GitHub Inventory is a local-first AppSec control plane for indie developers and small teams.
This repository is a TypeScript monorepo managed with pnpm workspaces. It will contain:
- a CLI for GitHub ingestion and compliance evaluation
- a Next.js web app for inventory and findings workflows
- shared packages for database access, GitHub integration, module contracts, core types, and policy logic
Repository layout:

```text
apps/
  cli/
  web/
packages/
  core/
  db/
  github/
  modules/
  policies/
docs/
```
Install dependencies:

```sh
pnpm install
```

Start local Postgres:

```sh
docker compose up -d postgres
```

Run Prisma commands:

```sh
pnpm db:generate
pnpm db:migrate
pnpm db:studio
```

Run the real repository inventory sync:

```sh
GITHUB_TOKEN=ghp_your_token GITHUB_OWNER=your-username-or-org pnpm --filter @github-inventory/cli appsec run repo-inventory
```

For personal repositories, set GITHUB_OWNER to your GitHub username. For
organization repositories, set it to the organization login. GITHUB_OWNER_TYPE
can be auto, user, or org; auto tries organization repositories first,
then falls back to user repositories.
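One way to implement the GITHUB_OWNER / GITHUB_OWNER_TYPE handling described above, as an added example rather than the project's own code: the environment is validated before anything touches the network, an explicit user or org skips the probe, and auto tries the organization listing first and falls back to the user listing. The function and type names, the injected organization probe, and the sample organization set are assumptions made for the example.

```typescript
// Added example (not the project's own code): resolving GITHUB_OWNER and
// GITHUB_OWNER_TYPE as the README describes. Names here are assumptions,
// not the CLI's real API.

type OwnerType = "auto" | "user" | "org";

interface SyncEnv {
  GITHUB_TOKEN?: string;
  GITHUB_OWNER?: string;
  GITHUB_OWNER_TYPE?: string;
}

interface ResolvedOwner {
  owner: string;
  kind: "user" | "org";
  // REST path the sync would page through, e.g. /orgs/{owner}/repos
  listPath: string;
}

// Probe answering "does this login exist as an organization?". Injected so the
// example runs offline; a real probe would call GET /orgs/{owner} with the token.
type OrgProbe = (owner: string) => boolean;

function isOwnerType(value: string): value is OwnerType {
  return value === "auto" || value === "user" || value === "org";
}

// Validate the three variables up front. Errors say which variable is wrong
// but never echo the token value.
function parseSyncEnv(env: SyncEnv): { token: string; owner: string; ownerType: OwnerType } {
  const token = env.GITHUB_TOKEN?.trim();
  if (!token) {
    throw new Error("GITHUB_TOKEN is required");
  }
  const owner = env.GITHUB_OWNER?.trim() ?? "";
  // Simplified GitHub login rule: 1-39 chars, alphanumerics and hyphens, no
  // leading hyphen. Rejecting anything else keeps the value safe in a URL path.
  if (!/^[A-Za-z0-9][A-Za-z0-9-]{0,38}$/.test(owner)) {
    throw new Error("GITHUB_OWNER must be a GitHub username or organization login");
  }
  const ownerType = (env.GITHUB_OWNER_TYPE ?? "auto").trim().toLowerCase();
  if (!isOwnerType(ownerType)) {
    throw new Error(`GITHUB_OWNER_TYPE must be auto, user, or org (got "${ownerType}")`);
  }
  return { token, owner, ownerType };
}

// auto: organization listing first, user listing as the fallback.
// An explicit user or org never calls the probe.
function resolveOwner(owner: string, ownerType: OwnerType, isOrg: OrgProbe): ResolvedOwner {
  if (ownerType === "org" || (ownerType === "auto" && isOrg(owner))) {
    return { owner, kind: "org", listPath: `/orgs/${owner}/repos` };
  }
  return { owner, kind: "user", listPath: `/users/${owner}/repos` };
}

// Constructed sample data standing in for the GitHub API (assumption).
const SAMPLE_ORGS = new Set(["example-org"]);
const sampleProbe: OrgProbe = (owner) => SAMPLE_ORGS.has(owner);

function demo(env: SyncEnv): ResolvedOwner {
  const { owner, ownerType } = parseSyncEnv(env);
  return resolveOwner(owner, ownerType, sampleProbe);
}

console.log(demo({ GITHUB_TOKEN: "ghp_placeholder", GITHUB_OWNER: "example-org" }));
console.log(demo({ GITHUB_TOKEN: "ghp_placeholder", GITHUB_OWNER: "octocat" }));
```

Injecting the probe keeps the owner-type decision testable without a token; in the real CLI the probe would be the HTTP call and `resolveOwner` would be awaited.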
Or set GITHUB_TOKEN, GITHUB_OWNER, and optionally GITHUB_OWNER_TYPE in
.env before running:

```sh
pnpm --filter @github-inventory/cli appsec run repo-inventory
```

Keep .env out of version control and grant the token only the read
permissions the modules you run need. The inline form above also leaves the
token in your shell history, so prefer .env (or a secret manager) for anything
beyond a one-off test.

Stop local Postgres:

```sh
docker compose down
```

Run workspace checks:

```sh
pnpm typecheck
```

Commands:

- `pnpm --filter @github-inventory/web dev`: starts the local dev server
- `pnpm --filter @github-inventory/cli appsec sync scheduled`: sets up scheduled jobs
- `pnpm db:studio`: starts Prisma Studio on a local port
The first milestone is a working skeleton that can:
- start Postgres with Docker Compose
- run Prisma migrations
- run a CLI command
- start a Next.js web app
- share code through local workspace packages
Business logic has not been implemented yet. Planned modules:

- repo-inventory
- branch-protection
- dependabot-alerts
- code-scanning-alerts
- secret-scanning-alerts
- license-inventory
- actions-security
- stale-repo-detection