{"id":18067221,"url":"https://github.com/mnahkies/spdx-dependency-track","last_synced_at":"2025-10-06T13:58:20.474Z","repository":{"id":234946114,"uuid":"789762119","full_name":"mnahkies/spdx-dependency-track","owner":"mnahkies","description":"A simple application to crawl your Github repositories, export SBOM's in SPDX format, and ingest these for licensing analysis.","archived":false,"fork":false,"pushed_at":"2025-05-17T12:00:38.000Z","size":2240,"stargazers_count":2,"open_issues_count":0,"forks_count":0,"subscribers_count":1,"default_branch":"main","last_synced_at":"2025-05-17T13:19:14.407Z","etag":null,"topics":["github","sbom","spdx","spdx-license"],"latest_commit_sha":null,"homepage":"","language":"TypeScript","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"mit","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/mnahkies.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null}},"created_at":"2024-04-21T13:45:42.000Z","updated_at":"2025-05-17T12:00:42.000Z","dependencies_parsed_at":"2024-04-21T18:43:19.718Z","dependency_job_id":"8b600765-016f-4729-befd-9f540da79533","html_url":"https://github.com/mnahkies/spdx-dependency-track","commit_stats":null,"previous_names":["mnahkies/spdx-dependency-track"],"tags_count":0,"template":false,"template_full_name":null,"purl":"pkg:github/mnahkies/spdx-dependency-track","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/mnahkies%2Fspdx-dependency-track","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/mnahkies%2Fspdx-dependency-track/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/mnahkies%2Fspdx-dependency-track/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/mnahkies%2Fspdx-dependency-track/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/mnahkies","download_url":"https://codeload.github.com/mnahkies/spdx-dependency-track/tar.gz/refs/heads/main","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/mnahkies%2Fspdx-dependency-track/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":278621841,"owners_count":26017253,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","status":"online","status_checked_at":"2025-10-06T02:00:05.630Z","response_time":65,"last_error":null,"robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":true,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["github","sbom","spdx","spdx-license"],"created_at":"2024-10-31T07:08:05.502Z","updated_at":"2025-10-06T13:58:20.469Z","avatar_url":"https://github.com/mnahkies.png","language":"TypeScript","funding_links":[],"categories":[],"sub_categories":[],"readme":"# spdx-dependency-track (pre-alpha)\n\nA simple application to crawl your Github repositories, export SBOMs in SPDX format,\nand ingest these for licensing analysis.\n\nNote: I take no responsibility for the legal correctness of the output of this tool. I would\nalso caution that the SPDX files produced by Github seem a bit rough around the edges at times.\n\nThis project is very early stage - it's pretty rough around the edges, has no tests, and is\nlimited in features. Expect a bunch of breaking changes as I learn more about the world of processing SBOMs.\n\n\u003c!-- toc --\u003e\n\n- [Features](#features)\n- [Future](#future)\n- [Running it](#running-it)\n- [Screenshots](#screenshots)\n- [Architecture / Notes](#architecture--notes)\n- [Acknowledgements / References](#acknowledgements--references)\n\n\u003c!-- tocstop --\u003e\n\n## Features\n\n- Crawl Github repositories extracting SBOM's using a PAT (Github Personal Access Token)\n- Fills in gaps for `npm` packages by reading metadata from the NPM Registry directly\n- Render back summary and detail views, including risk categories\n\n## Future\n\n- More filtering, sorting, etc options\n- Export to CSV / spreadsheet report\n- Allow upload of a SPDX file directly rather than crawling Github\n- Allow overriding data, eg: correct a license\n- Pull in CVE alerts\n- Tidy up the API, it's a bit haphazard right now\n- Add tests\n\n## Running it\n\nFirst, run the development server:\n\n```bash\ncorepack enable\nyarn\ncp .env.example .env # modify settings as needed\nyarn dev\n```\n\nOpen [http://localhost:3000](http://localhost:3000) to use the application.\nData will be written to the sqlite db specified by `DB_PATH`.\n\n## Screenshots\n\n\u003cimg src=\"./docs/01-scan-github.png\" alt=\"enter a github PAT to scan visible repos\"/\u003e\n\u003cimg src=\"./docs/02-repository-summary.png\" alt=\"see top level summary of your dependencies licensing\"/\u003e\n\u003cimg src=\"./docs/03-repository-scan-details.png\" alt=\"drill down to individual dependencies\"/\u003e\n\n## Architecture / Notes\n\n- Implemented as a single [NextJS](https://nextjs.org/) application.\n- [mui](https://mui.com/) is used as the component library\n- [sqlite](https://sqlite.org/) is used as the database for data persistence\n- Database migrations are generated/managed by [atlas](https://atlasgo.io/), see [migrate.sh](./bin/migrate.sh) / [migrate-generate.sh](./bin/migrate-generate.sh)\n- Database schema is introspected to produce [zod](https://zod.dev/) schemas for each table, using a script I haven't published anywhere yet\n- An basic [openapi.yaml](./openapi.yaml) specification is used to generate most of the client/server glue using [experimental nextjs template](https://github.com/mnahkies/openapi-code-generator/pull/152)\n- [mnahkies/openapi-code-generator](https://github.com/mnahkies/openapi-code-generator) is also used to generate the Github client\n- License data was scraped from [dependency-track](https://github.com/DependencyTrack/dependency-track)\n\n## Acknowledgements / References\n\n- [dependency-track](https://github.com/DependencyTrack/dependency-track)\n- [spdx-spec](https://spdx.github.io/spdx-spec/v2.3/)\n- [github docs](https://docs.github.com/en/code-security/supply-chain-security/understanding-your-software-supply-chain/exporting-a-software-bill-of-materials-for-your-repository)\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fmnahkies%2Fspdx-dependency-track","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fmnahkies%2Fspdx-dependency-track","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fmnahkies%2Fspdx-dependency-track/lists"}