decentralized package security audit network of trust

Hoplon

Hoplon is a package that helps you verify that the code in your project's dependencies contains exactly what is in their public GitHub repositories and no additional malicious code.

Hoplon is a set of tools to create and share signed "audits" describing the security status of hexpm (or other) packages. It lets you maintain a collection of "trusted keys": people whose audits you can fetch and take into account when assessing the packages you use (or want to use).
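Hoplon's real audit format and task API are not shown on this page, so the following is an added illustration (not the project's own code) of the trust model just described: signed audits, a set of trusted keys, and the rule that only audits from trusted keys that match the fetched package hash count. The audit structure, the verdict policy and the helper names are assumptions; it runs with `elixir trust_demo.exs` on Erlang/OTP 22 or newer, which provides Ed25519 in `:crypto`.

```elixir
defmodule TrustDemo do
  # Constructed audit model, not Hoplon's own format: an audit is a signed
  # statement about one package version, counted only if its key is trusted.

  # Canonical bytes the auditor signs; `verdict` is :safe or :dangerous.
  def audit_payload(name, version, hash, verdict) do
    Enum.join([name, version, Base.encode16(hash), Atom.to_string(verdict)], "\n")
  end

  # Hypothetical helper: an auditor signs a payload with an Ed25519 key pair.
  def sign_audit({pub, priv}, name, version, hash, verdict) do
    payload = audit_payload(name, version, hash, verdict)
    sig = :crypto.sign(:eddsa, :none, payload, [priv, :ed25519])
    %{name: name, version: version, hash: hash, verdict: verdict,
      signer: pub, signature: sig}
  end

  # Assumed policy: drop audits for other packages or versions, for a hash other
  # than the fetched one, from keys outside the trusted set, or with invalid
  # signatures; any remaining :dangerous verdict wins, none at all is :unknown.
  def assess(audits, trusted_keys, name, version, fetched_hash) do
    audits
    |> Enum.filter(&(&1.name == name and &1.version == version))
    |> Enum.filter(&(&1.hash == fetched_hash))
    |> Enum.filter(&MapSet.member?(trusted_keys, &1.signer))
    |> Enum.filter(fn a ->
      payload = audit_payload(a.name, a.version, a.hash, a.verdict)
      :crypto.verify(:eddsa, :none, payload, a.signature, [a.signer, :ed25519])
    end)
    |> Enum.map(& &1.verdict)
    |> case do
      [] -> :unknown
      verdicts -> if :dangerous in verdicts, do: :dangerous, else: :safe
    end
  end
end

# Constructed run: one trusted auditor (alice) and one unknown key (mallory).
alice = :crypto.generate_key(:eddsa, :ed25519)
mallory = :crypto.generate_key(:eddsa, :ed25519)
trusted = MapSet.new([elem(alice, 0)])
tarball_hash = :crypto.hash(:sha256, "constructed stand-in for a package tarball")
other_hash = :crypto.hash(:sha256, "constructed tampered tarball")
audits = [
  TrustDemo.sign_audit(alice, "jason", "1.1.2", tarball_hash, :safe),
  TrustDemo.sign_audit(mallory, "jason", "1.1.2", tarball_hash, :dangerous),
  TrustDemo.sign_audit(alice, "jason", "1.1.2", other_hash, :dangerous)
]
IO.inspect(TrustDemo.assess(audits, trusted, "jason", "1.1.2", tarball_hash))
```

Only alice's audit over the fetched hash survives the filters: mallory's key is not trusted, and alice's second audit is about a different tarball, so neither can change the verdict for the package actually fetched.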

See CodeBEAM STO presentation slides for details. Video of the talk coming soon.


Usage

There is currently no release of hoplon on hex.pm, so you need to get it from GitHub:

defp deps do
  [
    {:hoplon, github: "nietaki/hoplon"},
  ]
end

After you add it to your dependencies, you gain access to the hoplon mix tasks. The currently relevant ones are mix hoplon.fetch, mix hoplon.my_key, mix hoplon.status and mix hoplon.trusted_keys.

All of those mix tasks come with documentation:

mix help hoplon.trusted_keys