Connect your GitHub organization and instantly analyze all your repositories' dependencies. Get comprehensive reports on third-party dependencies, versions, and licenses across your entire codebase.
Supported languages: JavaScript, PHP, Ruby, and Python. We parse package.json, composer.json, Gemfile, and requirements.txt.
Identify licenses across all dependencies. Ensure compliance with your organization's policies.
Download comprehensive CSV reports. Share with your team or import into other tools.
Delete cached repositories after analysis. Your data stays under your control.
Everything you need to know about DependencyDesk
During the SaaS due diligence process, the seller typically must disclose all third-party software dependencies, including their version numbers and licenses. While there are command-line tools that can help with this, they cannot be used to analyze all dependencies in an organization's GitHub repositories. DependencyDesk is a SaaS tool that automatically analyzes all dependencies in an organization's GitHub repositories, providing a comprehensive report of all dependencies, their version numbers, and their licenses.
DependencyDesk currently supports dependency analysis for JavaScript/Node.js (package.json), PHP (composer.json), Ruby (Gemfile), and Python (requirements.txt, Pipfile, pyproject.toml). We also detect the presence of other package managers like Go, Rust, Java, and .NET, even if we don't fully parse them yet.
DependencyDesk uses a GitHub App that you install on your organization. You have full control over which repositories the app can access—you can grant access to all repositories or select specific ones. We only request read access to repository contents and metadata. Immediately following the analysis and report generation, you are proactively prompted to delete the cached repositories to ensure no intellectual property is retained.
Your code is completely safe. We never execute any package manager commands (like npm install, composer install, pip install, etc.) inside your repositories. We only read and parse the static manifest files (package.json, composer.lock, etc.) to extract dependency information, so no package install scripts ever run during analysis. Furthermore, because DependencyDesk holds only read access to your repositories and GitHub metadata, it cannot modify any of your repositories or data.
Repository files are cloned temporarily for analysis, and you can delete them as soon as the analysis is complete. We encourage users to clean up cached repositories once the dependency report is generated. Your dependency data and reports remain available until you choose to delete them.
Yes! You can download comprehensive CSV reports containing all your dependencies, including package names, versions, licenses, and which repositories use them. These reports can be shared with your team, imported into spreadsheets, or used for compliance audits.
We extract license information directly from your dependency manifest files (like the "license" field in package.json or composer.json). For packages that don't specify a license in the manifest, we mark them as "Unknown." We recommend manually verifying licenses for critical compliance requirements.
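The static approach described in the two answers above (reading manifests as data, never running installs, and falling back to "Unknown" when a manifest carries no license) looks roughly like the following. This is an added illustration, not DependencyDesk's own code; the manifests, repository names and the CSV column layout are constructed for the example.

```python
import csv
import io
import json
import re

# Constructed sample manifests standing in for files read out of a cloned repo.
SAMPLE_PACKAGE_JSON = json.dumps({
    "name": "web-app",
    "version": "1.0.0",
    "license": {"type": "MIT"},                    # legacy object form, still seen
    "dependencies": {"express": "^4.18.2", "lodash": "4.17.21"},
    "devDependencies": {"jest": "^29.0.0"},
    "scripts": {"postinstall": "node setup.js"},   # never run: we only read text
})
SAMPLE_REQUIREMENTS = "requests==2.31.0\n# pinned for repro\nflask>=2.0,<3\n\n-r base.txt\n"

def manifest_license(data):
    """Return the license string declared in a package.json, or 'Unknown'."""
    lic = data.get("license")
    if isinstance(lic, dict):                      # {"type": "MIT", "url": "..."}
        lic = lic.get("type")
    if not lic and isinstance(data.get("licenses"), list):   # legacy array form
        lic = " OR ".join(e.get("type", "") for e in data["licenses"] if isinstance(e, dict))
    return lic or "Unknown"

def parse_package_json(text, repo):
    """Rows: (repo, ecosystem, package, version spec, license). json.loads cannot
    execute anything, so the postinstall hook above is inert data."""
    data = json.loads(text)
    rows = [(repo, "npm", data.get("name", "?"), data.get("version", ""), manifest_license(data))]
    for section in ("dependencies", "devDependencies"):
        for name, spec in sorted(data.get(section, {}).items()):
            rows.append((repo, "npm", name, spec, "Unknown"))   # no per-dependency license field
    return rows

REQ_LINE = re.compile(r"^([A-Za-z0-9][A-Za-z0-9._-]*)\s*(\[.*?\])?\s*(.*)$")

def parse_requirements(text, repo):
    """requirements.txt has no license field at all, so every row is 'Unknown'."""
    rows = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or line.startswith("-"):       # blank, comment, or pip option (-r, -e)
            continue
        m = REQ_LINE.match(line)
        if m:
            rows.append((repo, "pypi", m.group(1), m.group(3).strip(), "Unknown"))
    return rows

def to_csv(rows):
    buf = io.StringIO()
    w = csv.writer(buf)
    w.writerow(["repository", "ecosystem", "package", "version", "license"])
    w.writerows(rows)
    return buf.getvalue()
```

The "Unknown" rows are exactly the ones the answer above says to verify by hand before relying on the report for compliance.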
DependencyDesk is not SOC2 compliant.