
crashappsec/github-analyzer


Github Analyzer

Audits a GitHub organization for potential security issues. The tool is currently in pre-alpha and supports only limited functionality; we will be actively adding checks in the upcoming months and welcome feature requests or contributions! Once the analysis is complete, a static HTML page summarising the results is served at localhost:3000, as shown below:

[Screenshot: gh-analyzer summary page]

Available Checks

| Name | Category | Severity | Resource Affected |
|------|----------|----------|-------------------|
| Application restrictions disabled | Least Privilege | High | Organization |
| Insecure Webhook payload URL | Information Disclosure | High | Webhook |
| Advanced security disabled for new repositories | Tooling and Automation Configuration | Medium | Organization |
| Secret scanning disabled for new repositories | Tooling and Automation Configuration | Medium | Organization |
| Organization 2FA disabled | Authentication | Medium | Organization |
| Users without 2FA configured | Authentication | Low | User Account |
| Permissions overview for users | Least Privilege | Informational | User Account |
| OAuth application summary | Least Privilege | Informational | Organization |

Sample Output

For each issue identified, a JSON object with the associated information is generated. A sample output snippet follows:

...
 {
  "id": "CONFIG_AS_1",
  "name": "Secret scanning disabled for new repositories",
  "severity": 3,
  "category": "Information disclosure to untrusted parties",
  "tags": [
   "GitHub Advanced Security feature"
  ],
  "description": "Secret scanning disabled for org testorg",
  "resource": [
   {
    "id": "testorg",
    "kind": "Organization"
   }
  ],
  "cwes": [
   319
  ],
  "remediation": "Please see https://docs.github.com/en/github-ae@latest/code-security/secret-scanning/configuring-secret-scanning-for-your-repositories for how to enable secret scanning in your repositories"
 },
 {
  "id": "AUTH_2FA_2",
  "name": "Users without 2FA configured",
  "severity": 2,
  "category": "Authentication",
  "description": "The following collaborators have not enabled 2FA: testuser1, testuser2",
  "resource": [
   {
    "id": "testuser1",
    "kind": "UserAccount"
   },
   {
    "id": "testuser2",
    "kind": "UserAccount"
   }
  ],
  "cwes": [
   308
  ],
  "remediation": "Please see https://docs.github.com/en/authentication/securing-your-account-with-two-factor-authentication-2fa/configuring-two-factor-authentication for steps on how to configure 2FA for individual accounts"
 }
...
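As an added example (not part of the github-analyzer code base), the following Go program parses findings in the JSON shape shown above and lists the affected resources per kind for findings at or above a chosen severity, which is the kind of post-processing a team would do to fail a CI job or open tickets. It assumes the array layout of the snippet, and it treats severity 3 as the Medium threshold only because the sample shows 3 for a Medium finding and 2 for a Low one; that mapping is inferred from the sample, not documented here.

```go
package main

import "encoding/json"
import "fmt"

// Resource is one affected object in a finding (field names follow the sample output above).
type Resource struct {
	ID   string `json:"id"`
	Kind string `json:"kind"`
}

// Finding declares only the fields used below; encoding/json ignores the rest.
type Finding struct {
	ID       string     `json:"id"`
	Severity int        `json:"severity"`
	Resource []Resource `json:"resource"`
}

// ParseFindings decodes the JSON array of findings the analyzer writes.
func ParseFindings(data []byte) ([]Finding, error) {
	var findings []Finding
	if err := json.Unmarshal(data, &findings); err != nil {
		return nil, fmt.Errorf("decoding findings: %w", err)
	}
	return findings, nil
}

// ResourcesAtOrAbove maps resource kind to the ids touched by findings with severity >= minSeverity.
func ResourcesAtOrAbove(findings []Finding, minSeverity int) map[string][]string {
	out := map[string][]string{}
	for _, f := range findings {
		if f.Severity >= minSeverity {
			for _, r := range f.Resource {
				out[r.Kind] = append(out[r.Kind], r.ID)
			}
		}
	}
	return out
}

// sampleOutput is constructed from the snippet above (two findings); it is not a real scan result.
const sampleOutput = `[{"id":"CONFIG_AS_1","severity":3,"resource":[{"id":"testorg","kind":"Organization"}]},{"id":"AUTH_2FA_2","severity":2,"resource":[{"id":"testuser1","kind":"UserAccount"},{"id":"testuser2","kind":"UserAccount"}]}]`

func main() {
	findings, err := ParseFindings([]byte(sampleOutput))
	if err != nil {
		panic(err)
	}
	fmt.Println(ResourcesAtOrAbove(findings, 3)) // map[Organization:[testorg]]
}
```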

How to run

You can see available options via the --help flag.

Running locally

  • Install with:
    go install -v github.com/crashappsec/github-analyzer/cmd/github-analyzer@latest
  • Run with:
    $GOPATH/bin/github-analyzer \
      --organization <your org name> \
      --token "$GH_SECURITY_AUDITOR_TOKEN"

Running using Docker

  • After cloning the repo, build the container using:

    docker compose build --no-cache
  • Run

    docker compose run \
        --rm --service-ports \
        github-analyzer \
            --organization <your org name> \
            --output output \
            --token "$GH_SECURITY_AUDITOR_TOKEN"

Permissions

For API-based checks, you need to pass in a GitHub token (either a personal access token (PAT) or a token derived from a GitHub App installation) with the appropriate permissions. Example usage:

github-analyzer \
    --organization <your org name> \
    --token "$GH_SECURITY_AUDITOR_TOKEN"

See our wiki for instructions on setting up a token to be used with the github-analyzer.

For experimental scraping-based checks, you need to pass in your username and password, as well as the seed for your two-factor authentication one-time password (OTP) where required. Example usage:

github-analyzer \
    --organization crashappsec \
    --token "$GH_SECURITY_AUDITOR_TOKEN" \
    --userPermissionStats \
    --enableScraping \
    --username "$GH_SECURITY_AUDITOR_USERNAME" \
    --password "$GH_SECURITY_AUDITOR_PASSWORD" \
    --otpSeed "$GH_SECURITY_AUDITOR_OTP_SEED"

See our wiki for instructions on setting up a token to be used with the analyzer.

Credits

The project was originally ported from Mike de Libero's auditor with the author's permission.