{"id":35234110,"url":"https://github.com/cashapp/protosync","last_synced_at":"2026-04-07T04:31:37.939Z","repository":{"id":43874525,"uuid":"387932758","full_name":"cashapp/protosync","owner":"cashapp","description":"ProtoSync synchronises remote .proto files to a local directory","archived":false,"fork":false,"pushed_at":"2023-03-04T21:37:47.000Z","size":40,"stargazers_count":15,"open_issues_count":1,"forks_count":4,"subscribers_count":4,"default_branch":"master","last_synced_at":"2024-11-16T03:35:07.938Z","etag":null,"topics":["grpc","protobuf","protocol-buffers"],"latest_commit_sha":null,"homepage":"","language":"Go","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"apache-2.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/cashapp.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE.txt","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2021-07-20T22:58:33.000Z","updated_at":"2024-05-09T23:40:42.000Z","dependencies_parsed_at":"2024-06-19T05:31:39.652Z","dependency_job_id":"70086b5e-1ca1-4b57-a4db-8558d333dfe2","html_url":"https://github.com/cashapp/protosync","commit_stats":null,"previous_names":[],"tags_count":12,"template":false,"template_full_name":null,"purl":"pkg:github/cashapp/protosync","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/cashapp%2Fprotosync","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/cashapp%2Fprotosync/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/cashapp%2Fprotosync/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/cashapp%2Fprotosync/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/cashapp","download_url":"https://codeload.github.com/cashapp/protosync/tar.gz/refs/heads/master","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/cashapp%2Fprotosync/sbom","scorecard":{"id":267291,"data":{"date":"2025-08-11","repo":{"name":"github.com/cashapp/protosync","commit":"ff6f70f52bc8ea239ec2dbf8ba605bad0e14a14c"},"scorecard":{"version":"v5.2.1-40-gf6ed084d","commit":"f6ed084d17c9236477efd66e5b258b9d4cc7b389"},"score":3.1,"checks":[{"name":"Packaging","score":-1,"reason":"packaging workflow not detected","details":["Warn: no GitHub/GitLab publishing workflow detected."],"documentation":{"short":"Determines if the project is published as a package that others can easily download, install, easily update, and uninstall.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#packaging"}},{"name":"Code-Review","score":1,"reason":"Found 4/21 approved changesets -- score normalized to 1","details":null,"documentation":{"short":"Determines if the project requires human code review before pull requests (aka merge requests) are merged.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#code-review"}},{"name":"Token-Permissions","score":0,"reason":"detected GitHub workflow tokens with excessive permissions","details":["Warn: no topLevel permission defined: .github/workflows/ci.yml:1","Warn: no topLevel permission defined: .github/workflows/release.yml:1","Info: no jobLevel write permissions found"],"documentation":{"short":"Determines if the project's workflows follow the principle of least privilege.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#token-permissions"}},{"name":"Pinned-Dependencies","score":0,"reason":"dependency not pinned by hash detected -- score normalized to 0","details":["Info: Possibly incomplete results: error parsing shell code: parameter expansion requires a literal: bin/activate-hermit:0","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/ci.yml:12: update your workflow using https://app.stepsecurity.io/secureworkflow/cashapp/protosync/ci.yml/master?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/release.yml:11: update your workflow using https://app.stepsecurity.io/secureworkflow/cashapp/protosync/release.yml/master?enable=pin","Warn: downloadThenRun not pinned by hash: bin/hermit:23","Info:   0 out of   2 GitHub-owned GitHubAction dependencies pinned","Info:   0 out of   1 downloadThenRun dependencies pinned"],"documentation":{"short":"Determines if the project has declared and pinned the dependencies of its build process.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#pinned-dependencies"}},{"name":"Binary-Artifacts","score":10,"reason":"no binaries found in the repo","details":null,"documentation":{"short":"Determines if the project has generated executable (binary) artifacts in the source repository.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#binary-artifacts"}},{"name":"Maintained","score":0,"reason":"0 commit(s) and 0 issue activity found in the last 90 days -- score normalized to 0","details":null,"documentation":{"short":"Determines if the project is \"actively maintained\".","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#maintained"}},{"name":"Dangerous-Workflow","score":10,"reason":"no dangerous workflow patterns detected","details":null,"documentation":{"short":"Determines if the project's GitHub Action workflows avoid dangerous patterns.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#dangerous-workflow"}},{"name":"CII-Best-Practices","score":0,"reason":"no effort to earn an OpenSSF best practices badge detected","details":null,"documentation":{"short":"Determines if the project has an OpenSSF (formerly CII) Best Practices Badge.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#cii-best-practices"}},{"name":"Fuzzing","score":0,"reason":"project is not fuzzed","details":["Warn: no fuzzer integrations found"],"documentation":{"short":"Determines if the project uses fuzzing.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#fuzzing"}},{"name":"License","score":10,"reason":"license file detected","details":["Info: project has a license file: LICENSE.txt:0","Info: FSF or OSI recognized license: Apache License 2.0: LICENSE.txt:0"],"documentation":{"short":"Determines if the project has defined a license.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#license"}},{"name":"Branch-Protection","score":0,"reason":"branch protection not enabled on development/release branches","details":["Warn: branch protection not enabled for branch 'master'"],"documentation":{"short":"Determines if the default and release branches are protected with GitHub's branch protection settings.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#branch-protection"}},{"name":"Signed-Releases","score":0,"reason":"Project has not signed or included provenance with any releases.","details":["Warn: release artifact v0.5.4 not signed: https://api.github.com/repos/cashapp/protosync/releases/94497052","Warn: release artifact v0.5.3 not signed: https://api.github.com/repos/cashapp/protosync/releases/94488618","Warn: release artifact v0.5.2 not signed: https://api.github.com/repos/cashapp/protosync/releases/68118183","Warn: release artifact v0.5.1 not signed: https://api.github.com/repos/cashapp/protosync/releases/68117766","Warn: release artifact v0.5.0 not signed: https://api.github.com/repos/cashapp/protosync/releases/64336181","Warn: release artifact v0.5.4 does not have provenance: https://api.github.com/repos/cashapp/protosync/releases/94497052","Warn: release artifact v0.5.3 does not have provenance: https://api.github.com/repos/cashapp/protosync/releases/94488618","Warn: release artifact v0.5.2 does not have provenance: https://api.github.com/repos/cashapp/protosync/releases/68118183","Warn: release artifact v0.5.1 does not have provenance: https://api.github.com/repos/cashapp/protosync/releases/68117766","Warn: release artifact v0.5.0 does not have provenance: https://api.github.com/repos/cashapp/protosync/releases/64336181"],"documentation":{"short":"Determines if the project cryptographically signs release artifacts.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#signed-releases"}},{"name":"Security-Policy","score":0,"reason":"security policy file not detected","details":["Warn: no security policy file detected","Warn: no security file to analyze","Warn: no security file to analyze","Warn: no security file to analyze"],"documentation":{"short":"Determines if the project has published a security policy.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#security-policy"}},{"name":"Vulnerabilities","score":8,"reason":"2 existing vulnerabilities detected","details":["Warn: Project is vulnerable to: GHSA-3f2q-6294-fmq5","Warn: Project is vulnerable to: GO-2022-0603 / GHSA-hp87-p4gw-j4gq"],"documentation":{"short":"Determines if the project has open, known unfixed vulnerabilities.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#vulnerabilities"}},{"name":"SAST","score":0,"reason":"SAST tool is not run on all commits -- score normalized to 0","details":["Warn: 0 commits out of 7 are checked with a SAST tool"],"documentation":{"short":"Determines if the project uses static code analysis.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#sast"}}]},"last_synced_at":"2025-08-17T12:25:00.752Z","repository_id":43874525,"created_at":"2025-08-17T12:25:00.752Z","updated_at":"2025-08-17T12:25:00.752Z"},"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":31500397,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-04-07T03:10:19.677Z","status":"ssl_error","status_checked_at":"2026-04-07T03:10:13.982Z","response_time":105,"last_error":"SSL_connect returned=1 errno=0 peeraddr=140.82.121.5:443 state=error: unexpected eof while reading","robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":false,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["grpc","protobuf","protocol-buffers"],"created_at":"2025-12-30T03:27:15.180Z","updated_at":"2026-04-07T04:31:37.934Z","avatar_url":"https://github.com/cashapp.png","language":"Go","funding_links":[],"categories":[],"sub_categories":[],"readme":"# ProtoSync synchronises remote .proto files to a local directory\n\nThis tool syncs the transitive import closure of a set of .proto files to a local\ndirectory. A configuration file tells protosync where to retrieve .proto files from. It\nthen retrieves and/or parses the .proto files specified on the command-line, recursively\nretrieving all imports.\n\n## What problem does this solve?\n\nUnlike most modern languages, Protobufs do not have a packaging system. The typical\nsolution to using third party Protobufs then becomes copying those .proto files into \nyour source. This tool automates that process by recursively parsing and resolving \nimports from third party, or your own, `.proto` files.\n\n## Contributing\n\nCode is always welcome, but so too are extra `repo` entries in the builtin config. The\nmore repo entries are built in, the more .proto files can be resolved by default!\n\n## Example\n\nFor example, if we create the following in `protos/service.proto`:\n\n```protobuf\nsyntax = \"proto3\";\n\npackage service;\n\nimport \"google/api/annotations.proto\";\nimport \"google/rpc/status.proto\"; // Imported for API doc references.\nimport \"protoc-gen-swagger/options/annotations.proto\";\n```\n\nThe following will recursively retrieve all remote imports referenced in the\nlocal proto root `./protos` as well as `google/api/http.proto`, and place them in\n`./third_party/protos`.\n\n    $ protosync -I./protos --dest=./third_party/protos google/api/http.proto\n    info: https://raw.githubusercontent.com/googleapis/googleapis/master/google/api/http.proto -\u003e /Users/alec/Projects/protosync/third_party/protos/google/api/http.proto\n    info: https://raw.githubusercontent.com/googleapis/googleapis/master/google/api/annotations.proto -\u003e /Users/alec/Projects/protosync/third_party/protos/google/api/annotations.proto\n    info: https://raw.githubusercontent.com/protocolbuffers/protobuf/master/src/google/protobuf/descriptor.proto -\u003e /Users/alec/Projects/protosync/third_party/protos/google/protobuf/descriptor.proto\n    info: https://raw.githubusercontent.com/googleapis/googleapis/master/google/rpc/status.proto -\u003e /Users/alec/Projects/protosync/third_party/protos/google/rpc/status.proto\n    info: https://raw.githubusercontent.com/protocolbuffers/protobuf/master/src/google/protobuf/any.proto -\u003e /Users/alec/Projects/protosync/third_party/protos/google/protobuf/any.proto\n    info: https://raw.githubusercontent.com/grpc-ecosystem/grpc-gateway/v1.15.2/protoc-gen-swagger/options/annotations.proto -\u003e /Users/alec/Projects/protosync/third_party/protos/protoc-gen-swagger/options/annotations.proto\n    info: https://raw.githubusercontent.com/grpc-ecosystem/grpc-gateway/v1.15.2/protoc-gen-swagger/options/openapiv2.proto -\u003e /Users/alec/Projects/protosync/third_party/protos/protoc-gen-swagger/options/openapiv2.proto\n    info: https://raw.githubusercontent.com/protocolbuffers/protobuf/master/src/google/protobuf/struct.proto -\u003e /Users/alec/Projects/protosync/third_party/protos/google/protobuf/struct.proto\n\n## Usage\n\nFor simple use cases `protosync` can be used standalone, but for more complex situations \nit also supports a HCL configuration file. Run `protosync --help` to see the schema \nfor the configuration file as well as command-line usage.\n\n## Customising\n\nThe `protosync` command-line tool is a thin wrapper around an extensible API. Look \nat the `resolver` package to see example implementations of how to extend `protosync`.\n\n## Does this use git clone?\n\nAs the above example illustrates, `protosync` first attempts to directly\nretrieve protos via HTTP. This is primarily an optimisation for large\nrepos. If the download fails, `git clone` is attempted - a useful\nworkaround for private repositories.\n\n## Development\n\nProtosync uses [hermit](https://cashapp.github.io/hermit/) for uniform\ntooling. Just clone this repo, activate hermit and you are ready to\nbuild, test and lint:\n\n    . ./bin/activate-hermit\n    go build ./cmd/protosync\n    go test ./...\n    golangci-lint run\n\n## License\n\nCopyright 2021 Square, Inc.\n\nLicensed under the Apache License, Version 2.0 (the \"License\");\nyou may not use this file except in compliance with the License.\nYou may obtain a copy of the License at\n\nhttp://www.apache.org/licenses/LICENSE-2.0\n\nUnless required by applicable law or agreed to in writing, software\ndistributed under the License is distributed on an \"AS IS\" BASIS,\nWITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\nSee the License for the specific language governing permissions and\nlimitations under the License.\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fcashapp%2Fprotosync","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fcashapp%2Fprotosync","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fcashapp%2Fprotosync/lists"}