Typo-squatting
A further issue worth checking for is an application depending on a package that is not vulnerable per se, but whose name is a deliberate misspelling of a well-known dependency, published so that developers install it by mistake. Such packages can carry anything from crypto miners to malware that exfiltrates code and secrets.
Enabling the built-in list
Enabling this check only requires importing the built-in list of known typo-squatted dependency names:
name: Typo-squatting Policy
# ...
dependencies:
  conditions:
    imports:
      # Import text list of Typo-squatting dependencies.
      names: ghascompliance/defaults/typosquatting.txt
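To make concrete what such a policy does at evaluation time, here is an added, stand-alone Python illustration (not ghascompliance's own code): it loads a text deny-list of known typo-squatted names and flags any dependency in a manifest that matches after name normalization. The list format (one name per line, `#` comments), the requirements-style manifest and every package name in the sample data are assumptions constructed for this example.

```python
# Added example (not ghascompliance's own code): flag dependencies whose names
# appear in a text deny-list of known typo-squatted package names.
# Assumed list format: one name per line, blank lines and '#' comments ignored.
import re

# Constructed deny-list standing in for a file such as typosquatting.txt;
# the entries are made up for this demo.
TYPOSQUAT_LIST = """\
# known typo-squats (constructed sample)
reqeusts
urllib4
python-dateutils
"""

# Constructed dependency manifest in requirements.txt style.
MANIFEST = """\
requests==2.31.0
Reqeusts>=1.0
urllib3
Python_DateUtils ; python_version < "3.12"
"""

def normalize(name: str) -> str:
    """PEP 503 name normalization: lower-case and collapse runs of -, _ and . to '-'."""
    return re.sub(r"[-_.]+", "-", name).lower()

def load_list(text: str) -> set:
    """Parse the deny-list into normalized names (comments and blanks ignored)."""
    names = set()
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            names.add(normalize(line))
    return names

def dependency_names(manifest: str) -> list:
    """Extract bare project names; version specifiers and markers are dropped."""
    names = []
    for line in manifest.splitlines():
        line = line.split("#", 1)[0].strip()
        m = re.match(r"[A-Za-z0-9][A-Za-z0-9._-]*", line)
        if m:
            names.append(m.group(0))
    return names

def find_typosquats(manifest: str, deny_list: str) -> list:
    """Manifest names (as written) matching the deny-list after normalization,
    so case and -/_ spelling differences cannot let a squatted name slip past."""
    denied = load_list(deny_list)
    return [n for n in dependency_names(manifest) if normalize(n) in denied]
```

Normalizing both sides matters: a manifest entry such as `Python_DateUtils` would otherwise not match the listed `python-dateutils`, and the policy would pass silently.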