feat: Expand assessment coverage with new security, hygiene, and governance checks#11
Open
tcardosoMSFT wants to merge 6 commits into
- Add check_actions_security() to assess workflow permissions and allowed actions policy
- Add check_deploy_keys() to audit deploy keys with write access
- Add check_webhooks() to detect insecure webhook configurations
- Update assess_repository_security() to call new check functions
- Update export_to_csv() with new columns for all three checks
- Update print_summary() with Actions/deploy keys/webhooks statistics
- Include new error sources in CSV error aggregation

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

…ignore, mcp.json)

Add check_copilot_files() function that checks for additional Copilot best practice files beyond the existing directory checks:
- .github/copilot-instructions.md
- AGENTS.md (root level)
- .copilotignore (root level)
- .github/copilot/mcp.json (MCP config)

Updates include:
- New CONFIG keys: copilot_files, copilot_nested_files
- New CSV columns for each file check
- Recommendations column suggesting missing files
- Summary stats showing file adoption percentages
- Parallel execution for file checks alongside dir checks

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

Add six new check functions for comprehensive org governance:
- check_org_rulesets: Org-level rulesets and PR requirements
- check_outside_collaborators: Audit external collaborators and 2FA
- check_org_actions_permissions: Actions workflow permissions
- check_pat_policies: Fine-grained PAT request monitoring
- check_code_security_config: Code security configurations
- check_copilot_settings: Copilot billing and policy settings

Update assess_organization orchestrator, CSV export with new columns, and print_summary with new governance statistics sections.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

New script that checks repositories for essential hygiene files and configurations: CODEOWNERS, LICENSE, SECURITY.md, README, .gitignore, dependabot.yml, Private Vulnerability Reporting, and stale repo detection.

Follows existing patterns: CONFIG dict, ThreadPoolExecutor parallel execution, rate limiting, CSV export with timestamps, and unicode status indicators.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

- Query org copilot/policies endpoint for premium budget limits
- Fall back to billing response for budget fields
- Add 'Copilot Premium Budget Set' and 'Copilot Premium Budget Limit' CSV columns
- Update Copilot Status to require premium budget for pass
- Add Copilot Governance section to print_summary with budget stats

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

Tests cover:
- Repo hygiene: CODEOWNERS, LICENSE, SECURITY.md, dependabot, stale repos
- Security: Actions permissions, deploy keys, webhooks
- IDP: Org rulesets, outside collaborators, Actions perms, code security configs, Copilot settings with premium budget, PAT policies
- Copilot: copilot-instructions.md, AGENTS.md, .copilotignore, MCP config

50 tests, all passing with mocked gh API calls.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Summary
Adds 30+ new assessment checks across 4 categories, consolidating related items for easier review.
🏥 Repository Hygiene (new script: `repo_hygiene_assessment.py`)
⚡ Actions Security & Audit (extended `security_assessment.py`)
🏢 Org Governance (extended `idp_assessment.py`)
🤖 Copilot Best Practices (extended `assess_copilot_repos.py`)
✅ Tests
API Endpoints Used
All checks use `gh api` (GitHub CLI) with standard REST endpoints; no Enterprise-only requirements for core checks.
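The three repository-level checks named in the first commit (write-access deploy keys, insecure webhooks, Actions permissions) come down to evaluating a few fields of standard REST responses. The example below is added here and is not the PR's code: it shows the evaluation logic such checks need, run over constructed sample payloads (invented values) shaped like the responses of `GET /repos/{owner}/{repo}/keys`, `/hooks`, `/actions/permissions` and `/actions/permissions/workflow`. The `gh_api` wrapper, the `audit_*` function names, the finding strings and the `assess_repository` orchestrator are assumptions for illustration, not the project's API; only the REST paths and field names are GitHub's.

```python
import json
import subprocess
from typing import Any

# Constructed sample payloads (invented values) shaped like the real GitHub
# REST responses for deploy keys, webhooks and Actions permissions.
SAMPLE_KEYS = [
    {"id": 1, "title": "ci-readonly", "read_only": True, "verified": True},
    {"id": 2, "title": "legacy-deploy", "read_only": False, "verified": True},
]
SAMPLE_HOOKS = [
    {"id": 10, "active": True, "events": ["push"],
     "config": {"url": "https://ci.example.com/hook", "content_type": "json",
                "insecure_ssl": "0", "secret": "********"}},
    {"id": 11, "active": True, "events": ["push", "pull_request"],
     "config": {"url": "http://legacy.example.com/hook", "content_type": "form",
                "insecure_ssl": "1"}},
]
SAMPLE_ACTIONS = {"enabled": True, "allowed_actions": "all"}
SAMPLE_WORKFLOW = {"default_workflow_permissions": "write",
                   "can_approve_pull_request_reviews": True}


def gh_api(path: str) -> Any:
    """Call one REST path through the GitHub CLI (needs network and an
    authenticated gh; the offline demo below never calls it). Pagination
    is deliberately left out to keep the example short."""
    proc = subprocess.run(["gh", "api", path], check=True,
                          capture_output=True, text=True)
    return json.loads(proc.stdout)


def audit_deploy_keys(keys: list[dict]) -> list[str]:
    """Titles of deploy keys that can push: the API marks read-only keys
    with read_only=true, anything else grants write access."""
    return [k["title"] for k in keys if not k.get("read_only", False)]


def audit_webhooks(hooks: list[dict]) -> list[tuple[int, list[str]]]:
    """(hook id, findings) for hooks whose delivery configuration is weak."""
    results = []
    for hook in hooks:
        cfg = hook.get("config", {})
        findings = []
        if cfg.get("url", "").startswith("http://"):
            findings.append("plaintext http delivery")
        # insecure_ssl is the string "1" when TLS verification is turned off
        if str(cfg.get("insecure_ssl", "0")) == "1":
            findings.append("ssl verification disabled")
        # the API returns secret as "********" only when a secret is configured
        if not cfg.get("secret"):
            findings.append("no signing secret")
        if findings:
            results.append((hook["id"], findings))
    return results


def audit_actions(perms: dict, workflow: dict) -> list[str]:
    """Findings for permissive Actions settings at the repository level."""
    findings = []
    if perms.get("enabled") and perms.get("allowed_actions") == "all":
        findings.append("any action or reusable workflow allowed")
    if workflow.get("default_workflow_permissions") == "write":
        findings.append("default GITHUB_TOKEN permissions are write")
    if workflow.get("can_approve_pull_request_reviews"):
        findings.append("GITHUB_TOKEN may approve pull requests")
    return findings


def assess_repository(owner: str, repo: str) -> dict:
    """Live variant (hypothetical orchestrator): fetch the four endpoints
    through gh and run the audits. Requires network access."""
    base = f"/repos/{owner}/{repo}"
    return {
        "write_deploy_keys": audit_deploy_keys(gh_api(f"{base}/keys")),
        "weak_webhooks": audit_webhooks(gh_api(f"{base}/hooks")),
        "actions_findings": audit_actions(
            gh_api(f"{base}/actions/permissions"),
            gh_api(f"{base}/actions/permissions/workflow")),
    }


def demo() -> dict:
    """Offline run over the constructed payloads."""
    return {
        "write_deploy_keys": audit_deploy_keys(SAMPLE_KEYS),
        "weak_webhooks": audit_webhooks(SAMPLE_HOOKS),
        "actions_findings": audit_actions(SAMPLE_ACTIONS, SAMPLE_WORKFLOW),
    }


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Running the file prints the offline findings: the `legacy-deploy` key, hook 11 with three weaknesses, and three Actions findings. A real check should additionally paginate list endpoints (`?per_page=100` plus `gh api --paginate`) and treat an HTTP 403/404 on `/hooks` or `/keys` as "not assessable" rather than "clean", since those endpoints require admin rights on the repository.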