Clone or update all repositories listed in a Security Insights file. Reads project.repositories from a local file, URL, or GitHub repo, then runs git clone or git pull for each repo.
go install github.com/revanite-io/project-puller@latestRequires Go 1.25+ and a working git on your PATH.
The source type is auto-detected from the argument:
# From a GitHub repo (looks for security-insights.yml)
project-puller org/repo
# From a GitHub repo with a custom path
project-puller org/repo/dir/security-insights.yml
# From a URL
project-puller https://raw.githubusercontent.com/org/repo/main/security-insights.yml
# From a local file
project-puller ./security-insights.ymlRepos are cloned into a directory named after the GitHub org (derived from the first repository URL). Override it with --output:
project-puller org/repo --output ./my-repos| Flag | Description |
|---|---|
--output |
Directory for cloned repos (default: org name from first repo URL) |
--username |
Your fork username: clone with remote upstream, add your fork as origin if it exists |
--https |
Use HTTPS URLs for clone and remotes (default: SSH) |
--quiet |
Suppress git command output and status messages |
Clone all project repos via SSH into ./my-project:
project-puller org/project --output my-projectSame, but set up your fork as origin with the upstream project as upstream:
project-puller org/project --output my-project --username yournameAfter that, each repo has upstream (the project) and origin (your fork). If a fork doesn't exist on the host, the origin remote is skipped (with a warning) so you don't end up with a remote pointing at a 404.
To use HTTPS instead of SSH, add --https.
See CONTRIBUTING.md for build instructions, troubleshooting, and contribution guidelines.