dephunt

A CLI tool for indexing and searching dependencies from GitHub and Bitbucket Server repositories. Built for supply-chain incident response — quickly find which repos use a specific package or version across your entire organization.

Features

  • Multi-source: GitHub (cloud) and Bitbucket Server (on-prem)
  • Multi-language: Node.js and Python ecosystems
  • Fast search: FTS5 full-text search with exact, substring, and fuzzy matching
  • Org-wide sync: Index all repos across all orgs/projects in one command
  • Concurrent: Parallel syncing with configurable worker pool
  • Offline-first: Local SQLite database — search works without network access
  • Secure auth: Tokens stored in OS credential store (Windows Credential Manager / macOS Keychain / Linux Secret Service)
  • Export: CSV and interactive HTML reports

Supported Manifests

| Ecosystem | Manifests | Lockfiles |
|-----------|-----------|-----------|
| Node.js | package.json | package-lock.json, yarn.lock, pnpm-lock.yaml, bun.lock, npm-shrinkwrap.json |
| Python | pyproject.toml, requirements.txt, setup.cfg | poetry.lock, Pipfile.lock, uv.lock |
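As an added example (not dephunt's own parser), this is the kind of extraction a lockfile indexer has to do for package-lock.json (lockfileVersion 2/3): it produces the same name/version/prod-dev/direct-transitive fields that dephunt's search output shows, and it treats a copy nested under another package's node_modules as transitive even when the root project also declares that name. The `Dep`, `lockEntry`, `ParsePackageLock` and `SampleLock` names and the sample lockfile are assumptions constructed for this example.

```go
package main

import (
	"encoding/json"
	"sort"
	"strings"
)

// Dep mirrors the columns dephunt prints: name, version, prod/dev, direct/transitive.
type Dep struct{ Name, Version, DepType string; Direct bool }

// lockEntry is the subset of a package-lock.json (lockfileVersion 2/3) "packages" entry used here.
type lockEntry struct {
	Version         string            `json:"version"`
	Dev             bool              `json:"dev"`
	Dependencies    map[string]string `json:"dependencies"`
	DevDependencies map[string]string `json:"devDependencies"`
}

// ParsePackageLock lists every installed package. A package is "direct" only if the root project
// declares it AND it sits at the top level; a copy nested under another package stays transitive.
func ParsePackageLock(data []byte) ([]Dep, error) {
	var lf struct{ Packages map[string]lockEntry `json:"packages"` }
	if err := json.Unmarshal(data, &lf); err != nil {
		return nil, err
	}
	root := lf.Packages[""] // the project itself; its declared deps define what is direct
	declared := map[string]bool{}
	for _, m := range []map[string]string{root.Dependencies, root.DevDependencies} {
		for n := range m { declared[n] = true }
	}
	var deps []Dep
	for path, e := range lf.Packages {
		// Paths look like node_modules/a/node_modules/@scope/b: the name follows the last
		// "node_modules/". The root "" entry and workspace entries (packages/foo) have none.
		i := strings.LastIndex(path, "node_modules/")
		if i < 0 {
			continue
		}
		name := path[i+len("node_modules/"):]
		depType := map[bool]string{false: "prod", true: "dev"}[e.Dev]
		deps = append(deps, Dep{name, e.Version, depType, declared[name] && path == "node_modules/"+name})
	}
	sort.Slice(deps, func(i, j int) bool { return deps[i].Name+"@"+deps[i].Version < deps[j].Name+"@"+deps[j].Version })
	return deps, nil
}

// SampleLock is a constructed lockfile for demonstration, not taken from any real repository.
const SampleLock = `{"lockfileVersion":3,"packages":{"":{"dependencies":{"lodash":"^4.17.21"},"devDependencies":{"jest":"^29.0.0"}},
 "node_modules/lodash":{"version":"4.17.21"},"node_modules/jest":{"version":"29.7.0","dev":true},"node_modules/jsonwebtoken":{"version":"8.5.1"},
 "node_modules/jest/node_modules/lodash":{"version":"4.17.15","dev":true}}}`
```

Running `ParsePackageLock([]byte(SampleLock))` yields four records: jest (dev, direct), jsonwebtoken (prod, transitive), lodash 4.17.15 (dev, transitive, the nested copy) and lodash 4.17.21 (prod, direct).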

Installation

Requires Go 1.22+.

go install github.com/surajg/dephunt@latest

Or build from source:

git clone https://github.com/surajg/dephunt.git
cd dephunt
go build -o dephunt .

Cross-platform builds

# Windows (amd64)
GOOS=windows GOARCH=amd64 go build -o dephunt.exe .

# Windows (arm64)
GOOS=windows GOARCH=arm64 go build -o dephunt.exe .

# macOS (Apple Silicon)
GOOS=darwin GOARCH=arm64 go build -o dephunt .

# macOS (Intel)
GOOS=darwin GOARCH=amd64 go build -o dephunt .

# Linux (amd64)
GOOS=linux GOARCH=amd64 go build -o dephunt .

# Linux (arm64)
GOOS=linux GOARCH=arm64 go build -o dephunt .

Or build all platforms at once:

# PowerShell
foreach ($p in @("windows/amd64","darwin/arm64","darwin/amd64","linux/amd64","linux/arm64")) {
    $os,$arch = $p -split "/"
    $ext = if ($os -eq "windows") { ".exe" } else { "" }
    $env:GOOS=$os; $env:GOARCH=$arch
    go build -o "dist/dephunt-$os-$arch$ext" .
}

# Bash
for p in windows/amd64 darwin/arm64 darwin/amd64 linux/amd64 linux/arm64; do
    GOOS=${p%/*} GOARCH=${p#*/}
    EXT=""; [ "$GOOS" = "windows" ] && EXT=".exe"
    GOOS=$GOOS GOARCH=$GOARCH go build -o "dist/dephunt-$GOOS-$GOARCH$EXT" .
done

Quick Start

# 1. Store your token securely
dephunt auth login --github

# 2. Sync a single repo
dephunt sync facebook/react

# 3. Sync all repos in your GitHub orgs
dephunt sync-all

# 4. Search for a package
dephunt search lodash

# 5. Search for a specific vulnerable version
dephunt search jsonwebtoken --version 8.5.1

Authentication

Tokens are resolved in this order (highest priority first):

  1. --token / --bb-token CLI flag
  2. GITHUB_TOKEN / BITBUCKET_TOKEN environment variable
  3. OS credential store (set via dephunt auth login)

# Store tokens in the OS credential store
dephunt auth login                # prompts for both GitHub and Bitbucket
dephunt auth login --github       # GitHub only
dephunt auth login --bitbucket    # Bitbucket only

# Check what's configured
dephunt auth status

# Remove stored tokens
dephunt auth logout

Commands

sync

Index dependencies from a single repository.

# GitHub (default)
dephunt sync owner/repo
dephunt sync owner/repo --ref develop

# Bitbucket Server
dephunt sync PROJECT_KEY/repo-slug --source bb

# Force re-sync even if already up to date
dephunt sync owner/repo --force

sync-all

Discover and sync all repositories across all accessible organizations (GitHub) and projects (Bitbucket Server).

# Both GitHub and Bitbucket (default)
dephunt sync-all

# GitHub only
dephunt sync-all --source gh
dephunt sync-all --include-user    # also sync your personal repos

# Bitbucket Server only
dephunt sync-all --source bb

# Tuning
dephunt sync-all --concurrency 20  # parallel workers (default: 10)

search

Search for packages across all indexed repos.

dephunt search react
dephunt search react --version 18.3.1
dephunt search lodash --repo NetApp/my-app
dephunt search express --dep-type prod --direct-only
dephunt search requests --lang py          # Python only
dephunt search react --lang js             # Node.js only
dephunt search jsonwebtoken --exact        # exact name match
dephunt search reqeusts --fuzzy            # typo-tolerant

# Export results
dephunt search react --output results.csv
dephunt search react --output report.html  # interactive HTML with filtering/sorting

Search strategy (cascading):

  1. Exact match on package name
  2. Substring match if no exact results
  3. Fuzzy match (Levenshtein distance) as fallback
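An added example, not dephunt's own implementation (which runs against the SQLite FTS5 index): the same three-stage cascade over an in-memory list of package names, where a later stage is only consulted when the earlier ones return nothing. The `levenshtein`, `min3`, `CascadingSearch` and `SampleIndex` names and the sample names are assumptions made for this example.

```go
package main

import "strings"

// levenshtein returns the edit distance (insert, delete, substitute) between a and b.
func levenshtein(a, b string) int {
	ra, rb := []rune(a), []rune(b)
	prev, cur := make([]int, len(rb)+1), make([]int, len(rb)+1)
	for j := range prev { prev[j] = j }
	for i := 1; i <= len(ra); i++ {
		cur[0] = i
		for j := 1; j <= len(rb); j++ {
			cost := 1
			if ra[i-1] == rb[j-1] { cost = 0 }
			cur[j] = min3(prev[j]+1, cur[j-1]+1, prev[j-1]+cost)
		}
		prev, cur = cur, prev
	}
	return prev[len(rb)]
}

func min3(a, b, c int) int { if b < a { a = b }; if c < a { a = c }; return a }

// CascadingSearch applies the three stages in order and stops at the first one that
// yields results: exact name, then substring, then fuzzy (Levenshtein distance <= maxDist).
// It returns the matching names and the stage that produced them. Matching is case-insensitive.
func CascadingSearch(names []string, query string, maxDist int) ([]string, string) {
	q := strings.ToLower(query)
	var exact, substr, fuzzy []string
	for _, n := range names {
		ln := strings.ToLower(n)
		switch {
		case ln == q:
			exact = append(exact, n)
		case strings.Contains(ln, q):
			substr = append(substr, n)
		case levenshtein(ln, q) <= maxDist:
			fuzzy = append(fuzzy, n)
		}
	}
	if len(exact) > 0 { return exact, "exact" }
	if len(substr) > 0 { return substr, "substring" }
	return fuzzy, "fuzzy"
}

// SampleIndex stands in for the package names held in the index (constructed, not real data).
var SampleIndex = []string{"lodash", "lodash-es", "@types/lodash", "request", "requests", "jsonwebtoken", "express"}
```

With `SampleIndex`, "lodash" stops at the exact stage (lodash-es and @types/lodash are not returned), "jsonweb" falls through to the substring stage, and the typo "reqeusts" is only caught by the fuzzy stage, which at distance 2 matches "requests" but not "request".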

show

Show detailed information about a specific package across all repos.

dephunt show --package lodash
dephunt show --package lodash --repo NetApp/my-app

history

Show when a package first and last appeared, including commit SHAs.

dephunt history --package jsonwebtoken
dephunt history --package express --repo NetApp/my-app --ref main

repos

List all indexed repositories.

dephunt repos

unsync

Remove repositories from the index.

# Remove a single repo
dephunt unsync owner/repo

# Remove all repos in an org
dephunt unsync --org NetApp

# Bitbucket Server
dephunt unsync PROJECT_KEY/repo-slug --source bb
dephunt unsync --org PROJECT_KEY --source bb

Search Output

Results are tagged with source and displayed with clickable file URLs:

  lodash                  4.17.21     prod     direct     [GH] NetApp/my-app@main
    -> https://github.com/NetApp/my-app/blob/main/package-lock.json#L5432
  lodash                  4.17.21     prod     transitive [BB] DSS-BB/cvo-ui@master
    -> https://bitbucket.ngage.netapp.com/projects/DSS-BB/repos/cvo-ui/browse/yarn.lock?at=master#8901

Export Formats

CSV — all fields including URLs, suitable for spreadsheets and further processing.

HTML — dark-themed interactive report with:

  • Sortable columns (click any header)
  • Live text filtering
  • Dropdown filters for source, dependency type, and direct/transitive
  • Color-coded tags
  • Clickable links to source files with line numbers

Database

dephunt uses a local SQLite database stored at ~/.dephunt/dephunt.db. Override with --db:

dephunt search react --db /path/to/custom.db

The schema auto-migrates on startup. WAL mode is enabled for concurrent read performance.

Global Flags

| Flag | Environment Variable | Description |
|------|----------------------|-------------|
| --token | GITHUB_TOKEN | GitHub personal access token |
| --bb-token | BITBUCKET_TOKEN | Bitbucket Server personal access token |
| --bb-url | | Bitbucket Server base URL |
| --db | | Path to SQLite database |

GitHub Actions

Two workflows are included for automated syncing and on-demand search.

Setup

Add these secrets to your repository (Settings → Secrets and variables → Actions):

| Secret | Required | Description |
|--------|----------|-------------|
| DEPHUNT_GITHUB_TOKEN | Recommended | GitHub PAT with repo + read:org scope. Falls back to the default GITHUB_TOKEN |
| DEPHUNT_BITBUCKET_TOKEN | Optional | Bitbucket Server PAT. BB sync is skipped if not set |

Sync Database

Workflow: .github/workflows/sync.yml

Keeps the dependency database up to date. Runs daily at 02:00 UTC and can be triggered manually.

Actions → "Sync Database" → Run workflow

| Input | Default | Description |
|-------|---------|-------------|
| source | all | all, gh, or bb |
| force | false | Re-sync repos even if already at the same commit |
| concurrency | 20 | Number of parallel workers |
| repo | | Sync a single repo instead of all (e.g. owner/repo) |

The database is saved as a workflow artifact (dephunt-db) and restored on subsequent runs for incremental updates.

Dependency Search

Workflow: .github/workflows/search.yml

Run an on-demand search against the latest synced database.

Actions → "Dependency Search" → Run workflow

| Input | Default | Description |
|-------|---------|-------------|
| query | (required) | Package name to search for |
| version | | Filter by exact version |
| lang | | js or py |
| dep-type | | prod, dev, peer, optional |
| direct-only | false | Show only direct dependencies |
| export-format | html | html, csv, or both |

Results are printed in the Job Summary and exported files are uploaded as downloadable artifacts.

Typical workflow

# 1. Push the repo to GitHub

# 2. Add your PAT as a secret
#    Settings → Secrets → New repository secret → DEPHUNT_GITHUB_TOKEN

# 3. Run the Sync workflow to build the initial database
#    Actions → "Sync Database" → Run workflow → source: all

# 4. Search for a vulnerable package
#    Actions → "Dependency Search" → Run workflow → query: jsonwebtoken, version: 8.5.1

# 5. Download the HTML report from the workflow artifacts

Limitations

  • Bitbucket Server sync is not available in GitHub Actions. Bitbucket Server is on-prem and not reachable from GitHub's public runners. BB sync is automatically skipped in CI. To enable it you need either:
    • A self-hosted runner on your corporate network
    • A VPN/tunnel step (e.g., Tailscale, WireGuard) before the sync step
  • BB sync works normally when running dephunt locally: dephunt sync-all --source bb
