
Introducing the Github Analyzer


EXAMINE YOUR GITHUB SECURITY SETTINGS

A few weeks ago we published a blog post with tips and tricks for using Allstar, a tool created by Google to examine the security configuration of GitHub organizations. Allstar is now maintained by the Open Source Security Foundation.

In our previous post we explained what Allstar does, and does not do, in terms of functionality, and highlighted some of its limitations, such as the lack of checks for multi-factor authentication, inactive organization admins and inactive GitHub apps. GitHub offers a large number of security configuration options and keeps adding more (such as the recent addition of security managers for each repo, which is currently in public beta). Navigating all the security and non-security settings that are relevant to your organization requires several hops across the GitHub UI, and teams often do not know which settings they have enabled, what their posture really is, or what it should be. We believe it is important to have a single-page view of all the important settings for your GitHub account, so that you can easily review the state of your organization and repositories.

Until GitHub supports such functionality natively, and in the absence of an easy-to-use open-source tool that fits our needs (to the best of our knowledge, based on our online research), we decided to put together a tool that would eventually enable us to do the following:

  • Provide aggregate statistics for a given GitHub organization (information on user permissions, installed applications, OAuth application settings, webhooks etc.)

  • Report security-related issues, each with an associated taxonomy, severity, description, remediation and CWE information

  • Allow users to specify custom checks, opt out of certain checks or findings, and export findings in a format that is easily consumed by GitHub Actions (e.g., JSON/SARIF). This functionality will in turn enable teams to enforce custom workflows and logic for each organization, and to set up automated actions that check whether any deviation from these workflows has occurred (e.g., an admin user accidentally modifying a security control or granting overly broad permissions).

Adding the above functionality to Allstar did not make sense given its current architecture. Instead, we deemed it more appropriate (in terms of both scope and agility) to develop a separate tool, tailored to our needs (and hopefully yours!). The tool, called Github Analyzer, is written in Go and was inspired by code that Mike DeLibero had written when he was a security auditor for Salesforce. Currently it is primarily a PoC, but we wanted to develop it in the open, gathering feature requests and feedback from the community as early as possible. At its core, Github Analyzer connects to a GitHub organization using an access token and then, using the GitHub API, pulls back a set of configuration information about the organization, its users and its repos. For data which is not available via the GitHub API we use go-github's scraping capabilities to fetch information directly from the UI, so you can optionally pass in a username, password and OTP seed to enable logging in via the web interface. All of the data collected is analysed against a set of simple rules and written to a JSON file and an HTML file for easy reading.

The checks / statistics currently implemented are the following:

  • Are application restrictions enabled

  • A list of all OAuth applications with summary information about them

  • A list of potentially insecure Webhook payloads

  • Is advanced security enabled for new repositories

  • Is secret scanning enabled for new repositories

  • Is organizational 2FA enabled

  • A list of users without 2FA enabled

  • A list of all users and their current permissions
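To illustrate the rules stage described above, here is an added example (not code from the github-analyzer project) that runs a few of the listed checks over a constructed organization snapshot and emits findings carrying the severity, remediation and CWE fields the post mentions, with per-check opt-out. The OrgSnapshot and Webhook field names are assumptions made for this example, not the tool's data model.

```go
package main

import "strings"

// OrgSnapshot is a constructed stand-in for the organization data github-analyzer pulls
// back from the GitHub API; the field names are assumptions made for this example.
type OrgSnapshot struct {
	TwoFactorRequired bool
	MembersWithout2FA []string
	Webhooks          []Webhook
}

// Webhook carries the two delivery settings that decide whether a payload is at risk.
type Webhook struct {
	URL         string
	InsecureSSL bool // GitHub's insecure_ssl flag: TLS certificate checks disabled
}

// Finding mirrors the fields the post lists for each reported issue.
type Finding struct {
	ID, Severity, Description, Remediation, CWE string
}

// Analyze evaluates the rules against a snapshot; check IDs present in skip are opted out.
func Analyze(s OrgSnapshot, skip map[string]bool) []Finding {
	var out []Finding
	add := func(id, sev, desc, fix, cwe string) {
		if !skip[id] {
			out = append(out, Finding{id, sev, desc, fix, cwe})
		}
	}
	if !s.TwoFactorRequired {
		add("ORG_2FA_NOT_REQUIRED", "high", "Organization does not require 2FA",
			"Enable 'Require two-factor authentication' in the organization security settings", "CWE-308")
	}
	for _, m := range s.MembersWithout2FA {
		add("USER_NO_2FA", "medium", "Member "+m+" has not enabled 2FA",
			"Ask the member to enable 2FA, or enforce it organization-wide", "CWE-308")
	}
	for _, w := range s.Webhooks {
		if strings.HasPrefix(w.URL, "http://") {
			add("WEBHOOK_CLEARTEXT", "high", "Webhook "+w.URL+" delivers payloads over plain HTTP",
				"Use an https:// payload URL", "CWE-319")
		} else if w.InsecureSSL {
			add("WEBHOOK_INSECURE_SSL", "high", "Webhook "+w.URL+" skips TLS certificate verification",
				"Disable insecure_ssl on the webhook", "CWE-295")
		}
	}
	return out
}
```

Marshalling the returned slice with encoding/json gives the kind of machine-readable output a GitHub Actions workflow can pick up and diff against a known-good baseline.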

To install from your terminal, use

go install -v github.com/crashappsec/github-analyzer/cmd/github-analyzer@latest

And then use the following to run it (the trailing backslash after the token argument has been dropped so the shell does not wait for a further continuation line):

$GOPATH/bin/github-analyzer \
  --organization <your org name> \
  --token "$GH_SECURITY_AUDITOR_TOKEN"

To install using Docker, clone the repo and from that directory run

docker compose build --no-cache

And then use the following to run it:

$GOPATH/bin/github-analyzer \
  --organization <your org name> \
  --token "$GH_SECURITY_AUDITOR_TOKEN"

You can find full instructions in the README, and instructions on how to create your GitHub access tokens on the repo wiki here.

We hope you find this useful and look forward to your feature requests, so that we can help your team get a better grip on your GitHub security settings! Although the tool is being released primarily as a call for feature requests, issues and PRs are also welcome! We already have some suggestions in the issues list, and if you have any questions or ideas that warrant broader feedback, please feel free to get in touch via GitHub discussions.