🕵️♂️ go_over
A tool to audit Erlang & Elixir dependency advisories as well as retired hex packages, to make sure your gleam projects really sparkle! ✨
🚨 NOTE: security advisories are NOT currently monitored for gleam dependencies. The language, while excellent, is far too new and niche
Install
gleam add --dev go_over
📣 Also!
- add
.go-over/
to your.gitignore
- make sure
git
is installed
Usage
gleam run -m go_over
🎥 Obligatory Asciinema
🏴 Flags
--skip
: will skip checking the cache and used the stored data no matter what--force
: will force pulling new data even if the cached data is still valid
⚙️ Config
Optional settings that can be added to your project’s gleam.toml
[go-over]
# disables caching if false (default: true)
cache = true
[go-over.ignore]
# list of package names to skip when checking for advisories & warnings
# default: []
packages = ["example_package"]
# list of warning severities to skip when checking for advisories & warnings
# default: []
# (case insensitive)
severity = ["example_moderate"]
# list of advisory IDs to skip when checking for advisories & warnings
# default: []
ids = ["GHSA-xxxx-yyyy-zzzz"]
⌛ Caching
- Security advisory data is cached for six hours
- hex.pm retired package data is cached for one hour
🖌️ Other Art
- As I’m sure is no surprise this tool is inspired by (and all around worse than) mirego/mix_audit. Please check it out!
- It also draws inspiration from mix hex.audit
License
This tool uses mirego/elixir-security-advisories which is it self licensed with BSD-3-Clause license
and CC-BY 4.0 open source license
. See their #license section
Code original to this repo is Licensed under MIT