{"id":37156928,"url":"https://github.com/isometry/choam","last_synced_at":"2026-01-14T18:38:47.928Z","repository":{"id":319515337,"uuid":"1048457157","full_name":"isometry/choam","owner":"isometry","description":null,"archived":false,"fork":false,"pushed_at":"2025-10-18T17:00:45.000Z","size":216,"stargazers_count":1,"open_issues_count":0,"forks_count":1,"subscribers_count":0,"default_branch":"main","last_synced_at":"2025-10-19T10:27:49.525Z","etag":null,"topics":[],"latest_commit_sha":null,"homepage":null,"language":"Go","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"mit","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/isometry.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null,"notice":null,"maintainers":null,"copyright":null,"agents":null,"dco":null,"cla":null}},"created_at":"2025-09-01T13:23:55.000Z","updated_at":"2025-10-18T22:02:03.000Z","dependencies_parsed_at":"2025-10-19T10:28:11.730Z","dependency_job_id":"f8813852-4bae-4484-a346-06f9124beb71","html_url":"https://github.com/isometry/choam","commit_stats":null,"previous_names":["isometry/choam"],"tags_count":1,"template":false,"template_full_name":null,"purl":"pkg:github/isometry/choam","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/isometry%2Fchoam","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/isometry%2Fchoam/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/isometry%2Fchoam/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/isometry%2Fchoam/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/isometry","download_url":"https://codeload.github.com/isometry/choam/tar.gz/refs/heads/main","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/isometry%2Fchoam/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":28430876,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-01-14T16:38:47.836Z","status":"ssl_error","status_checked_at":"2026-01-14T16:34:59.695Z","response_time":107,"last_error":"SSL_connect returned=1 errno=0 peeraddr=140.82.121.5:443 state=error: unexpected eof while reading","robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":false,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":[],"created_at":"2026-01-14T18:38:47.227Z","updated_at":"2026-01-14T18:38:47.920Z","avatar_url":"https://github.com/isometry.png","language":"Go","readme":"# CHOAM\n\nA Go CLI tool for managing melange build specifications and securing software supply chains. CHOAM detects updates, applies changes, and scans for vulnerabilities in Go dependencies.\n\n## Features\n\n- 🔍 **Update Detection**: Multi-source monitoring (GitHub releases/tags, Git repositories, release-monitoring.org)\n- ⚡ **Automated Updates**: Apply version updates with epoch management and SHA256 verification\n- 🛡️ **Vulnerability Scanning**: OSV database integration for Go module security analysis (in-development)\n- 📊 **Multiple Output Formats**: Table and JSON output for CI/CD integration\n- 🏗️ **Comment-Preserving YAML**: Maintains formatting, comments, and structure\n- 🔧 **Processor Architecture**: Extensible pipeline stages with change tracking and rollback\n\n## Installation\n\n### Using Homebrew\n\n```bash\n# Install choam\nbrew install isometry/tap/choam\n```\n\n### From Source\n\n```bash\ngit clone https://github.com/isometry/choam\ncd choam\nmake build\n```\n\n### Using Go Install\n\n```bash\ngo install github.com/isometry/choam@latest\n```\n\n### Using Make\n\n```bash\nmake deps build\nmake install # Install to $GOPATH/bin\n```\n\n## Usage\n\n### Global Flags\n\nAll commands support these global flags:\n\n- `--verbose, -v`: Increase verbosity (-v for info, -vv for debug)\n- `--http-timeout`: Timeout for HTTP requests (default: 15s)\n\nCHOAM provides two main commands (plus experimental features):\n\n### Check for Updates\n\nDetect available updates without making changes:\n\n```bash\n# Check single file\nchoam check py3-authlib.yaml\n\n# Check directory\nchoam check ./packages/\n\n# JSON output for automation\nchoam check --format json ./packages/\n\n# Verbose output\nchoam check -vv ./packages/\n```\n\n#### Flags\n\n- `--format, -f`: Output format (table, json)\n- `--dry-run`: Show what would be checked without API calls\n- `--verbose, -v`: Increase verbosity (-v info, -vv debug)\n\n### Apply Updates\n\nUpdate package versions, epochs, and checksums:\n\n```bash\n# Update files with available updates\nchoam update ./packages/\n\n# Dry run to preview changes\nchoam update --dry-run ./packages/\n\n# Create backups\nchoam update --backup-suffix .bak ./packages/\n\n# Force update (increment epoch even without version change)\nchoam update --force package.yaml\n```\n\n#### Flags\n\n- `--format, -f`: Output format (table, json)\n- `--dry-run`: Show what would be changed without writing\n- `--backup-suffix`: Create backup files (e.g., `.bak`)\n- `--force`: Force update and increment epoch\n- `--shared`: Update shared dependencies (default: true)\n- `--verbose, -v`: Increase verbosity\n\n## Configuration\n\nCHOAM reads standard melange `update:` configurations:\n\n### GitHub Monitor\n\n```yaml\npackage:\n  name: py3-authlib\n  version: 1.5.2\n  epoch: 0\n\nupdate:\n  enabled: true\n  github:\n    identifier: lepture/authlib\n    strip-prefix: v\n    use-tag: false # Use releases (default) or tags\n```\n\nSet `GITHUB_TOKEN` environment variable for authentication and higher rate limits.\n\n### Release Monitor (release-monitoring.org)\n\n```yaml\npackage:\n  name: example-package\n  version: 1.0.0\n\nupdate:\n  enabled: true\n  release-monitor:\n    identifier: 242117\n```\n\nOptionally set `ANITYA_TOKEN` environment variable for authentication.\n\n### Git Monitor\n\n```yaml\nupdate:\n  enabled: true\n  git:\n    url: https://github.com/example/repo\n    strip-prefix: v\n```\n\n## Development\n\n### Building \u0026 Testing\n\n```bash\n# Development workflow\nmake deps              # Install dependencies\nmake build             # Build binary\nmake test              # Run all tests\nmake lint              # Lint code\n\n# Testing variants\nmake test-short        # Skip slow tests\nmake test-race         # Run with race detector\nmake test-coverage     # Generate coverage report\nmake test-package PKG=internal/scan  # Test specific package\n\n# Code quality\nmake fmt               # Format code\nmake clean             # Remove artifacts\n```\n\n### Project Structure\n\n```\ncmd/              CLI commands (check, update, gobump)\ninternal/\n  processor/      Processing pipeline architecture\n  updater/        Update detection and application\n  gobump/         Go module vulnerability scanning\n  scan/           OSV vulnerability scanner\n  github/         GitHub API client\n  git/            Git operations client\n  anitya/         Release monitoring client\n  config/         YAML configuration handling\n```\n\n## Experimental Features\n\n⚠️ **WARNING**: The following features are experimental and hidden from standard CLI help. They may change or be removed without notice. Use at your own risk in production environments.\n\n### gobump - Vulnerability Scanning (Hidden Command)\n\nThe `gobump` command scans and fixes Go module vulnerabilities using go/bump pipelines. This command is currently **hidden** (not shown in `choam --help`) and should be considered **unstable**.\n\n**Why hidden?** This feature is under active development. The API, behavior, and output format may change between releases without deprecation warnings.\n\n#### Usage\n\n```bash\n# Scan for vulnerabilities (hidden command)\nchoam gobump ./packages/\n\n# Dry run to preview fixes\nchoam gobump --dry-run ./packages/\n\n# Create backups before fixing\nchoam gobump --backup-suffix .bak ./packages/\n```\n\n#### Flags\n\n- `--format, -f`: Output format (table, json)\n- `--dry-run`: Show what would be changed without writing\n- `--backup-suffix`: Create backup files\n- `--verbose, -v`: Increase verbosity\n\n#### Example Output\n\n```\nPACKAGE              VULNS FOUND    VULNS FIXED    OLD EPOCH    NEW EPOCH    STATUS\ngo-package           2              2              5            6            FIXED\nsafe-package         0              0              3            3            NO VULNS\n\nSummary: 2 files processed, 1 with vulnerabilities, 1 fixed, 0 errors (2 vulnerabilities found, 2 fixed)\n```\n\n## Example Output\n\n### Check Command\n\n```\nPACKAGE         CURRENT    LATEST     UPDATE    SOURCE            STATUS\npy3-authlib     1.5.2      1.6.3      YES       github-releases   OK\ngo              1.21.0     1.21.5     YES       github-tags       OK\nexample         1.0.0      1.0.0      NO        anitya            OK\n```\n\n### Update Command\n\n```\nPACKAGE         CURRENT    LATEST     UPDATED    EPOCH    STATUS\npy3-authlib     1.5.2      1.6.3      YES        0→1      OK\ngo              1.21.0     1.21.5     YES        0→1      OK\n```\n\n## Environment Variables\n\n- `GITHUB_TOKEN`: GitHub personal access token for API authentication\n- `ANITYA_TOKEN`: Release monitoring API token\n- `LOG_LEVEL`: Log level override (debug, info, warn, error)\n\n## Requirements\n\n- Go 1.25.3 or later\n- Optional: `golangci-lint` for linting\n\n## Contributing\n\n1. Fork the repository\n2. Create a feature branch\n3. Write tests for new functionality\n4. Run `make lint \u0026\u0026 make test` before committing\n5. Submit a pull request\n\n## Related Projects\n\n- [Melange](https://github.com/chainguard-dev/melange) - APK package builder\n- [Wolfi](https://github.com/wolfi-dev) - Container-optimized Linux distribution\n- [Chainguard](https://www.chainguard.dev/) - Supply chain security platform\n\n## License\n\nMIT License - see LICENSE file for details\n","funding_links":[],"categories":[],"sub_categories":[],"project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fisometry%2Fchoam","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fisometry%2Fchoam","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fisometry%2Fchoam/lists"}