Audits a GitHub organization for potential security issues. The tool is currently in pre-alpha stage and only supports limited functionality, however we will be actively adding checks in the upcoming months, and welcome feature requests or contributions! Once the analysis is complete, a static HTML with the summary of the results is rendered in localhost:3000 as shown below:

| Name | Category | Severity | Resource Affected |
|---|---|---|---|
| Application restrictions disabled | Least Privilege | High | Organization |
| Insecure Webhook payload URL | Information Disclosure | High | Webhook |
| Advanced security disabled for new repositories | Tooling and Automation Configuration | Medium | Organization |
| Secret scanning disabled for new repositories | Tooling and Automation Configuration | Medium | Organization |
| Organization 2FA disabled | Authentication | Medium | Organization |
| Users without 2FA configured | Authentication | Low | User Account |
| Permissions overview for users | Least Privilege | Informational | User Account |
| OAuth application summary | Least Privilege | Informational | Organization |
For each issue identified, a JSON with associated information will be generated. A sample output snippet is as follows:
...
{
"id": "CONFIG_AS_1",
"name": "Secret scanning disabled for new repositories",
"severity": 3,
"category": "Information disclosure to untrusted parties",
"tags": [
"GitHub Advanced Security feature"
],
"description": "Secret scanning disabled for org testorg",
"resource": [
{
"id": "testorg",
"kind": "Organization"
}
],
"cwes": [
319
],
"remediation": "Pleasee see https://docs.github.com/en/github-ae@latest/code-security/secret-scanning/configuring-secret-scanning-for-your-repositories for how to enable secret scanning in your repositories"
},
{
"id": "AUTH_2FA_2",
"name": "Users without 2FA configured",
"severity": 2,
"category": "Authentication",
"description": "The following collaborators have not enabled 2FA: testuser1, testuser2",
"resource": [
{
"id": "testuser1",
"kind": "UserAccount"
},
{
"id": "testuser2",
"kind": "UserAccount"
}
],
"cwes": [
308
],
"remediation": "Please see https://docs.github.com/en/authentication/securing-your-account-with-two-factor-authentication-2fa/configuring-two-factor-authentication for steps on how to configure 2FA for individual accounts"
}
...
You can see available options via the --help flag.
sh
go install -v github.com/crashappsec/github-analyzer/cmd/github-analyzer@latestsh
$GOPATH/bin/github-analyzer \
--organization <your org name> \
--token "$GH_SECURITY_AUDITOR_TOKEN"sh
docker compose build --no-cachesh
docker compose run \
--rm --service-ports \
github-analyzer \
--organization <your org name> \
--output output \
--token "$GH_SECURITY_AUDITOR_TOKEN"
For API-based based checks, you need to pass in GitHub Token (either personal access token (PAT) or token derived from GitHub app installation) with the appropriate permissions. Example usage:
github-analyzer \
--organization <your org name> \
--token "$GH_SECURITY_AUDITOR_TOKEN"
See our wiki for instructions on setting up a token to be used with the github-analyzer.
For experimental scraping-based checks, you need to pass in your username and password, as well your two factor authentication one-time-password, as needed. Example usage:
github-analyzer \
--organization crashappsec \
--token "$GH_SECURITY_AUDITOR_TOKEN" \
--userPermissionStats \
--enableScraping \
--username "$GH_SECURITY_AUDITOR_USERNAME" \
--password "$GH_SECURITY_AUDITOR_PASSWORD" \
--otpSeed "$GH_SECURITY_AUDITOR_OTP_SEED"
See our wiki for instructions on setting up a token to be used with the analyzer.
Project was originally ported from Mike de Libero's auditor with the author's permission.
For better security, it is recommended to use a GitHub App access token instead of a personal access token when running this tool internally within an organization.
Go to GitHub Developer Settings: https://github.com/settings/apps
Click New GitHub App
Fill required details:
Disable webhook (not required)
Set permissions: Repository permissions:
Organization permissions: - Members: Read - Administration: Read
Click Create GitHub App
Generate a private key (.pem file)
Install the GitHub App to your organization
Generate a JWT token using the App ID and private key.
Exchange JWT for installation access token using GitHub API: https://api.github.com/app/installations/{installation_id}/access_tokens
Use this access token when running github-analyzer internally.
This approach avoids using personal access tokens and improves organizational security.
$ claude mcp add github-analyzer \
-- python -m otcore.mcp_server <graph>