Show HN: GitHub Org Audit Tool (opens in new tab)

(github.com)

57 pointsbenfrancom3y ago23 comments

This is a tool for auditing github organizations including their repos, users, and teams. It is useful for compliance, security and auditing.

23 comments

megamorf3y ago

Unfortunately, it leaves a lot to be desired. I've actually had to do a fair bit of GH access reporting myself recently and I can recommend the GraphQL API as it allows you to properly list direct and indirect permissions on repositories (org + team + direct collaborator) that are alot harder to do with the REST API due to its inconsistent permissions model.

LukeShu3y ago

IME, the problem with the GraphQL API is that it does a poor job of indicating where permissions came from, and you have to fall back to bad heuristics.

For example, if team="company" has "READ", and team="company/dev" has "WRITE", and Bob is in team="company/dev" but not team="company", then Bob will have both "READ" and "WRITE" because of his membership in team="company/dev"; the API will give no indication that the "READ" indirectly came from team="company".

Also, the permissions that the PAT needs in order for GraphQL to even list those things is excessive.

Anyway, here's my audit script for such things: https://github.com/datawire/collaborators

megamorf3y ago

That's actually incorrect. Check out this query: https://gist.github.com/megamorf/9c105ac9cc13a93b5449a7b683d...

I have added two output examples. One for when you only want to find users that have been directly assigned to a repo (DIRECT) and one that shows how their roles and team memberships decide what permissions they have on a repo.

1 more reply

sigio3y ago

Having write already implies that you have read, it't not something related to being in a team with read, it's just that write always gives you read. The permission levels are pull(read), triage(read+issues/pr's), push(read+write), maintain, and admin

1 more reply

pquerna3y ago

i've also been working on a similar tool -- working towards open sourcing it too. would you be interested in taking a look? paul.quenra at conductorone com

kataklasm3y ago

I believe you might have a typo in your mail? Just making sure you're not missing out on something useful :)

1 more reply

benfrancomOP3y ago

Nice, do you have anything you can share?

candiddevmike3y ago

Why audit when you can declare all of this in Terraform? https://registry.terraform.io/providers/integrations/github/...

gtirloni3y ago

Terraform doesn't know what it doesn't know. It only cares about stuff you defined in code and ignores all the rest. You can't use it for auditing purposes, except in its narrow scope.

coenhyde3y ago

As much a fan of Terraform I am. If you didn't started defining your repos in Terraform from day 0, importing hundreds of repos, members, permission sets would be quite a lot more work than running this audit tool.

andrewstuart23y ago

And quite frankly, terraform is great at first, and maybe for smaller projects, but for larger cases it becomes unmaintainable and unrefactorable pretty quickly.

playingalong3y ago

And here comes Terraformer: https://github.com/GoogleCloudPlatform/terraformer It doesn't import anything, but generates the .tf files for you.

Disclaimer: I have used that, but not for GitHub.

nikolay3y ago

I use that provider - it's one of the buggiest Terraform providers ever!

maartenh3y ago

Awesome! I built something like this for $JOB-1 too. Unfortunately didn't get to open source this before I left.

I built in an a mechanism for policy checks too, e.g. to check that only an allowed list of repositories was public, and that permissions were only assigned through teams.

atonse3y ago

How about using steampipe for this?

nathanwallace3y ago

Thanks atonse for the shout out!

Steampipe [1] is an open source CLI to query your cloud resources (e.g. GitHub, AWS, Splunk, etc) with SQL. The GitHub plugin has 44 tables to query [2].

The "GitHub Sherlock" mod includes 34 automated controls for organization, repo and issue best practices. The "GitHub Compliance" mod has 35 automated controls for supply chain security. Mods are written in HCL + SQL. [3]

1 - https://steampipe.io 2 - https://hub.steampipe.io/plugins/turbot/github 3 - https://hub.steampipe.io/mods?q=github

FBISurveillance3y ago

Quick feedback: Just noticed that you can get rid of one setup step at https://steampipe.io/downloads - you don't need to brew tap & brew install, you can just use one command: `brew install turbot/tap/steampipe` without doing `brew tap` first.

1 more reply

benfrancomOP3y ago

Thanks for sharing! Love these other options!

serge19783y ago

This is super helpful!

j / k navigate · click thread line to collapse

23 comments

megamorf3y ago

LukeShu3y ago

IME, the problem with the GraphQL API is that it does a poor job of indicating where permissions came from, and you have to fall back to bad heuristics.

Also, the permissions that the PAT needs in order for GraphQL to even list those things is excessive.

Anyway, here's my audit script for such things: https://github.com/datawire/collaborators

megamorf3y ago

That's actually incorrect. Check out this query: https://gist.github.com/megamorf/9c105ac9cc13a93b5449a7b683d...

1 more reply

sigio3y ago

1 more reply

pquerna3y ago

i've also been working on a similar tool -- working towards open sourcing it too. would you be interested in taking a look? paul.quenra at conductorone com

kataklasm3y ago

I believe you might have a typo in your mail? Just making sure you're not missing out on something useful :)

1 more reply

benfrancomOP3y ago

Nice, do you have anything you can share?

candiddevmike3y ago

Why audit when you can declare all of this in Terraform? https://registry.terraform.io/providers/integrations/github/...

gtirloni3y ago

Terraform doesn't know what it doesn't know. It only cares about stuff you defined in code and ignores all the rest. You can't use it for auditing purposes, except in its narrow scope.

coenhyde3y ago

andrewstuart23y ago

And quite frankly, terraform is great at first, and maybe for smaller projects, but for larger cases it becomes unmaintainable and unrefactorable pretty quickly.

playingalong3y ago

And here comes Terraformer: https://github.com/GoogleCloudPlatform/terraformer It doesn't import anything, but generates the .tf files for you.

Disclaimer: I have used that, but not for GitHub.

nikolay3y ago

I use that provider - it's one of the buggiest Terraform providers ever!

maartenh3y ago

Awesome! I built something like this for $JOB-1 too. Unfortunately didn't get to open source this before I left.

I built in an a mechanism for policy checks too, e.g. to check that only an allowed list of repositories was public, and that permissions were only assigned through teams.

atonse3y ago

How about using steampipe for this?

nathanwallace3y ago

Thanks atonse for the shout out!

Steampipe [1] is an open source CLI to query your cloud resources (e.g. GitHub, AWS, Splunk, etc) with SQL. The GitHub plugin has 44 tables to query [2].

1 - https://steampipe.io 2 - https://hub.steampipe.io/plugins/turbot/github 3 - https://hub.steampipe.io/mods?q=github

FBISurveillance3y ago

1 more reply

benfrancomOP3y ago

Thanks for sharing! Love these other options!

serge19783y ago

This is super helpful!

j / k navigate · click thread line to collapse