git-pkgs 0.7.0 → 0.9.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 0f9ff177f3dd7cbb4f5591a0c0f2b936d5fb98629329294dae9f57380a69709e
-  data.tar.gz: e8760e948aea3b7252176fc6a0b4bb0d74432ad05e4fa20693468b9440b126bd
+  metadata.gz: 3bd1b968e2bc7ed2d3ecbc8a750925afdea362ca1d0a01f6d69a6bf5aef58b02
+  data.tar.gz: 1deed6e6742a7977585c97db65fe13e649e4b5e3b6a0f9674f5352d977dc8fcf
 SHA512:
-  metadata.gz: a670a1b046b7d0953aefe8bd57a6a03fa69624eb3bdb4e8867a647521a88c936e559973b6470989cca45714e79de19c0f6d2a2c85fa7340c3b677e07923cb97a
-  data.tar.gz: dcbb08683dfe053e70801ae36fe74f3d1f33ce0a6f74a7df3b6cb1a6d5df70d5a7c5db9ca9c7fc8efb6ee94463fbc96a68ef7e09f20808fd6b41b1c2d2e6b873
+  metadata.gz: 5d7ed904f5e7b3fc0b7a7054d596dfe59d1918f30d493ac5613cea125c41f9b38ab22daab2c84a5536b55030ca407334b01e6d0bd79bc828a371abfdccf5a16d
+  data.tar.gz: e1170c4c9eeb345730e9ab614536c6431f1c56ee9bafc8bdff111e7df3bf8f577149ba1f94a77787ace083ee401b2980978148f76e85d16c5a3a1101902a2a08

data/CHANGELOG.md

@@ -1,5 +1,30 @@
 ## [Unreleased]
 
+## [0.9.0] - 2026-01-14
+
+- `git pkgs sbom` command to export dependencies as SPDX or CycloneDX
+- `git pkgs integrity` command to show and verify lockfile integrity hashes
+- Parse go.sum for Go module integrity hashes (no longer ignored)
+- Convert Go h1: hashes (base64) to hex for SBOM compatibility
+- `--drift` flag to detect packages with different hashes for the same version
+- Registry integrity comparison via ecosyste.ms API
+- Store integrity hashes from lockfiles in dependency_snapshots table
+- SBOM export includes supplier info from ecosyste.ms (owner/maintainer)
+- License commands use version-level license data when available
+- Store supplier_name and supplier_type on packages (schema v5, run `git pkgs upgrade`)
+- Update ecosystems-bibliothecary to ~> 15.3 (integrity extraction from lockfiles)
+- Update purl to >= 1.7.1 (ecosyste.ms API URL support)
+
+## [0.8.0] - 2026-01-14
+
+- `git pkgs outdated` command to find dependencies with newer versions available in registries
+- `git pkgs licenses` command to check dependency licenses with compliance options (--permissive, --allow, --deny)
+- ecosyste.ms client for fetching package metadata (latest versions, licenses)
+- Package and Version models for storing enrichment data
+- Spinner utility for progress feedback during network operations
+- PURL helper for standardized package URLs
+- `outdated` is no longer an alias for `stale` (now a separate command)
+
 ## [0.7.0] - 2026-01-09
 
 - `git pkgs vulns` subcommand for vulnerability scanning via OSV API

data/Formula/git-pkgs.rb

@@ -1,8 +1,8 @@
 class GitPkgs < Formula
   desc "Track package dependencies across git history"
   homepage "https://github.com/andrew/git-pkgs"
-  url "https://github.com/andrew/git-pkgs/archive/refs/tags/v0.6.2.tar.gz"
-  sha256 "ccd7a8a5b9cb21c52cc488923ed1318387a9fefa4baff2057bd96b27591577aa"
+  url "https://github.com/andrew/git-pkgs/archive/refs/tags/v0.8.0.tar.gz"
+  sha256 "b2e8ebfefc86fd137fb76225934c0fe2a1e01b2fcaac88a91f1134eecc4e9e71"
   license "AGPL-3.0"
 
   depends_on "cmake" => :build

data/README.md

@@ -10,7 +10,9 @@ Your lockfile shows what dependencies you have, but it doesn't show how you got
 
 For best results, commit your lockfiles. Manifests show version ranges but lockfiles show what actually got installed, including transitive dependencies.
 
-It works across many ecosystems (Gemfile, package.json, Dockerfile, GitHub Actions workflows) giving you one unified history instead of separate tools per ecosystem. Everything runs locally and offline with no external services or network calls, and the database lives in your `.git` directory where you can use it in CI to catch dependency changes in pull requests.
+It works across many ecosystems (Gemfile, package.json, Dockerfile, GitHub Actions workflows) giving you one unified history instead of separate tools per ecosystem. The database lives in your `.git` directory where you can use it in CI to catch dependency changes in pull requests.
+
+The core commands (`list`, `history`, `blame`, `diff`, `stale`, etc.) work entirely from your git history with no network access. Additional commands fetch external data: `vulns` checks [OSV](https://osv.dev) for known CVEs, while `outdated` and `licenses` query [ecosyste.ms](https://packages.ecosyste.ms/) for registry metadata. See [docs/enrichment.md](docs/enrichment.md) for details on external data.
 
 ## Installation
 
@@ -45,6 +47,8 @@ git pkgs history rails  # track a specific package
 git pkgs why rails      # why was this added?
 git pkgs diff --from=HEAD~10  # what changed recently?
 git pkgs diff --from=main --to=feature  # compare branches
+git pkgs vulns          # scan for known CVEs
+git pkgs vulns blame    # who introduced each vulnerability
 ```
 
 ## Commands
@@ -254,22 +258,96 @@ This shows dependencies grouped by type (runtime, development, etc).
 git pkgs stale                  # list deps by how long since last touched
 git pkgs stale --days=365       # only show deps untouched for a year
 git pkgs stale --ecosystem=npm  # filter by ecosystem
-git pkgs outdated               # alias for stale
 ```
 
 Shows dependencies sorted by how long since they were last changed in your repo. Useful for finding packages that may have been forgotten or need review.
 
+### Find outdated dependencies
+
+```bash
+git pkgs outdated               # show packages with newer versions available
+git pkgs outdated --major       # only major version updates
+git pkgs outdated --minor       # minor and major updates (skip patch)
+git pkgs outdated --stateless   # no database needed
+```
+
+Checks package registries (via [ecosyste.ms](https://packages.ecosyste.ms/)) to find dependencies with newer versions available. Major updates are shown in red, minor in yellow, patch in cyan.
+
+### Check licenses
+
+```bash
+git pkgs licenses               # show license for each dependency
+git pkgs licenses --permissive  # flag copyleft licenses
+git pkgs licenses --allow=MIT,Apache-2.0  # explicit allow list
+git pkgs licenses --group       # group output by license
+git pkgs licenses --stateless   # no database needed
+```
+
+Fetches license information from package registries. Exits with code 1 if violations are found, making it suitable for CI. See [docs/enrichment.md](docs/enrichment.md) for all options.
+
 ### Vulnerability scanning
 
+Scan dependencies for known CVEs using the [OSV database](https://osv.dev). Because git-pkgs tracks the full history of every dependency change, it provides context that static scanners can't: who introduced a vulnerability, when it was fixed, and how long you were exposed.
+
 ```bash
-git pkgs vulns                  # scan current dependencies for known CVEs
+git pkgs vulns                  # scan current dependencies
+git pkgs vulns v1.0.0           # scan at a tag, branch, or commit
 git pkgs vulns -s high          # only critical and high severity
+git pkgs vulns -e npm           # filter by ecosystem
+git pkgs vulns -f sarif         # output for GitHub code scanning
+```
+
+Subcommands for historical analysis:
+
+```bash
 git pkgs vulns blame            # who introduced each vulnerability
+git pkgs vulns blame --all-time # include fixed vulnerabilities
 git pkgs vulns praise           # who fixed vulnerabilities
-git pkgs vulns exposure --all-time --summary  # remediation metrics
+git pkgs vulns praise --summary # author leaderboard
+git pkgs vulns exposure         # remediation metrics (CRA compliance)
+git pkgs vulns diff main feature # compare vulnerability state between refs
+git pkgs vulns log              # commits that introduced or fixed vulns
+git pkgs vulns history lodash   # vulnerability timeline for a package
+git pkgs vulns show CVE-2024-1234  # details about a specific CVE
 ```
 
-Uses the [OSV database](https://osv.dev) to check your dependencies against known security advisories. Because git-pkgs tracks the full history, it can show who introduced and fixed each vulnerability. See [docs/vulns.md](docs/vulns.md) for full documentation.
+Output formats: `text` (default), `json`, and `sarif`. SARIF integrates with GitHub Advanced Security:
+
+```yaml
+- run: git pkgs vulns --stateless -f sarif > results.sarif
+- uses: github/codeql-action/upload-sarif@v3
+  with:
+    sarif_file: results.sarif
+```
+
+Vulnerability data is cached locally and refreshed automatically when stale (>24h). Use `git pkgs vulns sync --refresh` to force an update. See [docs/vulns.md](docs/vulns.md) for full documentation.
+
+### Integrity verification
+
+Show SHA256 hashes from lockfiles. Modern lockfiles include checksums that verify package contents haven't been tampered with.
+
+```bash
+git pkgs integrity              # show hashes for current dependencies
+git pkgs integrity --drift      # detect same version with different hashes
+git pkgs integrity -f json      # JSON output
+git pkgs integrity --stateless  # no database needed
+```
+
+The `--drift` flag scans your history for packages where the same version has different integrity hashes, which could indicate a supply chain issue.
+
+### SBOM export
+
+Export dependencies as a Software Bill of Materials in CycloneDX or SPDX format:
+
+```bash
+git pkgs sbom                      # CycloneDX JSON (default)
+git pkgs sbom --type spdx          # SPDX JSON
+git pkgs sbom -f xml               # XML instead of JSON
+git pkgs sbom --name my-project    # custom project name
+git pkgs sbom --stateless          # no database needed
+```
+
+Includes package URLs (purls), versions, and licenses (fetched from registries). Use `--skip-enrichment` to omit license lookups.
 
 ### Diff between commits
 
@@ -497,6 +575,7 @@ Git::Pkgs::Database.connect(repo_git_dir)
 Git::Pkgs::Models::DependencyChange.where(name: "rails").all
 ```
 
+
 ## Contributing
 
 Bug reports, feature requests, and pull requests are welcome. If you're unsure about a change, open an issue first to discuss it.

data/lib/git/pkgs/analyzer.rb

@@ -33,7 +33,7 @@ module Git
         REQUIRE Project.toml Manifest.toml
         shard.yml shard.lock
         elm-package.json elm_dependencies.json elm-stuff/exact-dependencies.json
-        haxelib.json
+        haxelib.json stack.yaml stack.yaml.lock
         action.yml action.yaml .github/workflows/*.yml .github/workflows/*.yaml
         Dockerfile docker-compose*.yml docker-compose*.yaml
         dvc.yaml vcpkg.json _generated-vcpkg-list.json
@@ -141,7 +141,8 @@ module Git
               purl: generate_purl(result[:platform], dep[:name]),
               change_type: "added",
               requirement: dep[:requirement],
-              dependency_type: dep[:type]
+              dependency_type: dep[:type],
+              integrity: dep[:integrity]
             }
 
             key = [manifest_path, dep[:name]]
@@ -150,7 +151,8 @@ module Git
               kind: result[:kind],
               purl: generate_purl(result[:platform], dep[:name]),
               requirement: dep[:requirement],
-              dependency_type: dep[:type]
+              dependency_type: dep[:type],
+              integrity: dep[:integrity]
             }
           end
         end
@@ -179,7 +181,8 @@ module Git
               purl: generate_purl(after_result[:platform], name),
               change_type: "added",
               requirement: dep[:requirement],
-              dependency_type: dep[:type]
+              dependency_type: dep[:type],
+              integrity: dep[:integrity]
             }
 
             key = [manifest_path, name]
@@ -188,7 +191,8 @@ module Git
               kind: after_result[:kind],
               purl: generate_purl(after_result[:platform], name),
               requirement: dep[:requirement],
-              dependency_type: dep[:type]
+              dependency_type: dep[:type],
+              integrity: dep[:integrity]
             }
           end
 
@@ -202,7 +206,8 @@ module Git
               purl: generate_purl(before_result[:platform], name),
               change_type: "removed",
               requirement: dep[:requirement],
-              dependency_type: dep[:type]
+              dependency_type: dep[:type],
+              integrity: dep[:integrity]
             }
 
             key = [manifest_path, name]
@@ -223,7 +228,8 @@ module Git
                 change_type: "modified",
                 requirement: after_dep[:requirement],
                 previous_requirement: before_dep[:requirement],
-                dependency_type: after_dep[:type]
+                dependency_type: after_dep[:type],
+                integrity: after_dep[:integrity]
               }
 
               key = [manifest_path, name]
@@ -232,7 +238,8 @@ module Git
                 kind: after_result[:kind],
                 purl: generate_purl(after_result[:platform], name),
                 requirement: after_dep[:requirement],
-                dependency_type: after_dep[:type]
+                dependency_type: after_dep[:type],
+                integrity: after_dep[:integrity]
               }
             end
           end
@@ -252,7 +259,8 @@ module Git
               purl: generate_purl(result[:platform], dep[:name]),
               change_type: "removed",
               requirement: dep[:requirement],
-              dependency_type: dep[:type]
+              dependency_type: dep[:type],
+              integrity: dep[:integrity]
             }
 
             key = [manifest_path, dep[:name]]
@@ -329,7 +337,8 @@ module Git
               kind: result[:kind],
               purl: generate_purl(result[:platform], dep[:name]),
               requirement: dep[:requirement],
-              dependency_type: dep[:type]
+              dependency_type: dep[:type],
+              integrity: dep[:integrity]
             }
           end
         end

data/lib/git/pkgs/cli.rb

@@ -33,7 +33,11 @@ module Git
         },
         "Analysis" => {
           "stats" => "Show dependency statistics",
-          "stale" => "Show dependencies that haven't been updated"
+          "stale" => "Show dependencies that haven't been updated",
+          "outdated" => "Show packages with newer versions available",
+          "licenses" => "Show licenses for dependencies",
+          "integrity" => "Show and verify lockfile integrity hashes",
+          "sbom" => "Export dependencies as SBOM (SPDX or CycloneDX)"
         },
         "Security" => {
           "vulns" => "Scan for known vulnerabilities"
@@ -42,7 +46,7 @@ module Git
 
       COMMANDS = COMMAND_GROUPS.values.flat_map(&:keys).freeze
       COMMAND_DESCRIPTIONS = COMMAND_GROUPS.values.reduce({}, :merge).freeze
-      ALIASES = { "praise" => "blame", "outdated" => "stale" }.freeze
+      ALIASES = { "praise" => "blame" }.freeze
 
       def self.run(args)
         new(args).run

data/lib/git/pkgs/commands/branch.rb

@@ -191,6 +191,7 @@ module Git
                     ecosystem: s[:ecosystem],
                     requirement: s[:requirement],
                     dependency_type: s[:dependency_type],
+                    integrity: s[:integrity],
                     created_at: now,
                     updated_at: now
                   }
@@ -266,7 +267,8 @@ module Git
                     name: name,
                     ecosystem: dep_info[:ecosystem],
                     requirement: dep_info[:requirement],
-                    dependency_type: dep_info[:dependency_type]
+                    dependency_type: dep_info[:dependency_type],
+                    integrity: dep_info[:integrity]
                   }
                 end
                 snapshots_stored += snapshot.size
@@ -286,7 +288,8 @@ module Git
                   name: name,
                   ecosystem: dep_info[:ecosystem],
                   requirement: dep_info[:requirement],
-                  dependency_type: dep_info[:dependency_type]
+                  dependency_type: dep_info[:dependency_type],
+                  integrity: dep_info[:integrity]
                 }
               end
               snapshots_stored += snapshot.size

data/lib/git/pkgs/commands/diff_driver.rb

@@ -24,18 +24,24 @@ module Git
           gems.locked
           glide.lock
           go.mod
+          go.sum
+          gradle.lockfile
           mix.lock
           npm-shrinkwrap.json
           package-lock.json
           packages.lock.json
           paket.lock
+          pdm.lock
           pnpm-lock.yaml
           poetry.lock
           project.assets.json
           pubspec.lock
           pylock.toml
+          renv.lock
           shard.lock
+          stack.yaml.lock
           uv.lock
+          verification-metadata.xml
           yarn.lock
         ].freeze
 

data/lib/git/pkgs/commands/init.rb

@@ -125,6 +125,7 @@ module Git
                     purl: s[:purl],
                     requirement: s[:requirement],
                     dependency_type: s[:dependency_type],
+                    integrity: s[:integrity],
                     created_at: now,
                     updated_at: now
                   }
@@ -207,7 +208,8 @@ module Git
                     ecosystem: dep_info[:ecosystem],
                     purl: dep_info[:purl],
                     requirement: dep_info[:requirement],
-                    dependency_type: dep_info[:dependency_type]
+                    dependency_type: dep_info[:dependency_type],
+                    integrity: dep_info[:integrity]
                   }
                 end
                 snapshots_stored += snapshot.size
@@ -228,7 +230,8 @@ module Git
                   ecosystem: dep_info[:ecosystem],
                   purl: dep_info[:purl],
                   requirement: dep_info[:requirement],
-                  dependency_type: dep_info[:dependency_type]
+                  dependency_type: dep_info[:dependency_type],
+                  integrity: dep_info[:integrity]
                 }
               end
               snapshots_stored += snapshot.size

data/lib/git/pkgs/commands/integrity.rb

@@ -0,0 +1,288 @@
+# frozen_string_literal: true
+
+module Git
+  module Pkgs
+    module Commands
+      class Integrity
+        include Output
+
+        def self.description
+          "Show and verify lockfile integrity hashes"
+        end
+
+        def initialize(args)
+          @args = args
+          @options = parse_options
+        end
+
+        def run
+          repo = Repository.new
+          use_stateless = @options[:stateless] || !Database.exists?(repo.git_dir)
+
+          if @options[:drift]
+            error "--drift requires database (run 'git pkgs init' first)" if use_stateless
+            run_drift_detection(repo)
+          else
+            run_show(repo, use_stateless)
+          end
+        end
+
+        def run_show(repo, use_stateless)
+          if use_stateless
+            deps = run_stateless(repo)
+          else
+            deps = run_with_database(repo)
+          end
+
+          # Filter to only lockfile deps with integrity
+          deps = Analyzer.lockfile_dependencies(deps)
+          deps = deps.select { |d| d[:integrity] }
+
+          if @options[:ecosystem]
+            deps = deps.select { |d| d[:ecosystem] == @options[:ecosystem] }
+          end
+
+          if deps.empty?
+            empty_result "No dependencies with integrity hashes found"
+            return
+          end
+
+          if @options[:format] == "json"
+            require "json"
+            puts JSON.pretty_generate(deps.map { |d| format_dep_json(d) })
+          else
+            paginate { output_text(deps) }
+          end
+        end
+
+        def run_stateless(repo)
+          commit_sha = @options[:ref] || repo.head_sha
+          rugged_commit = repo.lookup(repo.rev_parse(commit_sha))
+          error "Could not resolve '#{commit_sha}'" unless rugged_commit
+
+          analyzer = Analyzer.new(repo)
+          analyzer.dependencies_at_commit(rugged_commit)
+        end
+
+        def run_with_database(repo)
+          Database.connect(repo.git_dir)
+
+          commit_sha = @options[:ref] || repo.head_sha
+          target_commit = Models::Commit.first(sha: commit_sha)
+          error "Commit not in database. Run 'git pkgs update' first." unless target_commit
+
+          compute_dependencies_at_commit(target_commit, repo)
+        end
+
+        def run_drift_detection(repo)
+          Database.connect(repo.git_dir)
+
+          # Get unique (purl, requirement, integrity) from snapshots
+          results = Database.db[:dependency_snapshots]
+            .exclude(integrity: nil)
+            .select(:purl, :requirement, :integrity)
+            .distinct
+            .all
+
+          # Build versioned purls and group
+          by_versioned_purl = {}
+          results.each do |r|
+            versioned_purl = "#{r[:purl]}@#{r[:requirement]}"
+            by_versioned_purl[versioned_purl] ||= { purl: r[:purl], version: r[:requirement], lockfile_integrities: [] }
+            by_versioned_purl[versioned_purl][:lockfile_integrities] << r[:integrity]
+          end
+
+          # Dedupe lockfile integrities
+          by_versioned_purl.each { |_, v| v[:lockfile_integrities].uniq! }
+
+          # Find internal drift (same version with different lockfile hashes)
+          internal_drifts = by_versioned_purl.select { |_, v| v[:lockfile_integrities].size > 1 }
+
+          # Fetch registry integrity for comparison
+          registry_mismatches = []
+          purls_to_check = by_versioned_purl.keys
+
+          if purls_to_check.any?
+            Spinner.with_spinner("Fetching registry integrity...") do
+              client = EcosystemsClient.new
+              purls_to_check.each do |versioned_purl|
+                data = by_versioned_purl[versioned_purl]
+                version_info = client.lookup_version(versioned_purl)
+                next unless version_info && version_info["integrity"]
+
+                registry_integrity = version_info["integrity"]
+                lockfile_integrity = data[:lockfile_integrities].first
+
+                unless integrity_match?(lockfile_integrity, registry_integrity)
+                  registry_mismatches << {
+                    purl: versioned_purl,
+                    lockfile: lockfile_integrity,
+                    registry: registry_integrity
+                  }
+                end
+              end
+            end
+          end
+
+          if internal_drifts.empty? && registry_mismatches.empty?
+            info "No integrity drift detected"
+            return
+          end
+
+          if @options[:format] == "json"
+            require "json"
+            output = {
+              internal_drift: internal_drifts.map { |purl, v| { purl: purl, integrity_values: v[:lockfile_integrities] } },
+              registry_mismatch: registry_mismatches
+            }
+            puts JSON.pretty_generate(output)
+          else
+            paginate { output_drift_text(internal_drifts, registry_mismatches) }
+          end
+        end
+
+        def integrity_match?(lockfile, registry)
+          normalize_integrity(lockfile) == normalize_integrity(registry)
+        end
+
+        def normalize_integrity(integrity)
+          return nil unless integrity
+          # Normalize sha256= vs sha256- format
+          integrity.gsub(/^sha256[-=]/, "sha256:")
+        end
+
+        def output_text(deps)
+          grouped = deps.group_by { |d| d[:ecosystem] }
+
+          grouped.each do |ecosystem, ecosystem_deps|
+            puts "#{ecosystem}:"
+            ecosystem_deps.sort_by { |d| d[:name] }.each do |dep|
+              puts "  #{dep[:name]} #{dep[:requirement]}"
+              puts "    #{dep[:integrity]}"
+            end
+            puts
+          end
+        end
+
+        def output_drift_text(internal_drifts, registry_mismatches)
+          if internal_drifts.any?
+            puts Color.red("Internal drift (same version, different lockfile hashes):")
+            puts
+            internal_drifts.each do |purl, data|
+              puts "  #{purl}"
+              data[:lockfile_integrities].each do |integrity|
+                puts "    #{integrity}"
+              end
+              puts
+            end
+          end
+
+          if registry_mismatches.any?
+            puts Color.red("Registry mismatch (lockfile differs from registry):")
+            puts
+            registry_mismatches.each do |mismatch|
+              puts "  #{mismatch[:purl]}"
+              puts "    lockfile: #{mismatch[:lockfile]}"
+              puts "    registry: #{mismatch[:registry]}"
+              puts
+            end
+          end
+
+          total = internal_drifts.size + registry_mismatches.size
+          puts "#{total} integrity issue(s) found"
+        end
+
+        def format_dep_json(dep)
+          {
+            name: dep[:name],
+            version: dep[:requirement],
+            ecosystem: dep[:ecosystem],
+            purl: dep[:purl],
+            integrity: dep[:integrity],
+            manifest: dep[:manifest_path]
+          }
+        end
+
+        def compute_dependencies_at_commit(target_commit, repo)
+          branch_name = @options[:branch] || repo.default_branch
+          branch = Models::Branch.first(name: branch_name)
+          return [] unless branch
+
+          snapshot_commit = branch.commits_dataset
+            .join(:dependency_snapshots, commit_id: :id)
+            .where { Sequel[:commits][:committed_at] <= target_commit.committed_at }
+            .order(Sequel.desc(Sequel[:commits][:committed_at]))
+            .distinct
+            .first
+
+          deps = {}
+          if snapshot_commit
+            snapshot_commit.dependency_snapshots.each do |s|
+              key = [s.manifest.path, s.name]
+              deps[key] = {
+                manifest_path: s.manifest.path,
+                name: s.name,
+                ecosystem: s.ecosystem,
+                kind: s.manifest.kind,
+                manifest_kind: s.manifest.kind,
+                purl: s.purl,
+                requirement: s.requirement,
+                dependency_type: s.dependency_type,
+                integrity: s.integrity
+              }
+            end
+          end
+
+          deps.values
+        end
+
+        def parse_options
+          options = {}
+
+          parser = OptionParser.new do |opts|
+            opts.banner = "Usage: git pkgs integrity [options]"
+            opts.separator ""
+            opts.separator "Show integrity hashes from lockfiles. Hashes come from lockfile checksums"
+            opts.separator "(Gemfile.lock CHECKSUMS, package-lock.json integrity fields, etc.)"
+
+            opts.on("-r", "--ref=REF", "Git ref to check (default: HEAD)") do |v|
+              options[:ref] = v
+            end
+
+            opts.on("-e", "--ecosystem=NAME", "Filter by ecosystem") do |v|
+              options[:ecosystem] = v
+            end
+
+            opts.on("-b", "--branch=NAME", "Branch context for database queries") do |v|
+              options[:branch] = v
+            end
+
+            opts.on("-f", "--format=FORMAT", "Output format (text, json)") do |v|
+              options[:format] = v
+            end
+
+            opts.on("--drift", "Detect packages with different hashes for same version") do
+              options[:drift] = true
+            end
+
+            opts.on("--stateless", "Parse manifests directly without database") do
+              options[:stateless] = true
+            end
+
+            opts.on("--no-pager", "Do not pipe output into a pager") do
+              options[:no_pager] = true
+            end
+
+            opts.on("-h", "--help", "Show this help") do
+              puts opts
+              exit
+            end
+          end
+
+          parser.parse!(@args)
+          options
+        end
+      end
+    end
+  end
+end