{"id":15048263,"url":"https://github.com/github/ghec-audit-log-cli","last_synced_at":"2025-10-19T22:32:59.639Z","repository":{"id":40718619,"uuid":"262014300","full_name":"github/ghec-audit-log-cli","owner":"github","description":"Query the GitHub Audit Log for your organization to send it over to other services like elastic, splunk or sentinel for visualization and security","archived":true,"fork":false,"pushed_at":"2024-10-04T12:01:31.000Z","size":391,"stargazers_count":63,"open_issues_count":11,"forks_count":11,"subscribers_count":225,"default_branch":"main","last_synced_at":"2024-12-17T02:25:32.600Z","etag":null,"topics":["audit-log","enterprise","github","services-toolbox"],"latest_commit_sha":null,"homepage":"https://github.com/github/ghec-audit-log-cli","language":"JavaScript","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"mit","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/github.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":".github/CONTRIBUTING.md","funding":null,"license":"LICENSE.md","code_of_conduct":".github/CODE_OF_CONDUCT.md","threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":".github/SECURITY.md","support":null,"governance":null}},"created_at":"2020-05-07T10:00:53.000Z","updated_at":"2024-10-08T11:20:21.000Z","dependencies_parsed_at":"2023-09-25T03:53:15.369Z","dependency_job_id":null,"html_url":"https://github.com/github/ghec-audit-log-cli","commit_stats":{"total_commits":74,"total_committers":10,"mean_commits":7.4,"dds":"0.43243243243243246","last_synced_commit":"03dce307ca2402e1f4e0db81d972360913208c3a"},"previous_names":[],"tags_count":9,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/github%2Fghec-audit-log-cli","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/github%2Fghec-audit-log-cli/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/github%2Fghec-audit-log-cli/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/github%2Fghec-audit-log-cli/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/github","download_url":"https://codeload.github.com/github/ghec-audit-log-cli/tar.gz/refs/heads/main","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":237224904,"owners_count":19275107,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["audit-log","enterprise","github","services-toolbox"],"created_at":"2024-09-24T21:09:55.732Z","updated_at":"2025-10-19T22:32:54.329Z","avatar_url":"https://github.com/github.png","language":"JavaScript","readme":"\u003e [!WARNING]\n\u003e ### This repository has been deprecated and is no longer maintained\n\u003e\n\u003e The features of this tool are now natively supported in GitHub, please explore the following options;\n\u003e - [Audit Log Streaming](https://docs.github.com/en/enterprise-cloud@latest/admin/monitoring-activity-in-your-enterprise/reviewing-audit-logs-for-your-enterprise/streaming-the-audit-log-for-your-enterprise)\n\u003e - Access the Audit Log directly via our APIs\n\u003e   - [REST API: Audit Log](https://docs.github.com/en/enterprise-cloud@latest/rest/enterprise-admin/audit-log?apiVersion=2022-11-28)\n\u003e   - [GraphQL: Audit Log](https://docs.github.com/en/enterprise-cloud@latest/graphql/reference/unions#organizationauditentry)\n\u003e - Query the Audit Log APIs via our [`gh` CLI](https://cli.github.com/manual/gh_api)\n\n# CLI for the Audit Log using GHEC\n\nThis CLI made in node helps on querying the audit log. It can query the full\naudit providing all the data the API can serve, or, given a cursor, it can\nprovide the newest entries from that specific moment.\n\nYou can build an sh script on top of this one to store the data or query it.\n\n## CLI arguments\n\nThis script can take the following arguments:\n\n```shell\n\u003e node ghec-audit-log-cli.js \"--help\"\n\nUsage: audit-log-ghec-cli [options]\n\nOptions:\n  -v, --version             Output the current version\n  -t, --token \u003cstring\u003e      the token to access the API (mandatory)\n  -o, --org \u003cstring\u003e        the organization we want to extract the audit log from\n  -cfg, --config \u003cstring\u003e   location for the config yaml file. Default \".ghec-audit-log\" (default: \"./.ghec-audit-log\")\n  -p, --pretty              prints the json data in a readable format (default: false)\n  -l, --limit \u003cnumber\u003e      a maximum limit on the number of items retrieved\n  -f, --file \u003cstring\u003e       the output file where the result should be printed\n  -a, --api \u003cstring\u003e        the version of GitHub API to call (default: \"v4\")\n  -at, --api-type \u003cstring\u003e  Only if -a is v3. API type to bring, either all, web or git (default: \"all\")\n  -c, --cursor \u003cstring\u003e     if provided, this cursor will be used to query the newest entries from the cursor provided. If not present, the result will contain all the audit log from the org\n  -s, --source              indicate what source to use for the audit logs. Valid options are enterprise or org. Default: \"org\"\n  -h, --help                display help for command\n\n```\n\nOptionally, you can create a file called `.ghec-audit-log` that supports\nthe **token** and **organization**, and omit the parameters while running the script.\n\n```yaml\norg: org-name\ntoken: xxxxxxxxxxxxxxxx\n```\n\n### About tokens and scopes\n\nTo use this CLI you will need to use a [personal access token (PAT)](https://docs.github.com/en/github/authenticating-to-github/creating-a-personal-access-token) with the correct scopes. The scopes will change depending on what source you are going to use to export the audit logs.\n\nEndpoint source | Needed scopes\n--------------- | -------------\nUser            | `read:user`\nRepository      | `public_repo`\nOrganization    | `read:org`\nEnterprise      | `admin:enterprise`\n\nIf you are running this utility against a GHEC account, we recommend that you create your PAT with both scopes.\n\n## Running the CLI\n\nExecute the command using node or npm\n\n### Pre-requisites\n\n Install the node dependencies:\n\n```shell script\n$ git clone https://github.com/github/ghec-audit-log-cli\n$ cd ghec-audit-log-cli\n$ npm install\n```\n\n### npm\n\n```shell script\n$ npm run start -- --pretty\n```\n\n### node\n\n```shell script\n$ node ghec-audit-log-cli --pretty\n```\n\n## Installing as CLI\n\nOptionally you can install the script as a CLI and run it from the command line. To install it run:\n\n```shell script\n$ git clone https://github.com/github/ghec-audit-log-cli\n$ cd ghec-audit-log-cli\n$ npm link\n```\n\nThen you can execute the script as a CLI using:\n\n```shell script\n$ ghec-audit-log-cli -v\n```\n\n## Forwarding the log using GitHub Actions\n\nOne of the most common uses of the CLI is to forward the log using GitHub actions. You can\nuse as an starter workflow the ones provided in this repository for [v3](workflows/forward-v3-workflow.yml) or [v4](workflows/forward-v4-workflow.yml)\nand integrate it with your favorite service.\n\nThis workflow:\n\n- Runs periodically\n- Grabs any existing cursor as the last item grabbed from the log\n- Grabs the latest changes from the audit log\n- Forwards those changes to a service\n- Commits the latest cursor for the next call\n\n## Releases\n\nTo create a new release of the `ghec-audit-log-cli`:\n\n- Create a new release [in the repository](https://github.com/github/ghec-audit-log-cli/releases/new) using [semantic versioning](https://semver.org/)\n- Add the changelog details for the version\n- Submit it as a draft until it's ready to be published\n\n## How to use\n\n- Clone the *audit-log-cli* repository to your Organization\n- Set the **Action** to run on Cron\n- Create the **GitHub Secrets** needed to authenticate\n- Enjoy the logs\n\n## Secret Values\n\nYou will need to create the following **Github Secrets** To allow the tool to work:\n\n- **AUDIT_LOG_TOKEN**\n  - This is a [GitHub Personal Access Token](https://docs.github.com/en/free-pro-team@latest/github/authenticating-to-github/creating-a-personal-access-token) used to authenticate to your Organization\n  - **Note:** The token must have the *admin:org* set to be able to pull information\n- **ORG_NAME**\n  - Name of the **GitHub** Organization to poll the audit log\n- **WEBHOOK_URL**\n  - URL to a service where the generated *json* information is piped\n- **COMMITTER_EMAIL**\n  - Email address for one of the primary committers on the repository\n\n### Notes\n\n- Modify the polling workflow to run on a cron, instead of push\n- The `Organization` **must** be a part of a **GitHub** Enterprise or the API calls will fail\n- The `Personal Access token` **must** be SSO enabled to query the GitHub Organization if it is enabled\n\n## Disclaimer\n\n1. This CLI provides all the events that the GitHub API offers through the [GraphQL API](https://docs.github.com/en/free-pro-team@latest/graphql/overview/schema-previews#audit-log). This is a subset of all the events that you can see through the UI.\n2. This tool will be deprecated when GitHub adds a forwarding behavior on GHEC.\n","funding_links":[],"categories":[],"sub_categories":[],"project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fgithub%2Fghec-audit-log-cli","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fgithub%2Fghec-audit-log-cli","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fgithub%2Fghec-audit-log-cli/lists"}