Scripts and tools to gather information about git repositories.
This repository is a collection of scripts and tools for a given repodiving effort. Repodiving in this context means going through a git repository and gathering relevant information for a specific purpose.
We're a group of civic-minded technologists transforming how the federal government delivers healthcare to the American people.
Establish and maintain guidance, policies, practices, and talent pipelines that advance equity, build trust, and amplify impact across CMS, HHS, and Federal Open Source Ecosystems by working and sharing openly.
A full list of contributors can be found on https://github.com/DSACMS/repodive-tools/graphs/contributors.
We follow GitHub Flow with protected branches and pull request reviews. Development includes automated code analysis, security scanning, and adherence to CMS Open Source Policy guidelines. See CONTRIBUTING.md for more details.
To run locally, please follow the instructions in CONTRIBUTING.md under Building the Project and Building Dependencies.
Run SCC on repos:
1. Make sure that scc is installed on your machine
2. Set valid environment variables including GitHub token
3. `./run-scc-on-repos.sh <Directory to store GitHub code>`
Note: the SCC script clones each repository into the directory you specify. If a repository already exists in that directory it is not downloaded again, so you can re-use the same directory when running the other scripts.
Gen Gource logs on repos:
1. Make sure that gource is installed on your machine
2. Set valid environment variables including GitHub token
3. `./gen-gource-logs-on-repos.sh <Directory to store GitHub code>`
Note: the gource script clones each repository into the directory you specify. If a repository already exists in that directory it is not downloaded again, so you can re-use the same directory when running the other scripts.
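As an added example (not one of the repodive-tools scripts), the following POSIX shell script follows the same clone-once-then-reuse convention that both the SCC and gource steps rely on, then runs a per-repository tool on each clone. It assumes that `git` and the tool named in `TOOL` (default `scc`) are installed, that the repository list is a file of clone URLs (a constructed input), and that the GitHub token is exported as `GITHUB_TOKEN`; the script name, variable names and function names are assumptions, not the project's own.

```shell
#!/bin/sh
# Added example, not part of repodive-tools: clone a list of GitHub
# repositories into one directory, skipping any already present, then run
# a per-repository tool (scc by default) on each clone.
# Assumptions: git and the tool in $TOOL are on PATH; GITHUB_TOKEN is
# exported when private repositories are involved (optional for public).
set -eu

# Derive the checkout directory name from a clone URL, e.g.
#   https://github.com/DSACMS/repodive-tools.git -> repodive-tools
#   git@github.com:DSACMS/repodive-tools.git     -> repodive-tools
repo_dir_name() {
  name=${1%/}          # drop a trailing slash
  name=${name##*/}     # keep the last path component
  printf '%s\n' "${name%.git}"
}

# True (exit 0) when the repository still has to be cloned, i.e. the
# target directory does not yet hold a git checkout.
needs_clone() {
  base=$1; url=$2
  [ ! -d "$base/$(repo_dir_name "$url")/.git" ]
}

# Clone with the token supplied through a one-shot credential helper, so the
# token is never embedded in the remote URL and therefore never written to
# the clone's .git/config. Settings passed with -c apply to this git
# invocation only, and the helper reads the token from the environment at
# run time, so the secret does not show up in the process argument list.
clone_repo() {
  base=$1; url=$2
  dest="$base/$(repo_dir_name "$url")"
  if [ -n "${GITHUB_TOKEN:-}" ]; then
    git -c credential.helper='!f() { printf "username=x-access-token\npassword=%s\n" "$GITHUB_TOKEN"; }; f' \
        clone --quiet "$url" "$dest" </dev/null
  else
    git clone --quiet "$url" "$dest" </dev/null
  fi
}

# Usage: ./clone-and-run.sh <directory to store GitHub code> <repo-list-file>
# The list file holds one clone URL per line; blank lines and lines starting
# with '#' are ignored.
main() {
  base=$1; list=$2
  tool=${TOOL:-scc}
  command -v "$tool" >/dev/null 2>&1 || { echo "$tool is not installed" >&2; exit 1; }
  mkdir -p "$base"
  while IFS= read -r url || [ -n "$url" ]; do
    case $url in ''|'#'*) continue ;; esac
    dir="$base/$(repo_dir_name "$url")"
    if needs_clone "$base" "$url"; then
      echo "cloning $url" >&2
      clone_repo "$base" "$url"
    else
      echo "reusing existing clone in $dir" >&2
    fi
    "$tool" "$dir" </dev/null
  done < "$list"
}

if [ $# -gt 0 ]; then
  main "$@"
fi
```

The credential-helper form matters precisely because the directory is meant to be re-used by several scripts: a token pasted into the clone URL (`https://x-access-token:TOKEN@github.com/...`) is persisted as the `origin` URL in every clone's `.git/config`, and from there it leaks into anything that later archives, shares or indexes that directory.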
Run contributor resolution (rough):
1. `./run-contrib-resolution.sh <Directory with the GitHub code already there>`
2. Press Ctrl+D when an empty record appears
3. `./concat.sh`
4. Look at merged_output.txt and enjoy!
Note: this script assumes that all of the repositories have already been cloned into that directory.
A useful feature of GitHub is its code search.
Using the search feature you can search projects that your GitHub account has permission to view and filter the results to your liking.
For example, you can search GitHub for projects that have a specific project as a dependency. This is known as searching for a project's dependents. It works by
using the `path:` qualifier to restrict results to files at a specific path. Adding `path:package.json` to your search limits it to JavaScript dependency manifests,
so combining it with a package name finds projects that declare that package. Note that this is a text match on the manifest, so it also returns projects that list
the package under `devDependencies` or `peerDependencies`, as well as the package's own repository.
Here is an example of searching GitHub for projects that use the package @trussworks/react-uswds:
https://github.com/search?q=%40trussworks%2Freact-uswds+path%3Apackage.json+NOT+is%3Afork&type=code
You might also notice the additional qualifier `NOT is:fork`, which excludes projects that are forks of other projects. You can
add further qualifiers to narrow the results by category such as organization: adding `org:DSACMS` shows only
projects that belong to that organization.
To read more about the GitHub search feature, see GitHub's official documentation on searching code.
We adhere to the CMS Open Source Policy. If you have any questions, just shoot us an email.
Submit a vulnerability: Vulnerability reports can be submitted through Bugcrowd. Reports may be submitted anonymously. If you share contact information, we will acknowledge receipt of your report within 3 business days.
For more information about our Security, Vulnerability, and Responsible Disclosure Policies, see SECURITY.md.
A Software Bill of Materials (SBOM) is a formal record containing the details and supply chain relationships of various components used in building software.
In the spirit of Executive Order 14028 - Improving the Nation's Cybersecurity, an SBOM for this repository is provided here: https://github.com/DSACMS/repodive-tools/network/dependencies.
For more information and resources about SBOMs, visit: https://www.cisa.gov/sbom.
This project is in the public domain within the United States, and copyright and related rights in the work worldwide are waived through the CC0 1.0 Universal public domain dedication as indicated in LICENSE.
All contributions to this project will be released under the CC0 dedication. By submitting a pull request or issue, you are agreeing to comply with this waiver of copyright interest.