https://github.com/zstyblik/dependabot-report
dependabot-report is a script which fetches data from GitHub API and generates a static HTML page
- Host: GitHub
- URL: https://github.com/zstyblik/dependabot-report
- Owner: zstyblik
- License: mit
- Created: 2024-09-16T20:54:26.000Z (almost 2 years ago)
- Default Branch: master
- Last Pushed: 2025-09-22T07:33:01.000Z (9 months ago)
- Last Synced: 2025-10-06T12:46:13.642Z (9 months ago)
- Topics: dependabot, github, reporting-tool
- Language: Python
- Homepage:
- Size: 719 KB
- Stars: 0
- Watchers: 1
- Forks: 0
- Open Issues: 0
Metadata Files:
- Readme: README.md
- Funding: .github/FUNDING.yml
- License: LICENSE
README
# dependabot report
dependabot report is a tool I wish I had, or at least thought I did. Imagine
working for a software company with more than 10 repositories on GitHub. The
"Your Dependabot alerts for today" e-mail covers 10 repositories; for the rest
you are on your own. Happy clicking through! Yes, in an ideal world everything
would be patched and updated immediately. However, some of us aren't there yet.
![dependabot_report_demo][dependabot_report_demo]
dependabot report is a simple script which fetches data from the GitHub API and
presents it as a static HTML page (minus Bootstrap and the GitHub avatars, which
are loaded remotely when the page is viewed). And that's pretty much it. Could
it be more complex with more moving parts? It absolutely could. However, this is
good enough for a PoC/demo for now.
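The core of such a script is a small amount of data shaping (drop alerts that are no longer open, order by severity) plus rendering, and the rendering step is where a report generator can hurt you: package names and advisory summaries come from third parties, so a static report that writes them into HTML unescaped is a stored-XSS sink. The following is an added example, not code from dependabot-report; it uses `html.escape` instead of the project's Jinja2 templates to show the same requirement, and the alert records are constructed, with field names (`state`, `dependency.package`, `security_advisory`, `html_url`) following the shape of GitHub's Dependabot alert objects as this example assumes it. The `javascript:` URL is a deliberately artificial worst case the API would not return; the point is that the renderer should not have to rely on that.

```python
import html
from collections import Counter

SEVERITY_ORDER = ("critical", "high", "medium", "low")

# Constructed sample data (not real alerts). Field names follow the shape of
# GitHub's Dependabot alert objects as this example assumes it.
SAMPLE_ALERTS = {
    "acme/web": [
        {"number": 7, "state": "open",
         "html_url": "https://github.com/acme/web/security/dependabot/7",
         "dependency": {"package": {"ecosystem": "pip", "name": "requests"}},
         "security_advisory": {"severity": "high", "summary": "constructed: high finding"}},
        {"number": 3, "state": "fixed",
         "html_url": "https://github.com/acme/web/security/dependabot/3",
         "dependency": {"package": {"ecosystem": "pip", "name": "jinja2"}},
         "security_advisory": {"severity": "medium", "summary": "constructed: already fixed"}},
        # Artificial hostile strings: the API would not return these, but the
        # renderer must not depend on that.
        {"number": 9, "state": "open",
         "html_url": "javascript:alert(document.cookie)",
         "dependency": {"package": {"ecosystem": "npm", "name": "<script>alert(1)</script>"}},
         "security_advisory": {"severity": "low", "summary": "constructed: hostile strings"}},
    ],
    "acme/cli": [
        {"number": 1, "state": "open",
         "html_url": "https://github.com/acme/cli/security/dependabot/1",
         "dependency": {"package": {"ecosystem": "gomod", "name": "golang.org/x/crypto"}},
         "security_advisory": {"severity": "critical", "summary": "constructed: critical finding"}},
    ],
}


def open_alerts(alerts_by_repo):
    """Keep only alerts that still need action, ordered worst-first per repo."""
    rank = {sev: i for i, sev in enumerate(SEVERITY_ORDER)}
    result = {}
    for repo, alerts in alerts_by_repo.items():
        live = [a for a in alerts if a["state"] == "open"]
        live.sort(key=lambda a: (rank.get(a["security_advisory"]["severity"], len(rank)),
                                 a["number"]))
        result[repo] = live
    return result


def severity_counts(alerts_by_repo):
    """Per-repository count of open alerts by severity."""
    return {repo: Counter(a["security_advisory"]["severity"] for a in alerts)
            for repo, alerts in open_alerts(alerts_by_repo).items()}


def safe_link(url):
    """Escaping neutralises markup, not a javascript: href, so only HTTPS
    GitHub URLs are linked; anything else is dropped and the alert number
    is shown as plain text."""
    if url.startswith("https://github.com/"):
        return html.escape(url)
    return None


def render_html(alerts_by_repo):
    """Render open alerts as a static HTML table. Every API-derived string
    passes through html.escape before it reaches the page."""
    rows = []
    for repo, alerts in sorted(open_alerts(alerts_by_repo).items()):
        for a in alerts:
            pkg = a["dependency"]["package"]
            link = safe_link(a["html_url"])
            ref = f'<a href="{link}">#{int(a["number"])}</a>' if link else f"#{int(a['number'])}"
            rows.append(
                "<tr><td>{}</td><td>{}</td><td>{}/{}</td><td>{} {}</td></tr>".format(
                    html.escape(repo),
                    html.escape(a["security_advisory"]["severity"]),
                    html.escape(pkg["ecosystem"]),
                    html.escape(pkg["name"]),
                    ref,
                    html.escape(a["security_advisory"]["summary"]),
                )
            )
    return ("<table><thead><tr><th>Repository</th><th>Severity</th>"
            "<th>Package</th><th>Alert</th></tr></thead><tbody>\n"
            + "\n".join(rows) + "\n</tbody></table>")


if __name__ == "__main__":
    print(render_html(SAMPLE_ALERTS))
```

If you render with Jinja2 as the project does, the equivalent safeguard is constructing the `Environment` with `autoescape=True` (or `select_autoescape()`), since autoescaping is off by default; the `href` allow-list is still needed on top of that.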
## Dependencies
* [Jinja2]
* [PyGithub]
* [bootstrap], which the generated page loads from Bootstrap's own CDN(!)
* [GitHub avatars], which are loaded directly from GitHub when the report is
viewed

Opening the report therefore makes requests to those third parties, even when
the report itself is hosted privately.
## GitHub token and permissions
Currently only token authentication is supported.
### Classic token
With a classic token, at least the `public_repo` scope (shown as
`repo:public_repo` in the token UI) is required, and it only grants access to
public repositories. Private repositories need a broader scope such as `repo`,
which also grants write access to code, far more than a read-only report needs.
Use a fine-grained personal access token instead.
### Fine-grained personal access token
With a fine-grained personal access token, the repository permissions
"Dependabot alerts: Read-only" and "Metadata: Read-only" (which GitHub requires
for every fine-grained token anyway) are needed. Whether you grant access to
public, all, or only selected repositories is up to you; the report can only
cover repositories the token can see.
## Usage
Read the GitHub token from an environment variable (note that the `export` line
ends up in your shell history unless you take care to avoid that):
```
export MY_TOKEN=123456
python3 dependabot_report.py \
--github-token-provider 'env:MY_TOKEN' \
--include-repo-owner \
--output-file report.html
```
or read the GitHub token from a file:
```
python3 dependabot_report.py \
--github-token-provider 'file:my-token.txt' \
--include-repo-owner \
--output-file report.html
```
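The `env:NAME` / `file:PATH` provider syntax above is simple, but a token loader is a good place for a few cheap checks. The following is an added example, not dependabot-report's own code: it resolves a provider string the way the usage section describes, rejects unknown schemes and empty tokens, strips the trailing newline editors leave in token files, and refuses a token file that is readable by group or others. Those checks are this example's own assumptions about sensible handling, not documented behaviour of the tool; `TokenError`, `check` and `demo` are names introduced here, the token values are constructed placeholders, and the permission check assumes a POSIX filesystem.

```python
import os
import stat
import tempfile

POSIX = os.name == "posix"  # file-mode bits are only meaningful on POSIX


class TokenError(ValueError):
    """Raised when the provider string cannot be resolved to a usable token."""


def load_token(provider, environ=None):
    """Resolve 'env:NAME' or 'file:PATH' to a token string, or raise TokenError."""
    environ = os.environ if environ is None else environ
    scheme, sep, ref = provider.partition(":")
    if not sep or not ref:
        raise TokenError("provider must look like env:NAME or file:PATH")
    if scheme == "env":
        token = environ.get(ref)
        if token is None:
            raise TokenError(f"environment variable {ref} is not set")
    elif scheme == "file":
        with open(ref, encoding="utf-8") as fh:
            # fstat on the open handle avoids a stat/open race on the path.
            if POSIX:
                mode = os.fstat(fh.fileno()).st_mode
                if mode & (stat.S_IRWXG | stat.S_IRWXO):
                    raise TokenError(f"{ref} is readable by group/others; chmod 600 it")
            token = fh.read()
    else:
        raise TokenError(f"unsupported provider scheme {scheme!r}")
    token = token.strip()  # editors leave a trailing newline in token files
    if not token:
        raise TokenError("token is empty")
    return token


def check(provider, environ=None):
    """Return ('ok', token) or ('error', message) instead of raising."""
    try:
        return ("ok", load_token(provider, environ))
    except (TokenError, OSError) as exc:
        return ("error", str(exc))


def demo():
    """Exercise every path with constructed inputs; returns a dict of outcomes."""
    results = {
        "env_ok": check("env:MY_TOKEN", {"MY_TOKEN": " example-token\n"}),
        "env_missing": check("env:MY_TOKEN", {}),
        "bad_scheme": check("vault:secret/token", {}),
        "no_ref": check("env:", {}),
    }
    with tempfile.TemporaryDirectory() as tmp:
        good = os.path.join(tmp, "my-token.txt")
        with open(good, "w", encoding="utf-8") as fh:
            fh.write("example-token\n")
        os.chmod(good, 0o600)
        results["file_ok"] = check(f"file:{good}")

        leaky = os.path.join(tmp, "leaky-token.txt")
        with open(leaky, "w", encoding="utf-8") as fh:
            fh.write("example-token\n")
        os.chmod(leaky, 0o644)  # world-readable: rejected on POSIX
        results["file_leaky"] = check(f"file:{leaky}")

        results["file_missing"] = check(f"file:{os.path.join(tmp, 'nope.txt')}")
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name:13} {outcome[0]:5} {outcome[1]}")
```

The `file:` path is the better of the two for anything beyond a quick test: a token in a mode-600 file does not appear in `ps` output or in shell history, whereas `export MY_TOKEN=...` typed interactively does.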
## License
MIT
[Jinja2]: https://pypi.org/project/Jinja2/
[PyGithub]: https://pypi.org/project/PyGithub/
[bootstrap]: https://getbootstrap.com
[GitHub avatars]: https://docs.github.com/en/account-and-profile/setting-up-and-managing-your-github-profile/customizing-your-profile/personalizing-your-profile
[dependabot_report_demo]: ../assets/dependabot_report_demo.png?raw=true