
1homsi / gorisk

Public

Supply-chain risk intelligence that maps what your dependencies can do

15 stars, 100% credibility
Found Feb 18, 2026 at 13 stars.
AI Analysis

Language: Go

AI Summary

gorisk analyzes the dependencies of a software project to detect risky capabilities, such as file access or network connections, and reports health scores, known issues, and the dangers of a proposed upgrade.

How It Works

1
📖 Discover gorisk

You learn about gorisk from a colleague or online: a scanner that reveals the hidden capabilities of your project's dependencies, such as reading or writing files or connecting to the network.

2
🛠️ Get gorisk ready

You install gorisk on your machine, so it is ready whenever you need to check a project.

3
🔍 Scan your project

You point gorisk at your project directory, and it walks every dependency to spot risky capabilities.

4
📊 See the results

Color-coded tables rate each dependency as low, medium, or high risk, with details of what it can do.

5
⚠️ Check updates safely

Before you upgrade a dependency, gorisk compares the current and candidate versions and warns if the new one gains dangerous capabilities it did not have before.

6
🔄 Use in team reviews

You add gorisk to your team's CI checks, so risks surface on every pull request before changes are merged.

🛡️ Build securely

Your projects are safer, with clear insight into dependency risk that helps you choose trustworthy packages and avoid surprises.
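The scan-then-diff loop of steps 3 to 5 above, reduced to its core mechanics as an added example. This is illustrative code written for this page, not gorisk's own source: it parses Go files with the standard go/parser, maps imports to capabilities through an assumed lookup table, scores each version by its worst capability, and reports the capabilities a candidate upgrade would gain. The module name example.com/tinylog, the two source snippets, and the capability names and risk levels are all constructed for the example.

```go
package main

import (
	"fmt"
	"go/parser"
	"go/token"
	"sort"
	"strings"
)

var riskRank = map[string]int{"low": 0, "medium": 1, "high": 2}

// importCaps: which imports imply which capability, and how risky. This mapping is an
// assumption made for the example; gorisk's own capability taxonomy is not on the page.
var importCaps = map[string]struct{ Cap, Risk string }{
	"os/exec":  {"exec", "high"},
	"unsafe":   {"unsafe-memory", "high"},
	"net/http": {"network", "medium"},
	"os":       {"filesystem", "medium"},
}

// Finding is one capability observed in one module, with the import that implied it.
type Finding struct{ Module, Cap, Risk, Import string }

// ScanSource parses one Go file (passed as text) and reports the capabilities its imports imply.
// Import-level detection is coarse: importing "os" to read a config file is not os.WriteFile.
func ScanSource(module, filename, src string) ([]Finding, error) {
	f, err := parser.ParseFile(token.NewFileSet(), filename, src, parser.ImportsOnly)
	if err != nil {
		return nil, err
	}
	var out []Finding
	for _, imp := range f.Imports {
		path := strings.Trim(imp.Path.Value, `"`)
		if c, ok := importCaps[path]; ok {
			out = append(out, Finding{Module: module, Cap: c.Cap, Risk: c.Risk, Import: path})
		}
	}
	return out, nil
}

// MaxRisk is a module's headline score: the highest risk of any capability found.
func MaxRisk(fs []Finding) string {
	r := "low"
	for _, f := range fs {
		if riskRank[f.Risk] > riskRank[r] {
			r = f.Risk
		}
	}
	return r
}

// Escalations lists capabilities the candidate version has that the current one lacks: the
// signal an upgrade check should block on, whether or not either version has a known CVE.
func Escalations(current, candidate []Finding) []string {
	have := map[string]bool{}
	for _, f := range current {
		have[f.Cap] = true
	}
	seen := map[string]bool{}
	var out []string
	for _, f := range candidate {
		if !have[f.Cap] && !seen[f.Cap] {
			seen[f.Cap] = true
			out = append(out, f.Cap)
		}
	}
	sort.Strings(out)
	return out
}

// Constructed sample: two versions of a hypothetical logging module. v1.1.0 quietly grows a
// shell-out and an outbound HTTP call while keeping the same public API.
const tinylogV1 = `package tinylog
import ("fmt"; "os")
func Write(msg string) { fmt.Fprintln(os.Stderr, msg) }`

const tinylogV2 = `package tinylog
import ("fmt"; "net/http"; "os"; "os/exec")
func Write(msg string) {
	fmt.Fprintln(os.Stderr, msg)
	_, _ = exec.Command("id").Output()               // new in v1.1.0
	_, _ = http.Get("http://example.invalid/beacon") // new in v1.1.0
}`

func main() {
	v1, err := ScanSource("example.com/tinylog@v1.0.0", "log.go", tinylogV1)
	v2, err2 := ScanSource("example.com/tinylog@v1.1.0", "log.go", tinylogV2)
	if err != nil || err2 != nil {
		panic("sample source failed to parse")
	}
	fmt.Printf("current:   risk=%s findings=%d\n", MaxRisk(v1), len(v1))
	fmt.Printf("candidate: risk=%s findings=%d\n", MaxRisk(v2), len(v2))
	fmt.Printf("upgrade gains capabilities: %v\n", Escalations(v1, v2))
}
```

Run it with go run. The page describes gorisk doing this across the whole dependency graph, with reachability from your main package; the bare import check here shows only the shape of the idea, and the upgrade decision it produces (block when the candidate gains a capability) is the part worth copying.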


AI-Generated Review

What is gorisk?

Gorisk is a Go-based CLI tool that scans Go and Node.js projects, including monorepos, for dependency risks beyond CVEs: it flags risky capabilities such as file writes, network calls, or code execution in your dependencies. Run `gorisk scan` for capability reports, health scores, and vulnerability lists, `gorisk diff` to compare two versions before an upgrade, and `gorisk pr` for CI gates in GitHub Actions with SARIF output. It is offline-first, polyglot, and exports SBOMs.

Why is it gaining traction?

Unlike govulncheck or Snyk, gorisk maps what dependencies *can do* (spawn a shell? evaluate code?), with blast-radius simulation and reachability analysis from your main package, plus license risk and upgrade diffs that spot API breaks or capability escalations. Polyglot support merges Go modules and npm lockfiles, and policy files let you gate high-risk dependencies in CI. The free, no-SaaS model appeals to developers who want quick local scans.
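How a policy file and SARIF output fit together in a CI gate (the `gorisk pr` step and the policy files mentioned above), as an added example rather than gorisk's own code. The policy format, the capability names, the module names, and the findings are all assumptions constructed for this page; the SARIF fields are the standard 2.1.0 ones that GitHub code scanning ingests, and the non-zero exit is what turns a violation into a failed job.

```go
package main

import (
	"encoding/json"
	"fmt"
	"os"
	"slices"
)

// Finding is one capability observed in one dependency, as a scan step would hand it to the gate.
type Finding struct {
	Module, Cap string
	Risk        string // "low", "medium" or "high"
}

// Policy is an assumed policy-file shape for this example (the page does not show gorisk's schema):
// a finding violates it when its capability is denied outright or its risk exceeds MaxRisk, unless
// the module is an explicitly allowed, reviewed exception.
type Policy struct {
	MaxRisk      string   `json:"max_risk"`
	DenyCaps     []string `json:"deny_capabilities"`
	AllowModules []string `json:"allow_modules"`
}

var (
	riskRank   = map[string]int{"low": 0, "medium": 1, "high": 2}
	sarifLevel = map[string]string{"low": "note", "medium": "warning", "high": "error"}
)

// Evaluate returns the findings that violate the policy, in input order.
func Evaluate(p Policy, fs []Finding) []Finding {
	var bad []Finding
	for _, f := range fs {
		if slices.Contains(p.AllowModules, f.Module) {
			continue // reviewed exception: accepted risk, not a violation
		}
		if slices.Contains(p.DenyCaps, f.Cap) || riskRank[f.Risk] > riskRank[p.MaxRisk] {
			bad = append(bad, f)
		}
	}
	return bad
}

// The minimum SARIF 2.1.0 structure a consumer such as GitHub code scanning needs.
type (
	sarifLog struct {
		Version string     `json:"version"`
		Runs    []sarifRun `json:"runs"`
	}
	sarifRun struct {
		Tool    sarifTool     `json:"tool"`
		Results []sarifResult `json:"results"`
	}
	sarifTool   struct{ Driver sarifDriver `json:"driver"` }
	sarifDriver struct{ Name string `json:"name"` }
	sarifText   struct{ Text string `json:"text"` }
	sarifResult struct {
		RuleID  string    `json:"ruleId"`
		Level   string    `json:"level"`
		Message sarifText `json:"message"`
	}
)

// ToSARIF renders violations as a SARIF log, one result per violating finding.
func ToSARIF(violations []Finding) ([]byte, error) {
	run := sarifRun{Tool: sarifTool{Driver: sarifDriver{Name: "example-cap-gate"}}, Results: []sarifResult{}}
	for _, v := range violations {
		msg := fmt.Sprintf("%s can %s (risk: %s)", v.Module, v.Cap, v.Risk)
		run.Results = append(run.Results, sarifResult{RuleID: "capability/" + v.Cap, Level: sarifLevel[v.Risk], Message: sarifText{msg}})
	}
	return json.MarshalIndent(sarifLog{Version: "2.1.0", Runs: []sarifRun{run}}, "", "  ")
}

// Constructed sample: scan findings for hypothetical modules, and a policy that caps risk at
// medium, bans exec outright, and accepts one reviewed exception.
var sampleFindings = []Finding{
	{"example.com/tinylog@v1.1.0", "exec", "high"},
	{"example.com/tinylog@v1.1.0", "network", "medium"},
	{"example.com/fastjson@v2.0.0", "unsafe-memory", "high"},
	{"example.com/loader@v0.4.0", "dynamic-load", "high"},
}

var samplePolicy = Policy{MaxRisk: "medium", DenyCaps: []string{"exec"}, AllowModules: []string{"example.com/fastjson@v2.0.0"}}

func main() {
	violations := Evaluate(samplePolicy, sampleFindings)
	out, err := ToSARIF(violations)
	if err != nil {
		panic(err)
	}
	os.Stdout.Write(out)
	if len(violations) > 0 {
		os.Exit(1) // a non-zero exit is what fails the CI job
	}
}
```

The allow list is the important design choice: a gate without a reviewed-exception path gets disabled the first time a legitimate dependency needs os/exec, so the exception should name the exact module and version rather than a capability, and should be re-reviewed when the version changes.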

Who should use this?

Go backend teams auditing supply-chain threats before production, Node.js full-stack developers working in monorepos, and security engineers enforcing policies on pull requests. Also for anyone tired of blind upgrades introducing surprises.

Verdict

Try it for polyglot projects spanning Go and Node.js: solid docs and tests make setup easy, even though only 13 stars at the time of review signal early maturity. Production-ready for CI, but wait for roadmap languages such as Python before betting everything on it.
