A GH CLI extension for enabling Dependabot and viewing Dependabot alerts.
The extension requires you to be running Python 3 and also to have click and pyrate-limiter installed.
To install these dependencies you can run:
python3 -m pip install click pyrate-limiterTo install the extension you can run:
gh extension install therealkujo/gh-dependabotClick is a really useful tool that helps build command line interfaces. It is highly configurable and helps to automagically generate all the interfaces based on my configuration. I have been using it for all my CLI tools to help reduce the amount of code I need to maintain just to have an interface and I can focus on the actual code itself.
Since the GitHub API can be very aggressive in the secondary rate limit, I decided to try and do some smoothing to space out all of my API calls to avoid being hit with the secondary rate limit. According to the best practices guidelines it's recommended to limit your requests to one per second when making a large number of requests. I decided to be conservative and limit my calls to one request per second regardless of the total number.
To achieve this, I used this python libary called Pyrate Limiter which helps you limit calls to specific funtions or code blocks by leveraging the leaky bucket algorithm. I decorated call_gh_api so that the function can only be called a maximum of 1 time per second to help slow down the API requests I send to GitHub. Hopefully I can avoid the secondary rate limit and only need to worry about the primary one. My bucket will eternally grow to ensure that all calls get executed but the more calls we make, the longer it will take.
Exports all the dependabot alerts for a given repo(s) to a csv file
Usage: gh dependabot export [OPTIONS] [REPO]...
Pulls all dependabot alerts and exports them to a CSV file
REPO is space separated in the OWNER/NAME format
Options:
-o, --output TEXT Path to the output file
--help Show this message and exit.For example you can run gh dependabot export -o alerts.csv github/foo to export all dependabot alerts from the github/foo repository.
If you want to export multiple repos, you can feed in a space separated list of repos
gh dependabot export -o alerts.csv github/foo github/bar some/hello-worldAll the repos will be combined into one unified csv report but you can filter by repo when opening the file in something like Microsoft Excel
Enables dependabot features on a given org or repo
Usage: gh dependabot enable [OPTIONS] [NAMES]...
Enables dependabot features for an organization or repo
NAME is space separated in the OWNER/NAME format or just ORGANIZATION
Options:
-a, --alerts Enable dependabot alerts
-s, --security Enable dependabot security updates
-o, --organization Enable dependabot at the organization level
--help Show this message and exit.You will need to specify with the flags which dependabot feature you would like to enable.
If you would like to bulk enable dependabot alerts on multiple repos, you can give it a space separated list of repos
gh dependabot enable -a github/foo github/bar some/hello-worldIf you would like to bulk enable dependabot alerts on multiple orgs, you can give it a space separated list of orgs
gh dependabot enable -ao foo barIf you would like to bulk enable dependabot alerts for a subset of repositories based on whether they include one or more languages, you can use a combination or gh repo list, jq, and xargs to achieve this. Just replace YOUR_ORGANIZATION with your organization name and YOUR_LIMIT with the maximum number of repos you would like to target. The example below enables dependabot alerts for repositories in an organization that include either JavaScript or TypeScript.
gh repo list YOUR_ORGANIZATION --limit YOUR_LIMIT \
--json nameWithOwner,languages \
--jq \
'.[] | (.languages) = [.languages[].node.name] |
select(.languages | any(. == "JavaScript" or . == "TypeScript"))' | jq 'del(.languages)' | jq -r '.nameWithOwner' | xargs gh dependabot enable -aIf you want to run the unit tests, you will need to clone this repo and just run ./gh-dependabot_test.py
If you would like to view the test coverage you can run python -m coverage run ./gh-dependabot_test.py
To view test coverage results, you can run python -m coverage report