📦 branch-protection-auditor
v1.0.0. Audits GitHub/GitLab branch protection rules across repositories. Checks required reviews, status checks, force push restrictions, admin bypass, and CODEOWNERS.
# Branch Protection Auditor

Audit branch protection rules across your GitHub or GitLab repos. Find repos with no protection on main, missing required reviews, disabled status checks, admin bypass enabled, and missing CODEOWNERS — then generate recommended rulesets to fix the gaps.

Use when: "audit branch protection", "are our repos protected", "who can push to main", "review requirements", "security audit repos", "branch rules", "CODEOWNERS check", or before compliance audits.
## Commands

### audit — Scan All Repos

Step 1: List Repos

```bash
# List user repos (to list an org's repos instead, pass the org name as the first argument to gh repo list)
gh repo list --json nameWithOwner,defaultBranchRef --limit 100
```
Step 2: Check Protection Rules

```bash
# For each repo from Step 1 (REPO=owner/name, DEFAULT_BRANCH=its default branch), check branch protection.
# The endpoint returns 404 when the branch has no rules; gh still prints the API error body on stdout.
gh api "repos/$REPO/branches/$DEFAULT_BRANCH/protection" 2>/dev/null | python3 -c "
import json, sys
try:
    p = json.load(sys.stdin)
    if 'message' in p and 'url' not in p:   # 404 error body, not a protection object
        raise ValueError('no protection')
    reviews = p.get('required_pull_request_reviews') or {}
    status = p.get('required_status_checks') or {}
    checks = {
        'required_reviews': p.get('required_pull_request_reviews') is not None,
        'min_reviewers': reviews.get('required_approving_review_count', 0),
        'dismiss_stale': reviews.get('dismiss_stale_reviews', False),
        'require_code_owner': reviews.get('require_code_owner_reviews', False),
        'status_checks': p.get('required_status_checks') is not None,
        'strict_checks': status.get('strict', False),
        'enforce_admins': p.get('enforce_admins', {}).get('enabled', False),
        # GitHub reports allow_*; the audit wants 'blocked', so invert (missing key = assume allowed)
        'force_push_blocked': not p.get('allow_force_pushes', {}).get('enabled', True),
        'deletions_blocked': not p.get('allow_deletions', {}).get('enabled', True),
        'linear_history': p.get('required_linear_history', {}).get('enabled', False),
        'signed_commits': p.get('required_signatures', {}).get('enabled', False),
    }
    for k, v in checks.items():
        mark = '✅' if v else '❌'
        print(f'  {mark} {k}: {v}')
except (ValueError, AttributeError):
    print('  ❌ NO PROTECTION RULES')
"
```
Step 3: Check CODEOWNERS

```bash
# Check whether a CODEOWNERS file exists at any of the locations GitHub honours.
# A flag is needed: a for loop exits 0 even when nothing was found, so `done || echo` never fires.
found=""
for path in ".github/CODEOWNERS" "CODEOWNERS" "docs/CODEOWNERS"; do
  if gh api "repos/$REPO/contents/$path" --silent 2>/dev/null; then
    echo "✅ CODEOWNERS found at $path"
    found=1
    break
  fi
done
[ -n "$found" ] || echo "❌ No CODEOWNERS file"
```
Step 4: Generate Report

```markdown
# Branch Protection Audit — [Org Name]

## Summary
- Repos scanned: 45
- Protected: 32 (71%)
- Unprotected: 13 (29%) 🔴
- Fully compliant: 18 (40%)

## Unprotected Repos (Critical)
| Repo | Default Branch | Public? | Last Commit | Risk |
|---|---|---|---|---|
| api-service | main | No | 2 days ago | 🔴 Active, unprotected |
| legacy-app | master | No | 1 year ago | 🟡 Inactive |
| docs-site | main | Yes | 1 week ago | 🔴 Public, unprotected |

## Protection Gaps (protected but incomplete)
| Repo | Reviews | Status Checks | Admin Enforce | Force Push Block | CODEOWNERS |
|---|---|---|---|---|---|
| web-app | ✅ 2 | ✅ | ❌ | ✅ | ❌ |
| mobile-api | ✅ 1 | ❌ | ❌ | ✅ | ✅ |
| data-pipeline | ✅ 1 | ✅ | ✅ | ❌ | ❌ |

## Recommendations
- Enable protection on 13 unprotected repos (script provided)
- Require min 2 reviewers on all repos (currently 8 repos have 1)
- Enable admin enforcement on 24 repos (admins can bypass)
- Add CODEOWNERS to 27 repos
- Block force push on 5 repos that allow it
```
### fix — Apply Recommended Protection Rules

Generate a script to apply branch protection:

```bash
# Apply protection to a repo. The nested settings must be sent as a JSON body (--input);
# passing them with -f sends them as plain strings, which the API rejects.
gh api -X PUT "repos/$REPO/branches/main/protection" --input - <<'EOF'
{
  "required_pull_request_reviews": {
    "required_approving_review_count": 2,
    "dismiss_stale_reviews": true,
    "require_code_owner_reviews": true
  },
  "required_status_checks": {"strict": true, "contexts": ["ci/test", "ci/lint"]},
  "enforce_admins": true,
  "restrictions": null,
  "allow_force_pushes": false,
  "allow_deletions": false
}
EOF
```
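The audit steps above score each branch against a fixed set of checks, and the fix command writes one fixed body. The following Python module, added here as an example and not part of the auditor's own code, ties the two together: a single policy drives the evaluation used in Steps 2 and 4 (including the 404 "no rules" case and the risk labels in the report table) and the remediation body the fix command sends. The `POLICY` values, the 90-day activity threshold, and the `SAMPLE` responses are constructed assumptions; the response shape follows GitHub's branch protection endpoint.

```python
"""Policy-driven branch-protection audit helpers: evaluate a protection response,
summarise results and build the remediation body. Added example, not the
auditor's own code; POLICY, ACTIVE_DAYS and SAMPLE are constructed assumptions.
Response shapes follow GET /repos/{owner}/{repo}/branches/{branch}/protection."""
import json
from typing import Dict, List, Optional

# Assumed policy: mirrors the recommendations in the audit report above.
POLICY = {"min_reviewers": 2, "required_status_contexts": ["ci/test", "ci/lint"]}
ACTIVE_DAYS = 90  # assumption: a commit within 90 days counts as "active"


def parse_protection_response(stdout: str) -> Optional[dict]:
    """Turn `gh api` stdout into a dict, or None when the branch has no rules.
    An empty body and the 404 error body ({"message": "Branch not protected"})
    both mean "no protection"."""
    if not stdout.strip():
        return None
    data = json.loads(stdout)
    if "message" in data and "url" not in data:
        return None
    return data


def evaluate_protection(p: Optional[dict]) -> Dict[str, bool]:
    """Map one protection response to check -> pass/fail against POLICY."""
    if p is None:
        return {"protected": False}
    reviews = p.get("required_pull_request_reviews") or {}
    status = p.get("required_status_checks") or {}
    required = set(POLICY["required_status_contexts"])
    return {
        "protected": True,
        "min_reviewers": reviews.get("required_approving_review_count", 0) >= POLICY["min_reviewers"],
        "dismiss_stale": bool(reviews.get("dismiss_stale_reviews")),
        "require_code_owner": bool(reviews.get("require_code_owner_reviews")),
        "status_checks": required <= set(status.get("contexts", [])),
        "strict_checks": bool(status.get("strict")),
        "enforce_admins": bool((p.get("enforce_admins") or {}).get("enabled")),
        # GitHub reports allow_*; invert, and treat a missing key conservatively as allowed.
        "force_push_blocked": not (p.get("allow_force_pushes") or {}).get("enabled", True),
        "deletions_blocked": not (p.get("allow_deletions") or {}).get("enabled", True),
    }


def gaps(checks: Dict[str, bool]) -> List[str]:
    """Names of the checks that failed, in report order."""
    return [k for k, v in checks.items() if not v]


def classify_risk(public: bool, days_since_commit: int) -> str:
    """Risk label for an unprotected repo, as used in the report table."""
    if public:
        return "🔴 Public, unprotected"
    if days_since_commit <= ACTIVE_DAYS:
        return "🔴 Active, unprotected"
    return "🟡 Inactive"


def summarize(responses: Dict[str, Optional[dict]]) -> Dict[str, int]:
    """Counts for the report summary, from raw responses keyed by repo."""
    results = {repo: evaluate_protection(r) for repo, r in responses.items()}
    protected = sum(1 for r in results.values() if r["protected"])
    return {
        "scanned": len(results),
        "protected": protected,
        "unprotected": len(results) - protected,
        "fully_compliant": sum(1 for r in results.values() if not gaps(r)),
    }


def remediation_body(existing: Optional[dict]) -> dict:
    """PUT body for the protection endpoint (send it with `gh api --input -`).
    Contexts already required on the branch are kept so the fix never loosens a rule."""
    contexts = list(POLICY["required_status_contexts"])
    for c in ((existing or {}).get("required_status_checks") or {}).get("contexts", []):
        if c not in contexts:
            contexts.append(c)
    return {
        "required_pull_request_reviews": {
            "required_approving_review_count": POLICY["min_reviewers"],
            "dismiss_stale_reviews": True,
            "require_code_owner_reviews": True,
        },
        "required_status_checks": {"strict": True, "contexts": contexts},
        "enforce_admins": True,
        "restrictions": None,
        "allow_force_pushes": False,
        "allow_deletions": False,
    }


def _resp(reviewers, stale, owners, strict, contexts, admins, force, delete):
    """Build a constructed sample response in GitHub's shape."""
    return {
        "required_pull_request_reviews": {"required_approving_review_count": reviewers,
                                          "dismiss_stale_reviews": stale,
                                          "require_code_owner_reviews": owners},
        "required_status_checks": {"strict": strict, "contexts": contexts},
        "enforce_admins": {"enabled": admins},
        "allow_force_pushes": {"enabled": force},
        "allow_deletions": {"enabled": delete},
    }


# Constructed sample responses (not real repos).
SAMPLE: Dict[str, Optional[dict]] = {
    "api-service": None,  # endpoint returned 404: no rules at all
    "web-app": _resp(2, True, True, True, ["ci/test", "ci/lint"], False, False, False),
    "data-pipeline": _resp(1, False, False, False, ["ci/test", "ci/build"], True, True, False),
    "platform": _resp(2, True, True, True, ["ci/test", "ci/lint"], True, False, False),
}

if __name__ == "__main__":
    for repo, resp in SAMPLE.items():
        g = gaps(evaluate_protection(resp))
        print(f"{repo}: " + ("compliant" if not g else "gaps: " + ", ".join(g)))
    print(json.dumps(summarize(SAMPLE)))
    print(json.dumps(remediation_body(SAMPLE["data-pipeline"]), indent=2))
```

Keeping existing status-check contexts when building the body matters: the PUT replaces the whole protection object, so a fix script that sends only the policy's contexts would silently drop checks a team already requires.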
### compliance — Map to Security Frameworks

Generate compliance evidence for:

- SOC 2: CC6.1 (access controls), CC8.1 (change management)
- ISO 27001: A.12.1.2 (change management)
- NIST: CM-3 (configuration change control)
- PCI-DSS: 6.4 (change control procedures)