gitgrab: clone every repo in a GitHub org

I keep a lot of repositories spread across organizations. When I need a local copy of everything (backup, audit, offline work, whatever), I end up writing one-off scripts that are boring, fragile, and always missing the one repo I forgot about. So I wrote a tool to make this boring task repeatable: gitgrab.

https://github.com/scottbrown/gitgrab

gitgrab does one thing: it grabs every repository from a GitHub organization and puts them in a directory on disk. It talks to the GitHub API, so, given a token that can read them, it sees both public and private repos. When you run it again, it doesn’t re-clone; it updates what you already have. ...

December 28, 2025 · 2 min · 345 words · Scott Brown
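The two mechanics the gitgrab summary describes, enumerating every repository through the API (following the paging links so nothing is missed) and then cloning what is absent while updating what is already checked out, as an added example in Python. This is not gitgrab's own code. The organization name `example-org`, the constructed two-page API response, and the fake fetcher are assumptions; `github_fetch` is the real transport and reads a token from `GITHUB_TOKEN`.

```python
"""Plan a full-organization checkout: list every repo via the GitHub API
(private ones included, when the token can see them), then clone anything
missing and fast-forward anything already on disk.

Added example, not gitgrab's code. Network access is replaced by a
constructed two-page API response so it runs offline; swapping
fake_fetch for github_fetch hits the real API.
"""
import json
import os
import re
import urllib.request
from typing import Callable, Optional

API = "https://api.github.com"
ORG = "example-org"  # assumed organization name

# Constructed sample of GET /orgs/{org}/repos?type=all&per_page=100, paged
# through the Link header the way the real API pages it. Only the fields
# used below are kept; real objects carry many more.
SAMPLE_PAGES = {
    f"{API}/orgs/{ORG}/repos?type=all&per_page=100": (
        [
            {"name": "api-server", "private": False, "archived": False,
             "ssh_url": f"git@github.com:{ORG}/api-server.git"},
            {"name": "infra", "private": True, "archived": False,
             "ssh_url": f"git@github.com:{ORG}/infra.git"},
        ],
        f'<{API}/orgs/{ORG}/repos?type=all&per_page=100&page=2>; rel="next", '
        f'<{API}/orgs/{ORG}/repos?type=all&per_page=100&page=2>; rel="last"',
    ),
    f"{API}/orgs/{ORG}/repos?type=all&per_page=100&page=2": (
        [
            {"name": "old-cli", "private": True, "archived": True,
             "ssh_url": f"git@github.com:{ORG}/old-cli.git"},
        ],
        f'<{API}/orgs/{ORG}/repos?type=all&per_page=100>; rel="prev", '
        f'<{API}/orgs/{ORG}/repos?type=all&per_page=100>; rel="first"',
    ),
}

Fetch = Callable[[str], tuple]  # url -> (decoded JSON body, Link header or None)
NEXT_RE = re.compile(r'<([^>]+)>;\s*rel="next"')


def next_url(link_header: Optional[str]) -> Optional[str]:
    """Pull the rel="next" target out of a Link header; None on the last page."""
    if not link_header:
        return None
    m = NEXT_RE.search(link_header)
    return m.group(1) if m else None


def github_fetch(url: str) -> tuple:
    """Real fetcher. GITHUB_TOKEN must be allowed to read the org's private
    repos; otherwise type=all silently returns only what the caller can see."""
    req = urllib.request.Request(url, headers={
        "Accept": "application/vnd.github+json",
        "Authorization": "Bearer " + os.environ.get("GITHUB_TOKEN", ""),
    })
    with urllib.request.urlopen(req) as resp:
        return json.load(resp), resp.headers.get("Link")


def fake_fetch(url: str) -> tuple:
    """Offline stand-in for github_fetch backed by the constructed pages."""
    return SAMPLE_PAGES[url]


def list_org_repos(org: str, fetch: Fetch) -> list:
    """Follow rel="next" until the API stops handing one out. Stopping after
    the first page is the classic way one-off scripts miss a repo."""
    url = f"{API}/orgs/{org}/repos?type=all&per_page=100"
    repos = []
    while url:
        page, link = fetch(url)
        repos.extend(page)
        url = next_url(link)
    return repos


def plan_sync(repos: list, root: str, exists=os.path.isdir) -> list:
    """One (name, action, argv) per repo. An existing checkout gets a
    fast-forward pull instead of a re-clone. The argv lists are meant for
    subprocess.run without a shell, so repo names never reach a shell parser."""
    plan = []
    for r in repos:
        dest = os.path.join(root, r["name"])
        if exists(os.path.join(dest, ".git")):
            plan.append((r["name"], "update", ["git", "-C", dest, "pull", "--ff-only"]))
        else:
            plan.append((r["name"], "clone", ["git", "clone", r["ssh_url"], dest]))
    return plan


if __name__ == "__main__":
    # Dry run against the constructed pages; use github_fetch and feed each
    # argv to subprocess.run to actually sync.
    for name, action, argv in plan_sync(list_org_repos(ORG, fake_fetch), "repos"):
        print(f"{action:7} {name:12} {' '.join(argv)}")
```

`--ff-only` is deliberate: if someone has committed locally in one of the mirrors, a plain `git pull` would quietly create a merge commit in what is supposed to be a backup, whereas a fast-forward-only pull fails loudly and leaves the divergence for a human to look at.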

Introducing Patina: A Tool for Finding Stale Repositories in Your GitHub Organization

Over the years, GitHub organizations tend to accumulate repositories. Some are actively maintained, others slowly fade into obscurity, and a few become completely forgotten. Without a systematic way to assess repository health across an entire organization, it’s easy to lose track of what’s actively maintained and what’s collecting digital dust. I built Patina to solve this problem.

What is Patina?

Patina is a command-line tool that scans GitHub organizations to identify and assess repository freshness. The name comes from the surface coating that forms on materials over time—a fitting metaphor for detecting code that’s been left untouched. ...

December 5, 2025 · 4 min · 652 words · Scott Brown
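The freshness assessment the Patina summary talks about, as an added example in Python that is not Patina's code. The page does not say which signals or thresholds Patina uses, so the choice of `pushed_at` as the activity signal, the buckets, the 90-day and 365-day cutoffs, and the constructed repository list are all my assumptions.

```python
"""Rank an organization's repositories by how long it has been since the
last push, which is the question a staleness scan is answering.

Added example, not Patina's code. Input is a constructed subset of the
/orgs/{org}/repos response instead of a live API call, and a fixed clock
keeps the result reproducible.
"""
from datetime import datetime, timezone

NOW = datetime(2025, 12, 5, tzinfo=timezone.utc)  # fixed "today" for reproducibility

# Constructed sample. pushed_at is the last push to any branch. updated_at is
# deliberately not used: it also bumps on stars, settings and other metadata
# edits, so it overstates how alive a repo is.
SAMPLE_REPOS = [
    {"name": "api-server", "archived": False, "fork": False,
     "pushed_at": "2025-11-30T10:00:00Z"},
    {"name": "infra", "archived": False, "fork": False,
     "pushed_at": "2025-04-01T10:00:00Z"},
    {"name": "old-cli", "archived": True, "fork": False,
     "pushed_at": "2021-01-01T00:00:00Z"},
    {"name": "upstream-mirror", "archived": False, "fork": True,
     "pushed_at": "2023-06-01T00:00:00Z"},
]


def parse_ts(s: str) -> datetime:
    """GitHub timestamps are ISO 8601 in UTC with a trailing Z."""
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def assess(repo: dict, now: datetime = NOW, warn_days: int = 90,
           stale_days: int = 365) -> tuple:
    """Return (status, days_since_push). Archived repos get their own bucket:
    they are frozen on purpose, which is the opposite of forgotten.
    The cutoffs are assumptions; tune them to the org's release cadence."""
    idle = (now - parse_ts(repo["pushed_at"])).days
    if repo.get("archived"):
        return "archived", idle
    if idle >= stale_days:
        return "stale", idle
    if idle >= warn_days:
        return "aging", idle
    return "active", idle


def report(repos: list, include_forks: bool = False, **opts) -> list:
    """Rows of (name, status, days_idle), most neglected first. Forks are
    dropped by default because a fork's pushed_at usually tracks upstream
    syncs rather than work done in this org."""
    rows = [(r["name"], *assess(r, **opts)) for r in repos
            if include_forks or not r.get("fork")]
    rows.sort(key=lambda row: row[2], reverse=True)
    return rows


def candidates_for_archiving(repos: list, **opts) -> list:
    """Names of repos that are past the stale cutoff and not yet archived."""
    return [name for name, status, _ in report(repos, **opts) if status == "stale"]


if __name__ == "__main__":
    for name, status, days in report(SAMPLE_REPOS, include_forks=True):
        print(f"{status:9} {days:5d}d  {name}")
```

The archived bucket matters for the security reading of the report: an archived repo is read-only and cannot receive a push, so it is not a candidate for cleanup, while a non-archived repo nobody has pushed to in a year is exactly where an unreviewed dependency alert or a leaked credential sits unnoticed.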

Calculating Vulnerability Alerts with the Github API

At work I recently had to show our risk profile from GitHub vulnerability alerts and display it in Domo. GitHub’s APIv3 (REST) doesn’t let you query the vulnerability alerts, but APIv4 (GraphQL) does. I found the documentation around gathering those results very opaque because the feature was in Preview status, so here are some examples for pulling out the data you need.

GitHub vulnerability alerts can be enabled in a repository’s Settings. GitHub scans the dependency manifests of various package managers (requirements.txt, package.json, etc.) and builds a dependency graph (super cool!). From there, each dependency is checked against CVEs published on public vulnerability databases. This is useful information, but it is difficult to visualize when you have many (in my case, hundreds) of repositories to watch. ...

February 8, 2019 · 3 min · 529 words · Scott Brown
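The data pull the vulnerability-alerts summary describes, as an added example in Python rather than the post's own queries: one GraphQL query that walks every repository in an organization, pages through the repository cursor, flattens each alert to a row, and rolls the open ones up by severity and by repo for a dashboard. The query is written against the current public schema (`vulnerabilityAlerts` on `Repository`, with a `state` field); when the post was written the same data sat behind a Preview `Accept` header, so exact field names should be checked in the schema explorer before relying on them. The organization name, the cursor values and the two constructed responses are assumptions; `github_execute` is the real transport and is not called offline.

```python
"""Pull every repository's vulnerability alerts for an organization through
GitHub's GraphQL (v4) API and roll them up into per-severity counts.

Added example, not the post's code. Network access is replaced by
constructed responses keyed on the cursor so it runs offline.
"""
import json
import os
import urllib.request
from collections import Counter

QUERY = """
query($org: String!, $after: String) {
  organization(login: $org) {
    repositories(first: 100, after: $after) {
      pageInfo { hasNextPage endCursor }
      nodes {
        name
        vulnerabilityAlerts(first: 100) {
          totalCount
          nodes {
            state
            securityVulnerability {
              severity
              package { name ecosystem }
            }
          }
        }
      }
    }
  }
}
"""


def _alert(state, severity, package, ecosystem):
    """Build one constructed alert node in the shape the query selects."""
    return {"state": state, "securityVulnerability": {
        "severity": severity, "package": {"name": package, "ecosystem": ecosystem}}}


# Constructed responses keyed by the cursor sent as variables["after"].
SAMPLE_RESPONSES = {
    None: {"data": {"organization": {"repositories": {
        "pageInfo": {"hasNextPage": True, "endCursor": "Y3Vyc29yOjEwMA=="},
        "nodes": [
            {"name": "api-server", "vulnerabilityAlerts": {"totalCount": 2, "nodes": [
                _alert("OPEN", "CRITICAL", "lodash", "NPM"),
                _alert("FIXED", "HIGH", "requests", "PIP")]}},
            {"name": "infra", "vulnerabilityAlerts": {"totalCount": 0, "nodes": []}},
        ]}}}},
    "Y3Vyc29yOjEwMA==": {"data": {"organization": {"repositories": {
        "pageInfo": {"hasNextPage": False, "endCursor": "Y3Vyc29yOjEwMQ=="},
        "nodes": [
            {"name": "old-cli", "vulnerabilityAlerts": {"totalCount": 2, "nodes": [
                _alert("OPEN", "MODERATE", "pyyaml", "PIP"),
                _alert("OPEN", "HIGH", "pyyaml", "PIP")]}},
        ]}}}},
}


def github_execute(query, variables):
    """Real transport: POST to /graphql with a token allowed to read security alerts."""
    body = json.dumps({"query": query, "variables": variables}).encode()
    req = urllib.request.Request("https://api.github.com/graphql", data=body, headers={
        "Authorization": "Bearer " + os.environ.get("GITHUB_TOKEN", ""),
        "Content-Type": "application/json"})
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)


def fake_execute(query, variables):
    """Offline stand-in for github_execute backed by the constructed responses."""
    return SAMPLE_RESPONSES[variables.get("after")]


def collect_alerts(org, execute):
    """Walk the repository cursor and flatten alerts to one row each.
    Returns (rows, truncated): a repo whose alert count exceeds the page size
    would need a second cursor on vulnerabilityAlerts, which this example does
    not implement, so such repos are flagged instead of silently undercounted."""
    rows, truncated, after = [], [], None
    while True:
        data = execute(QUERY, {"org": org, "after": after})
        if "errors" in data:  # GraphQL reports failures with HTTP 200
            raise RuntimeError(data["errors"])
        repos = data["data"]["organization"]["repositories"]
        for repo in repos["nodes"]:
            alerts = repo["vulnerabilityAlerts"]
            if alerts["totalCount"] > len(alerts["nodes"]):
                truncated.append(repo["name"])
            for a in alerts["nodes"]:
                sv = a["securityVulnerability"]
                rows.append({"repo": repo["name"], "state": a["state"],
                             "severity": sv["severity"],
                             "package": sv["package"]["name"],
                             "ecosystem": sv["package"]["ecosystem"]})
        if not repos["pageInfo"]["hasNextPage"]:
            return rows, truncated
        after = repos["pageInfo"]["endCursor"]


def open_by_severity(rows):
    """Counts only OPEN alerts: fixed and dismissed ones still come back from
    the API and would inflate the risk number if left in."""
    return dict(Counter(r["severity"] for r in rows if r["state"] == "OPEN"))


def open_by_repo(rows):
    """Open alert count per repository, the per-row shape a dashboard ingests."""
    return dict(Counter(r["repo"] for r in rows if r["state"] == "OPEN"))


if __name__ == "__main__":
    rows, truncated = collect_alerts("example-org", fake_execute)
    print(open_by_severity(rows), open_by_repo(rows), "truncated:", truncated)
```

Two details bite in practice and are handled above: GraphQL returns errors inside a 200 response, so the `errors` key has to be checked explicitly, and `totalCount` can exceed the number of nodes returned for a single repository, so comparing the two is the only way to know a count is complete.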