Skip to content

Detect and block introduction of unapproved 3rd party libraries. Typically used in a CI.

License

Notifications You must be signed in to change notification settings

crashdump/venlock

Repository files navigation

Venlock (a.k.a. Vendor Lock)

License GoDoc

Install/Run

You can download precompiled binaries, containers or install directly from source.

Binaries (arm, amd64)

Precompiled binaries can be found here.

Docker (arm, amd64)

docker run -ti docker pull ghcr.io/crashdump/venlock:latest 

Source

go install github.com/crashdump/venlock/cmd/venlock@latest

Use

Subcommands

./venlock
┌─────────────┐
│ Vendor Lock │
└─────────────┘

NAME:
venlock - Search for package manifests and identifies untrusted libraries.

USAGE:
venlock [global options] command [command options] [arguments...]

AUTHOR:
Adrien Pujol <ap@cdfr.net>

COMMANDS:
enumerate, e  enumerate all the libraries from source code.
generate, g   generate a config.json from source code.
enforce, v    enforce inventory libraries.
help, h       Shows a list of commands or help for one command

GLOBAL OPTIONS:
--help  (default: false)

Enumerate

./venlock enumerate test/fixtures
┌─────────────┐
│ Vendor Lock │
└─────────────┘

Enumerating libraries from source code...

> Go...
... found 12 dependencies.

github.com/PuerkitoBio/goquery
github.com/avelino/slugify
github.com/otiai10/copy
github.com/yuin/goldmark
golang.org/x/oauth2
github.com/andybalholm/cascadia
github.com/golang/protobuf
golang.org/x/net
golang.org/x/sys
golang.org/x/text
google.golang.org/appengine
google.golang.org/protobuf

> Maven...
... found 2 dependencies.

foo:bar
junit:junit

> NPM...
... found 2 dependencies.

express
compression

Enforce

./venlock enforce -c test/fixtures/config.json test/fixtures
enforce -c test/fixtures/config.json test/fixtures
┌─────────────┐
│ Vendor Lock │
└─────────────┘

Searching for foreign libraries in source code...

> Go...
... found foreign libraries:
  - github.com/PuerkitoBio/goquery
  - github.com/yuin/goldmark
  - golang.org/x/oauth2
  - github.com/andybalholm/cascadia
  - github.com/golang/protobuf
  - golang.org/x/net
  - golang.org/x/sys
  - golang.org/x/text
  - google.golang.org/appengine
  - google.golang.org/protobuf

> Maven...

No mismatch.

> Npm...

No mismatch.

non-compliant: found unexpected libraries

Contribute

Build

go build ./... -o dist/venlock

Test

go test ./...

About

Detect and block introduction of unapproved 3rd party libraries. Typically used in a CI.

Topics

Resources

License

Stars

Watchers

Forks

Packages