Overview
DependencyDesk helps organizations understand and document all third-party software dependencies across their GitHub repositories. By automating the discovery and cataloging of dependencies, DependencyDesk streamlines the due diligence process and ensures compliance with licensing requirements.
The Problem DependencyDesk Solves
Modern software applications rely on hundreds or even thousands of third-party libraries, packages, and frameworks. During mergers, acquisitions, or compliance audits, organizations must provide a complete inventory of these dependencies along with their version numbers and licenses. Manually compiling this information across multiple repositories is time-consuming, error-prone, and often incomplete.
While command-line tools exist for analyzing individual repositories, they cannot scale to analyze an entire organization's GitHub presence automatically. DependencyDesk bridges this gap by providing an automated, organization-wide solution.
How DependencyDesk Works
DependencyDesk integrates with your GitHub organization through a secure GitHub App. Once authorized, it can access the repositories you specify and perform the following steps:
1. Repository Connection
You install the DependencyDesk GitHub App on your organization and select which repositories should be analyzed. You maintain complete control over access permissions.
2. Dependency Analysis
DependencyDesk clones the selected repositories and analyzes their dependency manifest files. It supports multiple programming languages and package managers including JavaScript/Node.js (npm), PHP (Composer), Ruby (Bundler), and Python (pip). Importantly, DependencyDesk only reads manifest files—it never executes any code or runs package manager install commands, ensuring your intellectual property and security remain protected.
3. Report Generation
After analysis, DependencyDesk generates comprehensive reports listing every dependency, its version number, and license information. Reports can be viewed in an intuitive web interface or exported as CSV files for further analysis or sharing with stakeholders.
4. Cache Cleanup
Once analysis is complete, you are prompted to delete the cached repository files from DependencyDesk's servers. This ensures no source code is retained long-term, addressing intellectual property concerns.
Supported Technologies
DependencyDesk currently supports the following programming languages and package managers:
- JavaScript/Node.js: Analyzes package.json and package-lock.json files
- PHP: Parses composer.json and composer.lock files
- Ruby: Reads Gemfile and Gemfile.lock files
- Python: Analyzes requirements.txt, Pipfile, and pyproject.toml files
DependencyDesk also detects the presence of manifest files for other ecosystems such as Go, Rust, Java, and .NET, even if it doesn't fully parse their dependencies yet.
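As an added illustration of the manifest-only approach described above (example code written for this page, not DependencyDesk's own implementation), the following Python script reads a constructed package-lock.json and requirements.txt in memory, never invokes npm or pip, and produces the same kind of name/version/license inventory as CSV. The two manifest formats are the public npm and pip ones; the sample data, function names and the "gap" flags are assumptions for this example.

```python
import csv
import io
import json
import re

# Constructed sample manifests for this example; not taken from any real repository.
PACKAGE_LOCK = json.dumps({
    "name": "sample-app",
    "lockfileVersion": 3,
    "packages": {
        "": {"name": "sample-app", "version": "1.0.0"},          # root project entry
        "node_modules/left-pad": {"version": "1.3.0", "license": "WTFPL"},
        "node_modules/ms": {"version": "2.1.3", "license": "MIT", "dev": True},
    },
})

REQUIREMENTS_TXT = """\
# constructed requirements file
requests==2.31.0
urllib3>=1.26,<3   # loose specifier: no exact pin
-e git+https://example.invalid/repo.git#egg=internal-tool
"""

FIELDS = ["ecosystem", "name", "version", "license"]


def parse_package_lock(text):
    """Static read of package-lock.json (lockfileVersion 1, 2 or 3); nothing is installed."""
    lock = json.loads(text)
    deps = []
    if "packages" in lock:  # v2/v3: keyed by install path, carries a license field
        for path, meta in lock["packages"].items():
            if path == "":
                continue  # the root project itself is not a third-party dependency
            deps.append({
                "ecosystem": "npm",
                "name": path.rsplit("node_modules/", 1)[-1],
                "version": meta.get("version", ""),
                "license": meta.get("license", ""),
                "scope": "dev" if meta.get("dev") else "runtime",
            })
    else:  # v1: nested "dependencies" tree, no license information
        _walk_v1(lock.get("dependencies", {}), deps)
    return deps


def _walk_v1(tree, out):
    for name, meta in tree.items():
        out.append({"ecosystem": "npm", "name": name, "version": meta.get("version", ""),
                    "license": "", "scope": "dev" if meta.get("dev") else "runtime"})
        _walk_v1(meta.get("dependencies", {}), out)


REQ_LINE = re.compile(r"^([A-Za-z0-9][A-Za-z0-9._-]*)\s*(\[[^\]]*\])?\s*(.*)$")


def parse_requirements(text):
    """Static read of requirements.txt. pip options (-e, -r, --index-url) are skipped,
    and the format has no license field, so license is left empty for later enrichment."""
    deps = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop trailing comments
        if not line or line.startswith("-"):
            continue
        m = REQ_LINE.match(line)
        if not m:
            continue
        name, _extras, spec = m.groups()
        spec = spec.strip()
        pinned = spec.startswith("==") and "," not in spec
        deps.append({"ecosystem": "pip", "name": name,
                     "version": spec[2:].strip() if pinned else "",
                     "license": "", "specifier": spec})
    return deps


def flag_gaps(deps):
    """Entries an auditor would have to follow up on: unknown license or no exact version."""
    gaps = {}
    for d in deps:
        reasons = []
        if not d["license"]:
            reasons.append("license unknown")
        if not d["version"]:
            reasons.append("version not pinned")
        if reasons:
            gaps[d["name"]] = reasons
    return gaps


def inventory_csv(deps):
    """CSV export in the shape of the report described on the page: one row per dependency."""
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=FIELDS, extrasaction="ignore")
    writer.writeheader()
    for d in sorted(deps, key=lambda d: (d["ecosystem"], d["name"])):
        writer.writerow(d)
    return buf.getvalue()


if __name__ == "__main__":
    inventory = parse_package_lock(PACKAGE_LOCK) + parse_requirements(REQUIREMENTS_TXT)
    print(inventory_csv(inventory))
    print("follow-ups:", flag_gaps(inventory))
```

The point worth noting for a license audit is that a pip requirements file, unlike a modern npm lockfile, carries no license field at all; the inventory has to be enriched from package metadata afterwards, which is why the example leaves that column empty and reports it as a gap rather than guessing.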
Use Cases
Mergers and Acquisitions Due Diligence
During M&A transactions, the acquiring company needs to understand all third-party dependencies, their licenses, and potential security risks. DependencyDesk provides this information quickly and comprehensively, accelerating the due diligence process.
License Compliance Audits
Organizations must ensure their use of third-party software complies with license requirements. DependencyDesk helps identify all licenses in use across your codebase, enabling compliance teams to spot potential issues.
Security Assessments
Understanding which dependencies your organization relies on is the first step in assessing security vulnerabilities. DependencyDesk provides the comprehensive inventory needed to cross-reference against vulnerability databases.
Technical Documentation
Keep stakeholders informed about your technology stack. DependencyDesk reports serve as living documentation of third-party dependencies across your organization.
Security and Privacy
DependencyDesk takes security seriously. The GitHub App is configured with read-only permissions and can only access repositories you explicitly authorize. No code is ever executed—only static manifest files are read. After analysis, you control when cached repositories are deleted. DependencyDesk has no ability to modify your repositories or access unauthorized data.
Getting Started
To start using DependencyDesk, simply sign in with your GitHub account, install the DependencyDesk GitHub App on your organization, select the repositories to analyze, and run your first dependency analysis. Within minutes, you'll have a comprehensive report of all dependencies across your selected repositories.
Contact Us
Contact the DependencyDesk founder Jason Gilmore with your questions at [email protected].