Get secret scanning alerts in orgs
This repo demonstrates how to use the GitHub code scanning API to export all the alerts on an organization to a CSV file. This makes it possible for a security team to quickly audit the known vulnerabilities across their organizations that are using GitHub Advanced Security.
Limitation: there is no way to get the commit SHA and line number where the secret has been identified.
Notes:
- the secret is hashed to not disclose it but still be able to identify a secret committed in multiple places.
- this version is for GHES only
Running the script
- Clone this repo to your local machine
- Create a file called .env
- Create a GitHub Token which has the
repo
>security_events
permission. (repo
permission is needed for private repo) - Add the token to your .env file as shown
GH_AUTH_TOKEN=inserttokenhere
- For GHES, add a BASE_URL to .env like BASE_URL=https://mygithubserver.com/api/v3 and uncomment line 10 in get-secret-scanning-alerts-in-org-sample.js
- Run
npm install
to install node dependencies - Run
node get-secret-scanning-alerts.js orgnames > output.csv
whereorgnames
is a list of target org names. Note, if SSO is enabled on your org, you will need to SSO enable your token
Next step
Create a workflow that upload the result as an Artifact. In a private repo of course.
License
This project is licensed under the MIT License.