CLI utility to interact with GitHub Advanced Security ("GHAS").
It allows to deploy GHAS features individually or at scale, while taking into account each repository configuration.
More specifically, it automates the following:
- Ensure GitHub Actions are properly enabled for the repository (required for CodeQL),
- Enable Secret Scanner, and create an informative issue
- Enable Push Protection, and create an informative issue
- Enable Dependabot and create an informative issue
- Enable the Dependency Reviewer and create an informative issue
- Open a PR to deploy Code Scanning with a custom configuration tuned for each repository's languages and non-main default branch (e.g
mainormasterare not hardcoded, it determines the proper default branch automatically), - Cleanup legacy Mend issues on each repository
Each of these actions can also open an issue explaining each feature, how to use them, and what to eventually do before they are fully enabled.
See ./templates to get an overview of these issues!
To follow your deployment, ghas-cli outputs results in a csv file indicating the deployment status of each feature for each repository.
You can work on a single repository or on thousands of them. In that case, ghas-cli does its best to overcome GitHub's rate limits...
Builds are available in the Releases tab.
- Pypi:
pip install ghas-cli- Manually:
python -m pip install /full/path/to/ghas-cli-xxx.whl
# e.g: python3 -m pip install Downloads/ghas-cli-0.5.0-none-any.whlghas-cli -h or see the wiki.
Install Poetry first, then:
make dev- Bump the version number:
poetry version x.x.x - Update the
__version__field insrc/cli.pyaccordingly.
Requires syft to be installed to generate the sbom.
- Bump the version number as described above
make depsto update the dependenciesmake releaseto build the packagesgit commit -a -S Bump to version 1.1.2andgit tag -s v1.1.2 -m "1.1.2"- Upload
dist/*,checksums.sha512andchecksums.sha512.ascto a new release in GitHub. - Upload to PyPi:
poetry publish.
GitHub suggests using ghas-enablement to deploy GHAS at scale. Unfortunately, it has many limitations that make it a non viable tool as you understood if you read the beginning of this README, including:
- Only support for one default branch name: If you repositories are mixing
master,main,dev,test... as the repository default branch, you will end up creating the CodeQL config to another branch than the default's.ghas-cliuses the correct default branch for each repo.
- Non per-language CodeQL workflow configuration: You can only automate the PR creation for a single CodeQL workflow config file. Your repositories are likely a mix of many languages combinations, so pushing a single workflow configuration accross an organization is not efficient.
ghas-cliadjusts the CodeQL configuration to each repository languages.
- Doesn't check if Actions are properly enabled on your organization repositories: Running
ghas-enablementwhen Actions are disabled will fail.ghas-climakes sure Actions are enabled before doing anything else. If they're not, it enables them.
- More broadly,
ghas-clicreates more educative issues on each repositories. It also provides more flexibility with an extensive CLI to pipe in/out data.
This repository is provided as-is and isn't bound to Malwarebytes' SLA.
![dependabot[bot] avatar](https://avatars.githubusercontent.com/in/29110?v=4 "dependabot[bot]")
React
Typescript
Django
Laravel
Facebook
Microsoft
Google
Alibaba
D3
Tencent