Initial version

Makefile

@@ -0,0 +1,31 @@
+.DEFAULT_GOAL=help
+.PHONY=help
+
+ZIP = zip
+PIP3 = python3 -m pip
+PYTHON3 = python3
+POETRY = poetry
+
+
+clean: ## clean existing builds
+	rm -rf ./dist || true
+	rm -rf ./src/ghas-cli/ghas-cli.egg-info || true
+	rm checksums.sha512 || true
+	rm checksums.sha512.asc || true
+
+release: ## Build a wheel
+	$(POETRY) build
+	cd dist && sha512sum * > ../checksums.sha512
+	gpg --detach-sign --armor checksums.sha512
+
+shell: ## Generate the shell autocompletion
+	_GHAS_CLI_COMPLETE=source_bash ghas-cli > ghas-cli-complete.sh || true
+
+deps: ## Fetch or update dependencies
+	$(POETRY) update --no-dev
+
+help:
+	@awk -F ':|##' '/^[^\t].+?:.*?##/ { printf "\033[36m%-30s\033[0m %s\n", $$1, $$NF }' $(MAKEFILE_LIST) | sort
+
+
+.PHONY: help

README.md

@@ -1,2 +1,44 @@
 # Security-ghas-cli
-CLI utility to interact with GHAS
+
+CLI utility to interact with GHAS.
+
+
+## Installation
+
+Builds are available in the [`Releases`](https://github.com/Malwarebytes/Security-ghas-cli/releases) tab.
+
+```bash
+python -m pip install /full/path/to/ghas-cli-xxx.whl
+
+# e.g: python3 -m pip install Downloads/ghas-cli-0.5.0-none-any.whl
+```
+
+## Development
+
+### Build
+
+[Install Poetry](https://python-poetry.org/docs/#installation) first, then:
+
+```bash
+make release
+```
+
+### Bump the version number
+
+* Update the `version` field in `pyproject.toml`.
+* Update the `__version__` field in `src/cli.py`.
+
+### Publish a new version
+
+1. Bump the version number as described above
+2. `make deps` to update the dependencies
+3. `make release` to build the packages
+4. `git commit -a -S Bump to version 1.1.2` and `git tag -s v1.1.2 -m "1.1.2"`
+5. Upload `dist/*`, `checksums.sha512` and `checksums.sha512.asc` to a new release in Github.
+
+# Resources
+
+Please reach Jérôme Boursier for any issues or question:
+
+* jboursier@malwarebytes.com
+* `jboursier` on Slack

pyproject.toml

@@ -0,0 +1,38 @@
+[tool.poetry]
+name = "security-ghash-cli"
+version = "0.0.1"
+description = "Python3 command line interface to interact with Github Advanced Security."
+authors = ["jboursier <jboursier@malwarebytes.com>"]
+license = "MIT"
+readme = "README.md"
+homepage = "https://malwarebytes.com"
+repository = "https://github.com/Malwarebytes/Security-ghash-cli"
+keywords = ["security", "cli", "github", "utility"]
+classifiers = [
+    "Development Status :: 4 - Beta",
+    "Environment :: Console",
+    "Intended Audience :: Developers",
+    "Intended Audience :: Information Technology",
+    "License :: OSI Approved :: MIT License",
+    "Natural Language :: English",
+    "Operating System :: OS Independent",
+    "Topic :: Utilities"
+]
+include = ["src/cli.py"]
+
+[tool.poetry.dependencies]
+python = ">=3.7"
+click = ">=8"
+requests = "*"
+colorama = "*"
+configparser = "*"
+python-magic = "*"
+
+[tool.poetry.dev-dependencies]
+
+[tool.poetry.scripts]
+ghas-cli = 'src.cli:main'
+
+[build-system]
+requires = ["poetry-core>=1.0.0"]
+build-backend = "poetry.core.masonry.api"

src/github.py

@@ -0,0 +1,150 @@
+# -*- coding: utf-8 -*-
+#!/usr/bin/env python3
+
+__author__ = "jboursier"
+__copyright__ = "Copyright 2022, Malwarebytes"
+__version__ = "0.0.1"
+__maintainer__ = "jboursier"
+__email__ = "jboursier@malwarebytes.com"
+__status__ = "Development"
+
+try:
+    import click
+    import requests
+    import json
+    from typing import List, Dict, Any
+    from datetime import datetime
+except ImportError:
+    import sys
+
+    print("Missing dependencies. Please reach @jboursier if needed.")
+    sys.exit(255)
+
+from click.exceptions import ClickException
+from requests.exceptions import Timeout
+
+ORG_NAME = ""
+GH_TOKEN = ""
+
+
+def check_rate_limit(response: Any) -> bool:
+    if "0" == response.headers["x-ratelimit-remaining"]:
+        reset_time = datetime.fromtimestamp(int(response.headers["x-ratelimit-reset"]))
+        print(
+            f"Rate limit reached: {response.headers['x-ratelimit-remaining']}/{response.headers['x-ratelimit-limit']} - {reset_time}"
+        )
+        return True
+    else:
+        return False
+
+
+def get_org_repositories(org_name: str, exclude_archived: bool, session: Any) -> List:
+
+    repositories = []
+    page = 1
+    while True:
+        params = {
+            "type": "all",
+            "sort": "full_name",
+            "per_page": 100,
+            "page": page,
+        }
+        repos = session.get(
+            url=f"https://api.github.com/orgs/{org_name}/repos",
+            params=params,
+        )
+        if check_rate_limit(repos):
+            break
+
+        if repos.status_code != 200:
+            break
+        for r in repos.json():
+            print(
+                f"{page} - {r['name']} - {repos.headers['x-ratelimit-remaining']} / {repos.headers['x-ratelimit-limit']} - {repos.headers['x-ratelimit-reset']}"
+            )
+            repositories.append(r["name"])
+
+        if [] == repos.json():
+            break
+        page += 1
+
+    return repositories
+
+
+def get_codeql_alerts_repo(repo_name: str, org_name: str, session: Any) -> List:
+
+    #   https://api.github.com/repos/OWNER/REPO/code-scanning/alerts
+
+    alerts_repo = []
+    page = 1
+    while True:
+        params = {"state": "open", "per_page": 100, "page": page}
+        alerts = session.get(
+            url=f"https://api.github.com/repos/{org_name}/{repo_name}/code-scanning/alerts",
+            params=params,
+        )
+        print(
+            f"https://api.github.com/repos/{org_name}/{repo_name}/code-scanning/alerts"
+        )
+
+        if check_rate_limit(alerts):
+            break
+
+        if alerts.status_code != 200:
+            break
+
+        for a in alerts.json():
+            print(
+                f"{page} - {a} - {alerts.headers['x-ratelimit-remaining']} / {alerts.headers['x-ratelimit-limit']} - {alerts.headers['x-ratelimit-reset']}"
+            )
+            alerts_repo.append(a)
+
+        if [] == alerts.json():
+            break
+
+        page += 1
+
+    return alerts_repo
+
+
+def output_to_csv(alerts_per_repos: Dict, location: str) -> bool:
+    try:
+        with open(location, "w") as log_file:
+            log_file.write(json.dumps(alerts_per_repos))
+    except Exception as e:
+        print(str(e))
+        print(f"Failure to write the output to {location}")
+        return False
+    return True
+
+
+def main():
+
+    s = requests.Session()
+    s.headers.update(
+        {
+            "accept": "application/vnd.github+json",
+            "authorization": f"Bearer {GH_TOKEN}",
+            "User-Agent": "jboursier-mwb/fetch_org_ghas_metrics",
+        }
+    )
+
+    exclude_archived = False
+
+    org_repos = get_org_repositories(ORG_NAME, exclude_archived, s)
+
+    print(org_repos)
+
+    alerts_per_repo = {}
+    output = "./codescanning_alerts.json"
+
+    for repo in org_repos:
+        alerts_per_repo[repo] = get_codeql_alerts_repo(repo, ORG_NAME, s)
+
+    print(alerts_per_repo)
+
+    output_to_csv(alerts_per_repo, location=output)
+
+
+if __name__ == "__main__":
+    main()