Scan your Elixir project's dependencies for known vulnerabilities
source link: https://github.com/mirego/mix_audit
Go to the source link to view the article. You can view the picture content, updated content and better typesetting reading experience. If the link is broken, please click the button below to view the snapshot at that time.
MixAudit
provides a mix deps.audit
task to scan Mix dependencies for security vulnerabilities.
It draw its inspiration from tools like
npm audit
and
bundler-audit
.
Installation
Project dependency
Add mix_audit
to the deps
function in your project’s mix.exs
file:
defp deps do [ {:mix_audit, "~> 0.1", only: [:dev, :test], runtime: false} ] end
Then run mix do deps.get, deps.compile
inside your project’s directory.
Local escript
If you do not wish to include mix_audit
in your project dependencies, you can install it as global escript
:
$ mix escript.install hex mix_audit … * creating …/.mix/escripts/mix_audit
The only difference is that instead of using the mix deps.audit
task, you will have to use the created executable.
Usage
To generate a security report, you can use the deps.audit
Mix task:
$ mix deps.audit
Options
Option Type Default Description--path
String
Current directory
The root path of the project to audit
--format
String
"human"
The format of the report to generate ( "json"
or "human"
)
--ignore-advisory-ids
String
""
Comma-separated list of advisory IDs to ignore
--ignore-package-names
String
""
Comma-separated list of package names to ignore
Example
How does it work?
MixAudit builds two lists when it’s executed in a project:
-
A list of security advisories fetched from the community-maintained
elixir-security-advisories
repository -
A list of Mix dependencies from the various
mix.lock
files in the project
Then, it loops through each project dependency and tries to find security advisories that apply to it (through its package name) and that match its version specification (through the advisory patched and unaffected version policies).
If one is found, a vulnerability (the combination of a security advisory and a project dependency ) is then added to the report.
The task will exit with a 0
status only if the report passes
(ie. it reports no vulnerabilities). Otherwise, it will exit with a 1
status.
License
MixAudit
is © 2020 Mirego
and may be freely distributed under the New BSD license
. See the
LICENSE.md
file.
The detective hat logo is based on this lovely icon by Vectors Point , from The Noun Project. Used under a Creative Commons BY 3.0 license.
About Mirego
Mirego is a team of passionate people who believe that work is a place where you can innovate and have fun. We’re a team of talented people who imagine and build beautiful Web and mobile applications. We come together to share ideas and change the world .
We also love open-source software and we try to give back to the community as much as we can.
Recommend
About Joyk
Aggregate valuable and interesting links.
Joyk means Joy of geeK