warden-vulnerability-auditor

A tool for auditing repositories for specific GitHub Vulnerability Advisories

Primary language: JavaScript

Vulnerability Auditor

GitHub Vulnerability Auditor is a command-line tool that audits the repositories of a GitHub organization against a list of GitHub Security Advisories (GHSA). You give it the GHSA IDs you care about and a staleness threshold in months; it writes a CSV file and a JSON file listing every repository affected by the advisories you provided, together with the date of the last commit to each repository's default branch and a flag indicating whether that commit is older than the threshold. The flag tells you at a glance which affected repositories are still actively receiving commits and which have gone quiet.

Download the latest binaries from this link: https://github.com/lindluni/warden-vulnerability-auditor/releases

Example Usage:

Usage: vulnerability-auditor [options]

Options:
  -V, --version             output the version number
  -t, --token <string>      GitHub personal access token
  -o, --org <string>        GitHub organization
  -h, --threshold <number>  Months since last commit
  -i, --ids <items>         Comma-separated list of GHSA IDs
  -u, --url <string>        GitHub Enterprise URL
  --help                    display help for command

vulnerability-auditor -t fake-token -o fake-org -h 12 -i GHSA-1234,GHSA-5678

This retrieves every repository in the fake-org organization that is affected by GHSA-1234 or GHSA-5678 and flags those whose default branch has NOT received a commit in the last 12 months. Note that in this tool -h is the month threshold, not help; use --help for the usage text.

Set the --url flag to point the tool at a GitHub Enterprise instance instead of GitHub.com.

The token must be able to read the organization's repositories and their security alerts. Use a token with no more access than that, and bear in mind that a token passed on the command line ends up in your shell history and is visible to other local users in the process list.

NOTE: You can find the GHSA ID for an advisory on the GitHub Security Advisory page (https://github.com/advisories): open the advisory and copy the GHSA-... identifier from the end of its URL.
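The following is an added example, not the project's own code, showing the two steps the README describes: extracting a GHSA ID from an advisory URL, and the audit itself (match repositories against the wanted GHSA IDs, compute months since the last default-branch commit, flag stale ones, emit CSV and JSON). It runs offline over constructed sample records; the record shape (name, defaultBranch, lastCommitDate, vulnerabilityAlerts[].ghsaId) is an assumption made for this example and is not the tool's real API response. It also handles two edge cases a practitioner will hit: a repository with no commit on its default branch at all (treated as stale), and repository names that could become spreadsheet formulas when the CSV is opened.

```javascript
// Added example, not the project's own code: the audit step the README
// describes, run offline over constructed sample data. The record shape
// (name, defaultBranch, lastCommitDate, vulnerabilityAlerts[].ghsaId) is an
// assumption made for this example, not the tool's real API response.

// Normalise a GHSA ID for comparison: "ghsa-ABCD-1234-wxyz" -> "GHSA-abcd-1234-wxyz".
// Returns null for anything that is not a GHSA ID.
function normalizeGhsa(id) {
  const s = String(id).trim();
  if (!/^ghsa-/i.test(s)) return null;
  return 'GHSA-' + s.slice(5).toLowerCase();
}

// Pull the GHSA ID out of an advisory page URL such as
// https://github.com/advisories/GHSA-xxxx-xxxx-xxxx (the README's copy-from-URL step).
function ghsaIdFromUrl(url) {
  const m = /GHSA-[0-9a-z]+(?:-[0-9a-z]+)*/i.exec(String(url));
  return m ? normalizeGhsa(m[0]) : null;
}

// Whole calendar months from `earlier` to `later` (UTC), never negative.
function monthsBetween(earlier, later) {
  let months = (later.getUTCFullYear() - earlier.getUTCFullYear()) * 12
    + (later.getUTCMonth() - earlier.getUTCMonth());
  if (later.getUTCDate() < earlier.getUTCDate()) months -= 1; // last month not yet complete
  return Math.max(0, months);
}

// Core audit: keep only repos with at least one alert for a wanted GHSA ID,
// and flag them as stale when the default branch has not been committed to
// in `thresholdMonths` months. A repo with no commit at all is treated as stale.
function auditRepos(repos, ghsaIds, thresholdMonths, now = new Date()) {
  const wanted = new Set(ghsaIds.map(normalizeGhsa).filter(Boolean));
  const results = [];
  for (const repo of repos) {
    const hits = new Set();
    for (const alert of repo.vulnerabilityAlerts || []) {
      const id = normalizeGhsa(alert.ghsaId);
      if (id && wanted.has(id)) hits.add(id);
    }
    if (hits.size === 0) continue;
    const lastCommit = repo.lastCommitDate ? new Date(repo.lastCommitDate) : null;
    const months = lastCommit ? monthsBetween(lastCommit, now) : null;
    results.push({
      repo: repo.name,
      defaultBranch: repo.defaultBranch,
      ghsaIds: [...hits].sort(),
      lastCommit: lastCommit ? lastCommit.toISOString() : null,
      monthsSinceLastCommit: months,
      stale: months === null || months >= thresholdMonths,
    });
  }
  return results;
}

// CSV field encoding. Besides RFC 4180 quoting, a leading = + - @ is
// neutralised so a hostile repository name cannot become a spreadsheet
// formula when the report is opened in Excel or LibreOffice.
function csvField(value) {
  let s = value === null || value === undefined ? '' : String(value);
  if (/^[=+\-@]/.test(s)) s = "'" + s;
  return /[",\r\n]/.test(s) ? `"${s.replace(/"/g, '""')}"` : s;
}

function toCsv(results) {
  const header = ['repo', 'default_branch', 'ghsa_ids', 'last_commit',
    'months_since_last_commit', 'stale'];
  const rows = results.map((r) => [
    r.repo, r.defaultBranch, r.ghsaIds.join(';'), r.lastCommit,
    r.monthsSinceLastCommit, r.stale,
  ].map(csvField).join(','));
  return [header.join(','), ...rows].join('\n') + '\n';
}

// Constructed sample input (not real data): what a fetch step might hand over.
const SAMPLE_REPOS = [
  { name: 'fake-org/payments', defaultBranch: 'main', lastCommitDate: '2021-01-15T10:00:00Z',
    vulnerabilityAlerts: [{ ghsaId: 'GHSA-1234' }, { ghsaId: 'GHSA-9999' }] },
  { name: 'fake-org/web', defaultBranch: 'main', lastCommitDate: '2022-05-01T00:00:00Z',
    vulnerabilityAlerts: [{ ghsaId: 'ghsa-5678' }] },
  { name: 'fake-org/docs', defaultBranch: 'main', lastCommitDate: '2022-06-01T00:00:00Z',
    vulnerabilityAlerts: [{ ghsaId: 'GHSA-9999' }] },
  { name: 'fake-org/legacy', defaultBranch: 'master', lastCommitDate: null,
    vulnerabilityAlerts: [{ ghsaId: 'GHSA-1234' }, { ghsaId: 'GHSA-1234' }] },
];

const AUDIT_NOW = new Date('2022-06-15T00:00:00Z'); // fixed so the run is reproducible
const report = auditRepos(SAMPLE_REPOS, ['GHSA-1234', ' ghsa-5678 '], 12, AUDIT_NOW);
console.log(toCsv(report));
console.log(JSON.stringify(report, null, 2));
```

With the sample data and a 12-month threshold, fake-org/payments (17 months idle) and fake-org/legacy (no commit at all) are flagged stale, fake-org/web (1 month idle) is listed but not flagged, and fake-org/docs is omitted because none of its alerts match the requested IDs. The staleness decision is a whole-month comparison against a fixed "now", so a run is reproducible; in a real tool you would pass the current time instead.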