rewindio/github-pr-auditor

A continuous auditing system that examines pull requests using GitHub's search syntax

GitHub PR Auditor

This tool audits pull requests to determine whether or not they are compliant. It is geared towards those who do not have access to the Audit Log API (i.e. non-Enterprise users) or who simply want a canned solution for finding and alerting on non-compliant pull requests.

Any pull request matched by GITHUB_SEARCH_QUERY is logged as a non-compliant pull request, together with a link to it.

Getting Started

Configuration

The following environment variables are required at runtime:

Variable             Description
AFTER_DATE           A date in ISO 8601 format. Defaults to 1 day ago.
BEFORE_DATE          A date in ISO 8601 format. Defaults to the present time.
GITHUB_API_TOKEN     A GitHub Personal Access Token (PAT) that has the repo scope.
GITHUB_ORG_NAME      The GitHub Org name to scan.
GITHUB_SEARCH_QUERY  The search query syntax. Defaults to: is:pr is:merged review:required

To read more about how GitHub's search syntax works, see understanding the search syntax.
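The following is an added example, not the project's own src/auditor.rb, showing how the configuration above turns into a search and a list of findings. It assumes the org and date window are applied with the `org:` and `merged:` search qualifiers (the page does not say how the tool scopes the query) and uses a constructed search response so it runs offline; the function and constant names are this example's own.

```ruby
require 'json'
require 'time'
require 'uri'

# Added example reconstructing the auditor's core steps; not the project's own code.
DEFAULT_QUERY = 'is:pr is:merged review:required'.freeze

# Resolve configuration from the environment, applying the README's defaults.
# `env` is injectable (a plain Hash works) so the function can be exercised offline.
def auditor_config(env = ENV, now = Time.now.utc)
  {
    after_date: env.fetch('AFTER_DATE') { (now - 24 * 60 * 60).iso8601 },
    before_date: env.fetch('BEFORE_DATE') { now.iso8601 },
    token: env.fetch('GITHUB_API_TOKEN'), # raises KeyError if missing: fail fast
    org: env.fetch('GITHUB_ORG_NAME'),
    query: env.fetch('GITHUB_SEARCH_QUERY', DEFAULT_QUERY)
  }
end

# Combine the org and date window with the user's query. Scoping with `org:` and
# `merged:` is this example's assumption about how the tool narrows the search.
def build_search_query(config)
  "org:#{config[:org]} merged:#{config[:after_date]}..#{config[:before_date]} #{config[:query]}"
end

# GitHub's search endpoint covers both issues and pull requests; the query is URL-encoded.
def search_url(query)
  "https://api.github.com/search/issues?q=#{URI.encode_www_form_component(query)}&per_page=100"
end

# Reduce a search response body to the non-compliant PRs worth alerting on.
def non_compliant_prs(response_body)
  JSON.parse(response_body).fetch('items', []).map do |item|
    { number: item['number'], title: item['title'], url: item['html_url'] }
  end
end

# One log line per finding with a fixed prefix, so a log-based alarm can match on it.
def report_lines(prs)
  prs.map { |pr| "NON_COMPLIANT_PR ##{pr[:number]} #{pr[:title]} #{pr[:url]}" }
end

# Constructed sample response (two hits) standing in for the live API.
SAMPLE_RESPONSE = JSON.generate(
  'total_count' => 2,
  'items' => [
    { 'number' => 41, 'title' => 'Hotfix config', 'html_url' => 'https://github.com/example-org/app/pull/41' },
    { 'number' => 42, 'title' => 'Bump deps', 'html_url' => 'https://github.com/example-org/app/pull/42' }
  ]
)

if __FILE__ == $PROGRAM_NAME
  cfg = auditor_config({ 'GITHUB_API_TOKEN' => 'x', 'GITHUB_ORG_NAME' => 'example-org' })
  puts search_url(build_search_query(cfg))
  puts report_lines(non_compliant_prs(SAMPLE_RESPONSE))
end
```

Reading the token with `fetch` and no default means a missing PAT aborts the run instead of issuing unauthenticated searches that would silently return fewer results for private repositories.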

Execution

This requires Ruby to be installed on your machine. It was tested on Ruby 3.2.2; other versions may work.

bundler install
GITHUB_API_TOKEN='<INSERT-PAT-HERE>' GITHUB_ORG_NAME='your-github-org' ./src/auditor.rb

Deploy to AWS

The auditor can also be deployed to AWS via aws-sam-cli. It requires an existing S3 bucket.

It works by running the auditor code in AWS Lambda on a schedule (Amazon CloudWatch Events), keeping track of the last successful run time in a Parameter Store parameter.

[Diagram: scheduled Lambda run with last-run time tracked in Parameter Store]

This also includes CloudWatch Alarms that will alarm upon:

  • Any non-compliant pull request
  • Missing logs (if no logs appear for 24 hours)
  • Generic runtime errors
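The checkpointing behaviour described above, as an added example rather than the project's Lambda code: the audit window starts at the last successful run (or 24 hours ago on the first run) and the checkpoint is only advanced after the audit succeeds, so a failed run is retried over the same window instead of being skipped. The parameter name and the in-memory store standing in for Parameter Store are this example's assumptions.

```ruby
require 'time'

# Added example of the scheduled-run state handling; not the project's own code.
# The parameter name is assumed; the page does not give it.
PARAM_NAME = '/github-pr-auditor/last-successful-run'.freeze

# Minimal in-memory stand-in for Parameter Store so the example runs offline.
class MemoryParamStore
  def initialize(values = {})
    @values = values
  end

  def get(name)
    @values[name]
  end

  def put(name, value)
    @values[name] = value
  end
end

# Compute the audit window [after, before] for this invocation.
def run_window(store, now = Time.now.utc)
  last = store.get(PARAM_NAME)
  after = last ? Time.iso8601(last) : now - 24 * 60 * 60
  [after.utc.iso8601, now.utc.iso8601]
end

# Run one scheduled audit. The block receives the window and performs the search;
# the checkpoint is written only if the block returns without raising, so a
# runtime error (one of the alarm conditions) leaves the window to be re-audited.
def scheduled_run(store, now = Time.now.utc)
  after, before = run_window(store, now)
  findings = yield(after, before)
  store.put(PARAM_NAME, before)
  findings
end

if __FILE__ == $PROGRAM_NAME
  store = MemoryParamStore.new
  scheduled_run(store) { |a, b| puts "auditing #{a}..#{b}"; [] }
  puts "checkpoint now #{store.get(PARAM_NAME)}"
end
```

Because the window ends at the invocation time and the next run starts exactly there, consecutive runs cover the timeline without gaps; a PR merged during a failed run is still picked up by the retry.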

Requirements

Building

Note that the SAM build uses Docker to ensure the build platform architecture matches the AWS Lambda runtime. Ensure Docker is running before building the SAM application.

make build REGION=us-east-1

Running the deploy script

For example, to deploy the CloudFormation stack:

make deploy-staging \
  STACK_NAME=github-pr-auditor \
  BUCKET_NAME=my-sam-bucket \
  REGION=us-east-1 \
  SAM_PARAMS_PATH=sam-params/example.cfg

Destroying

To destroy all of the resources provisioned:

make destroy STACK_NAME=github-pr-auditor

Development

Setup

To set up the dev environment, run:

bundle install --with development
pre-commit install # optional (requires pre-commit)
