jboursier-mwb edited this page Oct 24, 2022 · 9 revisions

Welcome to the ghas-cli wiki!

ghas-cli works best with a token that has the repo and workflow scopes. The user should ideally be an org admin so that Actions can be enabled on all repositories.

GHAS deployment on a single repository

  1. Make sure GitHub Actions are enabled and set to Selected:
ghas-cli actions set_permissions -o Malwarebytes -t ghp_xxx -r Security-GHAS-POC-test-api -e True -a selected
  2. Enable Secret Scanner and create an informative issue:
ghas-cli repositories enable_ss -o Malwarebytes -t ghp_xxx -r Security-GHAS-POC-test-api
ghas-cli issues create -n "About Secret Scanner" -r Security-GHAS-POC-test-api -o Malwarebytes -t ghp_xxx ./templates/secret_scanner.md
  3. Deploy Secret Scanner Push Protection and create an informative issue:
ghas-cli repositories enable_ss_protection -o Malwarebytes -t ghp_xxx -r Security-GHAS-POC-test-api
ghas-cli issues create -n "About Secret Push Protection" -r Security-GHAS-POC-test-api -o Malwarebytes -t ghp_xxx ./templates/secret_scanner_push_protection.md
  4. Deploy Dependabot + Dependency Reviewer and create an informative issue:
ghas-cli repositories create_dep_enforcement_pr -o Malwarebytes -t ghp_xxx -r Security-GHAS-POC-test-api
ghas-cli repositories enable_dependabot -o Malwarebytes -t ghp_xxx -r Security-GHAS-POC-test-api
ghas-cli issues create -n "About Dependabot" -r Security-GHAS-POC-test-api -o Malwarebytes -t ghp_xxx ./templates/dependabot.md

  4a. Close issues created by Mend:
ghas-cli issues close_mend -t ghp_xxx -o Malwarebytes -r Security-GHAS-POC-test-api
  5. Deploy CodeQL and create an educational issue:
ghas-cli repositories create_codeql_pr -o Malwarebytes -t ghp_xxx -b "appsec-ghas-codeql_enable" -r Security-GHAS-POC-test-api
ghas-cli issues create -n "About Security code scanning" -r Security-GHAS-POC-test-api -o Malwarebytes -t ghp_xxx ./templates/codeql.md

GHAS deployment on many repositories

  1. Gather the list of repositories, then write the names of the ones you want to deploy to, one per line, into a text file (repos.txt below):
ghas-cli repositories list -o Malwarebytes -t ghp_xxx -s all -a False -d False -l "" -b "" -r "" -f json repos.json
# Keep only the repositories you want, one name per line, in repos.txt.
  2. Enable the features you want:
ghas-cli mass deploy --actions_enable True --secretscanner True --pushprotection True --dependabot True --codeql True --reviewer True --mend True -t ghp_xxx -o Malwarebytes repos.txt output.csv

output.csv will then contain the result. For example, when only Actions and CodeQL are enabled, the output looks like this:

# Organization, repo_name, Actions Enabled?, SS enabled?, PushProtection Enabled?, Dependabot Enabled?, CodeQL enabled?, Dep Reviewer Enabled?, Issue SS created?, Issue PP created?, Issue Dependabot created?, Issue CodeQL created?, Mend issues closed
Malwarebytes,Security-GHAS-POC-test-api-8,True,None, None, None, True, None, None, None, None, https://github.com/Malwarebytes/Security-GHAS-POC-test-api/issues/7, 0
Malwarebytes,Security-GHAS-POC-test-api-7,True,None, None, None, True, None, None, None, None, https://github.com/Malwarebytes/Security-GHAS-POC-test-api/issues/11, 5
Malwarebytes,Security-GHAS-POC-test-api-6,True,None, None, None, True, None, None, None, None, https://github.com/Malwarebytes/Security-GHAS-POC-test-api/issues/42, 10
Malwarebytes,Security-GHAS-POC-test-api-5,True,None, None, None, True, None, None, None, None, https://github.com/Malwarebytes/Security-GHAS-POC-test-apis/issues/32, 0
Malwarebytes,Security-GHAS-POC-test-api-4,True,None, None, None, True, None, None, None, None, https://github.com/Malwarebytes/Security-GHAS-POC-test-api/issues/27, 3
Malwarebytes,Security-GHAS-POC-test-api-3,True,None, None, None, True, None, None, None, None, https://github.com/Malwarebytes/Security-GHAS-POC-test-api/issues/10, 2
Malwarebytes,Security-GHAS-POC-test-api-2,True,None, None, None, True, None, None, None, False, None, 1
Malwarebytes,Security-GHAS-POC-test-api-1,True,None, None, None, False, None, None, None, None, None, 0
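After a mass deploy, the practical follow-up is to find the repositories where a requested feature did not end up enabled, or where the informative issue was not created, and feed those names back into repos.txt for a second pass. The script below is an added example, not part of ghas-cli; it assumes the column order of output.csv is exactly the header shown above, and the sample rows are constructed from that example output.

```python
import csv

# Column positions in output.csv, taken from the header shown on this page (assumed fixed).
FEATURE_COLUMNS = {"actions_enable": 2, "secretscanner": 3, "pushprotection": 4,
                   "dependabot": 5, "codeql": 6, "reviewer": 7}
ISSUE_COLUMNS = {"secretscanner": 8, "pushprotection": 9, "dependabot": 10, "codeql": 11}

# Constructed sample: three rows copied from the example output above.
SAMPLE_OUTPUT = """\
# Organization, repo_name, Actions Enabled?, SS enabled?, PushProtection Enabled?, Dependabot Enabled?, CodeQL enabled?, Dep Reviewer Enabled?, Issue SS created?, Issue PP created?, Issue Dependabot created?, Issue CodeQL created?, Mend issues closed
Malwarebytes,Security-GHAS-POC-test-api-8,True,None, None, None, True, None, None, None, None, https://github.com/Malwarebytes/Security-GHAS-POC-test-api/issues/7, 0
Malwarebytes,Security-GHAS-POC-test-api-2,True,None, None, None, True, None, None, None, False, None, 1
Malwarebytes,Security-GHAS-POC-test-api-1,True,None, None, None, False, None, None, None, None, None, 0
"""

def parse_output_csv(text):
    """Return one list of stripped fields per data row; the '#' header line is skipped."""
    lines = [ln for ln in text.splitlines() if ln.strip() and not ln.lstrip().startswith("#")]
    rows = [[f.strip() for f in row] for row in csv.reader(lines, skipinitialspace=True)]
    for row in rows:
        if len(row) != 13:  # a row that does not match the known layout is a hard error
            raise ValueError(f"unexpected column count {len(row)} in row {row[:2]}")
    return rows

def find_incomplete(text, requested):
    """Map 'org/repo' -> problems for repos where a requested feature is not 'True'
    or its informative issue was not created (the issue column holds no URL)."""
    problems = {}
    for fields in parse_output_csv(text):
        found = []
        for feature in requested:
            enabled = fields[FEATURE_COLUMNS[feature]]
            if enabled != "True":
                found.append(f"{feature} not enabled ({enabled})")
            col = ISSUE_COLUMNS.get(feature)  # Actions and the reviewer have no issue column
            if col is not None and not fields[col].startswith("https://"):
                found.append(f"{feature} issue not created ({fields[col]})")
        if found:
            problems[f"{fields[0]}/{fields[1]}"] = found
    return problems

def repos_to_retry(text, requested):
    """Repository names, one per line when joined, ready to write back into repos.txt."""
    return sorted(name.split("/", 1)[1] for name in find_incomplete(text, requested))

if __name__ == "__main__":
    wanted = ["actions_enable", "codeql"]
    for repo, found in find_incomplete(SAMPLE_OUTPUT, wanted).items():
        print(repo, "->", "; ".join(found))
    print("\n".join(repos_to_retry(SAMPLE_OUTPUT, wanted)))
```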