github-pr-auditor

A continuous auditing system that examines pull requests using GitHub's search syntax

Primary language: Ruby. License: MIT.

GitHub PR Auditor

This tool audits pull requests to determine whether they are compliant. It is geared toward those who do not have access to the Audit Log API (i.e. non-Enterprise users) or who simply want a canned solution for finding and alerting on non-compliant pull requests.

Any pull request matched by GITHUB_SEARCH_QUERY is logged as non-compliant, together with a link to it. The query therefore describes what a violation looks like, not what a compliant PR looks like: the default, is:pr is:merged review:required, matches pull requests that were merged while a review was still required, i.e. merged by bypassing the branch's review requirement.

Getting Started

Configuration

The following environment variables are read at runtime. GITHUB_API_TOKEN and GITHUB_ORG_NAME are required; the others have defaults:

Variable             Description
AFTER_DATE           Start of the audit window, in ISO 8601 format. Defaults to 1 day ago.
BEFORE_DATE          End of the audit window, in ISO 8601 format. Defaults to the present time.
GITHUB_API_TOKEN     A GitHub Personal Access Token (PAT) with the repo scope.
GITHUB_ORG_NAME      The GitHub organization to scan.
GITHUB_SEARCH_QUERY  The search query. Defaults to is:pr is:merged review:required

Note that the repo scope on a classic PAT grants read and write access to every repository the token's owner can reach, not just read access to the org being audited, so issue the token from a dedicated account with the minimum repository access needed and keep it out of shell history and logs.

To read more about how GitHub's search syntax works, see Understanding the search syntax: https://docs.github.com/en/search-github/getting-started-with-searching-on-github/understanding-the-search-syntax

Execution

This requires Ruby to be installed on your machine. It was tested on Ruby 2.7; other versions may work.

bundle install
GITHUB_API_TOKEN='<INSERT-PAT-HERE>' GITHUB_ORG_NAME='your-github-org' ./src/auditor.rb

Deploy to AWS

The auditor can also be deployed to AWS via aws-sam-cli, which needs an existing S3 bucket to upload the packaged code to.

It works by running the auditor code in AWS Lambda on a schedule (an Amazon CloudWatch Events rule), keeping track of the last successful run time in a Systems Manager Parameter Store parameter so that each run audits the period since the previous successful one.

diagram

The stack also includes CloudWatch Alarms that fire on:

  • Any non-compliant pull request
  • Missing logs (if no logs appear for 24 hours)
  • Generic runtime errors
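As an added example (not the project's own handler), the following sketches the watermark logic the deployment description implies: the last successful run time is stored in a Parameter Store parameter and becomes the start of the next scheduled run's window. A real handler would call Aws::SSM::Client; InMemorySsm stands in for it here so the logic can be exercised offline. The parameter name and the first-run lookback are assumptions.

```ruby
require 'time'

# Added example, not the project's code. Demonstrates advancing the
# last-successful-run watermark only after a run succeeds, so a failed run
# is re-covered by the next one instead of being skipped.

PARAM_NAME = '/github-pr-auditor/last-successful-run'.freeze # assumed name
FIRST_RUN_LOOKBACK = 24 * 60 * 60 # seconds; mirrors AFTER_DATE's 1-day default

# Minimal stand-in for the two SSM calls the handler needs
# (get_parameter / put_parameter). Returns nil for a missing parameter,
# which is how the very first run is detected.
class InMemorySsm
  def initialize
    @store = {}
  end

  def get(name)
    @store[name]
  end

  def put(name, value)
    @store[name] = value
  end
end

# Window for this run: from the stored watermark (or the lookback on the
# first run) up to now, as the ISO 8601 strings AFTER_DATE/BEFORE_DATE expect.
def audit_window(ssm, now: Time.now.utc, lookback: FIRST_RUN_LOOKBACK)
  stored = ssm.get(PARAM_NAME)
  after = stored ? Time.parse(stored).utc : now - lookback
  [after.iso8601, now.iso8601]
end

# One scheduled invocation. `search` takes (after, before) and returns the
# list of non-compliant PRs, or raises on an API failure. The watermark is
# written only after the search returned, so an exception propagates out of
# the handler (where the runtime-error alarm sees it) without advancing it.
def scheduled_run(ssm, now: Time.now.utc, &search)
  after, before = audit_window(ssm, now: now)
  findings = search.call(after, before)
  ssm.put(PARAM_NAME, before)
  findings
end

if __FILE__ == $PROGRAM_NAME
  ssm = InMemorySsm.new
  findings = scheduled_run(ssm) do |after, before|
    puts "would search merged:#{after}..#{before}"
    [] # a real handler would call the GitHub search API here
  end
  puts "#{findings.length} non-compliant PR(s); watermark now #{ssm.get(PARAM_NAME)}"
end
```

The important property is that the watermark moves only on success. If a run fails (GitHub outage, expired PAT), the next run starts from the old watermark and covers the gap, which is what makes the missing-logs and runtime-error alarms safe to rely on rather than a source of silently lost audit coverage.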

Requirements

Running the deploy script

For example, to deploy the CloudFormation stack:

make deploy-staging \
  STACK_NAME=github-pr-auditor \
  BUCKET_NAME=my-sam-bucket \
  REGION=us-east-1 \
  SAM_PARAMS_PATH=sam-params/example.cfg

Destroying

To destroy all of the resources provisioned:

make destroy STACK_NAME=github-pr-auditor

Development

Setup

To set up the dev environment, run:

bundle install --with development
pre-commit install # optional (requires pre-commit)

Tracking

All emergency changes are tracked in the following spreadsheet: https://docs.google.com/spreadsheets/d/1WYo3Q_KPXHyznVflUuTigJxlepykZQoQZ_X8UbPFebk/edit#gid=0

If this tool is triggered, an entry must be made in the spreadsheet.