github.com/crashappsec/github-analyzer (Go module, version 0.1.5-alpha)
Repository: https://github.com/crashappsec/github-analyzer.git
Documentation: pkg.go.dev

# README


## Github Analyzer

Audits a GitHub organization for potential security issues. The tool is currently in pre-alpha stage and only supports limited functionality; we will be actively adding checks in the upcoming months, and welcome feature requests or contributions! Once the analysis is complete, a static HTML page with a summary of the results is served at localhost:3000.


## Available Checks

| Name | Category | Severity | Resource Affected |
| --- | --- | --- | --- |
| Application restrictions disabled | Least Privilege | High | Organization |
| Insecure Webhook payload URL | Information Disclosure | High | Webhook |
| Advanced security disabled for new repositories | Tooling and Automation Configuration | Medium | Organization |
| Secret scanning disabled for new repositories | Tooling and Automation Configuration | Medium | Organization |
| Organization 2FA disabled | Authentication | Medium | Organization |
| Users without 2FA configured | Authentication | Low | User Account |
| Permissions overview for users | Least Privilege | Informational | User Account |
| OAuth application summary | Least Privilege | Informational | Organization |

## Sample Output

For each issue identified, a JSON object with the associated information is generated. A sample output snippet is as follows:

```json
...
 {
  "id": "CONFIG_AS_1",
  "name": "Secret scanning disabled for new repositories",
  "severity": 3,
  "category": "Information disclosure to untrusted parties",
  "tags": [
   "GitHub Advanced Security feature"
  ],
  "description": "Secret scanning disabled for org testorg",
  "resource": [
   {
    "id": "testorg",
    "kind": "Organization"
   }
  ],
  "cwes": [
   319
  ],
  "remediation": "Pleasee see https://docs.github.com/en/github-ae@latest/code-security/secret-scanning/configuring-secret-scanning-for-your-repositories for how to enable secret scanning in your repositories"
 },
 {
  "id": "AUTH_2FA_2",
  "name": "Users without 2FA configured",
  "severity": 2,
  "category": "Authentication",
  "description": "The following collaborators have not enabled 2FA: testuser1, testuser2",
  "resource": [
   {
    "id": "testuser1",
    "kind": "UserAccount"
   },
   {
    "id": "testuser2",
    "kind": "UserAccount"
   }
  ],
  "cwes": [
   308
  ],
  "remediation": "Please see https://docs.github.com/en/authentication/securing-your-account-with-two-factor-authentication-2fa/configuring-two-factor-authentication for steps on how to configure 2FA for individual accounts"
 }
...
```
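The three organization-level checks in the table above (Organization 2FA disabled, Advanced security disabled for new repositories, Secret scanning disabled for new repositories) all reduce to reading boolean fields of the `GET /orgs/{org}` response and emitting a finding in the format shown in the sample output. The Go program below is an added example and is not code from the github-analyzer project. It assumes the following: the numeric severity `3` stands for Medium (taken from the sample above), `CONFIG_AS_1` is the only real finding id (the `EXAMPLE_*` ids are placeholders), the `sampleOrg` body is constructed for offline use, and the `fetchOrg` helper is a hypothetical minimal client. The point a practitioner should note is that GitHub only returns these fields to organization owners (or security managers); the example keeps them as `*bool` so a field that is absent because the token lacks visibility is reported as "not checked" instead of being mistaken for a pass.

```go
package main

import (
	"context"
	"encoding/json"
	"fmt"
	"io"
	"net/http"
)

// Issue mirrors the finding format shown under "Sample Output".
type Issue struct {
	ID          string     `json:"id"`
	Name        string     `json:"name"`
	Severity    int        `json:"severity"`
	Category    string     `json:"category"`
	Description string     `json:"description"`
	Resource    []Resource `json:"resource"`
	CWEs        []int      `json:"cwes,omitempty"`
	Remediation string     `json:"remediation"`
}

// Resource is the affected object of a finding (Organization, UserAccount, ...).
type Resource struct {
	ID   string `json:"id"`
	Kind string `json:"kind"`
}

// severityMedium is the numeric value the sample output uses for a Medium finding.
const severityMedium = 3

// orgSettings carries the GET /orgs/{org} fields the three org-level checks read.
// They are *bool on purpose: GitHub omits these fields unless the token belongs to
// an organization owner, so "absent" must surface as "not checked", not as a pass.
type orgSettings struct {
	Login                       string `json:"login"`
	TwoFactorRequirementEnabled *bool  `json:"two_factor_requirement_enabled"`
	AdvancedSecurityNewRepos    *bool  `json:"advanced_security_enabled_for_new_repositories"`
	SecretScanningNewRepos      *bool  `json:"secret_scanning_enabled_for_new_repositories"`
}

// fetchOrg (hypothetical helper) fetches the organization object with a PAT or installation token.
func fetchOrg(ctx context.Context, token, org string) ([]byte, error) {
	req, err := http.NewRequestWithContext(ctx, http.MethodGet, "https://api.github.com/orgs/"+org, nil)
	if err != nil {
		return nil, err
	}
	req.Header.Set("Authorization", "Bearer "+token)
	req.Header.Set("Accept", "application/vnd.github+json")
	resp, err := http.DefaultClient.Do(req)
	if err != nil {
		return nil, err
	}
	defer resp.Body.Close()
	if resp.StatusCode != http.StatusOK {
		return nil, fmt.Errorf("GET /orgs/%s: %s", org, resp.Status)
	}
	return io.ReadAll(resp.Body)
}

// Evaluate runs the org-level checks over a GET /orgs/{org} response body and
// returns the findings plus the names of checks that could not be decided.
func Evaluate(body []byte) ([]Issue, []string, error) {
	var s orgSettings
	if err := json.Unmarshal(body, &s); err != nil {
		return nil, nil, err
	}
	org := []Resource{{ID: s.Login, Kind: "Organization"}}
	// CONFIG_AS_1 is taken from the sample output; the EXAMPLE_* ids are placeholders.
	checks := []struct {
		enabled *bool
		issue   Issue
	}{
		{s.TwoFactorRequirementEnabled, Issue{ID: "EXAMPLE_ORG_2FA", Name: "Organization 2FA disabled",
			Severity: severityMedium, Category: "Authentication", CWEs: []int{308},
			Description: "Two-factor authentication is not required for members of org " + s.Login,
			Remediation: "Require 2FA in the organization's authentication security settings"}},
		{s.AdvancedSecurityNewRepos, Issue{ID: "EXAMPLE_ORG_GHAS", Name: "Advanced security disabled for new repositories",
			Severity: severityMedium, Category: "Tooling and Automation Configuration",
			Description: "GitHub Advanced Security is not enabled for new repositories in org " + s.Login,
			Remediation: "Enable Advanced Security for new repositories in the organization's code security settings"}},
		{s.SecretScanningNewRepos, Issue{ID: "CONFIG_AS_1", Name: "Secret scanning disabled for new repositories",
			Severity: severityMedium, Category: "Information disclosure to untrusted parties", CWEs: []int{319},
			Description: "Secret scanning disabled for org " + s.Login,
			Remediation: "Please see https://docs.github.com/en/github-ae@latest/code-security/secret-scanning/configuring-secret-scanning-for-your-repositories for how to enable secret scanning in your repositories"}},
	}
	var issues []Issue
	var skipped []string
	for _, c := range checks {
		switch {
		case c.enabled == nil: // field not returned: token lacks owner visibility
			skipped = append(skipped, c.issue.Name)
		case !*c.enabled:
			c.issue.Resource = org
			issues = append(issues, c.issue)
		}
	}
	return issues, skipped, nil
}

// sampleOrg is a constructed GET /orgs/{org} body (not real data) so the example runs offline.
const sampleOrg = `{"login": "testorg", "two_factor_requirement_enabled": false,
  "advanced_security_enabled_for_new_repositories": true,
  "secret_scanning_enabled_for_new_repositories": false}`

func main() {
	issues, skipped, err := Evaluate([]byte(sampleOrg))
	if err != nil {
		panic(err)
	}
	out, _ := json.MarshalIndent(issues, "", " ")
	fmt.Println(string(out))
	fmt.Println("not checked (token lacks owner visibility):", skipped)
}
```

With the constructed body, `Evaluate` yields two findings (organization 2FA and secret scanning) and skips nothing; with a body that carries only `login`, as a non-owner token would see, all three checks land in the skipped list, which is the behaviour you want from an auditor rather than a clean report.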

## How to run

You can see available options via the --help flag.

### Running locally

• Install with:

  ```shell
  go install -v github.com/crashappsec/github-analyzer/cmd/github-analyzer@latest
  ```

• Run with:

  ```shell
  $GOPATH/bin/github-analyzer \
    --organization <your org name> \
    --token "$GH_SECURITY_AUDITOR_TOKEN"
  ```

### Running using Docker

• After cloning the repo, build the container using:

  ```shell
  docker compose build --no-cache
  ```

• Run with:

  ```shell
  docker compose run \
      --rm --service-ports \
      github-analyzer \
          --organization <your org name> \
          --output output \
          --token "$GH_SECURITY_AUDITOR_TOKEN"
  ```

## Permissions

For API-based checks, you need to pass in a GitHub token (either a personal access token (PAT) or a token derived from a GitHub App installation) with the appropriate permissions. Example usage:

```shell
github-analyzer \
    --organization <your org name> \
    --token "$GH_SECURITY_AUDITOR_TOKEN"
```

See our wiki for instructions on setting up a token to be used with the github-analyzer.

For the experimental scraping-based checks, you need to pass in your username and password, as well as your two-factor authentication one-time password, as needed. Example usage:

```shell
github-analyzer \
    --organization crashappsec \
    --token "$GH_SECURITY_AUDITOR_TOKEN" \
    --userPermissionStats \
    --enableScraping \
    --username "$GH_SECURITY_AUDITOR_USERNAME" \
    --password "$GH_SECURITY_AUDITOR_PASSWORD" \
    --otpSeed "$GH_SECURITY_AUDITOR_OTP_SEED"
```

See our wiki for instructions on setting up a token to be used with the analyzer.

## Credits

The project was originally ported from Mike de Libero's auditor with the author's permission.
