Aspis is a package that helps you verify that the code in your project's dependencies contains exactly what is in their GitHub repositories and no other, possibly malicious, code.
NOTE: Aspis is still at an early stage of development and may be missing some features.
To use Aspis, add it as a dependency in your project. Once it is in your deps, you can run $ mix aspis.check to see whether any of the dependencies pulled into your project contain code that differs from the code in their GitHub repositories.
To see the diff for a specific package, run $ mix aspis.diff <package name>.
Both of these mix tasks exit with a non-zero code if any problems are found: the dependency differs from its GitHub repository, the GitHub repository itself could not be found, or Aspis could not identify the right commit.
The package can be installed by adding aspis to your list of dependencies in mix.exs:

    def deps do
      [
        {:aspis, ">= 0.1.0", app: false, runtime: false, optional: true}
      ]
    end
In order for Aspis to work correctly, you'll need the git and diff programs in your PATH.
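The following is an added example, not Aspis's own code: a manual, single-dependency version of the comparison that mix aspis.check automates, built on the same two tools (git and diff) and exercised against a constructed local repository standing in for GitHub. It assumes the upstream repository tags releases as "v<version>"; the README does not yet document Aspis's real tag and commit heuristics, so that convention is an assumption.

```shell
#!/bin/sh
# Added example, not Aspis's own code: a manual version of the check that
# `mix aspis.check` automates, built on the same two tools (git and diff).
# Assumption (the README does not yet document Aspis's heuristics): upstream
# tags releases as "v<version>".
#
# verify_dep <dep dir> <git URL or local path> <version>
# returns 0 when the tree matches the tag, 1 when files differ, are extra or
# missing, and 2 when the repository or tag cannot be fetched.
verify_dep() {
  dep_dir=$1; repo=$2; version=$3
  work=$(mktemp -d) || return 2
  if ! git clone -q --branch "v$version" "$repo" "$work/src" 2>/dev/null; then
    rm -rf "$work"; return 2
  fi
  rm -rf "$work/src/.git"   # hex packages ship no git metadata, so drop it before comparing
  if diff -rq "$work/src" "$dep_dir"; then status=0; else status=1; fi
  rm -rf "$work"
  return "$status"
}

# Constructed stand-in for "the code on GitHub": a local repo with one tagged release.
make_demo_upstream() {
  root=$(mktemp -d)
  mkdir "$root/upstream"
  printf 'defmodule Demo do\nend\n' > "$root/upstream/demo.ex"
  git -C "$root/upstream" init -q
  git -C "$root/upstream" -c user.name=demo -c user.email=demo@example.com add demo.ex
  git -C "$root/upstream" -c user.name=demo -c user.email=demo@example.com commit -q -m "release 0.1.0"
  git -C "$root/upstream" tag v0.1.0
  echo "$root"
}

# Three scenarios: a faithful copy of the tag, a copy carrying a file that was
# never in the repository, and a version with no matching tag. Results land in
# DEMO_* variables so a caller can act on them (CI would fail on anything non-zero).
demo() {
  root=$(make_demo_upstream)
  cp -R "$root/upstream" "$root/deps_clean"; rm -rf "$root/deps_clean/.git"
  cp -R "$root/deps_clean" "$root/deps_tampered"
  printf '# not present in the upstream tag\n' > "$root/deps_tampered/extra.ex"
  if verify_dep "$root/deps_clean" "$root/upstream" 0.1.0; then DEMO_CLEAN=0; else DEMO_CLEAN=$?; fi
  if verify_dep "$root/deps_tampered" "$root/upstream" 0.1.0; then DEMO_TAMPERED=0; else DEMO_TAMPERED=$?; fi
  if verify_dep "$root/deps_clean" "$root/upstream" 9.9.9; then DEMO_MISSING=0; else DEMO_MISSING=$?; fi
  rm -rf "$root"
  echo "clean=$DEMO_CLEAN tampered=$DEMO_TAMPERED missing_tag=$DEMO_MISSING"  # clean=0 tampered=1 missing_tag=2
}

demo
```

The "Only in" lines that diff prints for the tampered copy are the equivalent of what mix aspis.diff would show for that package.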
TODO (deps options and maybe other ways)
TODO (conventions, heuristics, git and diff)