Show HN: GitHub Org Audit Tool

github.com

57 points by benfrancom 3 years ago · 23 comments · 1 min read


This is a tool for auditing GitHub organizations including their repos, users, and teams. It is useful for compliance, security and auditing.

megamorf 3 years ago

Unfortunately, it leaves a lot to be desired. I've actually had to do a fair bit of GH access reporting myself recently and I can recommend the GraphQL API as it allows you to properly list direct and indirect permissions on repositories (org + team + direct collaborator) that are a lot harder to do with the REST API due to its inconsistent permissions model.

  • LukeShu 3 years ago

    IME, the problem with the GraphQL API is that it does a poor job of indicating where permissions came from, and you have to fall back to bad heuristics.

    For example, if team="company" has "READ", and team="company/dev" has "WRITE", and Bob is in team="company/dev" but not team="company", then Bob will have both "READ" and "WRITE" because of his membership in team="company/dev"; the API will give no indication that the "READ" indirectly came from team="company".

    Also, the permissions that the PAT needs in order for GraphQL to even list those things is excessive.

    Anyway, here's my audit script for such things: https://github.com/datawire/collaborators

    • megamorf 3 years ago

      That's actually incorrect. Check out this query: https://gist.github.com/megamorf/9c105ac9cc13a93b5449a7b683d...

      I have added two output examples. One for when you only want to find users that have been directly assigned to a repo (DIRECT) and one that shows how their roles and team memberships decide what permissions they have on a repo.

    • sigio 3 years ago

      Having write already implies that you have read, it's not something related to being in a team with read, it's just that write always gives you read. The permission levels are pull(read), triage(read+issues/pr's), push(read+write), maintain, and admin

      • LukeShu 3 years ago

        > Having write already implies that you have read

        Yes, but if it's just being implied then it won't list "READ" separately in the "permissionSources", it will just list "WRITE".

  • pquerna 3 years ago

    I've also been working on a similar tool -- working towards open sourcing it too. Would you be interested in taking a look? paul.quenra at conductorone com

    • kataklasm 3 years ago

      I believe you might have a typo in your mail? Just making sure you're not missing out on something useful :)

      • pquerna 3 years ago

        thank you -- can't edit it anymore, but paul.querna (spelled my own name wrong)

  • benfrancomOP 3 years ago

    Nice, do you have anything you can share?

candiddevmike 3 years ago

Why audit when you can declare all of this in Terraform? https://registry.terraform.io/providers/integrations/github/...

  • gtirloni 3 years ago

    Terraform doesn't know what it doesn't know. It only cares about stuff you defined in code and ignores all the rest. You can't use it for auditing purposes, except in its narrow scope.

  • coenhyde 3 years ago

    As much of a fan of Terraform as I am, if you didn't start defining your repos in Terraform from day 0, importing hundreds of repos, members, permission sets would be quite a lot more work than running this audit tool.

  • nikolay 3 years ago

    I use that provider - it's one of the buggiest Terraform providers ever!

maartenh 3 years ago

Awesome! I built something like this for $JOB-1 too. Unfortunately didn't get to open source this before I left.

I built in a mechanism for policy checks too, e.g. to check that only an allowed list of repositories was public, and that permissions were only assigned through teams.
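A small illustration of the two points raised in this thread (resolving a collaborator's effective permission from the GraphQL `permissionSources` list, and maartenh's "permissions only through teams" policy check), added here as an example and not code from the Show HN tool or from any commenter. It assumes the shape of GitHub's GraphQL `Repository.collaborators` edges (`permission`, `permissionSources` with a typed `source`); the payload below is constructed, not captured from a real org.

```python
# Added example. Assumed shape of GitHub GraphQL `collaborators` edges:
#   edge.permission, edge.permissionSources[].permission,
#   edge.permissionSources[].source.__typename (Organization|Team|Repository)
# Ordering from the thread: pull(read) < triage < push(write) < maintain < admin.
RANK = {"NONE": 0, "READ": 1, "TRIAGE": 2, "WRITE": 3, "MAINTAIN": 4, "ADMIN": 5}

# Constructed sample payload: one page of collaborators for one repository.
SAMPLE_EDGES = [
    {"node": {"login": "bob"}, "permission": "WRITE",
     "permissionSources": [
         {"permission": "WRITE", "source": {"__typename": "Team", "slug": "company-dev"}},
     ]},
    {"node": {"login": "alice"}, "permission": "ADMIN",
     "permissionSources": [
         {"permission": "READ", "source": {"__typename": "Organization", "login": "acme"}},
         {"permission": "ADMIN", "source": {"__typename": "Repository", "name": "widgets"}},
     ]},
    {"node": {"login": "carol"}, "permission": "READ",
     "permissionSources": [
         {"permission": "READ", "source": {"__typename": "Organization", "login": "acme"}},
     ]},
]


def effective_permission(sources):
    """Highest permission across all sources (WRITE implies READ, and so on)."""
    best = None
    for s in sources:
        if best is None or RANK[s["permission"]] > RANK[best]:
            best = s["permission"]
    return best


def describe(source):
    """Render a source as kind:name, e.g. team:company-dev."""
    name = source.get("slug") or source.get("login") or source.get("name")
    return f'{source["__typename"].lower()}:{name}'


def audit(edges):
    """Map login -> (effective permission, list of 'PERM@source', direct-grant flag).

    The flag is True when any grant comes straight from the repository
    (a direct collaborator), which violates a teams-only assignment policy.
    """
    report = {}
    for e in edges:
        srcs = e["permissionSources"]
        origins = [f'{s["permission"]}@{describe(s["source"])}' for s in srcs]
        direct = any(s["source"]["__typename"] == "Repository" for s in srcs)
        report[e["node"]["login"]] = (effective_permission(srcs), origins, direct)
    return report
```

In a real run the edges come from a paginated `collaborators` query; the origins list is what tells you whether a finding is fixed by editing a team, the org default, or a direct collaborator entry.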

atonse 3 years ago

How about using steampipe for this?

serge1978 3 years ago

This is super helpful!
