A `gh` extension to generate a report of repository manifests and dependencies discovered through GitHub's software supply chain capabilities.

- `gh extension install andyfeller/gh-dependency-report`
- `gh dependency-report $(whoami)`
- Profit! 💰 💸 🤑 💸 💰
The extension pulls manifests and dependencies, including license information, for a set of repositories from GitHub's GraphQL API. It only works for repositories that have the dependency graph feature enabled.

The result is a CSV that companies and individuals can use to attest to the software licenses in use, making the jobs of platform engineering, legal, security, and auditors easier.
```
$ gh dependency-report --help
Generate report of repository manifests and dependencies discovered through the dependency graph

Usage:
  gh-dependency-report [flags] owner [repo ...]

Flags:
  -d, --debug                Whether to debug logging
  -e, --exclude strings      Repositories to exclude from report
  -h, --help                 help for gh-dependency-report
  -o, --output-file string   Name of file to write CSV report (default "report-20220216081518.csv")
```
The resulting CSV file contains the most common information used for these purposes:

- Owner
  - Login name of the organization or user that owns the repository
  - Examples: `andyfeller`, `github`, `cli`
- Repo
  - Name of the repository containing the manifest; does not duplicate owner information
  - Examples: `gh-dependency-report` (for `andyfeller/gh-dependency-report`), `codeql` (for `github/codeql`), `cli` (for `cli/cli`)
- Manifest
  - Fully qualified manifest filename
  - Examples: `go.mod`, `.github/workflows/release.yml`, `package.json`
- Exceeds Max Size
  - Is the manifest too big to parse?
- Parseable
  - Were we able to parse the manifest?
- Package Manager
  - The dependency package manager.
  - Examples: `ACTIONS`, `COMPOSER`, `GO`, `MAVEN`, `NPM`, `NUGET`, `PIP`, `RUBYGEMS`
- Dependency
  - The name of the package in the canonical form used by the package manager. This may differ from the original textual form (see `packageLabel`), for example in a package manager that uses case-insensitive comparisons.
  - Examples: `actions/checkout` (actions), `github.com/spf13/cobra` (go), `@actions/core` (npm)
- Has Dependencies?
  - Does the dependency itself have dependencies?
- Requirements
  - The dependency version requirements.
- License
  - Short identifier specified by https://spdx.org/licenses.
- License Url
  - URL to the license on https://choosealicense.com.
The following is an example of a report generated around my own personal repositories.

Example report on andyfeller:

```csv
Owner,Repo,Manifest,Exceeds Max Size,Parseable,Package Manager,Dependency,Has Dependencies?,Requirements,License,License Url
andyfeller,gh-dependency-report,go.mod,false,true,GO,github.com/cli/go-gh,true,= 0.0.2-0.20211206104242-8180ab76d996,MIT,http://choosealicense.com/licenses/mit/
andyfeller,gh-dependency-report,go.mod,false,true,GO,github.com/cli/safeexec,false,= 1.0.0,,
andyfeller,gh-dependency-report,go.mod,false,true,GO,github.com/cli/shurcooL-graphql,true,= 0.0.1,MIT,http://choosealicense.com/licenses/mit/
andyfeller,gh-dependency-report,go.mod,false,true,GO,github.com/henvic/httpretty,false,= 0.0.6,MIT,http://choosealicense.com/licenses/mit/
andyfeller,gh-dependency-report,go.mod,false,true,GO,github.com/inconshreveable/mousetrap,false,= 1.0.0,,
andyfeller,gh-dependency-report,go.mod,false,true,GO,github.com/spf13/cobra,true,= 1.3.0,Apache-2.0,http://choosealicense.com/licenses/apache-2.0/
andyfeller,gh-dependency-report,go.mod,false,true,GO,github.com/spf13/pflag,false,= 1.0.5,,
andyfeller,gh-dependency-report,go.mod,false,true,GO,go.uber.org/atomic,true,= 1.9.0,MIT,http://choosealicense.com/licenses/mit/
andyfeller,gh-dependency-report,go.mod,false,true,GO,go.uber.org/multierr,true,= 1.7.0,MIT,http://choosealicense.com/licenses/mit/
andyfeller,gh-dependency-report,go.mod,false,true,GO,go.uber.org/zap,true,= 1.20.0,MIT,http://choosealicense.com/licenses/mit/
andyfeller,gh-dependency-report,go.mod,false,true,GO,golang.org/x/net,false,= 0.0.0-20211112202133-69e39bad7dc2,,
andyfeller,gh-dependency-report,go.mod,false,true,GO,gopkg.in/yaml.v3,true,= 3.0.0-20210107192922-496545a6307b,,
andyfeller,gh-dependency-report,go.sum,false,true,GO,github.com/benbjohnson/clock,false,= v1.1.0,MIT,http://choosealicense.com/licenses/mit/
andyfeller,gh-dependency-report,go.sum,false,true,GO,github.com/cli/go-gh,true,= v0.0.2-0.20211206104242-8180ab76d996,MIT,http://choosealicense.com/licenses/mit/
andyfeller,gh-dependency-report,go.sum,false,true,GO,github.com/cli/safeexec,false,= v1.0.0,,
andyfeller,gh-dependency-report,go.sum,false,true,GO,github.com/cli/shurcooL-graphql,true,= v0.0.1,MIT,http://choosealicense.com/licenses/mit/
andyfeller,gh-dependency-report,go.sum,false,true,GO,github.com/davecgh/go-spew,false,= v1.1.1,,
andyfeller,gh-dependency-report,go.sum,false,true,GO,github.com/henvic/httpretty,false,= v0.0.6,MIT,http://choosealicense.com/licenses/mit/
andyfeller,gh-dependency-report,go.sum,false,true,GO,github.com/inconshreveable/mousetrap,false,= v1.0.0,,
andyfeller,gh-dependency-report,go.sum,false,true,GO,github.com/kr/pretty,true,= v0.2.0,MIT,http://choosealicense.com/licenses/mit/
andyfeller,gh-dependency-report,go.sum,false,true,GO,github.com/kr/text,true,= v0.1.0,MIT,http://choosealicense.com/licenses/mit/
andyfeller,gh-dependency-report,go.sum,false,true,GO,github.com/MakeNowJust/heredoc,false,= v1.0.0,MIT,http://choosealicense.com/licenses/mit/
andyfeller,gh-dependency-report,go.sum,false,true,GO,github.com/pkg/errors,false,= v0.8.1,BSD-2-Clause,http://choosealicense.com/licenses/bsd-2-clause/
andyfeller,gh-dependency-report,go.sum,false,true,GO,github.com/pmezard/go-difflib,false,= v1.0.0,NOASSERTION,http://choosealicense.com/licenses/other/
andyfeller,gh-dependency-report,go.sum,false,true,GO,github.com/spf13/cobra,true,= v1.3.0,Apache-2.0,http://choosealicense.com/licenses/apache-2.0/
andyfeller,gh-dependency-report,go.sum,false,true,GO,github.com/spf13/pflag,false,= v1.0.5,,
andyfeller,gh-dependency-report,go.sum,false,true,GO,github.com/stretchr/testify,true,= v1.7.0,MIT,http://choosealicense.com/licenses/mit/
andyfeller,gh-dependency-report,go.sum,false,true,GO,go.uber.org/atomic,true,= v1.9.0,MIT,http://choosealicense.com/licenses/mit/
andyfeller,gh-dependency-report,go.sum,false,true,GO,go.uber.org/goleak,true,= v1.1.11,MIT,http://choosealicense.com/licenses/mit/
andyfeller,gh-dependency-report,go.sum,false,true,GO,go.uber.org/multierr,true,= v1.7.0,MIT,http://choosealicense.com/licenses/mit/
andyfeller,gh-dependency-report,go.sum,false,true,GO,go.uber.org/zap,true,= v1.20.0,MIT,http://choosealicense.com/licenses/mit/
andyfeller,gh-dependency-report,go.sum,false,true,GO,golang.org/x/net,false,= v0.0.0-20211112202133-69e39bad7dc2,,
andyfeller,gh-dependency-report,go.sum,false,true,GO,gopkg.in/check.v1,true,= v1.0.0-20190902080502-41f04d3bba15,,
andyfeller,gh-dependency-report,go.sum,false,true,GO,gopkg.in/yaml.v2,true,= v2.4.0,,
andyfeller,gh-dependency-report,go.sum,false,true,GO,gopkg.in/yaml.v3,true,= v3.0.0-20210107192922-496545a6307b,,
andyfeller,gh-dependency-report,.github/workflows/release.yml,false,true,ACTIONS,actions/checkout,false,= 2,MIT,http://choosealicense.com/licenses/mit/
andyfeller,gh-dependency-report,.github/workflows/release.yml,false,true,ACTIONS,cli/gh-extension-precompile,false,= 1,MIT,http://choosealicense.com/licenses/mit/
andyfeller,gh-dependency-report,.github/workflows/release.yml,false,true,ACTIONS,actions/checkout,false,= 2,MIT,http://choosealicense.com/licenses/mit/
andyfeller,gh-dependency-report,.github/workflows/release.yml,false,true,ACTIONS,cli/gh-extension-precompile,false,= 1,MIT,http://choosealicense.com/licenses/mit/
```
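The report above is raw material for an attestation, not the attestation itself: the same package shows up once per manifest that declares it (`go.mod` and `go.sum`, or one action used by two workflow jobs), some rows carry an empty `License` column or GitHub's `NOASSERTION` placeholder, and any manifest flagged `Exceeds Max Size` or not `Parseable` contributes no dependency data at all. The following Python script is an added example (not part of this extension) of post-processing the CSV to answer the questions an auditor actually asks: how many unique dependencies there are, which have no resolved license, which hit a license policy, and which manifests the report does not cover. The sample input reuses rows from the example report plus one constructed row for a skipped manifest; the shape of that row and the `EXAMPLE_DENIED_LICENSES` policy are assumptions for illustration.

```python
import csv
import io
from collections import Counter, defaultdict

# Sample report in the column layout documented above. The first seven rows are
# copied from the example report in this README; the last row is constructed to
# stand in for a manifest the dependency graph could not parse (its exact shape
# in real tool output is an assumption: the dependency columns left empty).
SAMPLE_REPORT = """\
Owner,Repo,Manifest,Exceeds Max Size,Parseable,Package Manager,Dependency,Has Dependencies?,Requirements,License,License Url
andyfeller,gh-dependency-report,go.mod,false,true,GO,github.com/cli/go-gh,true,= 0.0.2-0.20211206104242-8180ab76d996,MIT,http://choosealicense.com/licenses/mit/
andyfeller,gh-dependency-report,go.mod,false,true,GO,github.com/cli/safeexec,false,= 1.0.0,,
andyfeller,gh-dependency-report,go.mod,false,true,GO,github.com/spf13/cobra,true,= 1.3.0,Apache-2.0,http://choosealicense.com/licenses/apache-2.0/
andyfeller,gh-dependency-report,go.sum,false,true,GO,github.com/cli/safeexec,false,= v1.0.0,,
andyfeller,gh-dependency-report,go.sum,false,true,GO,github.com/pmezard/go-difflib,false,= v1.0.0,NOASSERTION,http://choosealicense.com/licenses/other/
andyfeller,gh-dependency-report,.github/workflows/release.yml,false,true,ACTIONS,actions/checkout,false,= 2,MIT,http://choosealicense.com/licenses/mit/
andyfeller,gh-dependency-report,.github/workflows/release.yml,false,true,ACTIONS,actions/checkout,false,= 2,MIT,http://choosealicense.com/licenses/mit/
example-org,big-repo,package-lock.json,true,false,,,,,,
"""

# Placeholder license policy for this example only: SPDX identifiers an
# organisation wants reviewed before use. Substitute your own list.
EXAMPLE_DENIED_LICENSES = frozenset({"GPL-3.0", "AGPL-3.0"})


def parse_report(text):
    """Parse report CSV text into a list of dicts keyed by the header names."""
    return list(csv.DictReader(io.StringIO(text)))


def _is_true(value):
    return (value or "").strip().lower() == "true"


def unaudited_manifests(rows):
    """Manifests the dependency graph skipped (too large or unparseable).

    No dependency data exists for these, so an attestation built only from the
    report silently omits them unless they are listed separately.
    """
    found = {
        (r["Owner"], r["Repo"], r["Manifest"])
        for r in rows
        if _is_true(r["Exceeds Max Size"]) or not _is_true(r["Parseable"])
    }
    return sorted(found)


def unique_dependencies(rows):
    """Collapse duplicate rows into one entry per (package manager, dependency).

    Keeps the set of manifests that declare each package and the license seen
    for it, so raw row counts no longer overstate the inventory.
    """
    deps = defaultdict(lambda: {"license": "", "manifests": set()})
    for r in rows:
        if not r["Dependency"]:
            continue  # rows for skipped manifests carry no dependency
        key = (r["Package Manager"], r["Dependency"])
        deps[key]["manifests"].add(f'{r["Owner"]}/{r["Repo"]}:{r["Manifest"]}')
        if r["License"]:
            deps[key]["license"] = r["License"]
    return dict(deps)


def unresolved_licenses(deps):
    """Dependencies with no SPDX identifier, or GitHub's NOASSERTION placeholder."""
    return sorted(k for k, info in deps.items() if info["license"] in ("", "NOASSERTION"))


def policy_violations(deps, denied=EXAMPLE_DENIED_LICENSES):
    """Dependencies whose detected license is on the denied list."""
    return sorted(k for k, info in deps.items() if info["license"] in denied)


def license_counts(deps):
    """Histogram of SPDX identifiers across unique dependencies."""
    return Counter(info["license"] or "(none)" for info in deps.values())


if __name__ == "__main__":
    rows = parse_report(SAMPLE_REPORT)
    deps = unique_dependencies(rows)
    print("unique dependencies:", len(deps))
    print("license histogram:", dict(license_counts(deps)))
    print("needs manual license review:", unresolved_licenses(deps))
    print("policy violations:", policy_violations(deps))
    print("manifests not covered by the report:", unaudited_manifests(rows))
```

To run it against a real report, replace `SAMPLE_REPORT` with the contents of the file named by `--output-file`. Dependencies listed by `unresolved_licenses` still need a human to look at the upstream repository; the report can only echo what GitHub detected.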
Like any other `gh` CLI extension, `gh-dependency-report` is trivial to install or upgrade and works on most operating systems:

- Installation: `gh extension install andyfeller/gh-dependency-report` (for more information, see `gh extension install`)
- Upgrade: `gh extension upgrade gh-dependency-report` (for more information, see `gh extension upgrade`)