Interesting tool, will definitely try - just curious, is there a tool (hexora checker) that ensures that hexora itself and its dependencies are not compromised ?
And of course if there is one, I'll need another one for the hexora checker....
replyThere is no such tool, but you can use other static analyzers. Datadog also has one, but it's not AST-based.
replyAnd easily bypassed by an attacker who knows about your static analysis tool who can iterate on their exploit until it no longer gets flagged.
replythe main things are:
reply1. pin dependencies with sha signatures 2. mirror your dependencies 3. only update when truly necessary 4. at first, run everything in a sandbox.