SDK, CLI, UI, Excel reports, and scanner-ready targets for application inventory across Azure DevOps and GitHub Enterprise
Project description
Application Inventory Service
Application Inventory Service discovers software assets across Azure DevOps and GitHub Enterprise without cloning repositories. It identifies mobile apps, web apps, API services, microservices, middleware, serverless workloads, infrastructure code, AI-enabled apps, and ML-enabled apps, then emits reports and scanner-ready target manifests.
The project is published as application-inventory-service. The original appsec-*, ado-mobile-scanner, and mobile-app-inventory-tracer commands remain available as compatibility aliases.
What It Does
- Scans one or more Azure DevOps organizations, each with its own PAT.
- Scans GitHub Enterprise owners and repositories.
- Pulls Azure DevOps projects and GitHub repositories into the UI for targeted scans.
- Scans default branches, with production-like fallback branch resolution when no default branch exists.
- Captures inventory name, version, type, language, mobile identifiers, contributors, last activity, and evidence.
- Optionally validates detected mobile identifiers against Apple App Store and Google Play.
- Writes XLSX inventory reports, Semgrep target lists, and SonarQube project manifests labeled by selected application type.
- Streams results into a normalized PostgreSQL schema, scoped by signed-in user when run from the UI.
Documentation
- Application Intent
- Security Baseline
- Code Reference
- AWS Deployment Guide
- Azure Implementation Guide
- Architecture
- Blog Post
- PyPI Release Management
- SBOM Summary
- CycloneDX SBOM
Install
python -m pip install application-inventory-service
application-inventory-service --help
application-inventory-service-ui --help
For local development:
git clone https://github.com/h0p3sf4ll/application-inventory-service.git
cd application-inventory-service
python3 -m venv .venv
source .venv/bin/activate
python -m pip install -r requirements.txt
python -m pip install -e .
Quick Start: UI
APPLICATION_INVENTORY_SERVICE_TEST_LOGIN_ENABLED=true \
application-inventory-service-ui \
--host 127.0.0.1 \
--port 48731 \
--reports-dir reports
Open http://127.0.0.1:48731.
Use the test login only for local development. For shared environments, configure GitHub SSO or Google SSO and disable the test login.
Quick Start: Docker
mkdir -p reports
cp .env.example .env
docker run --rm \
-p 48731:48731 \
--env-file .env \
-v "$PWD/reports:/reports" \
h0p3sf4ll/application-inventory-service:1.6.4 \
ui \
--host 0.0.0.0 \
--port 48731 \
--reports-dir /reports
Build locally when you need to test unpublished changes:
docker build -t application-inventory-service:local .
Azure DevOps
Scan one organization:
export ADO_PAT="your-token"
application-inventory-service \
--provider azure-devops \
--org FabrikamCloud \
--out-dir reports
Scan selected projects:
application-inventory-service \
--provider azure-devops \
--org FabrikamCloud \
--project Go_To_Market \
--project Payments \
--out-dir reports
Scan multiple organizations with separate PATs:
application-inventory-service \
--ado-org-pat "FabrikamCloud=$FABRIKAM_PAT" \
--ado-org-pat "ContosoApps=$CONTOSO_PAT" \
--target-filter "FabrikamCloud=Go_To_Market" \
--target-filter "ContosoApps=Payments" \
--out-dir reports
GitHub Enterprise
export GITHUB_TOKEN="your-token"
application-inventory-service \
--provider github-enterprise \
--base-url https://github.fabrikam.example/api/v3 \
--org FabrikamCloud \
--repo payments-api \
--out-dir reports
Omit --repo to scan all accessible repositories for the owner. Repeat --repo for a selected repository set.
PostgreSQL
PostgreSQL sync is enabled by default in the UI. For CLI scans:
export APPLICATION_INVENTORY_POSTGRES_DSN="postgresql://postgres:postgres@localhost:5432/postgres"
application-inventory-service \
--provider azure-devops \
--org FabrikamCloud \
--postgres-schema application_inventory \
--postgres-table application_inventory_assets \
--out-dir reports
Local development database:
docker run --name application-inventory-postgres \
-e POSTGRES_USER=postgres \
-e POSTGRES_PASSWORD=postgres \
-e POSTGRES_DB=postgres \
-p 5432:5432 \
-d postgres:16-alpine
Environment Variables
| Variable | Purpose |
|---|---|
APPLICATION_INVENTORY_SERVICE_UI_HOST |
UI bind host |
APPLICATION_INVENTORY_SERVICE_UI_PORT |
UI bind port |
APPLICATION_INVENTORY_SERVICE_REPORTS_DIR |
UI report/state directory |
APPLICATION_INVENTORY_SERVICE_PUBLIC_URL |
Public HTTPS base URL used for OAuth callbacks |
APPLICATION_INVENTORY_SERVICE_COOKIE_SECURE |
Adds Secure cookies and HSTS when set to true |
APPLICATION_INVENTORY_SERVICE_ALLOWED_GITHUB_HOSTS |
Comma-separated GitHub Enterprise host allowlist |
APPLICATION_INVENTORY_SERVICE_ALLOW_INSECURE_PROVIDER_URLS |
Local-only escape hatch for HTTP provider URLs |
APPLICATION_INVENTORY_SERVICE_MAX_JSON_BODY_BYTES |
Maximum UI JSON request size |
APPLICATION_INVENTORY_SERVICE_GITHUB_CLIENT_ID |
GitHub OAuth client ID |
APPLICATION_INVENTORY_SERVICE_GITHUB_CLIENT_SECRET |
GitHub OAuth client secret |
APPLICATION_INVENTORY_SERVICE_GOOGLE_CLIENT_ID |
Google OAuth client ID |
APPLICATION_INVENTORY_SERVICE_GOOGLE_CLIENT_SECRET |
Google OAuth client secret |
APPLICATION_INVENTORY_SERVICE_SECRET_KEY |
Fernet key for encrypted token storage |
APPLICATION_INVENTORY_SERVICE_STATE_DIR |
Secure state directory |
APPLICATION_INVENTORY_ADO_ORG_PATS |
JSON or ORG=PAT list for Azure DevOps multi-org scans |
APPLICATION_INVENTORY_TARGET_FILTERS |
JSON or repeated [ORG=]PROJECT_OR_REPO filters |
APPLICATION_INVENTORY_POSTGRES_DSN |
PostgreSQL DSN |
APPLICATION_INVENTORY_POSTGRES_SCHEMA |
PostgreSQL schema |
APPLICATION_INVENTORY_POSTGRES_TABLE |
Flat compatibility table |
APPLICATION_INVENTORY_ADO_REQUESTS_PER_SECOND |
Azure DevOps request pace per scanner process; defaults to 6 |
APPLICATION_INVENTORY_ADO_MAX_RETRIES |
Azure DevOps retry count for throttled or transient reads; defaults to 8 |
APPLICATION_INVENTORY_ADO_POOL_SIZE |
Azure DevOps per-thread connection pool size; defaults to 4 |
APPLICATION_INVENTORY_ADO_LOW_REMAINING_BACKOFF_SECONDS |
Extra pause when Azure DevOps rate-limit remaining reaches zero; defaults to 2 |
Legacy APPSEC_INVENTORY_* and APPSEC_INVENTORY_SERVICE_* variables remain supported.
Outputs
With the default prefix and no application type filter, the service writes:
application_inventory_service_all_types.xlsxapplication_inventory_service_all_types_semgrep_targets.txtapplication_inventory_service_all_types_sonarqube_projects.csv
When application types are selected, the type label is added to the output name, for example application_inventory_service_mobile_app_api_service.xlsx.
The target files are intended for downstream orchestration with Semgrep, SonarQube, SCA tools, custom security scanners, or pipeline automation.
SDK
from pathlib import Path
from application_inventory_service import ScanConfig, SourceTargetFilter, scan_to_reports
config = ScanConfig(
provider="github-enterprise",
base_url="https://github.fabrikam.example/api/v3",
org="FabrikamCloud",
pat="your-token",
project=None,
target_filters=(SourceTargetFilter("", "payments-api"),),
out_dir=Path("reports"),
out_prefix="application_inventory_service",
max_workers=8,
branch_workers=16,
content_workers=16,
max_commits_per_repo=0,
timeout_seconds=30,
min_confidence="medium",
)
results, xlsx_path, semgrep_path, sonarqube_path = scan_to_reports(config)
Release
Build and validate:
python -m unittest discover -s tests
python -m build
python -m twine check dist/*
Publish with the Publish GitHub Actions workflow. The workflow uses the pypi environment and supports two release paths:
- Preferred: configure PyPI Trusted Publishing for repository
h0p3sf4ll/application-inventory-service, workflow.github/workflows/publish.yml, environmentpypi. - Fallback: add a GitHub Actions secret named
PYPI_API_TOKENwith a PyPI API token.
Security Notes
- Use read-only source provider tokens.
- Store shared deployment secrets in AWS Secrets Manager, GitHub Actions secrets, or another approved secret manager.
- Rotate any token that has appeared in chat, logs, terminal output, screenshots, or issue trackers.
- Disable test login and set secure cookies in shared environments.
- Do not commit generated reports if they contain internal repository names, URLs, identifiers, or contributor emails.
- The service does not clone repositories; it reads repository trees and selected manifest/configuration files through provider APIs.
License
MIT. See LICENSE.
Project details
Release history Release notifications | RSS feed
Download files
Download the file for your platform. If you're not sure which to choose, learn more about installing packages.
Source Distribution
Built Distribution
Filter files by name, interpreter, ABI, and platform.
If you're not sure about the file name format, learn more about wheel file names.
Copy a direct link to the current filters
File details
Details for the file application_inventory_service-1.6.4.tar.gz.
File metadata
- Download URL: application_inventory_service-1.6.4.tar.gz
- Upload date:
- Size: 1.9 MB
- Tags: Source
- Uploaded using Trusted Publishing? No
- Uploaded via: twine/6.1.0 CPython/3.13.12
File hashes
| Algorithm | Hash digest | |
|---|---|---|
| SHA256 |
38002b1943d7d917b1ccad544c833256e25137b369572cc774d4eeb862001db3
|
|
| MD5 |
042657a554a21b571f7a2cdc99ca6715
|
|
| BLAKE2b-256 |
e1d1a4a7351d891336f756860188bf39c6edc8d1aa2e599949ef1841379133a5
|
File details
Details for the file application_inventory_service-1.6.4-py3-none-any.whl.
File metadata
- Download URL: application_inventory_service-1.6.4-py3-none-any.whl
- Upload date:
- Size: 1.9 MB
- Tags: Python 3
- Uploaded using Trusted Publishing? No
- Uploaded via: twine/6.1.0 CPython/3.13.12
File hashes
| Algorithm | Hash digest | |
|---|---|---|
| SHA256 |
c9d9e86fd87b5b091d064ba8658ab5e67244ab1a22c90304cdb3b15052856212
|
|
| MD5 |
f792fa83038b0f38bdace2cde03d1ec2
|
|
| BLAKE2b-256 |
9e180150d9244929b774563ca13c846a91a25a1b50e3c7397652370e5b91ea33
|