forsikt

command module
v0.0.0-...-5ef9fcc Latest Latest
Warning

This package is not in the latest version of its module.

 Go to latest Published: Feb 2, 2024 License: BSD-3-Clause Imports: 7 Imported by: 0

README

försikt

försikt is a proof-of-concept Go tool inspired by Rust's Cargo vet that allows you to store and manage information about manual vetting of dependencies for your Go modules.

Usage

försikt is not yet useful.

TODO
  • CLI that can manipulate the trust file and fetch diffs for reviewing.
  • Version ranges implies "trust of the changeset between these two versions", not that everything between two versions is trusted. A [v1.0.0 v1.2.0] rule will need another rule for v1.0.0 (or a chain of changeset rules until a single-version review is found) to validate.
  • Improve semantics, take a long hard look at what goes in and out.
    • Rust has several different approval levels that can be customizable. Is that needed?
    • Could we import trusted audit files for transient trust?
    • Allow slow introduction without explicit trust (again with the several approval levels?)
  • go.audit fmting.

Goal

Whether out of malice or mistakes, sometimes dependencies are exposing your users for risks. The goal of försikt is to provide tooling that makes auditing dependencies a reasonable part of the development process.

Ideally, the Go project would be open to incorporating dependency vetting as part of the Go modules ecosystem so that modules can enable mandatory dependency vetting if they wish.

Documentation

The Go Gopher

There is no documentation for this package.

Source Files

View all Source files

Directories

Path Synopsis
internal
hoppsan

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL
go.dev uses cookies from Google to deliver and enhance the quality of its services and to analyze traffic. Learn more.