ghaudit
CLI audit tool for GitHub repositories with OPA/Rego.
Features
- Crawls GitHub repository meta data of your organization
- Evaluates the meta data with policy written by Rego or inquiry to OPA server
- Exit with non-zero when detecting violation and notify the violation to Slack
Setup
1) Create a new GitHub App
- Go to https://github.com/organizations/{your_org_name}/settings/apps and click
New GitHub App
- Input required fields and grant following permissions. Then click
Create GitHub App
- Repository permissions
- Administration: Read-only
- Content: Read-only
- Webhooks: Read-only
- Create key by clicking
Generate a private key
and save it.
- Move
Install App
page from left side bar and click Install
button of the organization you want to install
Please note the following items
2) Creating policy by Rego
Policy rules
- Package name:
github.repo
- Input data
- Result: Put detected violation
category
: Title to indicate violation category
message
: Describe violation detail
Policy example
Example 1. Check if collaborator does not have overly permissions
package github.repo
fail[res] {
user := input.collaborators[_]
true == [
user.permissions.maintain,
user.permissions.admin,
][_]
res = {
"category": "Collaborator must not have permissions of maintain and admin",
"message": sprintf("%s has maintain:%v admin:%v", [user.login, user.permissions.maintain, user.permissions.admin]),
}
}
Example 2. Check if default branch is protected
package github.repo
fail[msg] {
branch := input.branches[_]
branch.name == input.repo.default_branch
branch.protected == false
msg := {
"category": "default branch must be protected",
"message": sprintf("default branch is %s", [branch.name]),
}
}
3) [Optional] Retrieve webhook URL of Slack
ghaudit
can notify a detected violation via Slack by incoming webhook. Setup incoming webhook according to https://api.slack.com/messaging/webhooks if you want.
Run ghaudit
$ export GHAUDIT_APP_ID=000000
$ export GHAUDIT_INSTALL_ID=0000000
$ export GHAUDIT_PRIVATE_KEY_FILE=xxxxxx.2022-02-18.private-key.pem
$ export GHAUDIT_SLACK_WEBHOOK=https://hooks.slack.com/services/T00000000/B00000000/XXXXXXXXXXXXXXXXXXXXXXXX
$ ghaudit -o [your_org_name] -p ./policy
Test and debug policy
--dump
: Exports retrieved repository data to directory
--load
: Imports local repository data exported by --dump
option
--log-level dump
: Output print
result in Rego if you use local policy
Example:
(skip export environment variables)
$ ghaudit -o [your_org_name] -p ./policy --dump ./repo_data
# output repository data to ./repo_data
$ ls ./repo_data
foo-repo.json baa-repo.json
# if something wrong, update local Rego file(s), then
$ ghaudit -o [your_org_name] -p ./policy --load ./repo_data --log-level debug
# Re-evaluate updated policy with local data rapidly and output `print` function result also
Options
Required
--app-id
(GHAUDIT_APP_ID
): GitHub App ID
--install-id
(GHAUDIT_INSTALL_ID
): GitHub App install ID
- GitHub App private key: Choose either one of following:
--private-key-file
(GHAUDIT_PRIVATE_KEY_FILE
): Key file path
--private-key-data
(GHAUDIT_PRIVATE_KEY_DATA
): Key data
- Audit policy: Choose either one of following:
- Use local Rego file(s)
--policy
, -p
: Rego policy directory. Scan .rego
file recursively
--package
: Package name of policy. Default is github.repo
- Use OPA server
--server
, -s
: OPA server URL
--header
, -H
: HTTP header of inquiry request to OPA server
--dump
: Specify directory to dump retrieved data from GitHub
--load
: Specify directory to load retrieved data from GitHub
Optional
--format
, -f
: Choose text
or json
.
--output
, -o
: Output file. -
means stdout.
--slack-webhook
(GHAUDIT_SLACK_WEBHOOK
): Slack incoming webhook URL.
--fail
: Exit with non-zero when detecting violation
--thread
: Specify number of thread to retrieve repository meta data
--limit
: Specify limit number of auditing repository
License
Apache License 2.0