You can download precompiled binaries, pull a container image, or install directly from source.
Precompiled binaries can be found here.
docker pull ghcr.io/crashdump/venlock:latest
docker run -ti ghcr.io/crashdump/venlock:latest
go install github.com/crashdump/venlock/cmd/venlock@latest
./venlock
┌─────────────┐
│ Vendor Lock │
└─────────────┘
NAME:
venlock - Search for package manifests and identifies untrusted libraries.
USAGE:
venlock [global options] command [command options] [arguments...]
AUTHOR:
Adrien Pujol <ap@cdfr.net>
COMMANDS:
enumerate, e enumerate all the libraries from source code.
generate, g generate a config.json from source code.
enforce, v enforce inventory libraries.
help, h Shows a list of commands or help for one command
GLOBAL OPTIONS:
--help (default: false)
./venlock enumerate test/fixtures
┌─────────────┐
│ Vendor Lock │
└─────────────┘
Enumerating libraries from source code...
> Go...
... found 12 dependencies.
github.com/PuerkitoBio/goquery
github.com/avelino/slugify
github.com/otiai10/copy
github.com/yuin/goldmark
golang.org/x/oauth2
github.com/andybalholm/cascadia
github.com/golang/protobuf
golang.org/x/net
golang.org/x/sys
golang.org/x/text
google.golang.org/appengine
google.golang.org/protobuf
> Maven...
... found 2 dependencies.
foo:bar
junit:junit
> NPM...
... found 2 dependencies.
express
compression
./venlock enforce -c test/fixtures/config.json test/fixtures
┌─────────────┐
│ Vendor Lock │
└─────────────┘
Searching for foreign libraries in source code...
> Go...
... found foreign libraries:
- github.com/PuerkitoBio/goquery
- github.com/yuin/goldmark
- golang.org/x/oauth2
- github.com/andybalholm/cascadia
- github.com/golang/protobuf
- golang.org/x/net
- golang.org/x/sys
- golang.org/x/text
- google.golang.org/appengine
- google.golang.org/protobuf
> Maven...
No mismatch.
> Npm...
No mismatch.
non-compliant: found unexpected libraries
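The kind of check the `enforce` run above reports, sketched for Go modules as an added example (this is not venlock's own code): list the modules a go.mod requires and flag any that are not on an allowlist. The go.mod text and the allowlist are constructed, and because the format of venlock's config.json is not shown here, the allowlist is a plain Go map.

```go
package main

import (
	"fmt"
	"strings"
)

// Constructed go.mod: module paths from the enumerate output, placeholder versions.
const sampleGoMod = `module example.com/app
require (
	github.com/avelino/slugify v0.0.0
	golang.org/x/net v0.0.0 // indirect
)
require golang.org/x/oauth2 v0.0.0
`

// requiredModules returns module paths from single-line and block require directives.
func requiredModules(gomod string) (mods []string) {
	inBlock := false
	for _, line := range strings.Split(gomod, "\n") {
		line, _, _ = strings.Cut(line, "//") // drop comments such as "// indirect"
		f := strings.Fields(line)
		switch {
		case len(f) == 0:
		case inBlock && f[0] == ")":
			inBlock = false
		case inBlock:
			mods = append(mods, f[0])
		case f[0] == "require" && len(f) == 2 && f[1] == "(":
			inBlock = true
		case f[0] == "require" && len(f) >= 3:
			mods = append(mods, f[1])
		}
	}
	return mods
}

// foreign returns the modules absent from the allowlist (exact path match).
func foreign(mods []string, allow map[string]bool) (out []string) {
	for _, m := range mods {
		if !allow[m] {
			out = append(out, m)
		}
	}
	return out
}

func main() { // the allowlist below is hypothetical
	fmt.Println(foreign(requiredModules(sampleGoMod), map[string]bool{"github.com/avelino/slugify": true}))
}
```

Modules marked `// indirect` are kept in the list, so a transitive dependency that is not on the allowlist is flagged like a direct one.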
go build -o dist/venlock ./cmd/venlock
go test ./...