Version 0.5.0, released Dec 27, 2023 (1 unstable release)
ghsec
ghsec is an opinionated linter (with fixes) for public GitHub repository security. It helps diagnose and fix potential security issues caused by GitHub repository settings that are usually too open by default.
Installation
From source
cargo install --force --locked ghsec
With cargo-binstall
cargo binstall ghsec
Usage
You will need a personal access token with admin-level access to your repositories. Currently, this tool has only been tested with classic tokens carrying the repo scope.
# Provide a GitHub personal access token with admin access to your repositories
export GITHUB_TOKEN=ghp_.....
# Run the checks
ghsec
# Run the checks and fix the issues, if possible
ghsec --fix
# You can also specify repositories to check using a unix-style glob
ghsec 'workflows-*'
Supported checks
branch_protections: check branch protection settings
code_review_limits: check account settings for code review limits
default_workflow_permissions: use secure defaults for "Default Workflow Permissions"
fork_pull_request_workflows: check repository settings for public fork pull request workflow runs
repository_secrets: list repositories containing GitHub Actions secrets
License
This project is licensed under the MIT License.