https://github.com/andyfeller/gh-dependency-report
GitHub CLI extension for generating a report on repository dependencies.
- Host: GitHub
- URL: https://github.com/andyfeller/gh-dependency-report
- Owner: andyfeller
- License: mit
- Created: 2021-12-28T13:17:23.000Z (almost 3 years ago)
- Default Branch: main
- Last Pushed: 2023-09-18T13:37:45.000Z (about 1 year ago)
- Last Synced: 2024-06-19T05:36:29.329Z (5 months ago)
- Topics: dependency-graph, gh-extension, go, golang
- Language: Go
- Homepage:
- Size: 2.61 MB
- Stars: 37
- Watchers: 4
- Forks: 3
- Open Issues: 5
Metadata Files:
- Readme: README.md
- License: LICENSE
README
# gh-dependency-report
A `gh` extension to generate a report of repository manifests and dependencies discovered through GitHub's [software supply chain](https://docs.github.com/en/code-security/supply-chain-security) capabilities.
![Demo of gh-dependency-report extension](https://user-images.githubusercontent.com/2089743/154634826-716abba3-f139-4b7a-a106-01c0ab5b68c4.gif)
## Quickstart
1. `gh extension install andyfeller/gh-dependency-report`
1. `gh dependency-report $(whoami)` (substitute your GitHub login for `$(whoami)` if it differs from your local username)
1. Profit! :moneybag: :money_with_wings: :money_mouth_face: :money_with_wings: :moneybag:

## Usage
Pulls [manifests](https://docs.github.com/en/graphql/reference/objects#dependencygraphmanifest) and [dependencies](https://docs.github.com/en/graphql/reference/objects#dependencygraphdependency), including [license info](https://docs.github.com/en/graphql/reference/objects#license), for [repositories](https://docs.github.com/en/graphql/reference/objects#repository) from [GitHub's GraphQL API](https://docs.github.com/en/graphql/reference/). This only works for repositories that have [enabled the dependency graph feature](https://docs.github.com/en/code-security/supply-chain-security/understanding-your-software-supply-chain/about-the-dependency-graph#enabling-the-dependency-graph); repositories without it simply produce no rows.
The result is a CSV that companies and individuals can use to inventory the dependencies and software licenses in use, making the jobs of platform engineering, legal, security, and auditors easier.
```shell
$ gh dependency-report --help
Generate report of repository manifests and dependencies discovered through the dependency graph

Usage:
  gh-dependency-report [flags] owner [repo ...]

Flags:
  -d, --debug                Whether to debug logging
  -e, --exclude strings      Repositories to exclude from report
  -h, --help                 help for gh-dependency-report
  -o, --output-file string   Name of file to write CSV report (default "report-20220216081518.csv")
```

The resulting CSV file contains the most common information used for these purposes:
- **Owner**: login name of the organization or user that owns the repository. Examples: `andyfeller`, `github`, `cli`
- **Repo**: name of the repository containing the manifest; does not duplicate owner information. Examples: `gh-dependency-report` (for `andyfeller/gh-dependency-report`), `codeql` (for `github/codeql`), `cli` (for `cli/cli`)
- **Manifest**: fully qualified manifest filename, relative to the repository root. Examples: `go.mod`, `.github/workflows/release.yml`, `package.json`
- **Exceeds Max Size**: is the manifest too big to parse?
- **Parseable**: were we able to parse the manifest? A manifest that exceeds the maximum size or is not parseable has not been fully analyzed, so its dependencies may be missing from the report.
- **Package Manager**: the dependency package manager. Examples: `ACTIONS`, `COMPOSER`, `GO`, `MAVEN`, `NPM`, `NUGET`, `PIP`, `RUBYGEMS`
- **Dependency**: the name of the package in the canonical form used by the package manager. This may differ from the original textual form (see `packageLabel` in the GraphQL schema), for example in a package manager that uses case-insensitive comparisons. Examples: `actions/checkout` (actions), `github.com/spf13/cobra` (go), `@actions/core` (npm)
- **Has Dependencies?**: does the dependency itself have dependencies?
- **Requirements**: the dependency version requirements, as recorded in the manifest.
- **License**: short identifier specified by https://spdx.org/licenses. Empty when GitHub has no license information for the dependency's repository; `NOASSERTION` when a license file exists but could not be matched to an SPDX identifier.
- **License Url**: URL to the license on https://choosealicense.com.
### Example Report
The following is an example of a report generated for my own personal repositories:

**Example report on andyfeller**
```
Owner,Repo,Manifest,Exceeds Max Size,Parseable,Package Manager,Dependency,Has Dependencies?,Requirements,License,License Url
andyfeller,gh-dependency-report,go.mod,false,true,GO,github.com/cli/go-gh,true,= 0.0.2-0.20211206104242-8180ab76d996,MIT,http://choosealicense.com/licenses/mit/
andyfeller,gh-dependency-report,go.mod,false,true,GO,github.com/cli/safeexec,false,= 1.0.0,,
andyfeller,gh-dependency-report,go.mod,false,true,GO,github.com/cli/shurcooL-graphql,true,= 0.0.1,MIT,http://choosealicense.com/licenses/mit/
andyfeller,gh-dependency-report,go.mod,false,true,GO,github.com/henvic/httpretty,false,= 0.0.6,MIT,http://choosealicense.com/licenses/mit/
andyfeller,gh-dependency-report,go.mod,false,true,GO,github.com/inconshreveable/mousetrap,false,= 1.0.0,,
andyfeller,gh-dependency-report,go.mod,false,true,GO,github.com/spf13/cobra,true,= 1.3.0,Apache-2.0,http://choosealicense.com/licenses/apache-2.0/
andyfeller,gh-dependency-report,go.mod,false,true,GO,github.com/spf13/pflag,false,= 1.0.5,,
andyfeller,gh-dependency-report,go.mod,false,true,GO,go.uber.org/atomic,true,= 1.9.0,MIT,http://choosealicense.com/licenses/mit/
andyfeller,gh-dependency-report,go.mod,false,true,GO,go.uber.org/multierr,true,= 1.7.0,MIT,http://choosealicense.com/licenses/mit/
andyfeller,gh-dependency-report,go.mod,false,true,GO,go.uber.org/zap,true,= 1.20.0,MIT,http://choosealicense.com/licenses/mit/
andyfeller,gh-dependency-report,go.mod,false,true,GO,golang.org/x/net,false,= 0.0.0-20211112202133-69e39bad7dc2,,
andyfeller,gh-dependency-report,go.mod,false,true,GO,gopkg.in/yaml.v3,true,= 3.0.0-20210107192922-496545a6307b,,
andyfeller,gh-dependency-report,go.sum,false,true,GO,github.com/benbjohnson/clock,false,= v1.1.0,MIT,http://choosealicense.com/licenses/mit/
andyfeller,gh-dependency-report,go.sum,false,true,GO,github.com/cli/go-gh,true,= v0.0.2-0.20211206104242-8180ab76d996,MIT,http://choosealicense.com/licenses/mit/
andyfeller,gh-dependency-report,go.sum,false,true,GO,github.com/cli/safeexec,false,= v1.0.0,,
andyfeller,gh-dependency-report,go.sum,false,true,GO,github.com/cli/shurcooL-graphql,true,= v0.0.1,MIT,http://choosealicense.com/licenses/mit/
andyfeller,gh-dependency-report,go.sum,false,true,GO,github.com/davecgh/go-spew,false,= v1.1.1,,
andyfeller,gh-dependency-report,go.sum,false,true,GO,github.com/henvic/httpretty,false,= v0.0.6,MIT,http://choosealicense.com/licenses/mit/
andyfeller,gh-dependency-report,go.sum,false,true,GO,github.com/inconshreveable/mousetrap,false,= v1.0.0,,
andyfeller,gh-dependency-report,go.sum,false,true,GO,github.com/kr/pretty,true,= v0.2.0,MIT,http://choosealicense.com/licenses/mit/
andyfeller,gh-dependency-report,go.sum,false,true,GO,github.com/kr/text,true,= v0.1.0,MIT,http://choosealicense.com/licenses/mit/
andyfeller,gh-dependency-report,go.sum,false,true,GO,github.com/MakeNowJust/heredoc,false,= v1.0.0,MIT,http://choosealicense.com/licenses/mit/
andyfeller,gh-dependency-report,go.sum,false,true,GO,github.com/pkg/errors,false,= v0.8.1,BSD-2-Clause,http://choosealicense.com/licenses/bsd-2-clause/
andyfeller,gh-dependency-report,go.sum,false,true,GO,github.com/pmezard/go-difflib,false,= v1.0.0,NOASSERTION,http://choosealicense.com/licenses/other/
andyfeller,gh-dependency-report,go.sum,false,true,GO,github.com/spf13/cobra,true,= v1.3.0,Apache-2.0,http://choosealicense.com/licenses/apache-2.0/
andyfeller,gh-dependency-report,go.sum,false,true,GO,github.com/spf13/pflag,false,= v1.0.5,,
andyfeller,gh-dependency-report,go.sum,false,true,GO,github.com/stretchr/testify,true,= v1.7.0,MIT,http://choosealicense.com/licenses/mit/
andyfeller,gh-dependency-report,go.sum,false,true,GO,go.uber.org/atomic,true,= v1.9.0,MIT,http://choosealicense.com/licenses/mit/
andyfeller,gh-dependency-report,go.sum,false,true,GO,go.uber.org/goleak,true,= v1.1.11,MIT,http://choosealicense.com/licenses/mit/
andyfeller,gh-dependency-report,go.sum,false,true,GO,go.uber.org/multierr,true,= v1.7.0,MIT,http://choosealicense.com/licenses/mit/
andyfeller,gh-dependency-report,go.sum,false,true,GO,go.uber.org/zap,true,= v1.20.0,MIT,http://choosealicense.com/licenses/mit/
andyfeller,gh-dependency-report,go.sum,false,true,GO,golang.org/x/net,false,= v0.0.0-20211112202133-69e39bad7dc2,,
andyfeller,gh-dependency-report,go.sum,false,true,GO,gopkg.in/check.v1,true,= v1.0.0-20190902080502-41f04d3bba15,,
andyfeller,gh-dependency-report,go.sum,false,true,GO,gopkg.in/yaml.v2,true,= v2.4.0,,
andyfeller,gh-dependency-report,go.sum,false,true,GO,gopkg.in/yaml.v3,true,= v3.0.0-20210107192922-496545a6307b,,
andyfeller,gh-dependency-report,.github/workflows/release.yml,false,true,ACTIONS,actions/checkout,false,= 2,MIT,http://choosealicense.com/licenses/mit/
andyfeller,gh-dependency-report,.github/workflows/release.yml,false,true,ACTIONS,cli/gh-extension-precompile,false,= 1,MIT,http://choosealicense.com/licenses/mit/
andyfeller,gh-dependency-report,.github/workflows/release.yml,false,true,ACTIONS,actions/checkout,false,= 2,MIT,http://choosealicense.com/licenses/mit/
andyfeller,gh-dependency-report,.github/workflows/release.yml,false,true,ACTIONS,cli/gh-extension-precompile,false,= 1,MIT,http://choosealicense.com/licenses/mit/
```
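Reading a report back for triage, as an added example that is not part of gh-dependency-report: the Go program below (editor's code, not the project's) parses a CSV in the format above and returns the rows a security reviewer would act on first: manifests that were not fully analyzed, dependencies with no SPDX license identifier, and GitHub Actions referenced by a mutable tag such as `= 2` rather than a 40-character commit SHA. The embedded CSV is a constructed subset of the example report plus one made-up unparseable `package-lock.json` row in a hypothetical `example-repo`; the assumption that the `Requirements` column carries an Action's ref exactly as written after the `@` in `uses:` is the editor's, not documented by the project.

```go
package main

import (
	"encoding/csv"
	"fmt"
	"io"
	"regexp"
	"strings"
)

// sampleReport is a constructed subset of the example report above, plus one
// made-up row for a manifest that exceeded the size limit and was not parsed.
const sampleReport = `Owner,Repo,Manifest,Exceeds Max Size,Parseable,Package Manager,Dependency,Has Dependencies?,Requirements,License,License Url
andyfeller,gh-dependency-report,go.mod,false,true,GO,github.com/cli/go-gh,true,= 0.0.2-0.20211206104242-8180ab76d996,MIT,http://choosealicense.com/licenses/mit/
andyfeller,gh-dependency-report,go.mod,false,true,GO,github.com/cli/safeexec,false,= 1.0.0,,
andyfeller,gh-dependency-report,go.sum,false,true,GO,github.com/pmezard/go-difflib,false,= v1.0.0,NOASSERTION,http://choosealicense.com/licenses/other/
andyfeller,gh-dependency-report,.github/workflows/release.yml,false,true,ACTIONS,actions/checkout,false,= 2,MIT,http://choosealicense.com/licenses/mit/
andyfeller,gh-dependency-report,.github/workflows/release.yml,false,true,ACTIONS,cli/gh-extension-precompile,false,= 1,MIT,http://choosealicense.com/licenses/mit/
andyfeller,example-repo,package-lock.json,true,false,NPM,,false,,,
`

// Column positions, in the order of the report header.
const (
	colOwner = iota
	colRepo
	colManifest
	colExceedsMaxSize
	colParseable
	colPackageManager
	colDependency
	colHasDependencies
	colRequirements
	colLicense
	colLicenseURL
)

// Finding is one report row that needs a human to look at it.
type Finding struct {
	Owner, Repo, Manifest, Dependency string
	Reason                            string
}

// shaPin matches a requirement that pins a full commit SHA. Assumption: the
// report records an Action's ref as "= <ref>", exactly as written after "@".
var shaPin = regexp.MustCompile(`^=\s*[0-9a-f]{40}$`)

// Triage reads a gh-dependency-report CSV and returns rows that fail one of
// three checks: the manifest was not fully analyzed, the dependency has no
// SPDX license identifier, or a GitHub Action is referenced by a mutable ref.
func Triage(r io.Reader) ([]Finding, error) {
	cr := csv.NewReader(r)
	cr.FieldsPerRecord = 11 // every row must have all report columns
	rows, err := cr.ReadAll()
	if err != nil {
		return nil, err
	}
	var findings []Finding
	for i, row := range rows {
		if i == 0 {
			continue // header row
		}
		add := func(reason string) {
			findings = append(findings, Finding{row[colOwner], row[colRepo], row[colManifest], row[colDependency], reason})
		}
		if row[colExceedsMaxSize] == "true" || row[colParseable] == "false" {
			add("manifest not fully analyzed; dependencies may be missing")
			continue // the dependency columns of this row carry nothing useful
		}
		switch row[colLicense] {
		case "", "NOASSERTION":
			add("no SPDX license identifier")
		}
		if row[colPackageManager] == "ACTIONS" && !shaPin.MatchString(row[colRequirements]) {
			ref := strings.TrimSpace(strings.TrimPrefix(row[colRequirements], "="))
			add("action pinned to mutable ref " + ref)
		}
	}
	return findings, nil
}

func main() {
	findings, err := Triage(strings.NewReader(sampleReport))
	if err != nil {
		panic(err)
	}
	for _, f := range findings {
		fmt.Printf("%s/%s %s %s: %s\n", f.Owner, f.Repo, f.Manifest, f.Dependency, f.Reason)
	}
}
```

Run it against a real report with `Triage(os.Open(...))` in place of the embedded string; a go.sum row duplicates the go.mod dependency it backs, so expect license findings to appear twice for Go modules, once per manifest.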
## Setup
Like any other `gh` CLI extension, `gh-dependency-report` is trivial to install or upgrade and works on most operating systems:
- **Installation**
```shell
gh extension install andyfeller/gh-dependency-report
```
_For more information: [`gh extension install`](https://cli.github.com/manual/gh_extension_install)_
- **Upgrade**
```shell
gh extension upgrade gh-dependency-report
```
_For more information: [`gh extension upgrade`](https://cli.github.com/manual/gh_extension_upgrade)_