Security-ghas-cli

CLI utility to interact with GHAS.

Installation

Builds are available in the Releases tab.

python -m pip install /full/path/to/ghas-cli-xxx.whl

# e.g: python3 -m pip install Downloads/ghas-cli-0.5.0-none-any.whl

Usage

Run ghas-cli -h or see the wiki.

Development

Build

Install Poetry first, then:

make release

Bump the version number

  • Update the version field in pyproject.toml.
  • Update the __version__ field in src/cli.py.

Publish a new version

Requires syft to be installed to generate the SBOM.

  1. Bump the version number as described above
  2. make deps to update the dependencies
  3. make release to build the packages
  4. git commit -a -S -m "Bump to version 1.1.2" and git tag -s v1.1.2 -m "1.1.2"
  5. Upload dist/*, checksums.sha512 and checksums.sha512.asc to a new release in GitHub.

Why not use ghas-enablement?

GitHub suggests using ghas-enablement to deploy GHAS at scale. Unfortunately, it has several limitations that make it a non-viable tool:

  • Only one default branch name is supported: if your repositories mix master, main, dev, test... as the default branch, the CodeQL config will end up on a branch other than the repository's actual default.
    • ghas-cli uses the correct default branch for each repo.
  • No per-language CodeQL workflow configuration: you can only automate the PR creation for a single CodeQL workflow config file. Your repositories are likely a mix of many language combinations, so pushing a single workflow configuration across an organization is not efficient.
    • ghas-cli adjusts the CodeQL configuration to each repository's languages.
  • Doesn't check whether Actions are properly enabled on your organization's repositories: running ghas-enablement when Actions are disabled will fail.
    • ghas-cli makes sure Actions are enabled before doing anything else. If they're not, it enables them.
  • More broadly, ghas-cli creates more educational issues in each repository. It also provides more flexibility with an extensive CLI to pipe data in and out.
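The three points above (per-repository default branch, per-language CodeQL matrix, Actions enabled before anything else) can be illustrated with a small planner. The code below is an added example written for this README, not code from ghas-cli itself. It assumes the response shapes of the GitHub REST endpoints GET /repos/{owner}/{repo} (default_branch), GET /repos/{owner}/{repo}/languages (language to byte count) and GET /repos/{owner}/{repo}/actions/permissions (enabled flag), a hypothetical linguist-to-CodeQL name mapping, and constructed sample payloads so it runs offline.

```python
"""Per-repository CodeQL rollout planning (added example, not ghas-cli code)."""
from __future__ import annotations

# Assumed mapping from GitHub linguist language names (as returned by the
# /languages endpoint) to CodeQL language identifiers. Anything not listed here
# is not analysable by CodeQL and is dropped from the matrix.
LINGUIST_TO_CODEQL = {
    "C": "cpp", "C++": "cpp", "C#": "csharp", "Go": "go",
    "Java": "java", "Kotlin": "java", "JavaScript": "javascript",
    "TypeScript": "javascript", "Python": "python", "Ruby": "ruby",
    "Swift": "swift",
}

# Constructed sample payloads standing in for the three API responses.
SAMPLE_REPO = {"name": "payments-api", "default_branch": "develop"}
SAMPLE_LANGUAGES = {"TypeScript": 120000, "JavaScript": 30000,
                    "Python": 9000, "Shell": 500, "Dockerfile": 200}
SAMPLE_PERMISSIONS = {"enabled": False, "allowed_actions": "all"}


def codeql_languages(linguist_bytes: dict[str, int]) -> list[str]:
    """Return the distinct CodeQL languages for a repo, largest codebase first.

    TypeScript and JavaScript collapse into one 'javascript' entry, and
    languages CodeQL cannot analyse (Shell, Dockerfile, YAML...) are skipped
    instead of producing a workflow that fails at init time.
    """
    ordered: list[str] = []
    for name, _size in sorted(linguist_bytes.items(), key=lambda kv: -kv[1]):
        codeql = LINGUIST_TO_CODEQL.get(name)
        if codeql and codeql not in ordered:
            ordered.append(codeql)
    return ordered


def actions_enabled(permissions: dict) -> bool:
    """Read the 'enabled' flag of the repo's Actions permissions payload."""
    return bool(permissions.get("enabled", False))


def render_workflow(default_branch: str, languages: list[str]) -> str:
    """Build a minimal CodeQL workflow pinned to the repository's own default branch."""
    if not languages:
        raise ValueError("no CodeQL-supported language in this repository")
    matrix = ", ".join(languages)
    return f'''name: "CodeQL"

on:
  push:
    branches: [ "{default_branch}" ]
  pull_request:
    branches: [ "{default_branch}" ]
  schedule:
    - cron: "30 3 * * 1"

jobs:
  analyze:
    name: Analyze (${{{{ matrix.language }}}})
    runs-on: ubuntu-latest
    permissions:
      security-events: write
      contents: read
    strategy:
      fail-fast: false
      matrix:
        language: [ {matrix} ]
    steps:
      - uses: actions/checkout@v4
      - uses: github/codeql-action/init@v3
        with:
          languages: ${{{{ matrix.language }}}}
      - uses: github/codeql-action/autobuild@v3
      - uses: github/codeql-action/analyze@v3
        with:
          category: "/language:${{{{ matrix.language }}}}"
'''


def plan_repo(repo: dict, linguist_bytes: dict[str, int], permissions: dict) -> dict:
    """Decide what has to happen for one repository before CodeQL can run.

    Ordering follows the README: enable Actions first if needed, then target the
    repo's real default branch with a matrix limited to analysable languages.
    """
    languages = codeql_languages(linguist_bytes)
    return {
        "repo": repo["name"],
        "enable_actions_first": not actions_enabled(permissions),
        "default_branch": repo["default_branch"],
        "languages": languages,
        "workflow": render_workflow(repo["default_branch"], languages) if languages else None,
    }


if __name__ == "__main__":
    plan = plan_repo(SAMPLE_REPO, SAMPLE_LANGUAGES, SAMPLE_PERMISSIONS)
    print(f"{plan['repo']}: enable Actions first = {plan['enable_actions_first']}")
    print(plan["workflow"])
```

With the constructed sample, the planner reports that Actions must be enabled first, collapses TypeScript and JavaScript into a single javascript matrix entry, keeps python, drops Shell and Dockerfile, and pins both triggers to the develop branch rather than assuming main.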

Miscellaneous

This repository is provided as-is and isn't bound to Malwarebytes' SLA.