{"id":51060075,"url":"https://github.com/patrick204nqh/triagekit","last_synced_at":"2026-06-23T01:01:32.861Z","repository":{"id":363266311,"uuid":"1259937534","full_name":"patrick204nqh/triagekit","owner":"patrick204nqh","description":"Backend-free repo triage in one self-contained HTML file — GitHub Dependabot alerts, code scanning, PRs \u0026 issues, scored and tiered. No server, no CDN; your token stays in the browser.","archived":false,"fork":false,"pushed_at":"2026-06-08T06:46:04.000Z","size":13483,"stargazers_count":0,"open_issues_count":0,"forks_count":0,"subscribers_count":0,"default_branch":"main","last_synced_at":"2026-06-08T07:25:48.630Z","etag":null,"topics":["appsec","cli","code-scanning","dashboard","dependabot","devsecops","github","security","security-tools","self-hosted","single-file","static-site","triage","vulnerability-management"],"latest_commit_sha":null,"homepage":"https://patrick204nqh.github.io/triagekit/","language":"HTML","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"mit","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/patrick204nqh.png","metadata":{"files":{"readme":"README.md","changelog":"CHANGELOG.md","contributing":"CONTRIBUTING.md","funding":null,"license":"LICENSE","code_of_conduct":"CODE_OF_CONDUCT.md","threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":"SECURITY.md","support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null,"notice":null,"maintainers":null,"copyright":null,"agents":null,"dco":null,"cla":null}},"created_at":"2026-06-05T02:21:17.000Z","updated_at":"2026-06-08T06:47:10.000Z","dependencies_parsed_at":null,"dependency_job_id":null,"html_url":"https://github.com/patrick204nqh/triagekit","commit_stats":null,"previous_names":["patrick204nqh/triagekit"],"tags_count":1,"template":false,"template_full_name":null,"purl":"pkg:github/patrick204nqh/triagekit","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/patrick204nqh%2Ftriagekit","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/patrick204nqh%2Ftriagekit/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/patrick204nqh%2Ftriagekit/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/patrick204nqh%2Ftriagekit/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/patrick204nqh","download_url":"https://codeload.github.com/patrick204nqh/triagekit/tar.gz/refs/heads/main","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/patrick204nqh%2Ftriagekit/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":34671045,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-05-26T15:22:16.424Z","status":"online","status_checked_at":"2026-06-22T02:00:06.391Z","response_time":106,"last_error":null,"robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":true,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["appsec","cli","code-scanning","dashboard","dependabot","devsecops","github","security","security-tools","self-hosted","single-file","static-site","triage","vulnerability-management"],"created_at":"2026-06-23T01:01:32.025Z","updated_at":"2026-06-23T01:01:32.853Z","avatar_url":"https://github.com/patrick204nqh.png","language":"HTML","funding_links":[],"categories":[],"sub_categories":[],"readme":"\u003cp align=\"center\"\u003e\n  \u003cpicture\u003e\n    \u003csource media=\"(prefers-color-scheme: dark)\" srcset=\"assets/logo.svg\" /\u003e\n    \u003cimg alt=\"triagekit\" src=\"assets/logo-light.svg\" width=\"300\" /\u003e\n  \u003c/picture\u003e\n\u003c/p\u003e\n\n\u003cp align=\"center\"\u003e\u003cem\u003eBackend-free repo triage. One HTML file.\u003c/em\u003e\u003c/p\u003e\n\n\u003cp align=\"center\"\u003e\n  \u003ca href=\"https://www.npmjs.com/package/triagekit\"\u003e\u003cimg alt=\"npm\" src=\"https://img.shields.io/npm/v/triagekit?color=2E9E96\u0026labelColor=0A0A0B\" /\u003e\u003c/a\u003e\n  \u003ca href=\"https://github.com/patrick204nqh/triagekit/actions/workflows/ci.yml\"\u003e\u003cimg alt=\"CI\" src=\"https://github.com/patrick204nqh/triagekit/actions/workflows/ci.yml/badge.svg\" /\u003e\u003c/a\u003e\n  \u003ca href=\"LICENSE\"\u003e\u003cimg alt=\"License: MIT\" src=\"https://img.shields.io/badge/license-MIT-2E9E96?labelColor=0A0A0B\" /\u003e\u003c/a\u003e\n  \u003ca href=\"https://patrick204nqh.github.io/triagekit/\"\u003e\u003cimg alt=\"Live demo\" src=\"https://img.shields.io/badge/demo-Pages-2E9E96?labelColor=0A0A0B\" /\u003e\u003c/a\u003e\n\u003c/p\u003e\n\n`triagekit` compiles into a single, self-contained HTML dashboard that runs entirely in\nthe browser — no backend, no build server, no third-party scripts, and no token baked in\n(you paste your own at runtime). GitHub is the first provider: it groups what you triage\ninto **Findings** (Dependabot alerts, code scanning) and **Work** (pull requests, issues),\neach scored, tiered, and sortable from a data-driven toolbar. PRs and issues open a review\npanel with avatars and full-Markdown bodies; an optional **Insights** view swaps the table\nfor compositional charts.\n\n\u003cp align=\"center\"\u003e\n  \u003ca href=\"https://patrick204nqh.github.io/triagekit/app/\"\u003e\n    \u003cimg alt=\"triagekit walkthrough — Dependencies findings, Insights charts, Code scanning, and the PR review panel\" src=\"site/screenshots/walkthrough.gif\" width=\"820\" /\u003e\n  \u003c/a\u003e\n  \u003cbr /\u003e\n  \u003cem\u003e\u003ca href=\"https://patrick204nqh.github.io/triagekit/\"\u003eLive demo →\u003c/a\u003e · screenshots use fictional \u003ccode\u003eacme-corp\u003c/code\u003e data — the tool never ships or commits real repo names or tokens.\u003c/em\u003e\n\u003c/p\u003e\n\n## Quickstart\n\n```bash\nnpx triagekit build --generic    # writes dist/triage.html\nopen dist/triage.html            # or double-click — it's just a file\n```\n\nIn the page, open **Settings** (⚙) and connect a **fine-grained personal access token**\nwith read access to the resources you triage (Dependabot alerts, code scanning, pull\nrequests, issues), then use **\"Find repositories I can access\"** to pick your repos and\nclick **Load**. Your scope persists locally; the token stays in this tab only.\n\nA prebuilt generic dashboard is also hosted at the [live demo](https://patrick204nqh.github.io/triagekit/) — connect a token and go, nothing to install.\n\n## Build modes\n\n| Mode | Command | Scope | Safe to share publicly? |\n| --- | --- | --- | --- |\n| **Generic** | `triagekit build --generic` | chosen at runtime in **Settings** | ✅ nothing source-specific is baked in |\n| **Compiled** | `triagekit build` | a `scope` bag baked from `triage.config.yml` | ⚠ contains your repo names — team-internal only |\n\nGeneric mode is the general-purpose tool: build once, hand the HTML to anyone, and each\nuser connects a token and picks their repos. Compiled mode pre-bakes a specific scope for a\nturnkey team dashboard. **Neither mode ever embeds a token** — each user always pastes\ntheir own.\n\n## Configuration (compiled mode)\n\n```bash\ncp triage.config.example.yml triage.config.yml   # the copy is gitignored\n$EDITOR triage.config.yml                         # set your scope + branding\nnpx triagekit build                               # writes dist/triage.html\n```\n\n```yaml\nsource: github\n# Compiled mode bakes a per-source scope bag (no token is ever embedded).\nscope:\n  repos:\n    - acme-corp/web-app\n    - acme-corp/api-gateway\n    - acme-corp/billing-service\nviews:\n  - code-security        # security findings: Dependabot + code scanning\n  # - insights           # add to enable the Insights (charts) tab\nbranding:\n  title: \"Acme Triage\"\n# Optional: a JS/TS module exporting scoring overrides.\n# logicHooks: ./triage.hooks.ts\n```\n\n## Security \u0026 token model\n\nThis repository is the **engine** — it contains **no** real org names, repo names,\nhostnames, or tokens; everything that identifies *you* lives in gitignored inputs (see\n[CONTRIBUTING.md](CONTRIBUTING.md#the-public--private-boundary)). The engine has **zero**\ncode path that reads or embeds a credential.\n\n- **You paste your own token at runtime.** It is never read at build time or embedded in\n  the HTML. Credentials are stored **per source** in `sessionStorage` — cleared when you\n  close the tab, never persisted across sessions. Use a fine-grained PAT scoped to only the\n  repos you triage. Never paste a token into a tracked file, screenshot, or commit.\n- **Single file, no external scripts.** The build inlines everything (scripts, fonts) — no\n  CDN. CI fails if any `src=\"http…\"` reference appears in the output.\n- **Strict, hash-based CSP** is computed at build time: `default-src 'none'`, a `script-src`\n  allowing only the inlined script by its `sha256` hash (no `unsafe-inline`), and a\n  `connect-src` limited to the configured provider's API origin.\n\n## Settings\n\nAll configuration lives in the **Settings** slide-over (⚙). The command bar carries a\nscope/health chip, a manual refresh, and a theme toggle; everything else lives in four tabs:\n\n- **Connections** — add one **session-only** credential per source. Scope is schema-driven:\n  discoverable sources (e.g. GitHub repos) offer **\"Find … I can access\"** (cached per\n  credential). Scope is non-secret, so it persists in `localStorage` per source.\n- **Scoring \u0026 priority** — tier cutoffs (P0 / P1 / P2; P3 is the implicit floor) and a\n  per-kind score model — **Simple** weights or an **Advanced** formula over the kind's signals.\n- **Filters** — a bot-account allowlist, so automation noise can be muted on the Work surfaces.\n- **General** — **Appearance** (`Auto` / `Light` / `Dark`), **Auto-refresh** (optional 5- or\n  10-minute snapshot re-fetch with an \"updated *N*m ago\" stamp), and **Data** (clear\n  credentials or saved scope).\n\nCompiled builds seed their baked `scope` automatically, so a turnkey dashboard only needs a token.\n\n## Insights\n\nThe optional **Insights** view (add `insights` to `views`) renders a grid of charts for the\nloaded items — a separate surface so the table stays a clean cockpit.\n\n\u003cp align=\"center\"\u003e\u003cimg alt=\"triagekit Insights — quick-wins ratio, priority distribution, age buckets, top locations\" src=\"site/screenshots/insights.png\" width=\"820\" /\u003e\u003c/p\u003e\n\n- **Snapshot-only.** Every chart is compositional (distribution / ranking / ratio), never a\n  time-series — a backend-free fetch has no history to trend.\n- **Contributed per kind.** Generic charts (priority distribution, age buckets, top\n  locations) apply to everything; `dependency-vuln` adds a fix-available \"quick wins\" ratio\n  and a runtime-vs-development split; `code-scanning` adds open-by-severity and by-tool\n  breakdowns. New sources light up their own charts automatically.\n\n## Customizing the scoring\n\nEach kind ships a transparent built-in scorer (built on the shared `makeSeverityScorer`\nfactory). To override scoring without forking the engine, point `logicHooks` at a module\nexporting a `score` function matching the `Scorer` type — it's bundled into the HTML at build time:\n\n```ts\n// triage.hooks.ts  (gitignored)\nimport type { Scorer } from \"./src/runtime/scoring/registry\";\nimport type { DependencyVulnDetails } from \"./src/runtime/dataset/kinds/dependency-vuln\";\n\nexport const score: Scorer = (item) =\u003e {\n  const d = item.details as DependencyVulnDetails;\n  return d.severity === \"critical\" ? 1000 : item.signal;\n};\n```\n\n## Design\n\nThe visual language — a dark-first operations cockpit (Void Zinc canvas, a single Kelp Teal\naccent, a semantic P0–P3 ramp, monospace numerals) — is documented in\n[DESIGN.md](DESIGN.md). **Space Grotesk** and **JetBrains Mono** are self-hosted and inlined\n(no CDN); the strict CSP allows fonts only via `font-src 'self' data:`.\n\n## Contributing \u0026 license\n\nSetup, the test/lint discipline, and the public/private boundary live in\n[CONTRIBUTING.md](CONTRIBUTING.md). Released under the [MIT](LICENSE) license.\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fpatrick204nqh%2Ftriagekit","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fpatrick204nqh%2Ftriagekit","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fpatrick204nqh%2Ftriagekit/lists"}