{"id":13692093,"url":"https://github.com/andyfeller/gh-dependency-report","last_synced_at":"2025-10-07T18:41:55.475Z","repository":{"id":43513719,"uuid":"442469121","full_name":"andyfeller/gh-dependency-report","owner":"andyfeller","description":"GitHub CLI extension for generating a report on repository dependencies.","archived":false,"fork":false,"pushed_at":"2023-09-18T13:37:45.000Z","size":2734,"stargazers_count":45,"open_issues_count":5,"forks_count":3,"subscribers_count":4,"default_branch":"main","last_synced_at":"2024-11-12T18:38:41.762Z","etag":null,"topics":["dependency-graph","gh-extension","go","golang"],"latest_commit_sha":null,"homepage":"","language":"Go","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"mit","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/andyfeller.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null}},"created_at":"2021-12-28T13:17:23.000Z","updated_at":"2024-09-22T22:22:38.000Z","dependencies_parsed_at":"2024-04-08T02:05:54.364Z","dependency_job_id":"7d0c08b0-461c-44ef-8ea6-b26cc7d3ddb9","html_url":"https://github.com/andyfeller/gh-dependency-report","commit_stats":{"total_commits":27,"total_committers":2,"mean_commits":13.5,"dds":0.03703703703703709,"last_synced_commit":"b99525094140b282f3aefc811cc383605061eded"},"previous_names":[],"tags_count":5,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/andyfeller%2Fgh-dependency-report","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/andyfeller%2Fgh-dependency-report/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/andyfeller%2Fgh-depend
ency-report/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/andyfeller%2Fgh-dependency-report/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/andyfeller","download_url":"https://codeload.github.com/andyfeller/gh-dependency-report/tar.gz/refs/heads/main","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":227424743,"owners_count":17775344,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["dependency-graph","gh-extension","go","golang"],"created_at":"2024-08-02T17:00:53.594Z","updated_at":"2025-10-07T18:41:50.422Z","avatar_url":"https://github.com/andyfeller.png","language":"Go","funding_links":[],"categories":["Go","Dependency Export","🧩 Categories","golang"],"sub_categories":["Repository Management"],"readme":"# gh-dependency-report\n\nA `gh` extension to generate a report of repository manifests and dependencies discovered through GitHub's [software supply chain](https://docs.github.com/en/code-security/supply-chain-security) capabilities.\n\n![Demo of gh-dependency-report extension](https://user-images.githubusercontent.com/2089743/154634826-716abba3-f139-4b7a-a106-01c0ab5b68c4.gif)\n\n## Quickstart\n\n1. `gh extension install andyfeller/gh-dependency-report`\n1. `gh dependency-report $(whoami)`\n1. Profit! 
:moneybag: :money_with_wings: :money_mouth_face: :money_with_wings: :moneybag:\n\n## Usage\n\nThe extension pulls [manifests](https://docs.github.com/en/graphql/reference/objects#dependencygraphmanifest) and [dependencies](https://docs.github.com/en/graphql/reference/objects#dependencygraphdependency), including [license info](https://docs.github.com/en/graphql/reference/objects#license), for [repositories](https://docs.github.com/en/graphql/reference/objects#repository) from [GitHub's GraphQL API](https://docs.github.com/en/graphql/reference/). This only works for repositories that have [enabled the dependency graph feature](https://docs.github.com/en/code-security/supply-chain-security/understanding-your-software-supply-chain/about-the-dependency-graph#enabling-the-dependency-graph).\n\nThe result is a CSV that companies and individuals can use to attest to software licenses in use, making the jobs of platform engineering, legal, security, and auditors easier.\n\n```shell\n $ gh dependency-report --help\n\nGenerate report of repository manifests and dependencies discovered through the dependency graph\n\nUsage:\n  gh-dependency-report [flags] owner [repo ...]\n\nFlags:\n  -d, --debug                Whether to debug logging\n  -e, --exclude strings      Repositories to exclude from report\n  -h, --help                 help for gh-dependency-report\n  -o, --output-file string   Name of file to write CSV report (default \"report-20220216081518.csv\")\n```\n\nThe resulting CSV file contains the most common information used for these purposes:\n\n\u003cdl\u003e\n  \u003cdt\u003e\u003ccode\u003eOwner\u003c/code\u003e\u003c/dt\u003e\n  \u003cdd\u003eLogin name of the organization or user that owns the repository\u003c/dd\u003e\n  \u003cdd\u003e\n    Examples:\n    \u003cul\u003e\n      \u003cli\u003e\u003ccode\u003eandyfeller\u003c/code\u003e\u003c/li\u003e\n      \u003cli\u003e\u003ccode\u003egithub\u003c/code\u003e\u003c/li\u003e\n      
\u003cli\u003e\u003ccode\u003ecli\u003c/code\u003e\u003c/li\u003e\n    \u003c/ul\u003e\n  \u003c/dd\u003e\n\n  \u003cdt\u003e\u003ccode\u003eRepo\u003c/code\u003e\u003c/dt\u003e\n  \u003cdd\u003eName of the repository containing the manifest; does not duplicate owner information\u003c/dd\u003e\n  \u003cdd\u003e\n    Examples:\n    \u003cul\u003e\n      \u003cli\u003e\u003ccode\u003egh-dependency-report\u003c/code\u003e \u003cem\u003e(for \u003ccode\u003eandyfeller/gh-dependency-report\u003c/code\u003e)\u003c/em\u003e\u003c/li\u003e\n      \u003cli\u003e\u003ccode\u003ecodeql\u003c/code\u003e \u003cem\u003e(for \u003ccode\u003egithub/codeql\u003c/code\u003e)\u003c/em\u003e\u003c/li\u003e\n      \u003cli\u003e\u003ccode\u003ecli\u003c/code\u003e \u003cem\u003e(for \u003ccode\u003ecli/cli\u003c/code\u003e)\u003c/em\u003e\u003c/li\u003e\n    \u003c/ul\u003e\n  \u003c/dd\u003e\n\n  \u003cdt\u003e\u003ccode\u003eManifest\u003c/code\u003e\u003c/dt\u003e\n  \u003cdd\u003eFully qualified manifest filename\u003c/dd\u003e\n  \u003cdd\u003e\n    Examples:\n      \u003cli\u003e\u003ccode\u003ego.mod\u003c/code\u003e\u003c/li\u003e\n      \u003cli\u003e\u003ccode\u003e.github/workflows/release.yml\u003c/code\u003e\u003c/li\u003e\n      \u003cli\u003e\u003ccode\u003epackage.json\u003c/code\u003e\u003c/li\u003e\n  \u003c/dd\u003e\n\n  \u003cdt\u003e\u003ccode\u003eExceeds Max Size\u003c/code\u003e\u003c/dt\u003e\n  \u003cdd\u003eIs the manifest too big to parse?\u003c/dd\u003e\n\n  \u003cdt\u003e\u003ccode\u003eParseable\u003c/code\u003e\u003c/dt\u003e\n  \u003cdd\u003eWere we able to parse the manifest?\u003c/dd\u003e\n\n  \u003cdt\u003e\u003ccode\u003ePackage Manager\u003c/code\u003e\u003c/dt\u003e\n  \u003cdd\u003eThe dependency package manager.\u003c/dd\u003e\n  \u003cdd\u003e\n    Examples:\n      \u003cli\u003e\u003ccode\u003eACTIONS\u003c/code\u003e\u003c/li\u003e\n      \u003cli\u003e\u003ccode\u003eCOMPOSER\u003c/code\u003e\u003c/li\u003e\n      
\u003cli\u003e\u003ccode\u003eGO\u003c/code\u003e\u003c/li\u003e\n      \u003cli\u003e\u003ccode\u003eMAVEN\u003c/code\u003e\u003c/li\u003e\n      \u003cli\u003e\u003ccode\u003eNPM\u003c/code\u003e\u003c/li\u003e\n      \u003cli\u003e\u003ccode\u003eNUGET\u003c/code\u003e\u003c/li\u003e\n      \u003cli\u003e\u003ccode\u003ePIP\u003c/code\u003e\u003c/li\u003e\n      \u003cli\u003e\u003ccode\u003eRUBYGEMS\u003c/code\u003e\u003c/li\u003e\n  \u003c/dd\u003e\n\n  \u003cdt\u003e\u003ccode\u003eDependency\u003c/code\u003e\u003c/dt\u003e\n  \u003cdd\u003e\n    The name of the package in the canonical form used by the package manager.  This may differ from the original textual form (see packageLabel), for example in a package manager that uses case-insensitive comparisons.\n  \u003c/dd\u003e\n  \u003cdd\u003e\n    Examples:\n      \u003cli\u003e\u003ccode\u003eactions/checkout\u003c/code\u003e \u003cem\u003e(actions)\u003c/em\u003e\u003c/li\u003e\n      \u003cli\u003e\u003ccode\u003egithub.com/spf13/cobra\u003c/code\u003e \u003cem\u003e(go)\u003c/em\u003e\u003c/li\u003e\n      \u003cli\u003e\u003ccode\u003e@actions/core\u003c/code\u003e \u003cem\u003e(npm)\u003c/em\u003e\u003c/li\u003e\n  \u003c/dd\u003e\n\n  \u003cdt\u003e\u003ccode\u003eHas Dependencies?\u003c/code\u003e\u003c/dt\u003e\n  \u003cdd\u003eDoes the dependency itself have dependencies?\u003c/dd\u003e\n\n  \u003cdt\u003e\u003ccode\u003eRequirements\u003c/code\u003e\u003c/dt\u003e\n  \u003cdd\u003eThe dependency version requirements.\u003c/dd\u003e\n\n  \u003cdt\u003e\u003ccode\u003eLicense\u003c/code\u003e\u003c/dt\u003e\n  \u003cdd\u003eShort identifier specified by \u003ca href=\"https://spdx.org/licenses\"\u003ehttps://spdx.org/licenses\u003c/a\u003e.\u003c/dd\u003e\n\n  \u003cdt\u003e\u003ccode\u003eLicense Url\u003c/code\u003e\u003c/dt\u003e\n  \u003cdd\u003eURL to the license on \u003ca 
href=\"https://choosealicense.com\"\u003ehttps://choosealicense.com\u003c/a\u003e.\u003c/dd\u003e\n\u003c/dl\u003e\n\n### Example Report\n\nThe following is an example of a report generated around my own personal repositories:\n\n\u003cdetails\u003e\n  \u003csummary\u003eExample report on \u003ccode\u003eandyfeller\u003c/code\u003e\u003c/summary\u003e\n\n  ```\n  Owner,Repo,Manifest,Exceeds Max Size,Parseable,Package Manager,Dependency,Has Dependencies?,Requirements,License,License Url\n  andyfeller,gh-dependency-report,go.mod,false,true,GO,github.com/cli/go-gh,true,= 0.0.2-0.20211206104242-8180ab76d996,MIT,http://choosealicense.com/licenses/mit/\n  andyfeller,gh-dependency-report,go.mod,false,true,GO,github.com/cli/safeexec,false,= 1.0.0,,\n  andyfeller,gh-dependency-report,go.mod,false,true,GO,github.com/cli/shurcooL-graphql,true,= 0.0.1,MIT,http://choosealicense.com/licenses/mit/\n  andyfeller,gh-dependency-report,go.mod,false,true,GO,github.com/henvic/httpretty,false,= 0.0.6,MIT,http://choosealicense.com/licenses/mit/\n  andyfeller,gh-dependency-report,go.mod,false,true,GO,github.com/inconshreveable/mousetrap,false,= 1.0.0,,\n  andyfeller,gh-dependency-report,go.mod,false,true,GO,github.com/spf13/cobra,true,= 1.3.0,Apache-2.0,http://choosealicense.com/licenses/apache-2.0/\n  andyfeller,gh-dependency-report,go.mod,false,true,GO,github.com/spf13/pflag,false,= 1.0.5,,\n  andyfeller,gh-dependency-report,go.mod,false,true,GO,go.uber.org/atomic,true,= 1.9.0,MIT,http://choosealicense.com/licenses/mit/\n  andyfeller,gh-dependency-report,go.mod,false,true,GO,go.uber.org/multierr,true,= 1.7.0,MIT,http://choosealicense.com/licenses/mit/\n  andyfeller,gh-dependency-report,go.mod,false,true,GO,go.uber.org/zap,true,= 1.20.0,MIT,http://choosealicense.com/licenses/mit/\n  andyfeller,gh-dependency-report,go.mod,false,true,GO,golang.org/x/net,false,= 0.0.0-20211112202133-69e39bad7dc2,,\n  andyfeller,gh-dependency-report,go.mod,false,true,GO,gopkg.in/yaml.v3,true,= 
3.0.0-20210107192922-496545a6307b,,\n  andyfeller,gh-dependency-report,go.sum,false,true,GO,github.com/benbjohnson/clock,false,= v1.1.0,MIT,http://choosealicense.com/licenses/mit/\n  andyfeller,gh-dependency-report,go.sum,false,true,GO,github.com/cli/go-gh,true,= v0.0.2-0.20211206104242-8180ab76d996,MIT,http://choosealicense.com/licenses/mit/\n  andyfeller,gh-dependency-report,go.sum,false,true,GO,github.com/cli/safeexec,false,= v1.0.0,,\n  andyfeller,gh-dependency-report,go.sum,false,true,GO,github.com/cli/shurcooL-graphql,true,= v0.0.1,MIT,http://choosealicense.com/licenses/mit/\n  andyfeller,gh-dependency-report,go.sum,false,true,GO,github.com/davecgh/go-spew,false,= v1.1.1,,\n  andyfeller,gh-dependency-report,go.sum,false,true,GO,github.com/henvic/httpretty,false,= v0.0.6,MIT,http://choosealicense.com/licenses/mit/\n  andyfeller,gh-dependency-report,go.sum,false,true,GO,github.com/inconshreveable/mousetrap,false,= v1.0.0,,\n  andyfeller,gh-dependency-report,go.sum,false,true,GO,github.com/kr/pretty,true,= v0.2.0,MIT,http://choosealicense.com/licenses/mit/\n  andyfeller,gh-dependency-report,go.sum,false,true,GO,github.com/kr/text,true,= v0.1.0,MIT,http://choosealicense.com/licenses/mit/\n  andyfeller,gh-dependency-report,go.sum,false,true,GO,github.com/MakeNowJust/heredoc,false,= v1.0.0,MIT,http://choosealicense.com/licenses/mit/\n  andyfeller,gh-dependency-report,go.sum,false,true,GO,github.com/pkg/errors,false,= v0.8.1,BSD-2-Clause,http://choosealicense.com/licenses/bsd-2-clause/\n  andyfeller,gh-dependency-report,go.sum,false,true,GO,github.com/pmezard/go-difflib,false,= v1.0.0,NOASSERTION,http://choosealicense.com/licenses/other/\n  andyfeller,gh-dependency-report,go.sum,false,true,GO,github.com/spf13/cobra,true,= v1.3.0,Apache-2.0,http://choosealicense.com/licenses/apache-2.0/\n  andyfeller,gh-dependency-report,go.sum,false,true,GO,github.com/spf13/pflag,false,= v1.0.5,,\n  
andyfeller,gh-dependency-report,go.sum,false,true,GO,github.com/stretchr/testify,true,= v1.7.0,MIT,http://choosealicense.com/licenses/mit/\n  andyfeller,gh-dependency-report,go.sum,false,true,GO,go.uber.org/atomic,true,= v1.9.0,MIT,http://choosealicense.com/licenses/mit/\n  andyfeller,gh-dependency-report,go.sum,false,true,GO,go.uber.org/goleak,true,= v1.1.11,MIT,http://choosealicense.com/licenses/mit/\n  andyfeller,gh-dependency-report,go.sum,false,true,GO,go.uber.org/multierr,true,= v1.7.0,MIT,http://choosealicense.com/licenses/mit/\n  andyfeller,gh-dependency-report,go.sum,false,true,GO,go.uber.org/zap,true,= v1.20.0,MIT,http://choosealicense.com/licenses/mit/\n  andyfeller,gh-dependency-report,go.sum,false,true,GO,golang.org/x/net,false,= v0.0.0-20211112202133-69e39bad7dc2,,\n  andyfeller,gh-dependency-report,go.sum,false,true,GO,gopkg.in/check.v1,true,= v1.0.0-20190902080502-41f04d3bba15,,\n  andyfeller,gh-dependency-report,go.sum,false,true,GO,gopkg.in/yaml.v2,true,= v2.4.0,,\n  andyfeller,gh-dependency-report,go.sum,false,true,GO,gopkg.in/yaml.v3,true,= v3.0.0-20210107192922-496545a6307b,,\n  andyfeller,gh-dependency-report,.github/workflows/release.yml,false,true,ACTIONS,actions/checkout,false,= 2,MIT,http://choosealicense.com/licenses/mit/\n  andyfeller,gh-dependency-report,.github/workflows/release.yml,false,true,ACTIONS,cli/gh-extension-precompile,false,= 1,MIT,http://choosealicense.com/licenses/mit/\n  andyfeller,gh-dependency-report,.github/workflows/release.yml,false,true,ACTIONS,actions/checkout,false,= 2,MIT,http://choosealicense.com/licenses/mit/\n  andyfeller,gh-dependency-report,.github/workflows/release.yml,false,true,ACTIONS,cli/gh-extension-precompile,false,= 1,MIT,http://choosealicense.com/licenses/mit/\n  ```\n\u003c/details\u003e\n\n\n## Setup\n\nLike any other `gh` CLI extension, `gh-dependency-report` is trivial to install or upgrade and works on most operating systems:\n\n- **Installation**\n\n  ```shell\n  gh extension install 
andyfeller/gh-dependency-report\n  ```\n  \n  _For more information: [`gh extension install`](https://cli.github.com/manual/gh_extension_install)_\n\n- **Upgrade**\n\n  ```shell\n  gh extension upgrade gh-dependency-report\n  ```\n\n  _For more information: [`gh extension upgrade`](https://cli.github.com/manual/gh_extension_upgrade)_\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fandyfeller%2Fgh-dependency-report","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fandyfeller%2Fgh-dependency-report","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fandyfeller%2Fgh-dependency-report/lists"}