[![travis badge](](
[![Built with Spacemacs](](
<!--[![Coverage Status](](>

# Hoplon

Hoplon is a package that helps you verify that the code in your project's dependencies
contains exactly what's on their GitHub and no other malicious code.

**NOTE**: Hoplon is still in early stage of development and might be missing some features.

## Usage

To use Hoplon, add it as a dependency in your project.

Once it's in your deps, you can run `$ mix hoplon.check` to see if any of
the dependencies pulled into your project contain code that differs from
the code on their GitHub.

To see the diff for a specific package, run `$ mix hoplon.diff <package name>`.

Both of these mix tasks will exit with a non-zero code if any problems are
found - the dependencies differ from their github repository, the github
repository itself could not be found or the right commit could not be
identified by Hoplon.

## Installation

The package can be installed by adding `hoplon` to your list of
dependencies in `mix.exs`:

def deps do
    {:hoplon, ">= 0.1.0", app: false, runtime: false, optional: true}

In order for Hoplon to work correctly, you'll need `git` and `diff` programs in
your `PATH`.

## FAQ

### How do I know Hoplon is not malicious itself?

TODO (deps options and maybe other ways)

### How does it work?

TODO (conventions, heuristics, `git` and `diff`)