README.md

# ![Hoplon](assets/hoplon_text_200.png)

Hoplon is a package that helps you verify that the code in your project's dependencies
contains exactly what's on their GitHub and no other malicious code.

Check out [nietaki/suffixer](https://github.com/nietaki/suffixer) to see how it works in practice.

**NOTE**: Hoplon is still in early stage of development and might not be stable enough for your needs.

[![travis badge](https://travis-ci.org/nietaki/hoplon.svg?branch=master)](https://travis-ci.org/nietaki/hoplon)
[![Hex.pm](https://img.shields.io/hexpm/v/hoplon.svg)](https://hex.pm/packages/hoplon)
[![docs](https://img.shields.io/badge/docs-hexdocs-yellow.svg)](https://hexdocs.pm/hoplon/)
<!--[![Coverage Status](https://coveralls.io/repos/github/nietaki/hoplon/badge.svg?branch=master)](https://coveralls.io/github/nietaki/hoplon?branch=master)-->

## Usage

To use Hoplon, add it as a dependency in your project.

Once it's in your deps, you can run `$ mix hoplon.check` to see if any of
the dependencies pulled into your project contain code that differs from
the code on their GitHub.

To see the diff for a specific package, run `$ mix hoplon.diff <package name>`.

Both of these mix tasks will exit with a non-zero code if any problems are
found - the dependencies differ from their github repository, the github
repository itself could not be found or the right commit could not be
identified by Hoplon.

## Installation

The package can be installed by adding `hoplon` to your list of
dependencies in `mix.exs`:

```elixir
def deps do
  [
    {:hoplon, ">= 0.3.0", app: false, runtime: false, optional: true}
  ]
end
```

In order for Hoplon to work correctly, you'll need `git` and `diff` programs in
your `PATH`.

## FAQ

### How do I know Hoplon is not malicious itself?

TODO (deps options and maybe other ways)

### How does it work?

TODO (conventions, heuristics, `git` and `diff`)