Skip to content

Latest commit

 

History

History
182 lines (146 loc) · 10.2 KB

README.md

File metadata and controls

182 lines (146 loc) · 10.2 KB

gh-dependency-report

A gh extension to generate report of repository manifests and dependencies discovered through GitHub's software supply chain capabilities.

Demo of gh-dependency-report extension

Quickstart

  1. gh extension install andyfeller/gh-dependency-report
  2. gh dependency-report $(whoami)
  3. Profit! 💰 💸 🤑 💸 💰

Usage

Pulling manifests and dependencies including license info around repositories from GitHub's GraphQL API. This is only works for repositories that have enabled the dependency graph feature.

The result is a CSV that companies and individuals can use to attest to software licenses in use, making the jobs of platform engineering, legal, security, and auditors easier.

 $ gh dependency-report --help

Generate report of repository manifests and dependencies discovered through the dependency graph

Usage:
  gh-dependency-report [flags] owner [repo ...]

Flags:
  -d, --debug                Whether to debug logging
  -e, --exclude strings      Repositories to exclude from report
  -h, --help                 help for gh-dependency-report
  -o, --output-file string   Name of file to write CSV report (default "report-20220216081518.csv")

The resulting CSV file contains the most common information used for these purposes:

Owner
Login name of the organization or user that owns the repository
Examples:
  • andyfeller
  • github
  • cli
Repo
Name of the repository containing the manifest; does not duplicate owner information
Examples:
  • gh-dependency-report (for andyfeller/gh-dependency-report)
  • codeql (for github/codeql)
  • cli (for cli/cli)
Manifest
Fully qualified manifest filename
Examples:
  • go.mod
  • .github/workflows/release.yml
  • package.json
  • Exceeds Max Size
    Is the manifest too big to parse?
    Parseable
    Were we able to parse the manifest?
    Package Manager
    The dependency package manager.
    Examples:
  • ACTIONS
  • COMPOSER
  • GO
  • MAVEN
  • NPM
  • NUGET
  • PIP
  • RUBYGEMS
  • Dependency
    The name of the package in the canonical form used by the package manager. This may differ from the original textual form (see packageLabel), for example in a package manager that uses case-insensitive comparisons.
    Examples:
  • actions/checkout (actions)
  • github.com/spf13/cobra (go)
  • @actions/core (npm)
  • Has Dependencies?
    Does the dependency itself have dependencies?
    Requirements
    The dependency version requirements.
    License
    Short identifier specified by https://spdx.org/licenses.
    License Url
    URL to the license on https://choosealicense.com.

    Example Report

    The following is an example of a report generated around my own personal repositories:

    Example report on andyfeller
    Owner,Repo,Manifest,Exceeds Max Size,Parseable,Package Manager,Dependency,Has Dependencies?,Requirements,License,License Url
    andyfeller,gh-dependency-report,go.mod,false,true,GO,github.com/cli/go-gh,true,= 0.0.2-0.20211206104242-8180ab76d996,MIT,http://choosealicense.com/licenses/mit/
    andyfeller,gh-dependency-report,go.mod,false,true,GO,github.com/cli/safeexec,false,= 1.0.0,,
    andyfeller,gh-dependency-report,go.mod,false,true,GO,github.com/cli/shurcooL-graphql,true,= 0.0.1,MIT,http://choosealicense.com/licenses/mit/
    andyfeller,gh-dependency-report,go.mod,false,true,GO,github.com/henvic/httpretty,false,= 0.0.6,MIT,http://choosealicense.com/licenses/mit/
    andyfeller,gh-dependency-report,go.mod,false,true,GO,github.com/inconshreveable/mousetrap,false,= 1.0.0,,
    andyfeller,gh-dependency-report,go.mod,false,true,GO,github.com/spf13/cobra,true,= 1.3.0,Apache-2.0,http://choosealicense.com/licenses/apache-2.0/
    andyfeller,gh-dependency-report,go.mod,false,true,GO,github.com/spf13/pflag,false,= 1.0.5,,
    andyfeller,gh-dependency-report,go.mod,false,true,GO,go.uber.org/atomic,true,= 1.9.0,MIT,http://choosealicense.com/licenses/mit/
    andyfeller,gh-dependency-report,go.mod,false,true,GO,go.uber.org/multierr,true,= 1.7.0,MIT,http://choosealicense.com/licenses/mit/
    andyfeller,gh-dependency-report,go.mod,false,true,GO,go.uber.org/zap,true,= 1.20.0,MIT,http://choosealicense.com/licenses/mit/
    andyfeller,gh-dependency-report,go.mod,false,true,GO,golang.org/x/net,false,= 0.0.0-20211112202133-69e39bad7dc2,,
    andyfeller,gh-dependency-report,go.mod,false,true,GO,gopkg.in/yaml.v3,true,= 3.0.0-20210107192922-496545a6307b,,
    andyfeller,gh-dependency-report,go.sum,false,true,GO,github.com/benbjohnson/clock,false,= v1.1.0,MIT,http://choosealicense.com/licenses/mit/
    andyfeller,gh-dependency-report,go.sum,false,true,GO,github.com/cli/go-gh,true,= v0.0.2-0.20211206104242-8180ab76d996,MIT,http://choosealicense.com/licenses/mit/
    andyfeller,gh-dependency-report,go.sum,false,true,GO,github.com/cli/safeexec,false,= v1.0.0,,
    andyfeller,gh-dependency-report,go.sum,false,true,GO,github.com/cli/shurcooL-graphql,true,= v0.0.1,MIT,http://choosealicense.com/licenses/mit/
    andyfeller,gh-dependency-report,go.sum,false,true,GO,github.com/davecgh/go-spew,false,= v1.1.1,,
    andyfeller,gh-dependency-report,go.sum,false,true,GO,github.com/henvic/httpretty,false,= v0.0.6,MIT,http://choosealicense.com/licenses/mit/
    andyfeller,gh-dependency-report,go.sum,false,true,GO,github.com/inconshreveable/mousetrap,false,= v1.0.0,,
    andyfeller,gh-dependency-report,go.sum,false,true,GO,github.com/kr/pretty,true,= v0.2.0,MIT,http://choosealicense.com/licenses/mit/
    andyfeller,gh-dependency-report,go.sum,false,true,GO,github.com/kr/text,true,= v0.1.0,MIT,http://choosealicense.com/licenses/mit/
    andyfeller,gh-dependency-report,go.sum,false,true,GO,github.com/MakeNowJust/heredoc,false,= v1.0.0,MIT,http://choosealicense.com/licenses/mit/
    andyfeller,gh-dependency-report,go.sum,false,true,GO,github.com/pkg/errors,false,= v0.8.1,BSD-2-Clause,http://choosealicense.com/licenses/bsd-2-clause/
    andyfeller,gh-dependency-report,go.sum,false,true,GO,github.com/pmezard/go-difflib,false,= v1.0.0,NOASSERTION,http://choosealicense.com/licenses/other/
    andyfeller,gh-dependency-report,go.sum,false,true,GO,github.com/spf13/cobra,true,= v1.3.0,Apache-2.0,http://choosealicense.com/licenses/apache-2.0/
    andyfeller,gh-dependency-report,go.sum,false,true,GO,github.com/spf13/pflag,false,= v1.0.5,,
    andyfeller,gh-dependency-report,go.sum,false,true,GO,github.com/stretchr/testify,true,= v1.7.0,MIT,http://choosealicense.com/licenses/mit/
    andyfeller,gh-dependency-report,go.sum,false,true,GO,go.uber.org/atomic,true,= v1.9.0,MIT,http://choosealicense.com/licenses/mit/
    andyfeller,gh-dependency-report,go.sum,false,true,GO,go.uber.org/goleak,true,= v1.1.11,MIT,http://choosealicense.com/licenses/mit/
    andyfeller,gh-dependency-report,go.sum,false,true,GO,go.uber.org/multierr,true,= v1.7.0,MIT,http://choosealicense.com/licenses/mit/
    andyfeller,gh-dependency-report,go.sum,false,true,GO,go.uber.org/zap,true,= v1.20.0,MIT,http://choosealicense.com/licenses/mit/
    andyfeller,gh-dependency-report,go.sum,false,true,GO,golang.org/x/net,false,= v0.0.0-20211112202133-69e39bad7dc2,,
    andyfeller,gh-dependency-report,go.sum,false,true,GO,gopkg.in/check.v1,true,= v1.0.0-20190902080502-41f04d3bba15,,
    andyfeller,gh-dependency-report,go.sum,false,true,GO,gopkg.in/yaml.v2,true,= v2.4.0,,
    andyfeller,gh-dependency-report,go.sum,false,true,GO,gopkg.in/yaml.v3,true,= v3.0.0-20210107192922-496545a6307b,,
    andyfeller,gh-dependency-report,.github/workflows/release.yml,false,true,ACTIONS,actions/checkout,false,= 2,MIT,http://choosealicense.com/licenses/mit/
    andyfeller,gh-dependency-report,.github/workflows/release.yml,false,true,ACTIONS,cli/gh-extension-precompile,false,= 1,MIT,http://choosealicense.com/licenses/mit/
    andyfeller,gh-dependency-report,.github/workflows/release.yml,false,true,ACTIONS,actions/checkout,false,= 2,MIT,http://choosealicense.com/licenses/mit/
    andyfeller,gh-dependency-report,.github/workflows/release.yml,false,true,ACTIONS,cli/gh-extension-precompile,false,= 1,MIT,http://choosealicense.com/licenses/mit/
    

    Setup

    Like any other gh CLI extension, gh-dependency-report is trivial to install or upgrade and works on most operating systems:

    • Installation

      gh extension install andyfeller/gh-dependency-report

      For more information: gh extension install

    • Upgrade

      gh extension upgrade gh-dependency-report

      For more information: gh extension upgrade