Hey experts, I need your help.
I am trying to find out if there is a way to get the list of dependencies (package name and version) from a private repository in a GitHub organization; currently I am exploring SBOM and manifest files. My requirement is to
have the least amount of access possible, just enough to get the SBOM or manifest file (like pom.xml, package.json) without being able to read the content of the repository.
I am also reading it at a regular interval, so I need this source to be as up to date as possible.
Is there any other way, rather than creating another repo or creating a GitHub Action that publishes this data to an external API?
Things I have explored: GitHub Actions, webhooks, GraphQL.
I know that GitHub provides fine-grained tokens and gives read-only permission to the Contents access type. I can fetch the SBOM (but the only issue is that it also enables me to read the content of the repository). There is no other permission which has SBOM export access, so this is my best option so far.
I would be really thankful if someone could tell me of any other service GitHub provides which would be relevant to this, or could confirm that no other way is possible.
Thank you in advance for your time.
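The fetch the question describes, written out as an added example (this is not code from the original post). It calls the REST endpoint `GET /repos/{owner}/{repo}/dependency-graph/sbom` with a fine-grained token that has only `Contents: read` on the selected repository, then reduces the SPDX document to `(name, version)` pairs and diffs two polls, which is what a scheduled reader needs. The sample SBOM below is constructed, not a real export; the code assumes the export contains a `DESCRIBES` relationship naming the repository's own package, and falls back to keeping every package if it does not.

```python
"""Fetch a repository SBOM from GitHub and reduce it to (name, version) pairs.

Added example for this thread, not code from the original post. The endpoint,
headers and required token scope come from the GitHub REST API documentation;
OWNER/REPO and SAMPLE_SBOM are constructed placeholders.
"""
import json
import os
import urllib.request

API = "https://api.github.com"


def fetch_sbom(owner: str, repo: str, token: str) -> dict:
    """GET /repos/{owner}/{repo}/dependency-graph/sbom.

    A fine-grained PAT needs only 'Contents: read' on the selected repository.
    That scope still permits reading every file in the repo, which is the
    limitation the question is about; restrict the token to the one repository
    and set a short expiry to contain the blast radius.
    """
    req = urllib.request.Request(
        f"{API}/repos/{owner}/{repo}/dependency-graph/sbom",
        headers={
            "Accept": "application/vnd.github+json",
            "Authorization": f"Bearer {token}",
            "X-GitHub-Api-Version": "2022-11-28",
        },
    )
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)


def extract_dependencies(sbom_doc: dict) -> list[tuple[str, str]]:
    """Return sorted, de-duplicated (name, version) pairs for every SPDX package
    except the repository itself (the package the document DESCRIBES).
    Assumption: if no DESCRIBES relationship is present, nothing is excluded."""
    sbom = sbom_doc["sbom"]
    root_ids = {
        rel["relatedSpdxElement"]
        for rel in sbom.get("relationships", [])
        if rel.get("relationshipType") == "DESCRIBES"
    }
    deps = set()
    for pkg in sbom.get("packages", []):
        if pkg.get("SPDXID") in root_ids:
            continue
        deps.add((pkg["name"], pkg.get("versionInfo", "")))
    return sorted(deps)


def diff_dependencies(previous, current):
    """Compare two polls; returns (added, removed) as sorted lists."""
    prev, cur = set(previous), set(current)
    return sorted(cur - prev), sorted(prev - cur)


# Constructed sample shaped like the API response (not a real export).
SAMPLE_SBOM = {
    "sbom": {
        "spdxVersion": "SPDX-2.3",
        "SPDXID": "SPDXRef-DOCUMENT",
        "name": "com.github.example-org/example-repo",
        "packages": [
            {"SPDXID": "SPDXRef-repo", "name": "com.github.example-org/example-repo",
             "versionInfo": "main"},
            {"SPDXID": "SPDXRef-1", "name": "npm:lodash", "versionInfo": "4.17.21"},
            {"SPDXID": "SPDXRef-2", "name": "maven:org.apache.commons:commons-lang3",
             "versionInfo": "3.12.0"},
            # duplicate entry (same package reached via two manifests)
            {"SPDXID": "SPDXRef-3", "name": "npm:lodash", "versionInfo": "4.17.21"},
        ],
        "relationships": [
            {"spdxElementId": "SPDXRef-DOCUMENT", "relatedSpdxElement": "SPDXRef-repo",
             "relationshipType": "DESCRIBES"},
            {"spdxElementId": "SPDXRef-repo", "relatedSpdxElement": "SPDXRef-1",
             "relationshipType": "DEPENDS_ON"},
        ],
    }
}


if __name__ == "__main__":
    # With GITHUB_TOKEN, OWNER and REPO set, poll the real endpoint; otherwise
    # run against the constructed sample so the script works offline.
    token, owner, repo = (os.environ.get(k) for k in ("GITHUB_TOKEN", "OWNER", "REPO"))
    doc = fetch_sbom(owner, repo, token) if token and owner and repo else SAMPLE_SBOM
    for name, version in extract_dependencies(doc):
        print(f"{name}\t{version}")
```

Run on a schedule, keep the previous poll's list and feed both into `diff_dependencies` to alert only on changes; the dependency graph is updated by GitHub on push, so the SBOM reflects the default branch's manifests without any workflow in the target repository.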
Fine-grained access control: GitHub provides fine-grained access control through repository-level permissions and personal access tokens. You mentioned that you can fetch the SBOM, but that it also allows you to read the content of the repository. Unfortunately, there is no specific permission that allows access to only the SBOM or manifest file without read access to the repository.
External API or service: One option could be to create a GitHub Action that retrieves the SBOM or manifest file from the repository and publishes the dependency information to an external API or service.
Custom solution: If you have specific constraints or requirements, you might need to explore custom solutions. For ex…
Thanks Nirva! Can you suggest some of the third-party services you mentioned above to start with? It would be really helpful. I have explored Snyk, but I think it only shows vulnerabilities and not the whole list. Are there any other services that provide the complete list of dependencies?