Repo Audit

Overview#

Repository | View on Marketplace

This action will audit every repository in an organization. It features automatic fetching of repositories, policies execution and reporting.

Reports are automatically uploaded for GitHub Advanced Security-enabled repositories as well as written to the disk to use with other tools.

Setup#

- name: Audit
  uses: reposaur/repo-audit-action@v0.1.0
  with:
    # Paths to policies or directory of policies (one path per line).
    # Default: ${{ github.workspace }}
    policy: ''

    # Path to the output directory to where SARIF reports will be written.
    # Default: ${{ github.workspace }}/.reposaur
    output: ''

    # Maximum amount of errors that Reposaur can encounter before
    # aborting policy execution. If the value is 0, execution will never
    # stop on errors.
    # Default: 0
    max-errors: ''
  env:
    # A GitHub Token that can list your organization's repositories
    # and upload SARIF reports to Code Scanning.
    GITHUB_TOKEN: ''

Example#

Since this action is meant to run for the whole organization, we usually create a policy repository to hold both the workflow and our custom policies. See reposaur/policy for an example.

The example below will run on every push and everyday at 23h00 UTC and can also be triggered manually.

name: Audit

on:
  push:
  schedule:
    - cron: 0 23 * * *
  workflow_dispatch:

jobs:
  audit:
    name: Audit
    runs-on: ubuntu-latest
    steps:
      - name: Checkout
        uses: actions/checkout@v3
        with:
          repository: reposaur/policy

      - id: app-token
        name: Authenticate
        uses: getsentry/action-github-app-token@v1
        with:
          app_id: ${{ secrets.MY_SECURITY_APP_ID }}
          private_key: ${{ secrets.MY_SECURITY_APP_PRIVATE_KEY }}

      - name: Audit
        uses: reposaur/repo-audit-action@main
        env:
          GITHUB_TOKEN: ${{ steps.app-token.outputs.token }}