# ghas-cli
[](https://github.com/Malwarebytes/ghas-cli/actions/workflows/codeql-analysis.yml)
[](https://pepy.tech/project/ghas-cli)
[](https://pypi.org/project/ghas-cli)
[](https://github.com/malwarebytes/ghas-cli/graphs/contributors)
CLI utility to interact with [GitHub Advanced Security](https://docs.github.com/en/enterprise-cloud@latest/get-started/learning-about-github/about-github-advanced-security) (_"GHAS"_).
It allows to deploy GHAS features individually or at scale, while taking into account each repository configuration.
More specifically, it automates the following:
* Ensure GitHub Actions are properly enabled for the repository (required for CodeQL),
* Enable [Secret Scanner](https://docs.github.com/en/enterprise-cloud@latest/code-security/secret-scanning/about-secret-scanning), and create an informative issue
* Enable [Push Protection](https://docs.github.com/en/enterprise-cloud@latest/code-security/secret-scanning/protecting-pushes-with-secret-scanning), and create an informative issue
* Enable [Dependabot](https://docs.github.com/en/enterprise-cloud@latest/code-security/dependabot/working-with-dependabot) and create an informative issue
* Enable the [Dependency Reviewer](https://docs.github.com/en/enterprise-cloud@latest/code-security/supply-chain-security/about-dependency-review) and create an informative issue
* Open a PR to deploy [Code Scanning](https://docs.github.com/en/enterprise-cloud@latest/code-security/code-scanning/automatically-scanning-your-code-for-vulnerabilities-and-errors/about-code-scanning) with a custom configuration tuned for each repository's languages and _non-main default branch_ (e.g `main` or `master` are not hardcoded, it determines the proper default branch automatically),
* Cleanup legacy Mend issues on each repository
Each of these actions can also open an issue explaining each feature, how to use them, and what to eventually do before they are fully enabled.
See `./templates` to get an overview of these issues!
To follow your deployment, `ghas-cli` outputs results in a csv file indicating the deployment status of each feature for each repository.
You can work on a single repository or on thousands of them. In that case, `ghas-cli` does its best to overcome [GitHub's rate limits](https://docs.github.com/en/enterprise-cloud@latest/rest/rate-limit)...
## Installation
Builds are available in the [`Releases`](https://github.com/Malwarebytes/ghas-cli/releases) tab.
* Pypi:
```bash
pip install ghas-cli
```
* Manually:
```bash
python -m pip install /full/path/to/ghas-cli-xxx.whl
# e.g: python3 -m pip install Downloads/ghas-cli-0.5.0-none-any.whl
```
## Usage
`ghas-cli -h` or see the [wiki](https://github.com/Malwarebytes/ghas-cli/wiki).
## Development
### Build
[Install Poetry](https://python-poetry.org/docs/#installation) first, then:
```bash
make dev
```
### Bump the version number
* Bump the version number: `poetry version x.x.x`
* Update the `__version__` field in `src/cli.py` accordingly.
### Publish a new version
**Requires `syft` to be installed to generate the sbom.**
1. Bump the version number as described above
2. `make deps` to update the dependencies
3. `make release` to build the packages
4. `git commit -a -S Bump to version 1.1.2` and `git tag -s v1.1.2 -m "1.1.2"`
5. Upload `dist/*`, `checksums.sha512` and `checksums.sha512.asc` to a new release in GitHub.
6. Upload to [PyPi](https://pypi.org/project/ghas-cli/): `poetry publish`.
## Why not use `ghas-enablement`?
GitHub suggests using [ghas-enablement](https://github.com/NickLiffen/ghas-enablement) to deploy GHAS at scale. Unfortunately, it has many limitations that make it a non viable tool as you understood if you read the beginning of this README, including:
* Only support for one default branch name: If you repositories are mixing `master`, `main`, `dev`, `test`... as the repository default branch, you will end up creating the CodeQL config to another branch than the default's.
- `ghas-cli` uses the correct default branch for each repo.
* Non per-language CodeQL workflow configuration: You can only automate the PR creation for a single CodeQL workflow config file. Your repositories are likely a mix of many languages combinations, so pushing a single workflow configuration accross an organization is not efficient.
- `ghas-cli` adjusts the CodeQL configuration to each repository languages.
* Doesn't check if Actions are properly enabled on your organization repositories: Running `ghas-enablement` when Actions are disabled will fail.
- `ghas-cli` makes sure Actions are enabled before doing anything else. If they're not, it enables them.
* More broadly, `ghas-cli` creates more educative issues on each repositories. It also provides more flexibility with an extensive CLI to pipe in/out data.
# Miscellaneous
This repository is provided as-is and isn't bound to Malwarebytes' SLA.
Raw data
{
"_id": null,
"home_page": "https://github.com/Malwarebytes/ghas-cli",
"name": "ghas-cli",
"maintainer": null,
"docs_url": null,
"requires_python": "<4,>=3.7",
"maintainer_email": null,
"keywords": "security, cli, github, utility",
"author": "jboursier",
"author_email": "jboursier@malwarebytes.com",
"download_url": "https://files.pythonhosted.org/packages/13/26/a3f8f2a152e24198b920726ce73bdc3b0583777bfde59d7e88a97c341709/ghas_cli-1.6.1.tar.gz",
"platform": null,
"description": "# ghas-cli\n\n[](https://github.com/Malwarebytes/ghas-cli/actions/workflows/codeql-analysis.yml)\n[](https://pepy.tech/project/ghas-cli)\n[](https://pypi.org/project/ghas-cli)\n[](https://github.com/malwarebytes/ghas-cli/graphs/contributors)\n\nCLI utility to interact with [GitHub Advanced Security](https://docs.github.com/en/enterprise-cloud@latest/get-started/learning-about-github/about-github-advanced-security) (_\"GHAS\"_).\n\nIt allows to deploy GHAS features individually or at scale, while taking into account each repository configuration.\n\nMore specifically, it automates the following:\n\n* Ensure GitHub Actions are properly enabled for the repository (required for CodeQL),\n* Enable [Secret Scanner](https://docs.github.com/en/enterprise-cloud@latest/code-security/secret-scanning/about-secret-scanning), and create an informative issue\n* Enable [Push Protection](https://docs.github.com/en/enterprise-cloud@latest/code-security/secret-scanning/protecting-pushes-with-secret-scanning), and create an informative issue\n* Enable [Dependabot](https://docs.github.com/en/enterprise-cloud@latest/code-security/dependabot/working-with-dependabot) and create an informative issue\n* Enable the [Dependency Reviewer](https://docs.github.com/en/enterprise-cloud@latest/code-security/supply-chain-security/about-dependency-review) and create an informative issue\n* Open a PR to deploy [Code Scanning](https://docs.github.com/en/enterprise-cloud@latest/code-security/code-scanning/automatically-scanning-your-code-for-vulnerabilities-and-errors/about-code-scanning) with a custom configuration tuned for each repository's languages and _non-main default branch_ (e.g `main` or `master` are not hardcoded, it determines the proper default branch automatically),\n* Cleanup legacy Mend issues on each repository\n\n\nEach of these actions can also open an issue explaining each feature, how to use them, and what to eventually do before they are fully enabled.\nSee `./templates` to get an overview of these issues!\n\nTo follow your deployment, `ghas-cli` outputs results in a csv file indicating the deployment status of each feature for each repository.\n\nYou can work on a single repository or on thousands of them. In that case, `ghas-cli` does its best to overcome [GitHub's rate limits](https://docs.github.com/en/enterprise-cloud@latest/rest/rate-limit)...\n\n\n## Installation\n\nBuilds are available in the [`Releases`](https://github.com/Malwarebytes/ghas-cli/releases) tab.\n\n* Pypi:\n\n```bash\npip install ghas-cli\n```\n\n* Manually:\n\n```bash\npython -m pip install /full/path/to/ghas-cli-xxx.whl\n\n# e.g: python3 -m pip install Downloads/ghas-cli-0.5.0-none-any.whl\n```\n\n## Usage\n\n`ghas-cli -h` or see the [wiki](https://github.com/Malwarebytes/ghas-cli/wiki).\n\n\n## Development\n\n### Build\n\n[Install Poetry](https://python-poetry.org/docs/#installation) first, then:\n\n```bash\nmake dev\n```\n\n### Bump the version number\n\n* Bump the version number: `poetry version x.x.x`\n* Update the `__version__` field in `src/cli.py` accordingly.\n\n### Publish a new version\n\n**Requires `syft` to be installed to generate the sbom.**\n\n1. Bump the version number as described above\n2. `make deps` to update the dependencies\n3. `make release` to build the packages\n4. `git commit -a -S Bump to version 1.1.2` and `git tag -s v1.1.2 -m \"1.1.2\"`\n5. Upload `dist/*`, `checksums.sha512` and `checksums.sha512.asc` to a new release in GitHub.\n6. Upload to [PyPi](https://pypi.org/project/ghas-cli/): `poetry publish`.\n\n\n## Why not use `ghas-enablement`?\n\nGitHub suggests using [ghas-enablement](https://github.com/NickLiffen/ghas-enablement) to deploy GHAS at scale. Unfortunately, it has many limitations that make it a non viable tool as you understood if you read the beginning of this README, including:\n\n* Only support for one default branch name: If you repositories are mixing `master`, `main`, `dev`, `test`... as the repository default branch, you will end up creating the CodeQL config to another branch than the default's.\n - `ghas-cli` uses the correct default branch for each repo.\n* Non per-language CodeQL workflow configuration: You can only automate the PR creation for a single CodeQL workflow config file. Your repositories are likely a mix of many languages combinations, so pushing a single workflow configuration accross an organization is not efficient.\n - `ghas-cli` adjusts the CodeQL configuration to each repository languages.\n* Doesn't check if Actions are properly enabled on your organization repositories: Running `ghas-enablement` when Actions are disabled will fail.\n - `ghas-cli` makes sure Actions are enabled before doing anything else. If they're not, it enables them.\n* More broadly, `ghas-cli` creates more educative issues on each repositories. It also provides more flexibility with an extensive CLI to pipe in/out data.\n\n\n\n# Miscellaneous\n\nThis repository is provided as-is and isn't bound to Malwarebytes' SLA.\n",
"bugtrack_url": null,
"license": "MIT",
"summary": "Command line interface to interact with GitHub Advanced Security.",
"version": "1.6.1",
"project_urls": {
"Documentation": "https://github.com/Malwarebytes/ghas-cli/wiki",
"Homepage": "https://github.com/Malwarebytes/ghas-cli",
"Repository": "https://github.com/Malwarebytes/ghas-cli"
},
"split_keywords": [
"security",
" cli",
" github",
" utility"
],
"urls": [
{
"comment_text": "",
"digests": {
"blake2b_256": "27e62bae7cbd7a0bff88fcb52bf93d17b0b7a4d810202fe1758ae71b16e2d4c8",
"md5": "4a670b58b1a164cc55fb6a84d6133e45",
"sha256": "fd8bc93f075f4b95557d124ad743bb7c8621fde938e08e065aa8446f2d08147f"
},
"downloads": -1,
"filename": "ghas_cli-1.6.1-py3-none-any.whl",
"has_sig": false,
"md5_digest": "4a670b58b1a164cc55fb6a84d6133e45",
"packagetype": "bdist_wheel",
"python_version": "py3",
"requires_python": "<4,>=3.7",
"size": 22478,
"upload_time": "2024-03-25T11:05:13",
"upload_time_iso_8601": "2024-03-25T11:05:13.517290Z",
"url": "https://files.pythonhosted.org/packages/27/e6/2bae7cbd7a0bff88fcb52bf93d17b0b7a4d810202fe1758ae71b16e2d4c8/ghas_cli-1.6.1-py3-none-any.whl",
"yanked": false,
"yanked_reason": null
},
{
"comment_text": "",
"digests": {
"blake2b_256": "1326a3f8f2a152e24198b920726ce73bdc3b0583777bfde59d7e88a97c341709",
"md5": "a19e8d65f5bd941a85a83eb4127ed383",
"sha256": "9d1b46d4781a89e36190bde3d59d996a0a7da1a0ad23eddfcb3fc093559fc4ee"
},
"downloads": -1,
"filename": "ghas_cli-1.6.1.tar.gz",
"has_sig": false,
"md5_digest": "a19e8d65f5bd941a85a83eb4127ed383",
"packagetype": "sdist",
"python_version": "source",
"requires_python": "<4,>=3.7",
"size": 19664,
"upload_time": "2024-03-25T11:05:15",
"upload_time_iso_8601": "2024-03-25T11:05:15.782754Z",
"url": "https://files.pythonhosted.org/packages/13/26/a3f8f2a152e24198b920726ce73bdc3b0583777bfde59d7e88a97c341709/ghas_cli-1.6.1.tar.gz",
"yanked": false,
"yanked_reason": null
}
],
"upload_time": "2024-03-25 11:05:15",
"github": true,
"gitlab": false,
"bitbucket": false,
"codeberg": false,
"github_user": "Malwarebytes",
"github_project": "ghas-cli",
"travis_ci": false,
"coveralls": false,
"github_actions": true,
"lcname": "ghas-cli"
}
JSON
