dependency-management-data is a set of tooling that makes it easier to understand the usage of Open Source and internal dependencies in an organisation, taking data from Renovate, GitHub Dependabot, or Software Bill of Materials (SBOMs) and providing an SQLite database that can be used to query it.
Alongside this base functionality, it’s possible to write “advisories” to flag usage of certain dependencies for i.e. “this internal library has a security vulnerability” or “this Open Source project is no longer maintained”.
As a step further than this, it’s now possible to write “policies”, using Open Policy Agent to provide much more powerful control over usage of dependencies, leveraging the excellent support Rego and OPA has for common operations.
Code & Repos