{"id":30302652,"url":"https://github.com/soderlind/gh-sbom","last_synced_at":"2025-08-17T05:09:53.394Z","repository":{"id":297114797,"uuid":"995709444","full_name":"soderlind/gh-sbom","owner":"soderlind","description":"A bash script to generate Software Bill of Materials (SBOM) for all repositories owned by a GitHub user or organization using the GitHub CLI.","archived":false,"fork":false,"pushed_at":"2025-06-03T23:14:06.000Z","size":14,"stargazers_count":0,"open_issues_count":0,"forks_count":0,"subscribers_count":0,"default_branch":"main","last_synced_at":"2025-08-16T06:58:30.973Z","etag":null,"topics":["gh-cli","sbom"],"latest_commit_sha":null,"homepage":"","language":"Shell","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":null,"status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/soderlind.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":null,"code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null}},"created_at":"2025-06-03T22:36:22.000Z","updated_at":"2025-06-03T23:12:55.000Z","dependencies_parsed_at":"2025-06-04T06:48:02.813Z","dependency_job_id":"b05f3ebd-1a02-46d4-adf6-bfd84a4e877a","html_url":"https://github.com/soderlind/gh-sbom","commit_stats":null,"previous_names":["soderlind/gh-sbom"],"tags_count":1,"template":false,"template_full_name":null,"purl":"pkg:github/soderlind/gh-sbom","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/soderlind%2Fgh-sbom","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/soderlind%2Fgh-sbom/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/soderlind%2Fgh-sbom/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/soderlind%2Fgh-sbom/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/soderlind","download_url":"https://codeload.github.com/soderlind/gh-sbom/tar.gz/refs/heads/main","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/soderlind%2Fgh-sbom/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":270807934,"owners_count":24649346,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","status":"online","status_checked_at":"2025-08-17T02:00:09.016Z","response_time":129,"last_error":null,"robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":true,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["gh-cli","sbom"],"created_at":"2025-08-17T05:09:52.601Z","updated_at":"2025-08-17T05:09:53.356Z","avatar_url":"https://github.com/soderlind.png","language":"Shell","readme":"# GitHub SBOM Collection Script\n\nA bash script to generate Software Bill of Materials (SBOM) for all repositories owned by a GitHub user or organization using the GitHub CLI.\n\n## Prerequisites\n\n1. **GitHub CLI (gh)**: Install using Homebrew ([other platforms](https://github.com/cli/cli#installation) are also supported)\n   ```bash\n   brew install gh\n   ```\n\n2. **Authentication**: Login to GitHub CLI\n   ```bash\n   gh auth login\n   ```\n\n3. **jq**: JSON processor, usually pre-installed on macOS ([other platforms](https://jqlang.org/download/) are also supported)\n   ```bash\n   brew install jq  # if not available\n   ```\n\n## Usage\n\n```bash\n./gh-sbom-all.sh \u003crepo-owner\u003e\n```\n\n### Examples\n\n```bash\n# Generate SBOMs for Microsoft's repositories\n./gh-sbom-all.sh microsoft\n\n# Generate SBOMs for a specific user\n./gh-sbom-all.sh octocat\n\n# Generate SBOMs for your organization\n./gh-sbom-all.sh my-org-name\n\n# Run in background with progress monitoring\nnohup ./gh-sbom-all.sh my-org-name \u003e debug_run.log 2\u003e\u00261 \u0026\n./monitor_progress.sh  # In a separate terminal\n```\n\n## Output\n\nThe script creates:\n\n- **Output Directory**: `sbom-output/`\n- **SBOM Files**: `{repo-name}-YYYY-MM-DD.json`\n- **Log File**: `sbom-generation-log-YYYY-MM-DD.txt`\n\n### Example Output Structure\n```\nsbom-output/\n├── repo1-2025-06-04.json\n├── repo2-2025-06-04.json\n├── repo3-2025-06-04.json\n├── sbom-generation-log-2025-06-04.txt\n└── debug_run.log (when running with nohup)\n```\n\n## Files Created\n\n| File | Description |\n|------|-------------|\n| `{repo-name}-YYYY-MM-DD.json` | Individual SBOM files for each repository |\n| `sbom-generation-log-YYYY-MM-DD.txt` | Main execution log with timestamps |\n| `debug_run.log` | Debug output when running script in background |\n| `monitor_progress.sh` | Progress monitoring utility script |\n\n## Features\n\n- ✅ **Input Validation**: Validates repository owner exists\n- ✅ **Prerequisites Check**: Verifies GitHub CLI installation and authentication\n- ✅ **Repository Discovery**: Fetches all active (non-archived) repositories\n- ✅ **SBOM Generation**: Creates SBOM for each repository using `gh api \"repos/OWNER/REPO/dependency-graph/sbom`\n- ✅ **Error Handling**: Comprehensive error handling and retry logic\n- ✅ **Progress Tracking**: Real-time progress indicators and logging\n- ✅ **Rate Limiting**: Handles GitHub API rate limits gracefully\n- ✅ **Filename Sanitization**: Safe filename generation for all repository names\n- ✅ **Summary Report**: Detailed execution summary with statistics\n- ✅ **Graceful Interruption**: Handles Ctrl+C with partial summary\n\n## Script Behavior\n\n### Repository Filtering\n- Automatically excludes archived repositories\n- Only processes accessible repositories\n\n### Error Handling\n- **Repository Not Found**: Logs warning and continues\n- **Access Denied**: Logs error and continues\n- **Rate Limiting**: Waits and retries automatically\n- **Network Issues**: Logs error with details\n- **Invalid JSON**: Validates SBOM output\n\n### Logging Levels\n- 🔵 **INFO**: General information and progress\n- 🟢 **SUCCESS**: Successful operations\n- 🟡 **WARNING**: Non-critical issues\n- 🔴 **ERROR**: Critical errors\n\n## Troubleshooting\n\n### Common Issues\n\n1. **\"GitHub CLI is not authenticated\"**\n   ```bash\n   gh auth login\n   ```\n\n2. **\"Repository owner not found\"**\n   - Verify the username/organization exists\n   - Check spelling and case sensitivity\n\n3. **Rate Limiting**\n   - Script automatically handles rate limits\n   - For high-volume processing, consider running during off-peak hours\n\n4. **Permission Denied**\n   - Some repositories may not be accessible\n   - Private repositories require appropriate permissions\n\n### Checking GitHub CLI Status\n```bash\n# Check authentication\ngh auth status\n\n# Check available repositories\ngh repo list YOUR-USERNAME --limit 5\n\n# Test SBOM generation\ngh api repos/YOUR-USERNAME/YOUR-REPO/dependency-graph/sbom\n```\n\n## Monitoring Progress\n\nThe script includes a progress monitoring utility to track execution status:\n\n```bash\n# Run the monitoring script in a separate terminal\n./monitor_progress.sh\n```\n\n### Progress Monitoring Features\n- Real-time progress updates every 30 seconds\n- Shows current repository being processed (e.g., \"Processing repository 72/145 (50%)\")\n- Automatically detects when the main script completes\n- Runs independently of the main SBOM generation script\n\n### Manual Progress Checking\n```bash\n# Check current progress in debug log\ntail -5 debug_run.log\n\n# View latest log entries\ntail -10 sbom-output/sbom-generation-log-YYYY-MM-DD.txt\n\n# Count completed repositories\nls sbom-output/*.json | wc -l\n```\n\n## Performance Considerations\n\n- **Repository Count**: Script handles up to 1000 repositories per owner\n- **Rate Limiting**: Built-in delays and retry logic\n- **Execution Time**: Varies based on repository count and GitHub API response times\n- **Disk Space**: Each SBOM file ranges from a few KB to several MB\n\n## Security Notes\n\n- SBOMs may contain sensitive dependency information\n- Store generated files securely\n- Review access permissions for private repositories\n- Consider data retention policies for SBOM files\n\n## Script Limitations\n\n- Maximum 1000 repositories per owner (GitHub CLI limitation)\n- Requires network connectivity throughout execution\n- Dependent on GitHub API availability\n- Some repositories may not have SBOM data available\n\n## License\n\nThis script is provided as-is for educational and operational purposes.\n","funding_links":[],"categories":[],"sub_categories":[],"project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fsoderlind%2Fgh-sbom","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fsoderlind%2Fgh-sbom","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fsoderlind%2Fgh-sbom/lists"}