{"id":20148225,"url":"https://github.com/chainguard-dev/yacls","last_synced_at":"2025-04-09T19:51:37.162Z","repository":{"id":62916698,"uuid":"522970686","full_name":"chainguard-dev/yacls","owner":"chainguard-dev","description":"Collect ACLs from SaaS platforms for periodic user access reviews","archived":false,"fork":false,"pushed_at":"2025-03-31T19:39:18.000Z","size":1610,"stargazers_count":6,"open_issues_count":6,"forks_count":2,"subscribers_count":2,"default_branch":"main","last_synced_at":"2025-03-31T20:33:50.597Z","etag":null,"topics":["acl","gcp","saas","slack","yaml"],"latest_commit_sha":null,"homepage":"","language":"Go","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"apache-2.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/chainguard-dev.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2022-08-09T13:53:31.000Z","updated_at":"2025-03-31T19:36:09.000Z","dependencies_parsed_at":"2023-12-20T11:27:19.264Z","dependency_job_id":"fc4533d7-acbe-43ea-8e69-228d18713abb","html_url":"https://github.com/chainguard-dev/yacls","commit_stats":null,"previous_names":["chainguard-dev/acls-in-yaml"],"tags_count":12,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/chainguard-dev%2Fyacls","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/chainguard-dev%2Fyacls/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/chainguard-dev%2Fyacls/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/chainguard-dev%2Fyacls/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/chainguard-dev","download_url":"https://codeload.github.com/chainguard-dev/yacls/tar.gz/refs/heads/main","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":248103899,"owners_count":21048244,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["acl","gcp","saas","slack","yaml"],"created_at":"2024-11-13T22:35:46.952Z","updated_at":"2025-04-09T19:51:37.152Z","avatar_url":"https://github.com/chainguard-dev.png","language":"Go","funding_links":[],"categories":[],"sub_categories":[],"readme":"# yacls\n\n[![Go Report](https://goreportcard.com/badge/github.com/chainguard-dev/yacls)](https://goreportcard.com/badge/github.com/chainguard-dev/yacls)\n[![Latest Release](https://img.shields.io/github/v/release/chainguard-dev/yacls?include_prereleases)](https://github.com/chainguard-dev/yacls/releases/latest)\n[![stable](http://badges.github.io/stability-badges/dist/stable.svg)](http://github.com/badges/stability-badges)\n\nCollect user ACLs from SaaS platforms and export them to YAML files - optimized for diffs and readability by engineers or auditors.\n\n![yacls](images/logo-small.png?raw=true \"yacls logo\")\n\nyacls is designed to make regular access control audits easy by\noffering a familiar standardized format (YAML) for easy reviews and diffing.\n\nThe output is optimized for being reviewed by humans within a Github PR periodically\nand is carefully tuned to make policy drift easy to notice.\n\n## Supported Data Sources\n\n* 1Password (CSV)\n* Auth0 (HTML)\n* Cloudflare (HTML)\n* Docker Hub (HTML)\n* Ghost Blog (HTML)\n* Github Org Members (CSV)\n* Google Cloud Platform (gcloud)\n* Google Workspace (CSV)\n* Kolide (CSV)\n* Pulumi (HTML)\n* Secureframe (CSV)\n* Slack (CSV)\n* Vercel (HTML)\n* Webflow (HTML)\n\n## Requirements\n\n* The Go Programming Language\n\n## Installation\n\n```shell\ngo install github.com/chainguard-dev/yacls@latest\n```\n\n## Sample Output\n\nThis is the output of `yacls --vercel-html=\u003c/path/to/members.html\u003e`:\n\n```yaml\nmetadata:\n kind: vercel_members\n name: Vercel Members\n source_date: \"2022-09-21\"\n generated_at: 2022-09-21T17:01:57.546028-07:00\n generated_by: t\n process:\n - Open https://vercel.com/\n - Select your company/team\n - Click 'Settings'\n - Click 'Members'\n - Save this page (Complete)\n - Collect resulting .html file for analysis (the other files are not necessary)\n - Execute 'yacls --vercel-members-html=Members - Team Settings ā€“ Dashboard ā€“ Vercel.html'\nuser_count: 7\nusers:\n - account: john@chainguard.dev\n role: Member\n\n - account: kamelot@chainguard.dev\n role: Member\n\n - account: t@chainguard.dev\n role: Owner\nrole_count: 2\nroles:\n Member:\n - john@chainguard.dev\n - kamelot@chainguard.dev\n Owner:\n - t@chainguard.dev\n```\n\n## Example command-line\n\nCreate an audit YAML for a GCP project:\n\n```shell\nyacls --kind=gcp --project=prod-env --out-dir=./out\n```\n\nCreate an audit YAML from a Vercel page:\n\n```shell\nyacls --input vercel.html --kind vercel\n```\n\nTurn a directory full of input files into a directory full of easily auditable YAML files:\n\n```shell\nyacls --input-dir=in/ --out-dir=out/\n```\n\nThe input files should be named after the appropriate `kind`, so for instance, `ghost.csv` or `secureframe.html`.\n\n## Usage\n\nFlags for `yacls`:\n\n```yaml\n -gcp-identity-project string\n project to use for GCP Cloud Identity lookups\n -input string\n path to input file\n -kind string\n kind of input to process. valid values:\n * 1password\n * gcp\n * ghost\n * github-org\n * google-workspace-audit\n * google-workspace-users\n * kolide\n * secureframe\n * slack\n * vercel\n * webflow\n\n Detailed steps for each kind:\n\n # Ghost Blog Permissions\n\n * Open the corporate Ghost blog\n * Click 'Settings'\n * Click 'Staff'\n * Zoom out so that all users are visible on one screen\n * Save this page (Complete)\n * Collect resulting .html file for analysis (the other files are not necessary)\n * Execute 'yacls --kind={{.Kind}} --input={{.Path}}'\n\n # Github Organization Members\n\n * Open https://github.com/orgs/\u003corg\u003e/people\n * Click Export\n * Select 'CSV'\n * Download resulting CSV file for analysis\n * Execute 'yacls --kind={{.Kind}} --input={{.Path}}'\n\n # Google Cloud Project IAM Policies\n\n * Execute 'yacls --kind={{.Kind}} --project={{.Project}}'\n\n # Google Workspace User Audit\n\n * Open https://admin.google.com/ac/reporting/report/user/accounts\n * Click Download icon\n * Select All Columns\n * Click CSV\n * Download resulting CSV file for analysis\n * Execute 'yacls --kind={{.Kind}} --input={{.Path}}'\n\n # Google Workspace Users\n\n * Open https://admin.google.com/ac/users\n * Click Download users\n * Select 'All user info Columns'\n * Select 'Comma-separated values (.csv)'\n * Download resulting CSV file for analysis\n * Execute 'yacls --kind={{.Kind}} --input={{.Path}}'\n\n # Kolide Users\n\n * Open https://k2.kolide.com/3361/settings/admin/users\n * Click CSV\n * Download resulting CSV file for analysis\n * Execute 'yacls --kind={{.Kind}} --input={{.Path}}'\n\n # 1Password Team Members\n\n * To be documented\n * Download resulting CSV file for analysis\n * Execute 'yacls --kind={{.Kind}} --input={{.Path}}'\n\n # Secureframe Personnel\n\n * Open https://app.secureframe.com/personnel\n * Deselect any active filters\n * Click Export...\n * Select 'Direct Download'\n * Download resulting CSV file for analysis\n * Execute 'yacls --kind={{.Kind}} --input={{.Path}}'\n\n # Slack Members\n\n * Open Slack\n * Click \u003corg name\u003eā–¼\n * Select 'Settings \u0026 Administration'\n * Select 'Manage Members'\n * Select 'Export Member List'\n * Download resulting CSV file for analysis\n * Execute 'yacls --kind={{.Kind}} --input={{.Path}}'\n\n # Vercel Site Permissions\n\n * Open https://vercel.com/\n * Select your company/team\n * Click 'Settings'\n * Click 'Members'\n * Save this page (Complete)\n * Collect resulting .html file for analysis (the other files are not necessary)\n * Execute 'yacls --kind={{.Kind}} --input={{.Path}}'\n\n # Webflow Site Permissions\n\n * Open https://webflow.com/dashboard/sites/\u003csite\u003e/members\n * Save this page (Complete)\n * Collect resulting .html file for analysis (the other files are not necessary)\n * Execute 'yacls --kind={{.Kind}} --input={{.Path}}'\n\n -out-dir string\n output YAML files to this directory\n -project string\n specific project to process within the kind\n -serve\n Enable server mode (web UI)\n```\n\n## FAQ\n\n### Why not use the APIs provided by each vendor?\n\nThe current structure was put in place because of a separation of duties, where the person running the tool was not the one who had admin access to each SaaS platform. It doesn't help that many SaaS platforms do not provide a documented API to retrieve user lists (Vercel, I'm looking at you!)\n\nAt the moment, the only fully automated audit is GCP, though we would like to add more direct API support. HELP WANTED!\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fchainguard-dev%2Fyacls","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fchainguard-dev%2Fyacls","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fchainguard-dev%2Fyacls/lists"}