{"id":17233232,"url":"https://github.com/vanderaj/owasp-policy-scanner","last_synced_at":"2025-03-26T00:35:07.497Z","repository":{"id":92169818,"uuid":"375423081","full_name":"vanderaj/owasp-policy-scanner","owner":"vanderaj","description":"Check OWASP GitHub Repos for policy requirements and leading practices","archived":false,"fork":false,"pushed_at":"2021-08-06T16:20:31.000Z","size":52,"stargazers_count":0,"open_issues_count":0,"forks_count":0,"subscribers_count":1,"default_branch":"main","last_synced_at":"2025-01-30T21:26:31.397Z","etag":null,"topics":[],"latest_commit_sha":null,"homepage":null,"language":"Go","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"gpl-3.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/vanderaj.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2021-06-09T16:35:58.000Z","updated_at":"2021-08-06T16:20:33.000Z","dependencies_parsed_at":null,"dependency_job_id":"e1512b86-d520-4ecc-9592-9bfb1534b0a7","html_url":"https://github.com/vanderaj/owasp-policy-scanner","commit_stats":{"total_commits":15,"total_committers":2,"mean_commits":7.5,"dds":0.4666666666666667,"last_synced_commit":"d4cfa3b5888b883b62924f83f9ad574f971a0152"},"previous_names":[],"tags_count":0,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/vanderaj%2Fowasp-policy-scanner","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/vanderaj%2Fowasp-policy-scanner/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/vanderaj%2Fowasp-policy-scanner/releases","manifests_url":"https://repos
.ecosyste.ms/api/v1/hosts/GitHub/repositories/vanderaj%2Fowasp-policy-scanner/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/vanderaj","download_url":"https://codeload.github.com/vanderaj/owasp-policy-scanner/tar.gz/refs/heads/main","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":245566250,"owners_count":20636417,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":[],"created_at":"2024-10-15T05:02:15.312Z","updated_at":"2025-03-26T00:35:07.446Z","avatar_url":"https://github.com/vanderaj.png","language":"Go","funding_links":[],"categories":[],"sub_categories":[],"readme":"# owasp-policy-scanner\n\nThis quick and dirty tool is the start of an API backend. It checks OWASP GitHub Repos for policy requirements and leading practices, and produces a JSON file with the results. It also dumps to the screen, but I'm assuming this will be headless.\n\n## Initial Setup \n\n### Clone repos \n\nThis tool does a lot of the heavy lifting using OWASP's GitHub repos and essentially grepping them for issues or obtaining metadata.\n\n```\nchmod +x clonerepos.sh\n./clonerepos.sh\n```\n\nThis script queries GitHub's public search API sufficient times for up to 400 repos, and creates a file called \"chapters_all.txt\" and a folder called \"chapters\". Once all repos have been de-duped, it fires off git to clone all these repos. Once the repos are cloned, you can delete the chapters_all.txt file. \n\n### Get a GitHub key\n\nGitHub APIs have a low number of API requests in a period before you get slowed down. 
You will need a lot more than that. Log in to your GitHub account and create a personal access token for API access, which raises the limit to 5,000 requests per hour. Copy the token somewhere safe, such as a password manager, because GitHub will never show it to you again. Do not check this token in; pass it on the command line with the -githubkey switch. Be aware that anything passed as a command-line argument ends up in your shell history and is visible to other users on the machine via the process list, so use a dedicated token with the minimum scopes the scan needs and revoke it when you are done; the same applies to the Meetup -username and -password flags. A future version of this tool will accept the token via an environment variable, but that is not currently implemented. \n\n### Compile the tool\n\nInstall Go from the usual place for your platform, then build:\n\n```\ngo build\n```\n\nThis produces a binary called \"scanner\". \n\n```\n./scanner -help\nUsage of ./scanner:\n  -build\n        Build Jekyll site (slow, may require super user privs)\n  -chapter string\n        Scan a single chapter\n  -githubkey string\n        Set a GitHub API access token\n  -gitpull\n        Update and force reset GitHub repos (slow) (default true)\n  -meetup\n        Show Meetup Group status (slow)\n  -pages\n        Show chapter page status\n  -password string\n        Meetup Password\n  -policy\n        Only show potential policy violations\n  -username string\n        Meetup Username\n```\n\nThe tool does not (yet) make enough Meetup queries to need a Meetup API key, but it pauses when it runs out of requests. The pause is short, so no message is shown. If you run the tool a lot, GitHub's rate limit will force it to sleep for up to 60 minutes at a time, so run it with the -meetup or -pages flags about once a day; otherwise it will never finish. \n\n## Usage\n\n### Comprehensive scan with all the bells and whistles\n\nThis will take a lot of time and needs a GitHub API token. 
The results will be saved in the scanner_results.json file, but you can watch progress on the console or go make an espresso.\n\n```\n% ./scanner -githubkey xxxxxxxx -meetup -gitpull -pages\nOWASP Policy Scanner Tool\n\nScanning chapter  www-chapter-aarhus\nInfo: Updating www-chapter-aarhus\nAlready up to date.\nInfo: GitHub Pages published for www-chapter-aarhus\nInfo: .gitignore does not have _site in file chapters/www-chapter-aarhus/.gitignore\nInfo: .gitignore does not have Gemfile.lock in file chapters/www-chapter-aarhus/.gitignore\nInfo: Meetup OWASP-Aarhus-Chapter exists, is active, 274 members, 0 upcoming events, 7 past events\nInfo: Meetup metadata and JavaScript present\n\nScanning chapter  www-chapter-abidjan\nInfo: Updating www-chapter-abidjan\nAlready up to date.\nInfo: GitHub Pages published for www-chapter-abidjan\nInfo: .gitignore does not have _site in file chapters/www-chapter-abidjan/.gitignore\nInfo: .gitignore does not have Gemfile.lock in file chapters/www-chapter-abidjan/.gitignore\nLow: Example tab found at: chapters/www-chapter-abidjan/tab_example.md\n\nScanning chapter  www-chapter-abu-dhabi\n...\n```\n\n### Running it on a single chapter\n\nYou can run the tool on a single chapter with the -chapter flag:\n\n```\n% ./scanner -githubkey xxxxxxxx -meetup -gitpull -pages -chapter www-chapter-london\nOWASP Policy Scanner Tool\n\nScanning chapter  www-chapter-london\nInfo: Updating www-chapter-london\nAlready up to date.\nInfo: GitHub Pages published for www-chapter-london\nInfo: .gitignore does not have _site in file chapters/www-chapter-london/.gitignore\nInfo: .gitignore does not have Gemfile.lock in file chapters/www-chapter-london/.gitignore\nInfo: Meetup OWASP-London exists, is active, 1202 members, 0 upcoming events, 25 past events\nInfo: Meetup metadata and JavaScript present\nHigh: Old individual membership link in chapters/www-chapter-london/info.md on line 2\nLow: Old wiki link found in chapters/www-chapter-london/info.md on line 2\nHigh: Old donate 
mechanism in chapters/www-chapter-london/tab_pastevents.md on line 394\nHigh: Old conference policy in chapters/www-chapter-london/tab_pastevents.md on line 287\nHigh: Old conference policy in chapters/www-chapter-london/tab_pastevents.md on line 424\nHigh: Old conference policy in chapters/www-chapter-london/tab_pastevents.md on line 533\nHigh: Old conference policy in chapters/www-chapter-london/tab_pastevents.md on line 605\nLow: Old wiki link found in chapters/www-chapter-london/tab_pastevents.md on line 287\n```\n\n### Just the policy, ma'am\n\nThe Chapter Policy lists things chapter leaders are required to do. Keeping track of them in a Jekyll site is not easy and people often forget, so the -policy flag outputs only potential policy violations (the POLICY lines) and suppresses the other findings. \n\n```\n% ./scanner -githubkey xxxxxx -meetup -gitpull -pages -chapter www-chapter-ankara -policy \nOWASP Policy Scanner Tool\n\nScanning chapter  www-chapter-ankara\nAlready up to date.\nPOLICY: GitHub Pages are disabled for www-chapter-ankara\nPOLICY: www-chapter-ankara has 1 leaders\nPOLICY: Meetup Group does not exist for OWASP-Ankara-Chapter\nPOLICY: www-chapter-ankara has 0 leaders\n```\n\n### Quick and dirty incremental scan\n\nRun the tool with no flags:\n\n```\n% ./scanner\n[ lots and lots of output truncated]\n```\n\nThis mode does not update the GitHub repos and makes no API calls, so it is fast.\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fvanderaj%2Fowasp-policy-scanner","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fvanderaj%2Fowasp-policy-scanner","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fvanderaj%2Fowasp-policy-scanner/lists"}
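The checks visible in the README's sample output (missing `.gitignore` entries, a template example tab left in place, old wiki links) amount to grepping each cloned chapter repo and tagging each hit with a severity. The Go program below is an added example written for this page, not code from the owasp-policy-scanner project: it runs that kind of check over an in-memory chapter (a constructed map of relative path to file contents) so it needs neither a clone nor a GitHub token, and renders findings in the `Severity: message in file on line N` shape the README shows. The old-wiki-link pattern (`owasp.org/index.php`), the exact messages and the sample chapter are assumptions chosen to mirror the sample output, not the tool's own rules.

```go
package main

import (
	"fmt"
	"regexp"
	"sort"
	"strings"
)

// Finding is one line of scanner output: a severity label, what was found,
// and where (Line is 0 for file-level findings).
type Finding struct {
	Severity string // "Info", "Low" or "High"
	Message  string
	File     string
	Line     int
}

// String renders a finding the way the README's console output reads.
func (f Finding) String() string {
	if f.Line > 0 {
		return fmt.Sprintf("%s: %s in %s on line %d", f.Severity, f.Message, f.File, f.Line)
	}
	return fmt.Sprintf("%s: %s in file %s", f.Severity, f.Message, f.File)
}

// oldWikiLink matches links into the retired OWASP MediaWiki site.
// The pattern is an assumption for this example, not the tool's own rule.
var oldWikiLink = regexp.MustCompile(`https?://(www\.)?owasp\.org/index\.php`)

// checkGitignore reports which of the two entries the README output expects
// (_site and Gemfile.lock) are missing from a chapter's .gitignore.
func checkGitignore(chapter, content string) []Finding {
	have := map[string]bool{}
	for _, raw := range strings.Split(content, "\n") {
		have[strings.TrimSpace(raw)] = true
	}
	var out []Finding
	for _, want := range []string{"_site", "Gemfile.lock"} {
		if !have[want] {
			out = append(out, Finding{"Info", ".gitignore does not have " + want, chapter + "/.gitignore", 0})
		}
	}
	return out
}

// checkOldLinks greps one Markdown file, line by line, for old wiki links.
func checkOldLinks(path, content string) []Finding {
	var out []Finding
	for i, line := range strings.Split(content, "\n") {
		if oldWikiLink.MatchString(line) {
			out = append(out, Finding{"Low", "Old wiki link found", path, i + 1})
		}
	}
	return out
}

// scanChapter runs every check over an in-memory chapter repo
// (relative path -> contents), so it needs neither git nor the GitHub API.
func scanChapter(chapter string, files map[string]string) []Finding {
	out := checkGitignore(chapter, files[".gitignore"])
	if _, ok := files["tab_example.md"]; ok {
		out = append(out, Finding{"Low", "Example tab found", chapter + "/tab_example.md", 0})
	}
	names := make([]string, 0, len(files))
	for n := range files {
		names = append(names, n)
	}
	sort.Strings(names) // deterministic output regardless of map iteration order
	for _, n := range names {
		if strings.HasSuffix(n, ".md") {
			out = append(out, checkOldLinks(chapter+"/"+n, files[n])...)
		}
	}
	return out
}

func main() {
	// Constructed sample chapter for illustration; not a real OWASP repo.
	files := map[string]string{
		".gitignore":     "_site\n",
		"info.md":        "# Example chapter\nSee https://www.owasp.org/index.php/Example\n",
		"tab_example.md": "Example tab left over from the template\n",
	}
	fmt.Println("Scanning chapter  www-chapter-example")
	for _, f := range scanChapter("chapters/www-chapter-example", files) {
		fmt.Println(f)
	}
}
```

Because every check is a pure function over file contents, the same code can be run offline against an already cloned `chapters` folder by reading each repo into the map, which is what makes a no-network incremental scan cheap.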