Support pulling dependency graphs from Github (SBOM)
S
Simon Beaulieu
Support pulling from Github's dependency graph https://docs.github.com/en/code-security/supply-chain-security/understanding-your-software-supply-chain/about-the-dependency-graph which would enable us to do in-depth analysis of all the software dependencies for the repositories we have in Port.
There is already a REST api for it: https://docs.github.com/en/rest/dependency-graph/sboms?apiVersion=2022-11-28#export-a-software-bill-of-materials-sbom-for-a-repository
Use cases for having dependencies catalogged in Port
- Track usage of internal packages and how up-to-date consumers are, either through dasboards or scorecards
- Build comprehensive documentation around service dependencies
- Build automations/self-service actions around notification for migrations, deprecations, releases with breaking changes, targeted towards the proper teams instead of everyone
- Detect inefficiencies/antipatterns related to dependencies
- Enforce standards/protection measures related to dependencies (ensure no-one uses package X, ensure everyone uses package Y at least at version A.B.C, etc.)