{"id":19561355,"url":"https://github.com/m-mizutani/ghaudit","last_synced_at":"2026-02-27T22:11:32.435Z","repository":{"id":57657798,"uuid":"461062673","full_name":"m-mizutani/ghaudit","owner":"m-mizutani","description":"CLI audit tool for GitHub organization with OPA/Rego","archived":false,"fork":false,"pushed_at":"2023-12-18T22:13:07.000Z","size":154,"stargazers_count":12,"open_issues_count":1,"forks_count":1,"subscribers_count":1,"default_branch":"main","last_synced_at":"2025-12-22T19:45:37.146Z","etag":null,"topics":["github","go","open-policy-agent","rego"],"latest_commit_sha":null,"homepage":"","language":"Go","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"apache-2.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/m-mizutani.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2022-02-19T02:08:33.000Z","updated_at":"2024-02-06T16:43:34.000Z","dependencies_parsed_at":"2024-11-11T05:11:18.807Z","dependency_job_id":null,"html_url":"https://github.com/m-mizutani/ghaudit","commit_stats":null,"previous_names":[],"tags_count":5,"template":false,"template_full_name":null,"purl":"pkg:github/m-mizutani/ghaudit","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/m-mizutani%2Fghaudit","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/m-mizutani%2Fghaudit/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/m-mizutani%2Fghaudit/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/m-mizutani%2Fghaudit/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/m-mizutani","download_url":"https://codeload.github.com/m-mizutani/ghaudit/tar.gz/refs/heads/main","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/m-mizutani%2Fghaudit/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":29917220,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-02-27T19:37:42.220Z","status":"ssl_error","status_checked_at":"2026-02-27T19:37:41.463Z","response_time":57,"last_error":"SSL_read: unexpected eof while reading","robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":false,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["github","go","open-policy-agent","rego"],"created_at":"2024-11-11T05:11:11.833Z","updated_at":"2026-02-27T22:11:32.403Z","avatar_url":"https://github.com/m-mizutani.png","language":"Go","funding_links":[],"categories":[],"sub_categories":[],"readme":"# ghaudit [![Gosec](https://github.com/m-mizutani/ghaudit/actions/workflows/gosec.yml/badge.svg)](https://github.com/m-mizutani/ghaudit/actions/workflows/gosec.yml) [![Lint](https://github.com/m-mizutani/ghaudit/actions/workflows/lint.yml/badge.svg)](https://github.com/m-mizutani/ghaudit/actions/workflows/lint.yml) [![Test](https://github.com/m-mizutani/ghaudit/actions/workflows/test.yml/badge.svg)](https://github.com/m-mizutani/ghaudit/actions/workflows/test.yml)\n\nCLI audit tool for GitHub repositories with [OPA/Rego](https://www.openpolicyagent.org/docs/latest/policy-language/).\n\n![](https://user-images.githubusercontent.com/605953/155263397-5b0363df-6c24-4ad8-80c7-50fbe0c82176.png)\n\n## Features\n\n- Crawls GitHub repository meta data of your organization\n- Evaluates the meta data with policy written by [Rego](https://www.openpolicyagent.org/docs/latest/policy-language/) or inquiry to [OPA](https://github.com/open-policy-agent/opa) server\n- Exit with non-zero when detecting violation and notify the violation to Slack\n\n## Setup\n\n### 1) Create a new GitHub App\n\n1. Go to https://github.com/organizations/{your_org_name}/settings/apps and click `New GitHub App`\n2. Input required fields and grant following permissions. Then click `Create GitHub App`\n    - Repository permissions\n        - Administration: Read-only\n        - Content: Read-only\n        - Webhooks: Read-only\n3. Create key by clicking `Generate a private key` and save it.\n4. Move `Install App` page from left side bar and click `Install` button of the organization you want to install\n\nPlease note the following items\n\n- AppID: You can find it in https://github.com/settings/apps/{your_app_name}\n- InstallID: You can find it in installation page https://github.com/organizations/{your_org_name}/settings/installations/{Install ID}\n\n### 2) Creating policy by Rego\n\n#### Policy rules\n\n- Package name: `github.repo`\n- Input data\n    - `input.repo`: Repository data (a result of https://docs.github.com/en/rest/reference/repos#get-a-repository)\n    - `input.branches`: A list of branch (a result of https://docs.github.com/en/rest/reference/branches#list-branches)\n    - `input.collaborators`: A list of collaborator (a result of https://docs.github.com/en/rest/reference/collaborators#list-repository-collaborators)\n    - `input.hooks`: A list of webhooks (a result of https://docs.github.com/en/rest/reference/webhooks#list-repository-webhooks)\n    - `input.teams`: A list of team (a result of https://docs.github.com/en/rest/reference/repos#list-repository-teams)\n    - `input.timestamp`: Unix timestamp of scan\n- Result: Put detected violation\n    - `category`: Title to indicate violation category\n    - `message`: Describe violation detail\n\n#### Policy example\n\nExample 1. Check if collaborator does not have overly permissions\n\n```rego\npackage github.repo\n\nfail[res] {\n    user := input.collaborators[_]\n    true == [\n        user.permissions.maintain,\n        user.permissions.admin,\n    ][_]\n\n    res = {\n        \"category\": \"Collaborator must not have permissions of maintain and admin\",\n        \"message\": sprintf(\"%s has maintain:%v admin:%v\", [user.login, user.permissions.maintain, user.permissions.admin]),\n    }\n}\n```\n\nExample 2. Check if default branch is protected\n\n```rego\npackage github.repo\n\nfail[msg] {\n\tbranch := input.branches[_]\n    branch.name == input.repo.default_branch\n    branch.protected == false\n    msg := {\n        \"category\": \"default branch must be protected\",\n        \"message\": sprintf(\"default branch is %s\", [branch.name]),\n    }\n}\n```\n\n### 3) [Optional] Retrieve webhook URL of Slack\n\n`ghaudit` can notify a detected violation via Slack by incoming webhook. Setup incoming webhook according to https://api.slack.com/messaging/webhooks if you want.\n\n## Run ghaudit\n\n```bash\n$ export GHAUDIT_APP_ID=000000\n$ export GHAUDIT_INSTALL_ID=0000000\n$ export GHAUDIT_PRIVATE_KEY_FILE=xxxxxx.2022-02-18.private-key.pem\n$ export GHAUDIT_SLACK_WEBHOOK=https://hooks.slack.com/services/T00000000/B00000000/XXXXXXXXXXXXXXXXXXXXXXXX\n$ ghaudit -o [your_org_name] -p ./policy\n```\n\n### Test and debug policy\n\n- `--dump`: Exports retrieved repository data to directory\n- `--load`: Imports local repository data exported by `--dump` option\n- `--log-level dump`: Output `print` result in Rego if you use local policy\n\nExample:\n```bash\n(skip export environment variables)\n$ ghaudit -o [your_org_name] -p ./policy --dump ./repo_data\n# output repository data to ./repo_data\n$ ls ./repo_data\nfoo-repo.json    baa-repo.json\n# if something wrong, update local Rego file(s), then\n$ ghaudit -o [your_org_name] -p ./policy --load ./repo_data --log-level debug\n# Re-evaluate updated policy with local data rapidly and output `print` function result also\n```\n\n### Options\n\n#### Required\n\n- `--app-id` (`GHAUDIT_APP_ID`): GitHub App ID\n- `--install-id` (`GHAUDIT_INSTALL_ID`): GitHub App install ID\n- GitHub App private key: Choose either one of following:\n    - `--private-key-file` (`GHAUDIT_PRIVATE_KEY_FILE`): Key file path\n    - `--private-key-data` (`GHAUDIT_PRIVATE_KEY_DATA`): Key data\n- Audit policy: Choose either one of following:\n    - Use local Rego file(s)\n        - `--policy`, `-p`: Rego policy directory. Scan `.rego` file recursively\n        - `--package`: Package name of policy. Default is `github.repo`\n    - Use OPA server\n        - `--server`, `-s`: OPA server URL\n        - `--header`, `-H`: HTTP header of inquiry request to OPA server\n- `--dump`: Specify directory to dump retrieved data from GitHub\n- `--load`: Specify directory to load retrieved data from GitHub\n\n#### Optional\n\n- `--format`, `-f`: Choose `text` or `json`.\n- `--output`, `-o`: Output file. `-` means stdout.\n- `--slack-webhook` (`GHAUDIT_SLACK_WEBHOOK`): Slack incoming webhook URL.\n- `--fail`: Exit with non-zero when detecting violation\n- `--thread`: Specify number of thread to retrieve repository meta data\n- `--limit`: Specify limit number of auditing repository\n\n## License\n\nApache License 2.0\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fm-mizutani%2Fghaudit","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fm-mizutani%2Fghaudit","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fm-mizutani%2Fghaudit/lists"}