Unfortunately, it leaves a lot to be desired. I've actually had to do a fair bit of GH access reporting myself recently and I can recommend the GraphQL API as it allows you to properly list direct and indirect permissions on repositories (org + team + direct collaborator) that are alot harder to do with the REST API due to its inconsistent permissions model.
IME, the problem with the GraphQL API is that it does a poor job of indicating where permissions came from, and you have to fall back to bad heuristics.
For example, if team="company" has "READ", and team="company/dev" has "WRITE", and Bob is in team="company/dev" but not team="company", then Bob will have both "READ" and "WRITE" because of his membership in team="company/dev"; the API will give no indication that the "READ" indirectly came from team="company".
Also, the permissions that the PAT needs in order for GraphQL to even list those things is excessive.
I have added two output examples. One for when you only want to find users that have been directly assigned to a repo (DIRECT) and one that shows how their roles and team memberships decide what permissions they have on a repo.
Having write already implies that you have read, it't not something related to being in a team with read, it's just that write always gives you read.
The permission levels are pull(read), triage(read+issues/pr's), push(read+write), maintain, and admin
i've also been working on a similar tool -- working towards open sourcing it too. would you be interested in taking a look? paul.quenra at conductorone com
Terraform doesn't know what it doesn't know. It only cares about stuff you defined in code and ignores all the rest. You can't use it for auditing purposes, except in its narrow scope.
As much a fan of Terraform I am. If you didn't started defining your repos in Terraform from day 0, importing hundreds of repos, members, permission sets would be quite a lot more work than running this audit tool.
And quite frankly, terraform is great at first, and maybe for smaller projects, but for larger cases it becomes unmaintainable and unrefactorable pretty quickly.
Awesome! I built something like this for $JOB-1 too. Unfortunately didn't get to open source this before I left.
I built in an a mechanism for policy checks too, e.g. to check that only an allowed list of repositories was public, and that permissions were only assigned through teams.
Steampipe [1] is an open source CLI to query your cloud resources (e.g. GitHub, AWS, Splunk, etc) with SQL. The GitHub plugin has 44 tables to query [2].
The "GitHub Sherlock" mod includes 34 automated controls for organization, repo and issue best practices. The "GitHub Compliance" mod has 35 automated controls for supply chain security. Mods are written in HCL + SQL. [3]
Quick feedback: Just noticed that you can get rid of one setup step at https://steampipe.io/downloads - you don't need to brew tap & brew install, you can just use one command: `brew install turbot/tap/steampipe` without doing `brew tap` first.
