npx skills add mukul975/Anthropic-Cybersecurity-SkillsMITRE ATT&CK
Overview
GitHub Advanced Security (GHAS) integrates CodeQL-powered static application security testing directly into the GitHub development workflow. CodeQL treats code as data, enabling semantic analysis that identifies security vulnerabilities such as SQL injection, cross-site scripting, buffer overflows, and authentication flaws with significantly fewer false positives than traditional pattern-matching scanners. GHAS encompasses code scanning, secret scanning, dependency review, and Dependabot alerts to provide a comprehensive security posture for repositories.
When to Use
- When deploying or configuring implementing github advanced security for code scanning capabilities in your environment
- When establishing security controls aligned to compliance requirements
- When building or improving security architecture for this domain
- When conducting security assessments that require this implementation
Prerequisites
- GitHub Enterprise Cloud or GitHub Enterprise Server 3.0+ with GHAS license
- Repository admin or organization owner permissions
- Familiarity with GitHub Actions workflow syntax (YAML)
- Supported languages: C/C++, C#, Go, Java/Kotlin, JavaScript/TypeScript, Python, Ruby, Swift
Core Concepts
CodeQL Analysis Engine
CodeQL compiles source code into a queryable database, then executes security-focused queries against that database. The query suites ship with hundreds of checks mapped to CWE identifiers and cover OWASP Top 10, SANS Top 25, and language-specific vulnerability patterns. Custom queries can be authored using the CodeQL query language (QL) to detect organization-specific anti-patterns.
Default Setup vs. Advanced Setup
Default Setup enables code scanning with a single click from the repository's Code Security settings. GitHub automatically determines the languages present, selects appropriate query suites, and configures scanning triggers. This approach requires no workflow file and is ideal for rapid onboarding.
Advanced Setup generates a .github/workflows/codeql.yml workflow file that can be customized. Teams control scheduling, language matrices, build commands for compiled languages, additional query packs, and integration with third-party SARIF producers. Advanced setup is required when custom build steps, monorepo configurations, or private query packs are needed.
Organization-Wide Rollout
For enterprises managing hundreds of repositories, GHAS supports configuring code scanning at scale using the organization-level security overview. Administrators can enable default setup across all eligible repositories, define custom security configurations, and monitor adoption through the security coverage dashboard.
Workflow
Step 1 --- Enable GHAS on the Organization
- Navigate to Organization Settings > Code security and analysis
- Enable GitHub Advanced Security for all repositories or selected repositories
- Confirm license seat allocation (GHAS is billed per active committer)
Step 2 --- Configure Default Setup for Quick Wins
- Go to Repository Settings > Code security > Code scanning
- Click "Set up" in the CodeQL analysis row and select "Default"
- Review the auto-detected languages and query suite (default or extended)
- Click "Enable CodeQL" to activate scanning on push and pull request events
Step 3 --- Advanced Setup with Custom Workflow
Create .github/workflows/codeql-analysis.yml:
name: "CodeQL Analysis"
on:
push:
branches: [main, develop]
pull_request:
branches: [main]
schedule:
- cron: '30 2 * * 1' # Weekly Monday 2:30 AM UTC
jobs:
analyze:
name: Analyze (${{ matrix.language }})
runs-on: ubuntu-latest
permissions:
security-events: write
contents: read
actions: read
strategy:
fail-fast: false
matrix:
language: ['javascript-typescript', 'python', 'java-kotlin']
steps:
- name: Checkout repository
uses: actions/checkout@v4
- name: Initialize CodeQL
uses: github/codeql-action/init@v3
with:
languages: ${{ matrix.language }}
queries: +security-extended,security-and-quality
# For compiled languages, add build commands below
- name: Autobuild
uses: github/codeql-action/autobuild@v3
- name: Perform CodeQL Analysis
uses: github/codeql-action/analyze@v3
with:
category: "/language:${{ matrix.language }}"Step 4 --- Custom Query Packs
Install organization-specific query packs by referencing them in the workflow:
- name: Initialize CodeQL
uses: github/codeql-action/init@v3
with:
languages: java-kotlin
packs: |
my-org/java-custom-queries@1.0.0
codeql/java-queries:cwe/cwe-089Step 5 --- Configure Branch Protection Rules
- Navigate to Repository Settings > Branches > Branch protection rules
- Enable "Require status checks to pass" and add the CodeQL analysis check
- Enable "Require code scanning results" and set severity thresholds (e.g., block on High/Critical)
Step 6 --- Secret Scanning and Push Protection
- Enable secret scanning from Code security settings
- Activate push protection to block commits containing detected secrets
- Configure custom patterns for organization-specific secrets (API keys, internal tokens)
Step 7 --- Dependency Review and Dependabot
- Enable Dependabot alerts and security updates
- Configure
.github/dependabot.ymlfor automated dependency version updates - Enable dependency review enforcement on pull requests to block PRs that introduce known vulnerable dependencies
Query Suite Reference
| Suite | Description | Use Case |
|---|---|---|
default |
High-confidence security queries | Production scanning with minimal false positives |
security-extended |
Broader security queries including lower-severity findings | Comprehensive security coverage |
security-and-quality |
Security plus code quality queries | Teams wanting both security and maintainability checks |
| Custom packs | Organization-authored queries | Detecting internal anti-patterns and compliance violations |
Integration with Security Workflows
SARIF Upload from Third-Party Tools
GHAS accepts SARIF (Static Analysis Results Interchange Format) uploads from external tools:
- name: Upload SARIF
uses: github/codeql-action/upload-sarif@v3
with:
sarif_file: results.sarif
category: "semgrep"Security Overview Dashboard
The organization-level security overview provides:
- Risk view showing repositories with open alerts by severity
- Coverage view showing GHAS feature enablement across repositories
- Alert trends over time for tracking remediation progress
- Filter by team, language, and alert type for targeted review
Monitoring and Metrics
- Track mean time to remediate (MTTR) for code scanning alerts
- Monitor false positive rates and tune query configurations accordingly
- Review alert dismissal reasons to identify areas for developer training
- Use the API (
/repos/{owner}/{repo}/code-scanning/alerts) for custom reporting dashboards
Common Pitfalls
- Compiled language build failures --- CodeQL requires successful compilation for C/C++, Java, C#, Go, and Swift; ensure build dependencies are available in the Actions runner
- Ignoring scheduled scans --- Push/PR scanning misses vulnerabilities in dependencies; weekly scheduled scans catch newly disclosed CVEs in existing code
- Over-alerting with security-and-quality --- Start with
defaultsuite and expand gradually to avoid developer alert fatigue - Missing GHAS license seats --- Only active committers to GHAS-enabled repositories consume license seats; plan capacity accordingly
References
References and resources
Everything below is rendered for inspection. Script files are read-only and never run.
References 3
api-reference.md1.9 KB
API Reference: Implementing GitHub Advanced Security for Code Scanning
GitHub Code Scanning API
# List code scanning alerts
gh api /repos/OWNER/REPO/code-scanning/alerts?state=open
# Get specific alert
gh api /repos/OWNER/REPO/code-scanning/alerts/ALERT_NUMBER
# List analyses
gh api /repos/OWNER/REPO/code-scanning/analyses
# Upload SARIF
gh api /repos/OWNER/REPO/code-scanning/sarifs -X POST \
-f commit_sha=SHA -f ref=refs/heads/main -f sarif=@results.sarif.gzSecret Scanning API
# List secret alerts
gh api /repos/OWNER/REPO/secret-scanning/alerts?state=open
# Update alert state
gh api /repos/OWNER/REPO/secret-scanning/alerts/ALERT_NUMBER -X PATCH \
-f state=resolved -f resolution=revokedCodeQL Query Suites
| Suite | Description | False Positive Rate |
|---|---|---|
default |
High-confidence security | Low |
security-extended |
Broader security coverage | Medium |
security-and-quality |
Security + code quality | Higher |
CodeQL Workflow (GitHub Actions)
- uses: github/codeql-action/init@v3
with:
languages: ${{ matrix.language }}
queries: +security-extended
- uses: github/codeql-action/autobuild@v3
- uses: github/codeql-action/analyze@v3Supported Languages
| Language | Build Required | Query Pack |
|---|---|---|
| Python | No | codeql/python-queries |
| JavaScript/TypeScript | No | codeql/javascript-queries |
| Java/Kotlin | Yes | codeql/java-queries |
| C/C++ | Yes | codeql/cpp-queries |
| C# | Yes | codeql/csharp-queries |
| Go | Yes | codeql/go-queries |
| Ruby | No | codeql/ruby-queries |
| Swift | Yes | codeql/swift-queries |
References
- GHAS Docs: https://docs.github.com/en/code-security/code-scanning
- CodeQL: https://codeql.github.com/docs/
- CodeQL Queries: https://github.com/github/codeql
- SARIF Spec: https://sarifweb.azurewebsites.net/
standards.md2.2 KB
Standards and Frameworks Reference
OWASP Top 10 (2021) Coverage by CodeQL
| OWASP Category | CodeQL CWE Coverage | Query Suite |
|---|---|---|
| A01 Broken Access Control | CWE-22, CWE-284, CWE-639 | security-extended |
| A02 Cryptographic Failures | CWE-259, CWE-327, CWE-328 | security-extended |
| A03 Injection | CWE-77, CWE-78, CWE-79, CWE-89 | default |
| A04 Insecure Design | CWE-209, CWE-256, CWE-501 | security-and-quality |
| A05 Security Misconfiguration | CWE-16, CWE-611 | security-extended |
| A06 Vulnerable Components | Dependency Review / Dependabot | N/A (separate feature) |
| A07 Auth Failures | CWE-287, CWE-798 | default |
| A08 Data Integrity Failures | CWE-502, CWE-829 | security-extended |
| A09 Logging Failures | CWE-117, CWE-778 | security-and-quality |
| A10 SSRF | CWE-918 | default |
NIST SP 800-218 (SSDF) Alignment
- PO.3: Define security requirements --- CodeQL enforces security policies through query suites
- PW.4: Reuse existing, well-secured software --- Dependabot ensures dependencies are patched
- PW.7: Review and test code for vulnerabilities --- Automated code scanning on every PR
- PW.8: Test executable code --- SARIF integration enables combining SAST with DAST results
- RV.1: Identify and confirm vulnerabilities --- Security overview tracks alerts across the organization
CIS Software Supply Chain Security Guide
- SCS-1: Source code management security --- Branch protection rules, required reviewers
- SCS-2: Build pipelines --- CodeQL runs in GitHub Actions with pinned action versions
- SCS-5: Artifact management --- Dependency review prevents vulnerable packages from merging
ISO 27001 Control Mapping
| ISO 27001 Control | GHAS Feature |
|---|---|
| A.8.25 Secure development lifecycle | CodeQL in CI/CD pipeline |
| A.8.26 Application security requirements | Custom query packs for org standards |
| A.8.28 Secure coding | Real-time scanning on pull requests |
| A.8.29 Security testing in dev and acceptance | Required status checks with severity gates |
| A.8.31 Separation of environments | Branch protection and deployment rules |
workflows.md3.2 KB
GHAS Implementation Workflows
Workflow 1: Organization-Wide Enablement
1. Audit current repository inventory
- List all repositories in the organization
- Identify languages and build systems in use
- Estimate active committer count for licensing
|
2. Pilot phase (2-4 weeks)
- Enable GHAS on 5-10 representative repositories
- Use default setup for initial scanning
- Collect baseline alert counts and false positive rates
|
3. Triage pilot results
- Review alerts by severity (Critical, High, Medium, Low)
- Dismiss confirmed false positives with documented reasons
- Create remediation issues for confirmed vulnerabilities
|
4. Tune configuration
- Adjust query suites based on false positive feedback
- Write custom queries for organization-specific patterns
- Configure alert dismissal policies
|
5. Broad rollout
- Enable default setup across remaining repositories
- Configure organization-level security configurations
- Set branch protection rules requiring code scanning checks
|
6. Continuous monitoring
- Review security overview dashboard weekly
- Track MTTR for code scanning alerts
- Report metrics to security leadership monthlyWorkflow 2: Pull Request Security Gate
Developer pushes code to feature branch
|
PR is created targeting main
|
CodeQL analysis triggers automatically
|
Dependency review checks for vulnerable dependencies
|
Secret scanning checks for hardcoded credentials
|
Results posted as PR check and inline annotations
|
[Pass] All checks pass --> PR is eligible for merge
[Fail] Critical/High findings --> PR is blocked
|
Developer reviews findings and applies fixes
|
Re-push triggers re-analysis
|
Merge after all checks pass and reviewer approvalWorkflow 3: Custom CodeQL Query Development
1. Identify recurring vulnerability pattern not caught by default queries
|
2. Set up CodeQL development environment
- Install CodeQL CLI
- Clone CodeQL standard library repository
- Create workspace with target codebase database
|
3. Author the query in QL language
- Define source, sink, and taint-tracking configuration
- Add metadata (@name, @description, @kind, @problem.severity, @security-severity, @precision, @id, @tags)
|
4. Test the query
- Create test cases with expected results
- Run `codeql test run` against test database
- Validate precision and recall
|
5. Package the query
- Create qlpack.yml with version and dependencies
- Publish to GitHub Container Registry or internal package registry
|
6. Deploy to scanning workflow
- Reference the query pack in codeql-action/init step
- Monitor results for the new query across repositoriesWorkflow 4: SARIF Integration with External Tools
External SAST/DAST tool runs scan
|
Tool outputs results in SARIF 2.1.0 format
|
GitHub Actions uploads SARIF via codeql-action/upload-sarif
|
Results appear in Security tab alongside CodeQL findings
|
Unified triage workflow across all scanning tools
|
Alert deduplication based on location and rule IDScripts 2
agent.py7.7 KB
#!/usr/bin/env python3
"""Agent for managing GitHub Advanced Security code scanning with CodeQL."""
import json
import argparse
import subprocess
from datetime import datetime
from collections import Counter
def gh_api(endpoint, method="GET"):
"""Call GitHub API via gh CLI."""
cmd = ["gh", "api", endpoint, "--method", method]
result = subprocess.run(cmd, capture_output=True, text=True, timeout=60)
if result.returncode != 0:
return {"error": result.stderr.strip()}
try:
return json.loads(result.stdout) if result.stdout.strip() else {}
except json.JSONDecodeError:
return {"raw": result.stdout.strip()}
def get_code_scanning_alerts(owner, repo, state="open"):
"""Get code scanning alerts for a repository."""
alerts = gh_api(f"/repos/{owner}/{repo}/code-scanning/alerts?state={state}&per_page=100")
if isinstance(alerts, dict) and "error" in alerts:
return alerts
return alerts if isinstance(alerts, list) else []
def get_secret_scanning_alerts(owner, repo, state="open"):
"""Get secret scanning alerts for a repository."""
alerts = gh_api(f"/repos/{owner}/{repo}/secret-scanning/alerts?state={state}&per_page=100")
if isinstance(alerts, dict) and "error" in alerts:
return alerts
return alerts if isinstance(alerts, list) else []
def get_dependabot_alerts(owner, repo, state="open"):
"""Get Dependabot alerts for a repository."""
alerts = gh_api(f"/repos/{owner}/{repo}/dependabot/alerts?state={state}&per_page=100")
if isinstance(alerts, dict) and "error" in alerts:
return alerts
return alerts if isinstance(alerts, list) else []
def analyze_code_scanning_alerts(alerts):
"""Analyze code scanning alerts and produce summary."""
if not isinstance(alerts, list):
return {"error": "No alerts data"}
by_severity = Counter()
by_rule = Counter()
by_tool = Counter()
critical_alerts = []
for alert in alerts:
rule = alert.get("rule", {})
severity = rule.get("security_severity_level", rule.get("severity", "unknown"))
by_severity[severity] += 1
by_rule[rule.get("id", "unknown")] += 1
tool = alert.get("tool", {}).get("name", "unknown")
by_tool[tool] += 1
if severity in ("critical", "high"):
critical_alerts.append({
"number": alert.get("number"),
"rule": rule.get("id", ""),
"description": rule.get("description", "")[:120],
"severity": severity,
"state": alert.get("state", ""),
"created_at": alert.get("created_at", ""),
"html_url": alert.get("html_url", ""),
})
return {
"total_alerts": len(alerts),
"by_severity": dict(by_severity),
"by_rule": dict(by_rule.most_common(10)),
"by_tool": dict(by_tool),
"critical_and_high": critical_alerts[:20],
}
def analyze_secret_alerts(alerts):
"""Analyze secret scanning alerts."""
if not isinstance(alerts, list):
return {"error": "No alerts data"}
by_type = Counter()
for alert in alerts:
by_type[alert.get("secret_type_display_name", alert.get("secret_type", "unknown"))] += 1
return {
"total_secrets": len(alerts),
"by_type": dict(by_type),
"alerts": [
{"number": a.get("number"), "type": a.get("secret_type_display_name", ""),
"state": a.get("state", ""), "created_at": a.get("created_at", "")}
for a in alerts[:20]
],
}
def analyze_dependabot_alerts(alerts):
"""Analyze Dependabot vulnerability alerts."""
if not isinstance(alerts, list):
return {"error": "No alerts data"}
by_severity = Counter()
by_ecosystem = Counter()
for alert in alerts:
vuln = alert.get("security_vulnerability", alert.get("security_advisory", {}))
severity = vuln.get("severity", alert.get("severity", "unknown"))
by_severity[severity] += 1
dep = alert.get("dependency", {})
pkg = dep.get("package", {})
by_ecosystem[pkg.get("ecosystem", "unknown")] += 1
return {
"total_alerts": len(alerts),
"by_severity": dict(by_severity),
"by_ecosystem": dict(by_ecosystem),
}
def generate_codeql_workflow(languages, query_suite="security-extended"):
"""Generate a CodeQL analysis GitHub Actions workflow."""
lang_list = ", ".join(f"'{l}'" for l in languages)
return f"""name: CodeQL Analysis
on:
push:
branches: [main, develop]
pull_request:
branches: [main]
schedule:
- cron: '30 2 * * 1'
jobs:
analyze:
name: Analyze (${{{{ matrix.language }}}})
runs-on: ubuntu-latest
permissions:
security-events: write
contents: read
actions: read
strategy:
fail-fast: false
matrix:
language: [{lang_list}]
steps:
- uses: actions/checkout@v4
- uses: github/codeql-action/init@v3
with:
languages: ${{{{ matrix.language }}}}
queries: +{query_suite}
- uses: github/codeql-action/autobuild@v3
- uses: github/codeql-action/analyze@v3
with:
category: "/language:${{{{ matrix.language }}}}"
"""
def full_security_audit(owner, repo):
"""Run full GHAS security audit for a repository."""
code_alerts = get_code_scanning_alerts(owner, repo)
secret_alerts = get_secret_scanning_alerts(owner, repo)
dependabot_alerts = get_dependabot_alerts(owner, repo)
return {
"code_scanning": analyze_code_scanning_alerts(code_alerts),
"secret_scanning": analyze_secret_alerts(secret_alerts),
"dependabot": analyze_dependabot_alerts(dependabot_alerts),
}
def main():
parser = argparse.ArgumentParser(description="GitHub Advanced Security Agent")
parser.add_argument("--owner", help="Repository owner")
parser.add_argument("--repo", help="Repository name")
parser.add_argument("--action", choices=["audit", "code-alerts", "secrets",
"dependabot", "gen-workflow"],
default="audit")
parser.add_argument("--languages", nargs="+", default=["python", "javascript-typescript"])
parser.add_argument("--output", default="ghas_report.json")
args = parser.parse_args()
report = {"generated_at": datetime.utcnow().isoformat(), "results": {}}
if args.action == "audit" and args.owner and args.repo:
results = full_security_audit(args.owner, args.repo)
report["results"] = results
cs = results["code_scanning"]
print(f"[+] Code scanning: {cs.get('total_alerts', 0)} alerts")
print(f"[+] Secrets: {results['secret_scanning'].get('total_secrets', 0)}")
print(f"[+] Dependabot: {results['dependabot'].get('total_alerts', 0)}")
elif args.action == "code-alerts" and args.owner and args.repo:
alerts = get_code_scanning_alerts(args.owner, args.repo)
analysis = analyze_code_scanning_alerts(alerts)
report["results"]["code_scanning"] = analysis
print(f"[+] {analysis.get('total_alerts', 0)} code scanning alerts")
elif args.action == "secrets" and args.owner and args.repo:
alerts = get_secret_scanning_alerts(args.owner, args.repo)
analysis = analyze_secret_alerts(alerts)
report["results"]["secret_scanning"] = analysis
print(f"[+] {analysis.get('total_secrets', 0)} secret alerts")
elif args.action == "gen-workflow":
workflow = generate_codeql_workflow(args.languages)
report["results"]["workflow"] = workflow
print("[+] CodeQL workflow generated")
with open(args.output, "w") as f:
json.dump(report, f, indent=2, default=str)
print(f"[+] Report saved to {args.output}")
if __name__ == "__main__":
main()
process.py6.6 KB
#!/usr/bin/env python3
"""
GitHub Advanced Security Code Scanning Alert Management
Uses the GitHub REST API to query, triage, and report on CodeQL
code scanning alerts across an organization's repositories.
"""
import json
import os
import sys
import urllib.request
import urllib.error
from datetime import datetime, timedelta
from collections import defaultdict
def get_github_headers(token: str) -> dict:
return {
"Authorization": f"Bearer {token}",
"Accept": "application/vnd.github+json",
"X-GitHub-Api-Version": "2022-11-28",
}
def github_api_get(url: str, token: str) -> list | dict:
headers = get_github_headers(token)
results = []
page = 1
while True:
paginated_url = f"{url}{'&' if '?' in url else '?'}per_page=100&page={page}"
req = urllib.request.Request(paginated_url, headers=headers)
try:
with urllib.request.urlopen(req) as resp:
data = json.loads(resp.read().decode())
if isinstance(data, list):
if not data:
break
results.extend(data)
page += 1
else:
return data
except urllib.error.HTTPError as e:
print(f"HTTP {e.code} for {paginated_url}: {e.read().decode()}")
break
return results
def list_org_repos(org: str, token: str) -> list:
url = f"https://api.github.com/orgs/{org}/repos?type=all"
repos = github_api_get(url, token)
return [r["full_name"] for r in repos if isinstance(r, dict)]
def get_code_scanning_alerts(repo: str, token: str, state: str = "open") -> list:
url = f"https://api.github.com/repos/{repo}/code-scanning/alerts?state={state}"
return github_api_get(url, token)
def categorize_alerts(alerts: list) -> dict:
categories = defaultdict(lambda: defaultdict(int))
for alert in alerts:
rule = alert.get("rule", {})
severity = rule.get("security_severity_level", "unknown")
cwe_tags = [t for t in rule.get("tags", []) if t.startswith("cwe-")]
tool_name = alert.get("tool", {}).get("name", "unknown")
categories["by_severity"][severity] += 1
categories["by_tool"][tool_name] += 1
for cwe in cwe_tags:
categories["by_cwe"][cwe] += 1
return dict(categories)
def calculate_mttr(alerts: list) -> dict:
resolved = [a for a in alerts if a.get("state") == "fixed"]
if not resolved:
return {"total_resolved": 0, "avg_mttr_hours": None}
durations = []
for alert in resolved:
created = datetime.fromisoformat(alert["created_at"].replace("Z", "+00:00"))
fixed = datetime.fromisoformat(
alert.get("fixed_at", alert.get("dismissed_at", "")).replace("Z", "+00:00")
)
durations.append((fixed - created).total_seconds() / 3600)
return {
"total_resolved": len(resolved),
"avg_mttr_hours": round(sum(durations) / len(durations), 1),
"min_mttr_hours": round(min(durations), 1),
"max_mttr_hours": round(max(durations), 1),
}
def generate_org_report(org: str, token: str) -> dict:
repos = list_org_repos(org, token)
report = {
"organization": org,
"generated_at": datetime.utcnow().isoformat() + "Z",
"total_repositories": len(repos),
"repositories_with_scanning": 0,
"total_open_alerts": 0,
"severity_summary": defaultdict(int),
"top_cwes": defaultdict(int),
"repo_details": [],
}
for repo in repos:
alerts = get_code_scanning_alerts(repo, token, state="open")
if not alerts:
continue
report["repositories_with_scanning"] += 1
report["total_open_alerts"] += len(alerts)
categories = categorize_alerts(alerts)
for sev, count in categories.get("by_severity", {}).items():
report["severity_summary"][sev] += count
for cwe, count in categories.get("by_cwe", {}).items():
report["top_cwes"][cwe] += count
closed_alerts = get_code_scanning_alerts(repo, token, state="fixed")
mttr = calculate_mttr(closed_alerts)
report["repo_details"].append(
{
"repository": repo,
"open_alerts": len(alerts),
"severity_breakdown": dict(categories.get("by_severity", {})),
"mttr": mttr,
}
)
report["severity_summary"] = dict(report["severity_summary"])
top_cwes_sorted = sorted(report["top_cwes"].items(), key=lambda x: x[1], reverse=True)[:10]
report["top_cwes"] = dict(top_cwes_sorted)
return report
def print_report(report: dict) -> None:
print(f"\n{'='*60}")
print(f"GHAS Code Scanning Report: {report['organization']}")
print(f"Generated: {report['generated_at']}")
print(f"{'='*60}")
print(f"Total repositories: {report['total_repositories']}")
print(f"Repositories with scanning enabled: {report['repositories_with_scanning']}")
coverage = (
report["repositories_with_scanning"] / report["total_repositories"] * 100
if report["total_repositories"] > 0
else 0
)
print(f"Coverage: {coverage:.1f}%")
print(f"Total open alerts: {report['total_open_alerts']}")
print(f"\nSeverity Summary:")
for sev in ["critical", "high", "medium", "low", "unknown"]:
count = report["severity_summary"].get(sev, 0)
if count > 0:
print(f" {sev.upper():12s}: {count}")
print(f"\nTop CWEs:")
for cwe, count in report.get("top_cwes", {}).items():
print(f" {cwe:15s}: {count}")
print(f"\nRepository Details:")
for repo in sorted(report["repo_details"], key=lambda r: r["open_alerts"], reverse=True):
mttr_str = (
f"{repo['mttr']['avg_mttr_hours']}h" if repo["mttr"]["avg_mttr_hours"] else "N/A"
)
print(f" {repo['repository']:40s} | Open: {repo['open_alerts']:4d} | Avg MTTR: {mttr_str}")
def main():
token = os.environ.get("GITHUB_TOKEN")
if not token:
print("Error: GITHUB_TOKEN environment variable is required")
sys.exit(1)
org = os.environ.get("GITHUB_ORG")
if not org:
print("Error: GITHUB_ORG environment variable is required")
sys.exit(1)
print(f"Fetching code scanning data for organization: {org}")
report = generate_org_report(org, token)
print_report(report)
output_file = f"ghas_report_{org}_{datetime.utcnow().strftime('%Y%m%d')}.json"
with open(output_file, "w") as f:
json.dump(report, f, indent=2, default=str)
print(f"\nDetailed report saved to: {output_file}")
if __name__ == "__main__":
main()