🔍 A multi-ecosystem package code review system. 🔍
Open source software dependencies are commonly used without review. Running unreviewed code poses security risks. Vouch is a package code review system built to solve this problem by:
- minimizing the costs of reviewing software
- checking software dependencies against reviews.
First, lets setup Vouch. During setup we can optionally specify a git repository URL for publishing reviews.
vouch setup https://github.com/<username>/reviews
Extensions enable Vouch to create reviews for packages from different ecosystems. For example, the Python extension adds support for pypi.org packages. By default, Vouch includes extensions for Python and Javascript. Add an extension using the following command:
vouch extension add py
or via any GitHub repository URL:
vouch extension add https://github.com/vouch-dev/vouch-py
| Name | Ecosystem | Package Registries |
|---|---|---|
| vouch-py | Python | pypi.org |
| vouch-js | Javascript | npmjs.com |
| vouch-ansible | Ansible Galaxy | galaxy.ansible.com |
(Note: Vouch currently requires VSCode to create reviews.)
Vouch supports multiple ecosystems and is extendable. For now, Python and Javascript support comes built-in. Lets review the NPM Javascript package d3 at version 4.10.0:
vouch review d3 4.10.0
Subscribe to reviews created by other users using the command:
vouch peer add https://github.com/vouch-dev/example-reviews
The sync command pulls new reviews from peers and publishes user generated reviews:
vouch sync
Reviews created using Vouch can be used to evaluate software project dependencies. Vouch extensions can discover ecosystem specific dependency definition files. For example, the Python extension parses Pipfile.lock files.
The check command generates an evaluation report of local project dependencies based on available reviews:
vouch check