Ecosyste.ms: Awesome

An open API service indexing awesome lists of open source software.

Awesome Lists | Featured Topics | Projects

https://github.com/alixinne/ghsec

GitHub Security Linter, written in Rust
https://github.com/alixinne/ghsec

actions github rust security

Last synced: 27 days ago
JSON representation

GitHub Security Linter, written in Rust

Host: GitHub
URL: https://github.com/alixinne/ghsec
Owner: alixinne
License: mit
Created: 2023-12-26T00:31:33.000Z (11 months ago)
Default Branch: master
Last Pushed: 2024-09-17T17:56:36.000Z (2 months ago)
Last Synced: 2024-09-19T15:18:17.100Z (about 2 months ago)
Topics: actions, github, rust, security
Language: Rust
Homepage: https://vtavernier.github.io/ghsec/ghsec/
Size: 45.9 KB
Stars: 1
Watchers: 1
Forks: 0
Open Issues: 4
Metadata Files:
- Readme: README.md
- Changelog: CHANGELOG.md
- License: LICENSE
- Codeowners: CODEOWNERS

Awesome Lists containing this project

README

# [ghsec](https://github.com/alixinne/ghsec)

[![main](https://github.com/alixinne/ghsec/actions/workflows/main.yml/badge.svg?event=push)](https://github.com/alixinne/ghsec/actions/workflows/main.yml)

ghsec is an opinionated linter (with fixes) for public GitHub repository security. It helps
diagnose and fix potential security issues caused by GitHub repository settings that are
usually too open by default.

### Installation

#### From source

```bash
cargo install --force --locked ghsec
```

#### With [cargo-binstall](https://github.com/cargo-bins/cargo-binstall)

```bash
cargo binstall ghsec
```

### Usage

You will need a personal access token with admin access level to your repositories. Currently,
this tool has only been tested with classic tokens with the repo scope.

```bash
# Provide a GitHub personal access token with admin access to your repositories
export GITHUB_TOKEN=ghp_.....

# Run the checks
ghsec

# Run the checks and fix the issues, if possible
ghsec --fix

# You can also specify repositories to check using a unix-style glob
ghsec 'workflows-*'
```

### Supported checks

- [`branch_protections`](https://alixinne.github.io/ghsec/ghsec/checks/branch_protections/index.html):
check branch protection settings
- [`code_review_limits`](https://alixinne.github.io/ghsec/ghsec/checks/code_review_limits/index.html):
check account settings for code review limits
- [`default_workflow_permissions`](https://alixinne.github.io/ghsec/ghsec/checks/default_worfklow_permissions/index.html):
use secure defaults for "Default Workflow Permissions"
- [`fork_pull_request_workflows`](https://alixinne.github.io/ghsec/ghsec/checks/fork_pull_request_workflows/index.html):
check repository settings for public fork pull request workflow runs
- [`repository_secrets`](https://alixinne.github.io/ghsec/ghsec/checks/repository_secrets/index.html):
list repositories containing GitHub Actions secrets

## License

This project is licensed under the [MIT License](LICENSE).