ghe-reposec: initial commit (#1)

.github/workflows/go.yaml

@@ -0,0 +1,19 @@
+# Copyright 2025 Adevinta
+
+name: Go
+on: [push, pull_request]
+permissions:
+  contents: read
+jobs:
+  test:
+    name: Test
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@v4
+      - name: Set up Go
+        uses: actions/setup-go@v5
+        with:
+          go-version: '1.23'
+      - name: Run "go test"
+        run: go test -cover -race ./...

.github/workflows/golangci-lint.yaml

@@ -0,0 +1,26 @@
+# Copyright 2025 Adevinta
+
+name: Golangci-lint
+on: [push, pull_request]
+permissions:
+  contents: read
+jobs:
+  golangci-lint:
+    name: Lint
+    runs-on: ubuntu-latest
+    env:
+      GOLANGCI_LINT_VERSION: v1.63.4
+      GOLANGCI_LINT_OUT_FORMAT: ${{ github.event_name == 'pull_request' && 'github-actions' || 'colored-line-number' }}
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@v4
+      - name: Set up Go
+        uses: actions/setup-go@v5
+        with:
+          go-version: '1.23'
+      - name: Remove Go problem matchers
+        run: echo "::remove-matcher owner=go::"
+      - name: Install "golangci-lint"
+        run: curl -sSfL https://raw.githubusercontent.com/golangci/golangci-lint/master/install.sh | sh -s -- -b $(go env GOPATH)/bin ${{ env.GOLANGCI_LINT_VERSION }}
+      - name: Run "golangci-lint run"
+        run: golangci-lint run --out-format=${{ env.GOLANGCI_LINT_OUT_FORMAT }} ./...

.github/workflows/lava.yaml

@@ -0,0 +1,18 @@
+# Copyright 2025 Adevinta
+
+name: Lava
+on: [push, pull_request]
+permissions:
+  contents: read
+jobs:
+  lava:
+    name: Lava
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@v4
+      - name: Run Lava Action
+        uses: adevinta/lava-action@v0
+        with:
+          version: latest
+          config: lava.yaml

.github/workflows/release.yaml

@@ -0,0 +1,32 @@
+# Copyright 2025 Adevinta
+
+name: Release
+
+on:
+  push:
+    tags:
+      - 'v[0-9]+.[0-9]+.[0-9]+*'
+
+permissions:
+  contents: write
+
+jobs:
+  goreleaser:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+        with:
+          fetch-depth: 0
+      - name: Set up Go
+        uses: actions/setup-go@v5
+        with:
+          go-version: '1.23'
+      - name: Run "goreleaser"
+        uses: goreleaser/goreleaser-action@v6
+        with:
+          distribution: goreleaser
+          version: v2.5.1
+          args: release --clean
+        env:
+          GITHUB_TOKEN: ${{ github.token }}

.gitignore

@@ -1,3 +1,5 @@
+# Copyright 2025 Adevinta
+
 # If you prefer the allow list template instead of the deny list, see community template:
 # https://github.com/github/gitignore/blob/main/community/Golang/Go.AllowList.gitignore
 #
@@ -23,3 +25,13 @@ go.work.sum
 
 # env file
 .env
+
+# Build binaries
+ghe-reposec
+main
+dist/
+
+# Editor and OS directories and files
+.idea/
+.vscode/
+.DS_Store

.golangci.yaml

@@ -0,0 +1,40 @@
+# Copyright 2025 Adevinta
+
+linters:
+  enable:
+    - gci
+    - godot
+    - gofmt
+    - goheader
+    - misspell
+    - revive
+    - whitespace
+    - unparam
+linters-settings:
+  gci:
+    sections:
+      - standard
+      - default
+      - prefix(github.com/adevinta/ghe-reposec)
+    custom-order: true
+  goheader:
+    values:
+      const:
+        COMPANY: Adevinta
+      regexp:
+        ANY-YEAR: \d{4}
+    template: |-
+      Copyright {{ ANY-YEAR }} {{ COMPANY }}
+issues:
+  max-issues-per-linter: 0
+  max-same-issues: 0
+  exclude-use-default: false
+  exclude-rules:
+    - linters:
+        - errcheck
+      text: 'Error return value of .((os\.)?std(out|err)\..*|.*Close|.*Flush|os\.Remove(All)?|.*print(f|ln)?|os\.(Un)?Setenv). is not checked'
+    - linters:
+        - revive
+      text: 'unused-parameter: parameter ''.*'' seems to be unused'
+run:
+  timeout: 5m

.goreleaser.yaml

@@ -0,0 +1,37 @@
+# Copyright 2025 Adevinta
+
+version: 2
+
+project_name: ghe-reposec
+
+gomod:
+  proxy: true
+
+builds:
+  -
+    main: .
+    env:
+      - CGO_ENABLED=0
+    goos:
+      - linux
+      - darwin
+    goarch:
+      - "386"
+      - amd64
+      - arm
+      - arm64
+    ignore:
+      - goos: darwin
+        goarch: arm
+    mod_timestamp: '{{.CommitTimestamp}}'
+    ldflags:
+      - -s -w
+
+archives:
+  - format: tar.gz
+    name_template: '{{.ProjectName}}_{{.Os}}_{{.Arch}}{{if .Arm}}v{{.Arm}}{{end}}'
+
+release:
+  footer: |
+    **Full Changelog**: https://github.com/adevinta/ghe-reposec/compare/{{.PreviousTag}}...{{.Tag}}
+  prerelease: auto

CONTRIBUTING.md

@@ -0,0 +1,3 @@
+# Contributing
+
+**We are not accepting external contributions at the moment.**

DISCLAIMER

@@ -0,0 +1,6 @@
+Copyright (c) 2025 Adevinta
+
+Unless required by applicable law or agreed to in writing, software distributed
+under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR
+CONDITIONS OF ANY KIND, either express or implied. See the License for the
+specific language governing permissions and limitations under the License.

README.md

@@ -1,2 +1,61 @@
 # ghe-reposec
 Tool for verifying security controls in GitHub Enterprise repositories.
+
+## Install
+
+### Binary distributions
+
+Binary distributions are available in the [releases] section.
+
+### Install from source
+
+Install the Lava command with `go install`.
+
+```sh
+go install github.com/adevinta/ghe-reposec@latest
+```
+
+### Requirements
+
+`ghe-reposec` requires [Lava] in order to run.
+
+## Configuration
+
+The `ghe-reposec` tool can be configured using environment variables. Below are the available configuration options:
+
+### General Configuration
+
+- `REPOSEC_LOG_LEVEL`: The log level (default: `info`). Possible values: `debug`, `info`, `warn`, `error`.
+- `REPOSEC_LOG_OUTPUT`: The log output (default: `stdout`). Possible values: `stdout`, `stderr`.
+- `REPOSEC_LOG_OUTPUT_FORMAT`: The log output format (default: `text`). Possible values: `text`, `json`.
+- `REPOSEC_TARGET_ORG`: The target GitHub organization.
+- `REPOSEC_OUTPUT_FILE`: The output file path (default: `/tmp/reposec.csv`).
+- `REPOSEC_OUTPUT_FORMAT`: The output format (default: `csv`). Possible values: `csv`, `json`.
+
+### GitHub Enterprise Configuration
+
+- `REPOSEC_GHE_TOKEN`: The GitHub Enterprise token **(required)**.
+- `REPOSEC_GHE_BASE_URL`: The GitHub Enterprise base URL **(required)**.
+- `REPOSEC_GHE_CONCURRENCY`: The number of concurrent requests to GitHub Enterprise (default: `15`).
+- `REPOSEC_GHE_REPOSITORY_SIZE_LIMIT`: The maximum repository size in KB (default: `3145728`).
+- `REPOSEC_GHE_INCLUDE_ARCHIVED`: Include archived repositories (default: `false`).
+- `REPOSEC_GHE_INCLUDE_EMPTY`: Include empty repositories (default: `false`).
+- `REPOSEC_GHE_INCLUDE_FORKS`: Include forked repositories (default: `false`).
+- `REPOSEC_GHE_INCLUDE_TEMPLATES`: Include template repositories (default: `false`).
+- `REPOSEC_GHE_INCLUDE_DISABLED`: Include disabled repositories (default: `false`).
+- `REPOSEC_GHE_MIN_LAST_ACTIVITY_DAYS`: The minimum number of days since the last activity in the repository (default: `0`).
+
+### Lava Configuration
+
+- `REPOSEC_LAVA_CONCURRENCY`: The number of concurrent Lava scans (default: `10`).
+- `REPOSEC_LAVA_BINARY_PATH`: The path to the Lava binary (default: `/usr/bin/lava`).
+- `REPOSEC_LAVA_CHECK_IMAGE`: The Lava check image (default: `vulcansec/vulcan-repository-sctrl:a20516f-4aae88d`).
+- `LAVA_RESULTS_PATH`: The path where Lava results (stdout and stderr) will be stored if specified.
+
+
+## Contributing
+
+**We are not accepting external contributions at the moment.**
+
+[Lava]: https://github.com/adevinta/lava
+[releases]: https://github.com/adevinta/ghe-reposec/releases

go.mod

@@ -0,0 +1,11 @@
+module github.com/adevinta/ghe-reposec
+
+go 1.23
+
+require (
+	github.com/adevinta/vulcan-report v1.0.0
+	github.com/caarlos0/env/v11 v11.3.1
+	github.com/google/go-github/v67 v67.0.0
+)
+
+require github.com/google/go-querystring v1.1.0 // indirect

go.sum

@@ -0,0 +1,12 @@
+github.com/adevinta/vulcan-report v1.0.0 h1:44aICPZ+4svucgCSA5KmjlT3ZGzrvZXiSnkbnj6AC2k=
+github.com/adevinta/vulcan-report v1.0.0/go.mod h1:k34KaeoXc3H77WNMwI9F4F1G28hBjB95PeMUp9oHbEE=
+github.com/caarlos0/env/v11 v11.3.1 h1:cArPWC15hWmEt+gWk7YBi7lEXTXCvpaSdCiZE2X5mCA=
+github.com/caarlos0/env/v11 v11.3.1/go.mod h1:qupehSf/Y0TUTsxKywqRt/vJjN5nz6vauiYEUUr8P4U=
+github.com/google/go-cmp v0.5.2/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE=
+github.com/google/go-cmp v0.6.0 h1:ofyhxvXcZhMsU5ulbFiLKl/XBFqE1GSq7atu8tAmTRI=
+github.com/google/go-cmp v0.6.0/go.mod h1:17dUlkBOakJ0+DkrSSNjCkIjxS6bF9zb3elmeNGIjoY=
+github.com/google/go-github/v67 v67.0.0 h1:g11NDAmfaBaCO8qYdI9fsmbaRipHNWRIU/2YGvlh4rg=
+github.com/google/go-github/v67 v67.0.0/go.mod h1:zH3K7BxjFndr9QSeFibx4lTKkYS3K9nDanoI1NjaOtY=
+github.com/google/go-querystring v1.1.0 h1:AnCroh3fv4ZBgVIf1Iwtovgjaw/GiKJo8M8yD/fhyJ8=
+github.com/google/go-querystring v1.1.0/go.mod h1:Kcdr2DB4koayq7X8pmAG4sNG59So17icRSOU623lUBU=
+golang.org/x/xerrors v0.0.0-20191204190536-9bdfabe68543/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=