Module dependency

Dependency signature evidence collection for GitHub repositories.

Detects lock files in the repository (Cargo.lock, package-lock.json, etc.) and collects dependency signature evidence by parsing lock-file checksums and optionally verifying npm provenance via npm audit signatures.

Functions

collect_pr_dependency_signatures
Collect dependency signature evidence for a PR by checking which lock files are present in the repository and parsing them for dependency information.
collect_repo_dependency_signatures
Collect dependency signature evidence for an entire repository at a given ref.