A GitHub Actions-powered tool for comprehensive dependency analysis using OpenSSF Scorecard and AI models to evaluate the health, security, and sustainability of npm dependencies.
- Automated security scoring of all dependencies
- Comprehensive vulnerability assessment
- Best practices evaluation
- SARIF report generation for GitHub Security tab integration
- Multiple analysis modes (requires OpenAI API key):
  - Comprehensive: Full dependency health assessment
  - Security-focused: Deep security vulnerability analysis
  - Maintainer burnout: Sustainability and bus factor evaluation
  - Community health: Engagement and governance analysis
  - License compliance: Legal risk assessment
- Falls back to rule-based analysis when no API key is configured
- Consolidated scorecard reports
- Risk matrix generation
- Actionable insights and recommendations
- GitHub Issues integration for tracking
- Markdown reports for easy reading
```bash
npm install
```

For AI-powered analysis, add this secret to your repository:

- `OPENAI_API_KEY`: OpenAI API key for GPT-4 analysis (optional; the workflow falls back to rule-based analysis if it is not set)
The workflows are configured to run:
- Scorecard Analysis: Weekly on Mondays at 2 AM UTC
- AI Analysis: Weekly on Wednesdays at 4 AM UTC
- Manual Trigger: Both workflows support `workflow_dispatch` for on-demand runs
- Go to Actions tab in your GitHub repository
- Select either "OpenSSF Scorecard Analysis" or "AI-Powered Dependency Analysis"
- Click "Run workflow"
- For AI analysis, select the analysis type (comprehensive, security-focused, etc.)
Extract dependency information:

```bash
npm run extract-deps
```

Analyze repositories (requires the `repo-data` directory produced by the extraction step):

```bash
npm run analyze
```

- Extracts all npm dependencies
- Identifies GitHub repositories
- Runs OpenSSF Scorecard on each repository
- Generates consolidated security reports
- Creates GitHub issues with findings
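The first two steps above (extract npm dependencies, identify their GitHub repositories) hide most of the edge cases: the npm `repository` field can be a `{type, url}` object or a shorthand string, URLs come in `git+https`, `ssh`, `git@github.com:` and `#fragment` forms, several packages from one monorepo point at the same repository, and packages hosted elsewhere cannot be scored at all. The following is an added example written for this page, not the project's own `extract-dependencies.js`; it assumes each package's `repository` metadata is available (for instance read from `node_modules/<name>/package.json`) and uses constructed sample input.

```javascript
// Added example (not the project's extract-dependencies.js): resolve the
// packages in package.json to the GitHub repositories Scorecard can analyze,
// de-duplicating monorepos and skipping packages on other hosts.
// Assumption: each package's own "repository" metadata is supplied by the
// caller (e.g. read from node_modules/<name>/package.json).

// npm shorthand: "owner/repo" or "github:owner/repo"
const SHORTHAND_RE = /^(?:github:)?([A-Za-z0-9_.-]+)\/([A-Za-z0-9_.-]+)$/;
// Full URLs: https, git, ssh, git+https, scp-style git@github.com:owner/repo,
// optional .git suffix, trailing slash, or #fragment / ?query
const GITHUB_URL_RE =
  /^(?:git\+)?(?:(?:https?|git|ssh):\/\/)?(?:[^@/:]+@)?(?:www\.)?github\.com[/:]([^/]+)\/([^/#?]+?)(?:\.git)?\/?(?:[#?].*)?$/i;

/** Normalise an npm "repository" field (string or {type,url}) to "owner/repo", or null if not on GitHub. */
function githubSlug(repository) {
  const url = typeof repository === 'string' ? repository : repository && repository.url;
  if (typeof url !== 'string') return null;
  const m = SHORTHAND_RE.exec(url.trim()) || GITHUB_URL_RE.exec(url.trim());
  if (!m) return null;
  // GitHub owner/repo names are case-insensitive; lower-case them so that
  // "Babel/babel" and "babel/babel" collapse into a single Scorecard run.
  return `${m[1]}/${m[2]}`.toLowerCase();
}

/** Map a package.json to the GitHub repos behind it, with the packages that resolve to each. */
function collectGithubRepos(packageJson, metadataByName) {
  const names = new Set();
  for (const field of ['dependencies', 'devDependencies', 'optionalDependencies']) {
    Object.keys(packageJson[field] || {}).forEach((n) => names.add(n));
  }
  const repos = new Map(); // slug -> package names (monorepo packages dedupe here)
  const skipped = [];      // packages Scorecard cannot analyze (no GitHub repo)
  for (const name of [...names].sort()) {
    const meta = metadataByName[name];
    const slug = githubSlug(meta && meta.repository);
    if (!slug) { skipped.push(name); continue; }
    if (!repos.has(slug)) repos.set(slug, []);
    repos.get(slug).push(name);
  }
  return { repos, skipped };
}

/** Arguments for one Scorecard CLI invocation: scorecard --repo=github.com/owner/repo --format=json */
function scorecardArgs(slug) {
  return [`--repo=github.com/${slug}`, '--format=json'];
}

// Constructed sample input (not data from any real scan). lodash and babel are
// real projects with these repository URLs; "acme-widget" and "internal-lib"
// are hypothetical.
const SAMPLE_PACKAGE_JSON = {
  dependencies: { lodash: '^4.17.21', '@babel/core': '^7.24.0', '@babel/parser': '^7.24.0', 'acme-widget': '^2.0.0' },
  devDependencies: { 'internal-lib': '1.0.0' },
};
const SAMPLE_METADATA = {
  lodash: { repository: { type: 'git', url: 'git+https://github.com/lodash/lodash.git' } },
  '@babel/core': { repository: { type: 'git', url: 'https://github.com/babel/babel.git', directory: 'packages/babel-core' } },
  '@babel/parser': { repository: 'babel/babel' },
  'acme-widget': { repository: { type: 'git', url: 'git@github.com:Acme/widget.git' } },
  'internal-lib': { repository: { type: 'git', url: 'https://gitlab.example.com/team/internal-lib.git' } },
};

const { repos, skipped } = collectGithubRepos(SAMPLE_PACKAGE_JSON, SAMPLE_METADATA);
for (const [slug, pkgs] of repos) {
  console.log(`scorecard ${scorecardArgs(slug).join(' ')}   # ${pkgs.join(', ')}`);
}
console.log('skipped (no GitHub repository):', skipped);
```

Two points worth carrying into a real extractor: the skipped list should be reported rather than silently dropped, because unscored packages are exactly the ones the page's "Only analyzes packages with GitHub repositories" limitation hides; and de-duplicating by repository keeps large monorepos (Babel, Jest, and the like) from consuming dozens of GitHub API calls per run, which matters under the rate limits noted below.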
- Collects comprehensive GitHub metrics:
  - Repository statistics
  - Contributor patterns
  - Issue/PR activity
  - Community health indicators
  - Release patterns
- Runs AI analysis using selected prompts
- Generates risk matrices
- Provides actionable insights
- Creates or updates tracking issues
- `extract-dependencies.js`: Extracts npm dependencies and finds GitHub repos
- `prepare-analysis-context.js`: Processes repository data for AI analysis
- `consolidate-scorecard-reports.js`: Merges individual scorecard results
- `generate-markdown-report.js`: Creates readable scorecard reports
- `format-ai-report.js`: Formats AI analysis results
- `generate-risk-matrix.js`: Creates risk assessment matrices
- `generate-insights.js`: Produces actionable recommendations
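The consolidation and SARIF steps are where the per-repository Scorecard output turns into something the GitHub Security tab can show. The block below is an added example, not the project's `consolidate-scorecard-reports.js` or `generate-risk-matrix.js`: it takes an array of Scorecard `--format json` results, ranks repositories and their weak checks, and emits a SARIF 2.1.0 log with one result per weak check anchored to `package.json`. The severity policy (`HIGH_IMPACT`, the 3/7 score cut-offs) is an assumption made for the example, not Scorecard's own, and the sample results are constructed.

```javascript
// Added example (not the project's consolidate-scorecard-reports.js):
// merge Scorecard JSON results for many dependency repositories into one
// ranked summary and one SARIF 2.1.0 log for GitHub code scanning.

// Assumed policy (ours, not Scorecard's): checks whose failure most directly
// enables a supply-chain compromise are escalated to "error" when they score
// below 3; anything scoring 7 or more is treated as passing.
const HIGH_IMPACT = new Set([
  'Dangerous-Workflow', 'Token-Permissions', 'Vulnerabilities', 'Pinned-Dependencies',
  'Branch-Protection', 'Code-Review', 'Maintained', 'Signed-Releases', 'Binary-Artifacts',
]);

/** Map one Scorecard check (score 0-10, or -1 = inconclusive) to a SARIF level; null means it passes. */
function levelFor(check) {
  if (check.score === -1) return 'note';                                 // Scorecard could not evaluate it
  if (check.score >= 7) return null;
  if (check.score < 3 && HIGH_IMPACT.has(check.name)) return 'error';
  return 'warning';
}

/** Rank repositories riskiest-first and list the checks that need attention in each. */
function consolidate(results) {
  const repos = results.map((r) => ({
    repo: r.repo.name,
    score: r.score,
    findings: r.checks
      .map((c) => ({ check: c.name, score: c.score, level: levelFor(c), reason: c.reason }))
      .filter((f) => f.level !== null)
      .sort((a, b) => a.score - b.score),
  })).sort((a, b) => a.score - b.score);
  const scored = repos.filter((r) => r.score >= 0);              // -1 aggregate = scan failed
  const averageScore = scored.length
    ? +(scored.reduce((s, r) => s + r.score, 0) / scored.length).toFixed(2) : null;
  const errorCount = repos.reduce((n, r) => n + r.findings.filter((f) => f.level === 'error').length, 0);
  return { averageScore, errorCount, repos };
}

/** Build a SARIF 2.1.0 log; every weak check becomes a result located at package.json. */
function toSarif(results, artifact = 'package.json') {
  const rules = new Map();
  const sarifResults = [];
  for (const r of results) {
    for (const c of r.checks) {
      const level = levelFor(c);
      if (!level) continue;
      if (!rules.has(c.name)) {
        rules.set(c.name, {
          id: c.name,
          shortDescription: { text: (c.documentation && c.documentation.short) || c.name },
          helpUri: (c.documentation && c.documentation.url) || 'https://github.com/ossf/scorecard/blob/main/docs/checks.md',
        });
      }
      sarifResults.push({
        ruleId: c.name,
        level,
        message: { text: `${r.repo.name}: ${c.name} scored ${c.score}/10 (${c.reason})` },
        locations: [{ physicalLocation: { artifactLocation: { uri: artifact, uriBaseId: '%SRCROOT%' } } }],
        // Stable per-(repo, check) fingerprint so weekly re-uploads update the
        // existing alert instead of opening a duplicate.
        partialFingerprints: { primaryLocationLineHash: `${r.repo.name}:${c.name}` },
      });
    }
  }
  return {
    $schema: 'https://json.schemastore.org/sarif-2.1.0.json',
    version: '2.1.0',
    runs: [{
      tool: { driver: { name: 'dependency-scorecard', informationUri: 'https://github.com/ossf/scorecard', rules: [...rules.values()] } },
      results: sarifResults,
    }],
  };
}

// Constructed sample Scorecard results for two hypothetical repositories
// (shape follows `scorecard --format json`; the scores are invented).
const DOC = (slug) => ({ short: slug, url: `https://github.com/ossf/scorecard/blob/main/docs/checks.md#${slug}` });
const SAMPLE_RESULTS = [
  { date: '2024-05-01', repo: { name: 'github.com/acme/widget', commit: 'deadbeef' }, scorecard: { version: 'v4.13.1', commit: 'cafebabe' },
    score: 3.9, checks: [
      { name: 'Dangerous-Workflow', score: 0, reason: 'dangerous workflow patterns detected', details: null, documentation: DOC('dangerous-workflow') },
      { name: 'Token-Permissions', score: 5, reason: 'non read-only tokens detected in GitHub workflows', details: null, documentation: DOC('token-permissions') },
      { name: 'Maintained', score: 10, reason: '30 commit(s) and 12 issue activity found in the last 90 days', details: null, documentation: DOC('maintained') },
      { name: 'Signed-Releases', score: -1, reason: 'no releases found', details: null, documentation: DOC('signed-releases') },
    ] },
  { date: '2024-05-01', repo: { name: 'github.com/acme/utils', commit: 'feedface' }, scorecard: { version: 'v4.13.1', commit: 'cafebabe' },
    score: 8.2, checks: [
      { name: 'Vulnerabilities', score: 10, reason: 'no vulnerabilities detected', details: null, documentation: DOC('vulnerabilities') },
      { name: 'Pinned-Dependencies', score: 2, reason: 'dependency not pinned by hash detected', details: null, documentation: DOC('pinned-dependencies') },
      { name: 'Code-Review', score: 6, reason: 'found 6 unreviewed changesets out of 20', details: null, documentation: DOC('code-review') },
    ] },
];

console.log(JSON.stringify(consolidate(SAMPLE_RESULTS), null, 2));
console.log(JSON.stringify(toSarif(SAMPLE_RESULTS), null, 2));
```

Writing the SARIF to a file and passing it to `github/codeql-action/upload-sarif` needs the `security-events: write` permission in the workflow, and the `partialFingerprints` value is what keeps the weekly schedule from creating a fresh alert for the same unchanged finding each Monday.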
The analysis-prompts/ directory contains specialized prompts for different analysis types:
- `comprehensive.md`: Full dependency health assessment
- `security-focused.md`: Deep security analysis
- `maintainer-burnout.md`: Sustainability evaluation
- `community-health.md`: Community engagement analysis
- `license-compliance.md`: Legal risk assessment
Both workflows generate artifacts containing:
- Raw analysis data (JSON)
- Formatted reports (Markdown)
- Risk matrices
- Actionable insights
Access artifacts through:
- Go to Actions tab
- Click on a completed workflow run
- Scroll to Artifacts section
- Download desired reports
Simply update package.json with your actual project dependencies. The workflows will automatically analyze all dependencies on the next run.
Create new prompts in analysis-prompts/ directory following the existing format. Update the workflow to include your custom analysis type.
Modify the cron expressions in the workflow files to adjust the analysis schedule.
- The workflows use `GITHUB_TOKEN` with minimal required permissions
- Sensitive data is not exposed in logs or artifacts
- All API calls use secure authentication
- Run the workflows from a private repository if the dependency inventory or the analysis output is itself sensitive; artifacts and tracking issues inherit the repository's visibility
- Only analyzes packages with GitHub repositories
- Rate limits may affect large dependency sets
- AI analysis quality depends on available data
- Some metrics require repository admin access
Feel free to submit issues and enhancement requests!
MIT