{"id":36593749,"url":"https://github.com/elementsinteractive/sheriff","last_synced_at":"2026-01-12T08:24:39.497Z","repository":{"id":269401091,"uuid":"892114205","full_name":"elementsinteractive/sheriff","owner":"elementsinteractive","description":"Sheriff is a tool to scan repositories and generate security reports.","archived":false,"fork":false,"pushed_at":"2025-09-17T12:22:17.000Z","size":92138,"stargazers_count":6,"open_issues_count":10,"forks_count":1,"subscribers_count":4,"default_branch":"main","last_synced_at":"2025-09-17T13:31:34.637Z","etag":null,"topics":["dependency-scanning","security","security-audit","security-tools","vulnerability-scanner"],"latest_commit_sha":null,"homepage":"https://www.elements.nl","language":"Go","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"mit","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/elementsinteractive.png","metadata":{"files":{"readme":"README.md","changelog":"CHANGELOG.md","contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":"CODEOWNERS","security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null,"notice":null,"maintainers":null,"copyright":null,"agents":null,"dco":null,"cla":null}},"created_at":"2024-11-21T14:33:57.000Z","updated_at":"2025-09-17T12:22:21.000Z","dependencies_parsed_at":"2024-12-23T10:24:32.313Z","dependency_job_id":"2feb5d5d-dc76-4cbb-b014-5be9a61510d1","html_url":"https://github.com/elementsinteractive/sheriff","commit_stats":null,"previous_names":["elementsinteractive/sheriff"],"tags_count":46,"template":false,"template_full_name":null,"purl":"pkg:github/elementsinteractive/sheriff","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/elementsinteractive%2Fsheriff","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/
repositories/elementsinteractive%2Fsheriff/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/elementsinteractive%2Fsheriff/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/elementsinteractive%2Fsheriff/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/elementsinteractive","download_url":"https://codeload.github.com/elementsinteractive/sheriff/tar.gz/refs/heads/main","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/elementsinteractive%2Fsheriff/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":28337591,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-01-12T06:09:07.588Z","status":"ssl_error","status_checked_at":"2026-01-12T06:05:18.301Z","response_time":98,"last_error":"SSL_connect returned=1 errno=0 peeraddr=140.82.121.5:443 state=error: unexpected eof while reading","robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":false,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["dependency-scanning","security","security-audit","security-tools","vulnerability-scanner"],"created_at":"2026-01-12T08:24:35.482Z","updated_at":"2026-01-12T08:24:39.489Z","avatar_url":"https://github.com/elementsinteractive.png","language":"Go","funding_links":[],"categories":[],"sub_categories":[],"readme":"\u003cp align=\"center\"\u003e\n  \u003cimg alt=\"sheriff-logo\" width=\"150\" src=\"./assets/sheriff.png\"\u003e\n\u003c/p\u003e\n\n\n# Sheriff\n\nSheriff is a 
tool to scan repositories and generate security reports.\n\n- [Quick Usage](#quick-usage)\n- [How it works](#how-it-works)\n  - [Issue in the affected repository](#issue-in-the-affected-repository)\n  - [Report message](#report-message)\n  - [Specific repository message](#specific-repository-message)\n- [Installation](#installation)\n  - [Docker](#docker)\n  - [Manual installation](#manual-installation)\n- [Configuration](#configuration)\n  - [CLI flags](#cli-flags)\n  - [Environment variables](#environment-variables)\n  - [Configuration file](#configuration-file)\n  - [Configuration options](#configuration-options)\n    - [Miscellaneous](#miscellaneous)\n      - [config](#config)\n      - [verbose](#verbose)\n    - [Scanning](#scanning)\n      - [targets](#targets)\n      - [ignored](#ignored)\n    - [Reporting](#reporting)\n      - [report to issue](#report-to-issue)\n      - [report to email (TODO #12)](#report-to-email-todo-12)\n      - [report to slack channels](#report-to-slack-channels)\n      - [enable project report to](#enable-project-report-to)\n      - [silent](#silent)\n    - [Tokens](#tokens)\n      - [gitlab token](#gitlab-token)\n      - [slack token](#slack-token)\n- [Supported platforms](#supported-platforms)\n  - [Source code hosting services](#source-code-hosting-services)\n  - [Messaging services](#messaging-services)\n  - [Scanners](#scanners)\n- [Usage in CI](#usage-in-ci)\n  - [In Gitlab](#in-gitlab)\n- [Contributors ✨](#contributors-)\n\n## Quick Usage\n\n```sh\nsheriff patrol --target gitlab://your-namespace-or-group --report-to-issue\n```\n\n## How it works\n\nSheriff analyzes repositories in source code repository hosting services (such as GitLab) looking for vulnerabilities\nin the dependencies of the scanned repositories. Sheriff uses one or several third-party scanners to detect these vulnerabilities, and aggregates them into its reports. 
See a list of supported platforms and scanners in the [section below](#supported-platforms).\n\nSheriff is best used for analyzing vulnerabilities in bulk, regularly scanning groups of repositories to provide an overview of which vulnerabilities affect them. For that, Sheriff provides different types of reports, and it can publish them to different platforms such as GitLab (see [supported platforms section](#supported-platforms)).\n\n### Issue in the affected repository\n\nSheriff will keep an open issue in each one of the analyzed repositories, providing a detailed report of which vulnerabilities have been found by its scanners.\n\n\u003cimg width=\"600\" alt='issue-report' src='./assets/issue-report.png'\u003e\n\n### Report message\n\nSheriff will post a message to a messaging service with an overview of the analyzed repositories and the vulnerabilities detected. This message is intended to provide a generic overview to those in charge of security to oversee the state of a given group of repositories.\n\n\u003cimg width='400' alt='msg-report' src='assets/report-msg.png'\u003e\n\n### Specific repository message\n\nProject teams can also be informed regularly by Sheriff (if they want to) by configuring a channel to which Sheriff should report its findings of a given repository. 
The message generated by Sheriff will be slightly different, and will contain only information relevant for the repository maintainers.\n\n\u003cimg width='400' alt='repo-report' src='assets/report-repo.png'\u003e\n\n## Installation\n\n### Docker\n\nThe easiest way to run Sheriff is through docker:\n\n```sh\ndocker pull elementsinteractive/sheriff\ndocker run elementsinteractive/sheriff --help\n```\n\n### Manual installation\n\n\u003e [!NOTE]  \n\u003e If you install Sheriff manually, you will need to ensure that all the scanners used by it are available in your system\n\nYou can install Sheriff yourself by installing its dependencies, and then either downloading the binary from the [GitHub Releases page](https://github.com/elementsinteractive/sheriff/releases) or building Sheriff from source.\n\n```sh\nbrew install osv-scanner\ngit clone git@github.com:elementsinteractive/sheriff.git\ncd sheriff\ngo install .\n```\n\n## Configuration\n\nSheriff can be configured in a few different ways:\n\n### CLI flags\n\nThe most complete way is through CLI flags. 
See `sheriff patrol --help` for the full list of available options.\n\n### Environment variables\n\nFor specific sensitive configuration keys such as API tokens, Sheriff can read them from environment variables.\nOnly the **Tokens** section of configuration parameters is supported for this (see `sheriff patrol --help` for the full list).\n\nThis is the case for `GITLAB_TOKEN` \u0026 `SLACK_TOKEN` for example.\n\n### Configuration file\n\nSheriff also supports configuration through a TOML config file.\nOnly the **Reporting** and **Scanning** sections of configuration parameters are supported for this (see `sheriff patrol --help` for the full list).\n\nIn this case you may choose to create a config file such as the following:\n\n```toml\ntargets = [\"namespace/group\", \"namespace/group/cool-repo\"]\n[report.to]\nslack-channel = \"sheriff-report-test\"\nissue = true\n```\n\nAnd if you wish to specify a different file, you can do so with `sheriff patrol --config your-config-file.toml`.\n\n\u003e [!NOTE]\n\u003e When using several types of configurations at once there is an order of preference: **cli flags** \u003e **env vars** \u003e **config file**\n\n### Configuration options\n\n#### Miscellaneous\n\n##### config\n\n| CLI options | File config |\n|---|---|\n| `--config` | - |\n\nSets the path of your sheriff configuration file\n\n##### verbose\n\n| CLI options | File config |\n|---|---|\n| `--verbose`/`-v` | - |\n\nSets the log level to verbose\n\n#### Scanning\n\n##### targets\n\n| CLI options | File config |\n|---|---|\n| (repeatable) `--target` | `targets` |\n\nSets the list of groups and projects to be scanned.\nThe expected format of a target is `platform://path/to/your/group-or-project`\n\nFor example:\n`--target gitlab://namespace/group --target github://organization/project`\n\n##### ignored\n\n| CLI options | File config |\n|---|---|\n| (repeatable) `--ignore` | `ignored` |\n\nSets the list of groups and projects to be ignored from scanning.\nUseful when 
you have a `target` which is a group, but you want to ignore a specific project from that group.\nThe expected format is the same as for a target: `platform://path/to/your/group-or-project`\n\nFor example:\n`--ignore gitlab://namespace/group --ignore github://organization/project`\n\n#### Reporting\n\n##### report to issue\n\n| CLI options | File config |\n|---|---|\n| `--report-to-issue` | \u003ccode\u003e[report.to]\u003cbr\u003eissue\u003c/code\u003e |\n\nEnables reporting to an issue on the project's platform\n\n##### report to email (TODO #12)\n\n| CLI options | File config |\n|---|---|\n| (repeatable) `--report-to-email` | \u003ccode\u003e[report.to]\u003cbr\u003eemails\u003c/code\u003e |\n\nSets the list of emails to which a full scan report should be sent\n\n##### report to slack channels\n\n| CLI options | File config |\n|---|---|\n| (repeatable) `--report-to-slack-channels` | \u003ccode\u003e[report.to]\u003cbr\u003eslack-channels\u003c/code\u003e |\n\nSets the list of Slack channels to which a full scan report should be sent\n\n##### enable project report to\n\n| CLI options | File config |\n|---|---|\n| `--report-to-enable-project-report-to` | \u003ccode\u003e[report.to]\u003cbr\u003eenable-project-report-to\u003c/code\u003e |\n\nEnables the project-level configuration `report-to`, which allows projects to control where their individual reports are sent\n\n##### silent\n\n| CLI options | File config |\n|---|---|\n| `--report-silent` | \u003ccode\u003e[report]\u003cbr\u003esilent\u003c/code\u003e |\n\nDisables printing the report to the terminal output\n\n#### Tokens\n\n##### gitlab token\n\n| ENV VAR |\n|---|\n| `$GITLAB_TOKEN` |\n\nSets the token to be used when fetching projects from GitLab\n\n##### slack token\n\n| ENV VAR |\n|---|\n| `$SLACK_TOKEN` |\n\nSets the token to be used when posting the security report to Slack\n\n## Supported platforms\n\n### Source code hosting services\n\n- [x] [GitLab](https://gitlab.com)\n- [ ] [GitHub](https://github.com) ([#9](https://github.com/elementsinteractive/sheriff/issues/9))\n\n### Messaging services\n\n- [x] 
[Slack](http://slack.com)\n- [ ] Email ([#12](https://github.com/elementsinteractive/sheriff/issues/12))\n\n### Scanners\n\n- [x] [OSV-Scanner](https://github.com/google/osv-scanner)\n- [ ] [Trivy](https://github.com/aquasecurity/trivy)\n\n## Usage in CI\n\nSheriff was designed so it could be run as part of a CI pipeline.\n\n### In Gitlab\n\nTo run sheriff on Gitlab, we suggest the following set-up:\n1. Create a repository which will contain your CI runner, you can call it `sheriff-runner` for example\n2. Create a CI file in this repository which extends from our template\n    ```yaml\n    include:\n      - remote: 'https://raw.githubusercontent.com/elementsinteractive/sheriff/refs/tags/v0.26.2/gitlab/templates/sheriff.gitlab-ci.yml'\n\n    sheriff:\n      extends: .sheriff\n    ```\n3. Go to **Build** -\u003e **Pipeline schedules** -\u003e **New schedule**\n   a. Add a name \u0026 a preferred cron interval. We prefer a weekly scan such as `0 7 * * 1` (every Monday at 7am)\n   b. Add a **Variable** variable named `SHERIFF_CLI_ARGS` with any extra CLI arguments you wish to add (see CLI configuration section)\n   c. Add a **File** variable named `SHERIFF_CONFIG` containing your sheriff configuration (see file configuration section)\n4. Go to **Settings** -\u003e **CI/CD** -\u003e **Variables**\n   a. If scanning gitlab projects, add your gitlab token in **GITLAB_TOKEN** with *Protected*, *Masked*, *Hidden*\n   b. If publishing reports to slack, add your slack token in **SLACK_TOKEN** with *Protected*, *Masked*\n5. Test your pipeline by going to **Build** -\u003e **Pipeline schedules** \u0026 clicking the play button on your pipeline\n6. Enjoy! 
Your pipeline should now run \u0026 scan your projects on a weekly basis 😀\n\nWe have a gitlab template set up for convenience, which runs sheriff with a set of configurable options.\n\n## Contributors ✨\n\nThanks goes to these wonderful people ([emoji key](https://allcontributors.org/docs/en/emoji-key)):\n\n\u003c!-- ALL-CONTRIBUTORS-LIST:START - Do not remove or modify this section --\u003e\n\u003c!-- prettier-ignore-start --\u003e\n\u003c!-- markdownlint-disable --\u003e\n\u003ctable\u003e\n  \u003ctbody\u003e\n    \u003ctr\u003e\n      \u003ctd align=\"center\" valign=\"top\" width=\"14.28%\"\u003e\u003ca href=\"https://github.com/sacha-c\"\u003e\u003cimg src=\"https://avatars.githubusercontent.com/u/3247529?v=4?s=50\" width=\"50px;\" alt=\"Sacha Brouté\"/\u003e\u003cbr /\u003e\u003csub\u003e\u003cb\u003eSacha Brouté\u003c/b\u003e\u003c/sub\u003e\u003c/a\u003e\u003cbr /\u003e\u003ca href=\"https://github.com/elementsinteractive/sheriff/commits?author=sacha-c\" title=\"Code\"\u003e💻\u003c/a\u003e \u003ca href=\"#design-sacha-c\" title=\"Design\"\u003e🎨\u003c/a\u003e \u003ca href=\"#ideas-sacha-c\" title=\"Ideas, Planning, \u0026 Feedback\"\u003e🤔\u003c/a\u003e \u003ca href=\"#maintenance-sacha-c\" title=\"Maintenance\"\u003e🚧\u003c/a\u003e\u003c/td\u003e\n      \u003ctd align=\"center\" valign=\"top\" width=\"14.28%\"\u003e\u003ca href=\"https://github.com/scastlara\"\u003e\u003cimg src=\"https://avatars.githubusercontent.com/u/7606872?v=4?s=50\" width=\"50px;\" alt=\"Sergio Castillo\"/\u003e\u003cbr /\u003e\u003csub\u003e\u003cb\u003eSergio Castillo\u003c/b\u003e\u003c/sub\u003e\u003c/a\u003e\u003cbr /\u003e\u003ca href=\"https://github.com/elementsinteractive/sheriff/commits?author=scastlara\" title=\"Code\"\u003e💻\u003c/a\u003e \u003ca href=\"#ideas-scastlara\" title=\"Ideas, Planning, \u0026 Feedback\"\u003e🤔\u003c/a\u003e \u003ca href=\"#maintenance-scastlara\" title=\"Maintenance\"\u003e🚧\u003c/a\u003e\u003c/td\u003e\n      \u003ctd align=\"center\" 
valign=\"top\" width=\"14.28%\"\u003e\u003ca href=\"https://github.com/jbozanowski\"\u003e\u003cimg src=\"https://avatars.githubusercontent.com/u/114900?v=4?s=50\" width=\"50px;\" alt=\"Jakub Bożanowski\"/\u003e\u003cbr /\u003e\u003csub\u003e\u003cb\u003eJakub Bożanowski\u003c/b\u003e\u003c/sub\u003e\u003c/a\u003e\u003cbr /\u003e\u003ca href=\"#ideas-jbozanowski\" title=\"Ideas, Planning, \u0026 Feedback\"\u003e🤔\u003c/a\u003e \u003ca href=\"#design-jbozanowski\" title=\"Design\"\u003e🎨\u003c/a\u003e\u003c/td\u003e\n    \u003c/tr\u003e\n  \u003c/tbody\u003e\n\u003c/table\u003e\n\n\u003c!-- markdownlint-restore --\u003e\n\u003c!-- prettier-ignore-end --\u003e\n\n\u003c!-- ALL-CONTRIBUTORS-LIST:END --\u003e\n\nThis project follows the [all-contributors](https://github.com/all-contributors/all-contributors) specification. Contributions of any kind welcome!\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Felementsinteractive%2Fsheriff","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Felementsinteractive%2Fsheriff","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Felementsinteractive%2Fsheriff/lists"}