🔥Let’s Do DevOps: Inventory Dependency Licenses across all Repos in GitHub Org🔥

aka, SBOM-arama

Kyler Middleton
3 min readOct 8, 2024

This blog series focuses on presenting complex DevOps projects as simple and approachable via plain language and lots of pictures. You can do it!

I’ve moved to LetsDoDevOps.com, you can find the article here. This content has a paywall for 1 week, and then will be free starting at 10/15 9a CT. Feedback on the paywall model is welcome!

Hey all!

I was asked by our Legal and Compliance teams to investigate whether all our dependencies for our software was licensed properly for us to use it. And I confidently answered, I have absolutely no idea.

As with any enterprise, we have a process for reviewing dependencies to make sure the licenses and functionality match, but that process has been intermittently enforced in the past, and as big enterprises gobble up small companies via acquisition, we have to do our best to bootstrap all our processes on the new product and team.

Validating that all the licenses they’ve ever integrated into their tools are legally available for us to use can fall by the wayside. However, we’re doing our best to find them so we can replace them with tools that are available to us!

First step, we need to find all of them. And GitHub is super helpful here — their dependabot service relies on finding all the dependencies of a codebase based on analyzing the package manager files…

--

--

Kyler Middleton
Kyler Middleton

Written by Kyler Middleton

DevNetSecOps, DevRel, cloud security chick. I will teach you, it’s unavoidable. She/Her 🏳️‍🌈🏳️‍🌈, INFJ-A, support the EFF!