Hoplon is a package that helps you verify that the code in your project's dependencies contains exactly what's on their GitHub and no other malicious code.
Check out nietaki/suffixer to see how it works in practice.
NOTE: Hoplon is still in early stage of development and might not be stable enough for your needs.
Usage
To use Hoplon, add it as a dependency in your project.
Once it's in your deps, you can run $ mix hoplon.check
to see if any of
the dependencies pulled into your project contain code that differs from
the code on their GitHub.
To see the diff for a specific package, run $ mix hoplon.diff <package name>
.
Both of these mix tasks will exit with a non-zero code if any problems are found - the dependencies differ from their github repository, the github repository itself could not be found or the right commit could not be identified by Hoplon.
Installation
The package can be installed by adding hoplon
to your list of
dependencies in mix.exs
:
def deps do
[
{:hoplon, ">= 0.3.0", app: false, runtime: false, optional: true}
]
end
In order for Hoplon to work correctly, you'll need git
and diff
programs in
your PATH
.
FAQ
How do I know Hoplon is not malicious itself?
TODO (deps options and maybe other ways)
How does it work?
TODO (conventions, heuristics, git
and diff
)