Unfortunately, it leaves a lot to be desired. I've actually had to do a fair bit of GH access reporting myself recently and I can recommend the GraphQL API as it allows you to properly list direct and indirect permissions on repositories (org + team + direct collaborator) that are alot harder to do with the REST API due to its inconsistent permissions model.
IME, the problem with the GraphQL API is that it does a poor job of indicating where permissions came from, and you have to fall back to bad heuristics.
For example, if team="company" has "READ", and team="company/dev" has "WRITE", and Bob is in team="company/dev" but not team="company", then Bob will have both "READ" and "WRITE" because of his membership in team="company/dev"; the API will give no indication that the "READ" indirectly came from team="company".
Also, the permissions that the PAT needs in order for GraphQL to even list those things is excessive.
i've also been working on a similar tool -- working towards open sourcing it too. would you be interested in taking a look? paul.quenra at conductorone com
Terraform doesn't know what it doesn't know. It only cares about stuff you defined in code and ignores all the rest. You can't use it for auditing purposes, except in its narrow scope.
As much a fan of Terraform I am. If you didn't started defining your repos in Terraform from day 0, importing hundreds of repos, members, permission sets would be quite a lot more work than running this audit tool.
Awesome! I built something like this for $JOB-1 too. Unfortunately didn't get to open source this before I left.
I built in an a mechanism for policy checks too, e.g. to check that only an allowed list of repositories was public, and that permissions were only assigned through teams.
Steampipe [1] is an open source CLI to query your cloud resources (e.g. GitHub, AWS, Splunk, etc) with SQL. The GitHub plugin has 44 tables to query [2].
The "GitHub Sherlock" mod includes 34 automated controls for organization, repo and issue best practices. The "GitHub Compliance" mod has 35 automated controls for supply chain security. Mods are written in HCL + SQL. [3]
megamorf|3 years ago
LukeShu|3 years ago
For example, if team="company" has "READ", and team="company/dev" has "WRITE", and Bob is in team="company/dev" but not team="company", then Bob will have both "READ" and "WRITE" because of his membership in team="company/dev"; the API will give no indication that the "READ" indirectly came from team="company".
Also, the permissions that the PAT needs in order for GraphQL to even list those things is excessive.
Anyway, here's my audit script for such things: https://github.com/datawire/collaborators
pquerna|3 years ago
benfrancom|3 years ago
candiddevmike|3 years ago
gtirloni|3 years ago
coenhyde|3 years ago
nikolay|3 years ago
maartenh|3 years ago
I built in an a mechanism for policy checks too, e.g. to check that only an allowed list of repositories was public, and that permissions were only assigned through teams.
atonse|3 years ago
nathanwallace|3 years ago
Steampipe [1] is an open source CLI to query your cloud resources (e.g. GitHub, AWS, Splunk, etc) with SQL. The GitHub plugin has 44 tables to query [2].
The "GitHub Sherlock" mod includes 34 automated controls for organization, repo and issue best practices. The "GitHub Compliance" mod has 35 automated controls for supply chain security. Mods are written in HCL + SQL. [3]
1 - https://steampipe.io 2 - https://hub.steampipe.io/plugins/turbot/github 3 - https://hub.steampipe.io/mods?q=github
serge1978|3 years ago