{"id":32136851,"url":"https://github.com/launchdarkly/ld-find-code-refs","last_synced_at":"2025-10-21T04:44:10.519Z","repository":{"id":37382004,"uuid":"156429554","full_name":"launchdarkly/ld-find-code-refs","owner":"launchdarkly","description":"Build tool for automatically sending feature flag code references to LaunchDarkly","archived":false,"fork":false,"pushed_at":"2025-10-13T13:26:36.000Z","size":23959,"stargazers_count":59,"open_issues_count":8,"forks_count":39,"subscribers_count":41,"default_branch":"main","last_synced_at":"2025-10-21T04:43:56.118Z","etag":null,"topics":["cli","launchdarkly","launchdarkly-docker-image","launchdarkly-integration","managed-by-terraform"],"latest_commit_sha":null,"homepage":"https://launchdarkly.com","language":"Go","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"other","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/launchdarkly.png","metadata":{"files":{"readme":"README.md","changelog":"CHANGELOG.md","contributing":null,"funding":null,"license":"LICENSE.txt","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":"CODEOWNERS","security":"SECURITY.md","support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null,"notice":null,"maintainers":null,"copyright":null,"agents":null,"dco":null,"cla":null}},"created_at":"2018-11-06T18:32:54.000Z","updated_at":"2025-10-13T13:26:39.000Z","dependencies_parsed_at":"2023-02-15T10:31:21.815Z","dependency_job_id":"2f2b8edf-e6ee-4829-ba9c-53928689952f","html_url":"https://github.com/launchdarkly/ld-find-code-refs","commit_stats":{"total_commits":520,"total_committers":28,"mean_commits":"18.571428571428573","dds":0.7980769230769231,"last_synced_commit":"04272e4846ead5113edd1337bc3e144cc0dd9b00"},"previous_names":["launchdarkly/git-flag-parser"],"tags_count":74,"template":false,"template_full_name":null,"purl":"pkg:github/launchdarkly/ld-find-code-refs","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/launchdarkly%2Fld-find-code-refs","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/launchdarkly%2Fld-find-code-refs/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/launchdarkly%2Fld-find-code-refs/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/launchdarkly%2Fld-find-code-refs/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/launchdarkly","download_url":"https://codeload.github.com/launchdarkly/ld-find-code-refs/tar.gz/refs/heads/main","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/launchdarkly%2Fld-find-code-refs/sbom","scorecard":{"id":579915,"data":{"date":"2025-08-11","repo":{"name":"github.com/launchdarkly/ld-find-code-refs","commit":"295c167a0e96a98772a6ac69dbec1b15b5391762"},"scorecard":{"version":"v5.2.1-40-gf6ed084d","commit":"f6ed084d17c9236477efd66e5b258b9d4cc7b389"},"score":5.8,"checks":[{"name":"Maintained","score":10,"reason":"30 commit(s) and 0 issue activity found in the last 90 days -- score normalized to 10","details":null,"documentation":{"short":"Determines if the project is \"actively maintained\".","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#maintained"}},{"name":"Dangerous-Workflow","score":10,"reason":"no dangerous workflow patterns detected","details":null,"documentation":{"short":"Determines if the project's GitHub Action workflows avoid dangerous patterns.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#dangerous-workflow"}},{"name":"Security-Policy","score":9,"reason":"security policy file detected","details":["Info: security policy file detected: SECURITY.md:1","Info: Found linked content: SECURITY.md:1","Warn: One or no descriptive hints of disclosure, vulnerability, and/or timelines in security policy","Info: Found text in security policy: SECURITY.md:1"],"documentation":{"short":"Determines if the project has published a security policy.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#security-policy"}},{"name":"Packaging","score":-1,"reason":"packaging workflow not detected","details":["Warn: no GitHub/GitLab publishing workflow detected."],"documentation":{"short":"Determines if the project is published as a package that others can easily download, install, easily update, and uninstall.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#packaging"}},{"name":"Code-Review","score":10,"reason":"all changesets reviewed","details":null,"documentation":{"short":"Determines if the project requires human code review before pull requests (aka merge requests) are merged.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#code-review"}},{"name":"Token-Permissions","score":0,"reason":"detected GitHub workflow tokens with excessive permissions","details":["Warn: jobLevel 'contents' permission set to 'write': .github/workflows/release.yml:23","Info: topLevel 'contents' permission set to 'read': .github/workflows/gosec.yml:11","Info: topLevel 'pull-requests' permission set to 'read': .github/workflows/lint-pr-title.yml:12","Warn: no topLevel permission defined: .github/workflows/main.yml:1","Warn: no topLevel permission defined: .github/workflows/release.yml:1"],"documentation":{"short":"Determines if the project's workflows follow the principle of least privilege.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#token-permissions"}},{"name":"CII-Best-Practices","score":0,"reason":"no effort to earn an OpenSSF best practices badge detected","details":null,"documentation":{"short":"Determines if the project has an OpenSSF (formerly CII) Best Practices Badge.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#cii-best-practices"}},{"name":"Binary-Artifacts","score":8,"reason":"binaries present in source code","details":["Warn: binary detected: vendor/github.com/wasilibs/go-re2/internal/wasm/libcre2.wasm:1","Warn: binary detected: vendor/github.com/wasilibs/go-re2/internal/wasm/memory.wasm:1"],"documentation":{"short":"Determines if the project has generated executable (binary) artifacts in the source repository.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#binary-artifacts"}},{"name":"License","score":9,"reason":"license file detected","details":["Info: project has a license file: LICENSE.txt:0","Warn: project license file does not contain an FSF or OSI license."],"documentation":{"short":"Determines if the project has defined a license.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#license"}},{"name":"Fuzzing","score":0,"reason":"project is not fuzzed","details":["Warn: no fuzzer integrations found"],"documentation":{"short":"Determines if the project uses fuzzing.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#fuzzing"}},{"name":"Signed-Releases","score":0,"reason":"Project has not signed or included provenance with any releases.","details":["Warn: release artifact v2.14.0 not signed: https://api.github.com/repos/launchdarkly/ld-find-code-refs/releases/239765638","Warn: release artifact v2.13.0 not signed: https://api.github.com/repos/launchdarkly/ld-find-code-refs/releases/191534897","Warn: release artifact v2.12.0 not signed: https://api.github.com/repos/launchdarkly/ld-find-code-refs/releases/148929174","Warn: release artifact v2.11.10 not signed: https://api.github.com/repos/launchdarkly/ld-find-code-refs/releases/146636283","Warn: release artifact v2.11.9 not signed: https://api.github.com/repos/launchdarkly/ld-find-code-refs/releases/144717393","Warn: release artifact v2.14.0 does not have provenance: https://api.github.com/repos/launchdarkly/ld-find-code-refs/releases/239765638","Warn: release artifact v2.13.0 does not have provenance: https://api.github.com/repos/launchdarkly/ld-find-code-refs/releases/191534897","Warn: release artifact v2.12.0 does not have provenance: https://api.github.com/repos/launchdarkly/ld-find-code-refs/releases/148929174","Warn: release artifact v2.11.10 does not have provenance: https://api.github.com/repos/launchdarkly/ld-find-code-refs/releases/146636283","Warn: release artifact v2.11.9 does not have provenance: https://api.github.com/repos/launchdarkly/ld-find-code-refs/releases/144717393"],"documentation":{"short":"Determines if the project cryptographically signs release artifacts.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#signed-releases"}},{"name":"Branch-Protection","score":-1,"reason":"internal error: error during branchesHandler.setup: internal error: githubv4.Query: Resource not accessible by integration","details":null,"documentation":{"short":"Determines if the default and release branches are protected with GitHub's branch protection settings.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#branch-protection"}},{"name":"Pinned-Dependencies","score":3,"reason":"dependency not pinned by hash detected -- score normalized to 3","details":["Warn: third-party GitHubAction not pinned by hash: .github/workflows/gosec.yml:19: update your workflow using https://app.stepsecurity.io/secureworkflow/launchdarkly/ld-find-code-refs/gosec.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/release.yml:32: update your workflow using https://app.stepsecurity.io/secureworkflow/launchdarkly/ld-find-code-refs/release.yml/main?enable=pin","Warn: third-party GitHubAction not pinned by hash: .github/workflows/release.yml:36: update your workflow using https://app.stepsecurity.io/secureworkflow/launchdarkly/ld-find-code-refs/release.yml/main?enable=pin","Warn: third-party GitHubAction not pinned by hash: .github/workflows/release.yml:43: update your workflow using https://app.stepsecurity.io/secureworkflow/launchdarkly/ld-find-code-refs/release.yml/main?enable=pin","Warn: third-party GitHubAction not pinned by hash: .github/workflows/release.yml:73: update your workflow using https://app.stepsecurity.io/secureworkflow/launchdarkly/ld-find-code-refs/release.yml/main?enable=pin","Warn: containerImage not pinned by hash: Dockerfile:1: pin your Docker image by updating alpine:3.22.1 to alpine:3.22.1@sha256:4bcff63911fcb4448bd4fdacec207030997caf25e9bea4045fa6c8c44de311d1","Warn: containerImage not pinned by hash: Dockerfile.bitbucket:1: pin your Docker image by updating alpine:3.22.1 to alpine:3.22.1@sha256:4bcff63911fcb4448bd4fdacec207030997caf25e9bea4045fa6c8c44de311d1","Warn: containerImage not pinned by hash: Dockerfile.github:1: pin your Docker image by updating alpine:3.22.1 to alpine:3.22.1@sha256:4bcff63911fcb4448bd4fdacec207030997caf25e9bea4045fa6c8c44de311d1","Warn: containerImage not pinned by hash: build/metadata/github-actions/Dockerfile:1: pin your Docker image by updating launchdarkly/ld-find-code-refs-github-action:2.14.0 to launchdarkly/ld-find-code-refs-github-action:2.14.0@sha256:14c74823e2e52dffeca67c1bea7c0ff7475da6df5069bb80fb0b946c4d75dcf9","Warn: goCommand not pinned by hash: vendor/github.com/go-git/go-git/v5/oss-fuzz.sh:20","Warn: npmCommand not pinned by hash: .github/workflows/main.yml:20","Warn: goCommand not pinned by hash: .github/workflows/main.yml:25","Warn: npmCommand not pinned by hash: .github/workflows/main.yml:66","Info:   4 out of   5 GitHub-owned GitHubAction dependencies pinned","Info:   3 out of   7 third-party GitHubAction dependencies pinned","Info:   0 out of   4 containerImage dependencies pinned","Info:   2 out of   4 goCommand dependencies pinned","Info:   0 out of   2 npmCommand dependencies pinned"],"documentation":{"short":"Determines if the project has declared and pinned the dependencies of its build process.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#pinned-dependencies"}},{"name":"Vulnerabilities","score":10,"reason":"0 existing vulnerabilities detected","details":null,"documentation":{"short":"Determines if the project has open, known unfixed vulnerabilities.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#vulnerabilities"}},{"name":"SAST","score":0,"reason":"SAST tool is not run on all commits -- score normalized to 0","details":["Warn: 0 commits out of 30 are checked with a SAST tool"],"documentation":{"short":"Determines if the project uses static code analysis.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#sast"}}]},"last_synced_at":"2025-08-20T18:55:55.673Z","repository_id":37382004,"created_at":"2025-08-20T18:55:55.674Z","updated_at":"2025-08-20T18:55:55.674Z"},"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":280207179,"owners_count":26290616,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","status":"online","status_checked_at":"2025-10-21T02:00:06.614Z","response_time":58,"last_error":null,"robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":true,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["cli","launchdarkly","launchdarkly-docker-image","launchdarkly-integration","managed-by-terraform"],"created_at":"2025-10-21T04:44:09.086Z","updated_at":"2025-10-21T04:44:10.508Z","avatar_url":"https://github.com/launchdarkly.png","language":"Go","funding_links":[],"categories":[],"sub_categories":[],"readme":"# ld-find-code-refs\n\nCommand line program for generating flag code references.\n\nThis repository provides solutions for configuring [LaunchDarkly code references](https://docs.launchdarkly.com/home/code/code-references) with various systems out-of-the-box, as well as the ability to automate code reference discovery on your own infrastructure using the provided command line interface.\n\n### Documentation quick links\n\n- [Feature guide](https://docs.launchdarkly.com/home/code/code-references)\n- [Turn-key configuration options](#turn-key-configuration-options)\n- [Execution via CLI](#execution-via-cli)\n  - [Prerequisites](#prerequisites)\n  - [Installing](#installing)\n    - [MacOS](#macOS)\n    - [Linux](#linux)\n    - [Windows](#windows)\n    - [Docker](#docker)\n- [Federal environments](#using-code-references-in-federal-environments)\n- [Configuration](#cli-configuration)\n  - [Required arguments](docs/CONFIGURATION.md#required-arguments)\n  - [All arguments](docs/CONFIGURATION.md#command-line)\n  - [Using environment variables](docs/CONFIGURATION.md#environment-variables)\n  - [Using a YAML file](docs/CONFIGURATION.md#YAML)\n  - [Aliases](docs/ALIASES.md)\n  - [Delimiters](docs/CONFIGURATION.md#delimiters)\n  - [Ignoring files and directories](docs/CONFIGURATION.md#ignoring-files-and-directories)\n- [Searching for unused flags](#searching-for-unused-flags-extinctions)\n- [Branch garbage collection](#branch-garbage-collection)\n\n## Turn-key Configuration options\n\nWe provide turnkey support for common trigger mechanisms and CI/CD providers. You can also invoke the `ld-find-code-refs` utility from the command line, which can be run in any custom workflow you define, such as from a bash script or a cron job.\n\n| System           | Status                                                                                |\n| ---------------- | ------------------------------------------------------------------------------------- |\n| GitHub Actions   | [Supported](https://docs.launchdarkly.com/home/code/github-actions)                   |\n| CircleCI Orbs    | [Supported](https://docs.launchdarkly.com/home/code/circleci)                    |\n| Bitbucket Pipes  | [Supported](https://docs.launchdarkly.com/home/code/bitbucket)         |\n| GitLab CI        | [Supported](https://docs.launchdarkly.com/home/code/gitlab) |\n| Manually via CLI | [Supported](https://docs.launchdarkly.com/home/code/custom-config)     |\n\n## Execution via CLI\n\nThe command line program may be run manually, and executed in an environment of your choosing. The program requires your `git` repo to be cloned locally, and the currently checked out branch will be scanned for code references.\n\nWe recommend incorporating `ld-find-code-refs` into your CI/CD build process. `ld-find-code-refs` should run whenever a commit is pushed to your repository.\n\n### Prerequisites\n\nIf you are scanning a git repository, `ld-find-code-refs` requires git (tested with version 2.21.0) to be installed on the system path.\n\nAll turn-key configuration methods (docker images used by services like CircleCI or GitHub actions) come with git preinstalled.\n\n### Installing\n\n#### macOS\n\n```bash\nbrew tap launchdarkly/tap\nbrew install ld-find-code-refs\n```\n\nYou can now run `ld-find-code-refs`.\n\n#### Linux\n\nWe do not yet have repositories set up for our linux packages, but we do upload deb and rpm packages with our [github releases](https://github.com/launchdarkly/ld-find-code-refs/releases/latest).\n\n##### Ubuntu\n\nThis shell script can be used to download and install `ld-find-code-refs` on Ubuntu.\n\n```bash\nwget -qO- https://api.github.com/repos/launchdarkly/ld-find-code-refs/releases/latest \\\n\t| grep \"browser_download_url\" \\\n\t| grep \"amd64.deb\" \\\n\t| cut -d'\"' -f4 \\\n\t| wget -qi - -O ld-find-code-refs.amd64.deb\n\ndpkg -i ld-find-code-refs.amd64.deb\n```\n\n#### Windows\n\nA Windows executable of `ld-find-code-refs` is available on the [releases page](https://github.com/launchdarkly/ld-find-code-refs/releases/latest). \n\n#### Docker\n\n`ld-find-code-refs` is available as a [docker image](https://hub.docker.com/r/launchdarkly/ld-find-code-refs). The image provides an entrypoint for `ld-find-code-refs`, to which command line arguments may be passed. If using the entrypoint, your repository to be scanned should be mounted as a volume. Otherwise, you may override the entrypoint and access `ld-find-code-refs` directly from the shell.\n\n```bash\ndocker pull launchdarkly/ld-find-code-refs\ndocker run \\\n  -v /path/to/your/repo:/repo \\\n  launchdarkly/ld-find-code-refs \\\n  --dir=\"/repo\"\n```\n\n#### Manual\n\nPrecompiled binaries for the latest release can be found [here](https://github.com/launchdarkly/ld-find-code-refs/releases/latest). Be sure to install the required [dependencies](#prerequisities) before running `ld-find-code-refs`.\n\n### Using code references in federal environments\n\nIf you are using the FedRAMP compliant [LaunchDarkly federal instance](https://docs.launchdarkly.com/home/advanced/federal), the `ld-find-code-refs` binary should be compiled with FIPS 140-2 support by using a tool like [Go+BoringCrypto](https://github.com/golang/go/tree/dev.boringcrypto/misc/boring).\n\n### Configuration\n\n`ld-find-code-refs` provides a number of configuration options to customize how code references are generated and surfaced in your LaunchDarkly dashboard.\n\n- [All configuration options are documented in CONFIGURATION.md](docs/CONFIGURATION.md)\n- [Common configuration examples are documented in EXAMPLES.md](docs/EXAMPLES.md)\n- [Detailed information on configuring feature flag aliases is documented in ALIASES.md](docs/ALIASES.md)\n\n### Searching for unused flags (extinctions)\n\nAfter scanning has completed, `ld-find-code-refs` will search the Git commit history for flags that have become extinct. A flag is considered extinct in a repository if there were code references for the flag at some point in time that were removed. This behavior can be configured to disable or control how many commits will be searched for extinct flags using the [lookback](docs/CONFIGURATION.md#command-line) argument. Extinct flags will be surfaced in the LaunchDarkly UI.\n\n### Branch garbage collection\n\nAfter scanning has completed, `ld-find-code-refs` will search for and prune code reference data for stale branches. A branch is considered stale if it has references in LaunchDarkly, but no longer exists on the Git remote. As a consequence of this behavior, any code references on local branches or branches belonging only to a remote other than the default one will be removed the next time `ld-find-code-refs` is run on a different branch.\n\nStale branches may also be removed manually with the `ld-find-code-refs prune` subcommand.\n\nThis operation requires your environment to be authenticated for remote access to your repository. Branch cleanup is not currently supported when running `ld-find-code-refs` with Bitbucket pipelines.\n\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Flaunchdarkly%2Fld-find-code-refs","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Flaunchdarkly%2Fld-find-code-refs","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Flaunchdarkly%2Fld-find-code-refs/lists"}