CI/CD

git-pkgs works well in CI pipelines for dependency analysis, vulnerability scanning, and automated updates.

GitHub Actions

Show dependency changes in PRs

name: Dependencies
on: pull_request

jobs:
  diff:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          fetch-depth: 0  # full history, so origin/<base branch> exists for the diff

      - name: Install git-pkgs
        run: |
          curl -sL https://github.com/git-pkgs/git-pkgs/releases/latest/download/git-pkgs-linux-amd64 -o git-pkgs
          chmod +x git-pkgs

      - name: Show dependency changes
        run: ./git-pkgs diff --from=origin/${{ github.base_ref }} --to=HEAD --stateless

Vulnerability scanning with SARIF

Upload results to GitHub Security tab:

name: Security
on:
  push:
    branches: [main]
  pull_request:

jobs:
  vulns:
    runs-on: ubuntu-latest
    permissions:
      contents: read
      security-events: write  # required by upload-sarif
    steps:
      - uses: actions/checkout@v4

      - name: Install git-pkgs
        run: |
          curl -sL https://github.com/git-pkgs/git-pkgs/releases/latest/download/git-pkgs-linux-amd64 -o git-pkgs
          chmod +x git-pkgs

      - name: Scan for vulnerabilities
        run: ./git-pkgs vulns --stateless -f sarif > results.sarif

      - name: Upload SARIF
        uses: github/codeql-action/upload-sarif@v3
        with:
          sarif_file: results.sarif

Block PRs with high severity vulnerabilities

name: Security Gate
on: pull_request

jobs:
  vulns:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4

      - name: Install git-pkgs
        run: |
          curl -sL https://github.com/git-pkgs/git-pkgs/releases/latest/download/git-pkgs-linux-amd64 -o git-pkgs
          chmod +x git-pkgs

      - name: Check for high/critical vulnerabilities
        run: ./git-pkgs vulns --stateless -s high
        # Exits non-zero if vulnerabilities found

License compliance

name: License Check
on: pull_request

jobs:
  licenses:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4

      - name: Install git-pkgs
        run: |
          curl -sL https://github.com/git-pkgs/git-pkgs/releases/latest/download/git-pkgs-linux-amd64 -o git-pkgs
          chmod +x git-pkgs

      - name: Check licenses
        run: ./git-pkgs licenses --stateless --allow=MIT,Apache-2.0,BSD-2-Clause,BSD-3-Clause,ISC
        # Exits non-zero if disallowed licenses found

Generate SBOM on release

name: Release
on:
  release:
    types: [published]

jobs:
  sbom:
    runs-on: ubuntu-latest
    permissions:
      contents: write  # required to attach files to the release
    steps:
      - uses: actions/checkout@v4

      - name: Install git-pkgs
        run: |
          curl -sL https://github.com/git-pkgs/git-pkgs/releases/latest/download/git-pkgs-linux-amd64 -o git-pkgs
          chmod +x git-pkgs

      - name: Generate CycloneDX SBOM
        run: ./git-pkgs sbom --stateless --name=${{ github.repository }} > sbom.json

      - name: Upload SBOM to release
        uses: softprops/action-gh-release@v1
        with:
          files: sbom.json

GitLab CI

Dependency diff in merge requests

dependency-diff:
  stage: test
  script:
    - curl -sL https://github.com/git-pkgs/git-pkgs/releases/latest/download/git-pkgs-linux-amd64 -o git-pkgs
    - chmod +x git-pkgs
    - ./git-pkgs diff --from=origin/$CI_MERGE_REQUEST_TARGET_BRANCH_NAME --to=HEAD --stateless
  rules:
    - if: $CI_PIPELINE_SOURCE == "merge_request_event"

Stateless mode

Most commands support --stateless to skip the database and parse manifests directly. This is faster in CI where you don’t need historical context:

git pkgs diff main..HEAD --stateless
git pkgs vulns --stateless
git pkgs licenses --stateless
git pkgs sbom --stateless

Exit codes

Code  Meaning
0     Success
1     Error or findings (vulns found, license violations, etc.)

Commands that find issues exit non-zero, making them suitable as quality gates.
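
Because exit code 1 covers both findings and tool errors, a pipeline cannot tell from the status alone whether a gate found something or failed to run. The helper below is an added example, not part of git-pkgs: it runs every gate rather than stopping at the first failure, so one CI run reports all of them, and it separates the shell's 126/127 statuses (not executable / not found) from other non-zero results. The gate commands in the usage comment are the ones shown on this page; the helper itself does not need git-pkgs installed.

```shell
# Added example, not part of git-pkgs. NAME=COMMAND pairs are constructed by
# the caller; each COMMAND is run through sh -c.

# run_gates NAME=COMMAND ...
# Runs all gates, prints one PASS/FAIL/ERROR line per gate, sets GATES_FAILED
# to the number of gates that did not pass, and returns 1 if any failed.
# ERROR (exit 126/127) marks a gate that never ran, which must still fail the
# pipeline: a check that silently did not execute is not a passing check.
run_gates() {
  GATES_FAILED=0
  for spec in "$@"; do
    name=${spec%%=*}
    cmd=${spec#*=}
    if sh -c "$cmd"; then
      status=0
    else
      status=$?
    fi
    case "$status" in
      0)
        printf 'PASS  %s\n' "$name" ;;
      126|127)
        printf 'ERROR %s: gate could not run (exit %s)\n' "$name" "$status"
        GATES_FAILED=$((GATES_FAILED + 1)) ;;
      *)
        printf 'FAIL  %s: findings or error (exit %s)\n' "$name" "$status"
        GATES_FAILED=$((GATES_FAILED + 1)) ;;
    esac
  done
  printf '%s gate(s) failed\n' "$GATES_FAILED"
  [ "$GATES_FAILED" -eq 0 ]
}

# Usage in a CI step, with the gates from the workflows on this page:
#   run_gates \
#     'vulns=./git-pkgs vulns --stateless -s high' \
#     'licenses=./git-pkgs licenses --stateless --allow=MIT,Apache-2.0,BSD-2-Clause,BSD-3-Clause,ISC'
```

Running the gates through one helper also gives a single place to decide policy, for example treating an ERROR as blocking on main but only as a warning on a scheduled dependency-update branch.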