzzz"]

⌛ Caching

• Security advisory data is cached for six hours
• hex.pm retired package data is cached for one hour

🖌️ Other Art

• As I’m sure is no surprise this tool is inspired by (and all around worse than) mirego/mix_audit. Please check it out!
• It also draws inspiration from mix hex.audit

License

This tool uses mirego/elixir-security-advisories which is it self licensed with BSD-3-Clause license and CC-BY 4.0 open source license. See their #license section

Code original to this repo is Licensed under MIT