Github Analyzer
February 9, 2026 ยท View on GitHub
Github Analyzer
Audits a GitHub organization for potential security issues. The tool is currently in pre-alpha stage and only supports limited functionality, however we will be actively adding checks in the upcoming months, and welcome feature requests or contributions! Once the analysis is complete, a static HTML with the summary of the results is rendered in localhost:3000 as shown below:

Available Checks
| Name | Category | Severity | Resource Affected |
|---|---|---|---|
| Application restrictions disabled | Least Privilege | High | Organization |
| Insecure Webhook payload URL | Information Disclosure | High | Webhook |
| Advanced security disabled for new repositories | Tooling and Automation Configuration | Medium | Organization |
| Secret scanning disabled for new repositories | Tooling and Automation Configuration | Medium | Organization |
| Organization 2FA disabled | Authentication | Medium | Organization |
| Users without 2FA configured | Authentication | Low | User Account |
| Permissions overview for users | Least Privilege | Informational | User Account |
| OAuth application summary | Least Privilege | Informational | Organization |
Sample Output
For each issue identified, a JSON with associated information will be generated. A sample output snippet is as follows:
...
{
"id": "CONFIG_AS_1",
"name": "Secret scanning disabled for new repositories",
"severity": 3,
"category": "Information disclosure to untrusted parties",
"tags": [
"GitHub Advanced Security feature"
],
"description": "Secret scanning disabled for org testorg",
"resource": [
{
"id": "testorg",
"kind": "Organization"
}
],
"cwes": [
319
],
"remediation": "Pleasee see https://docs.github.com/en/github-ae@latest/code-security/secret-scanning/configuring-secret-scanning-for-your-repositories for how to enable secret scanning in your repositories"
},
{
"id": "AUTH_2FA_2",
"name": "Users without 2FA configured",
"severity": 2,
"category": "Authentication",
"description": "The following collaborators have not enabled 2FA: testuser1, testuser2",
"resource": [
{
"id": "testuser1",
"kind": "UserAccount"
},
{
"id": "testuser2",
"kind": "UserAccount"
}
],
"cwes": [
308
],
"remediation": "Please see https://docs.github.com/en/authentication/securing-your-account-with-two-factor-authentication-2fa/configuring-two-factor-authentication for steps on how to configure 2FA for individual accounts"
}
...
How to run
You can see available options via the --help flag.
Running locally
- Install with:
go install -v github.com/crashappsec/github-analyzer/cmd/github-analyzer@latest - Run with:
$GOPATH/bin/github-analyzer \ --organization <your org name> \ --token "$GH_SECURITY_AUDITOR_TOKEN"
Running using Docker
-
After cloning the repo, build the container using:
docker compose build --no-cache -
Run
docker compose run \ --rm --service-ports \ github-analyzer \ --organization <your org name> \ --output output \ --token "$GH_SECURITY_AUDITOR_TOKEN"
Permissions
For API-based based checks, you need to pass in GitHub Token (either personal access token (PAT) or token derived from GitHub app installation) with the appropriate permissions. Example usage:
github-analyzer \
--organization <your org name> \
--token "$GH_SECURITY_AUDITOR_TOKEN"
See our wiki for instructions on setting up a token to be used with the github-analyzer.
For experimental scraping-based checks, you need to pass in your username and password, as well your two factor authentication one-time-password, as needed. Example usage:
github-analyzer \
--organization crashappsec \
--token "$GH_SECURITY_AUDITOR_TOKEN" \
--userPermissionStats \
--enableScraping \
--username "$GH_SECURITY_AUDITOR_USERNAME" \
--password "$GH_SECURITY_AUDITOR_PASSWORD" \
--otpSeed "$GH_SECURITY_AUDITOR_OTP_SEED"
See our wiki for instructions on setting up a token to be used with the analyzer.
Credits
Project was originally ported from Mike de Libero's auditor with the author's permission.
Using GitHub App Instead of Personal Access Token
For better security, it is recommended to use a GitHub App access token instead of a personal access token when running this tool internally within an organization.
Steps to generate access token using GitHub App
-
Go to GitHub Developer Settings: https://github.com/settings/apps
-
Click New GitHub App
-
Fill required details:
- App name
- Homepage URL (can be your org URL)
- Disable webhook (not required)
-
Set permissions: Repository permissions:
- Metadata: Read
- Contents: Read
- Administration: Read
Organization permissions:
- Members: Read
- Administration: Read
-
Click Create GitHub App
-
Generate a private key (.pem file)
-
Install the GitHub App to your organization
-
Generate a JWT token using the App ID and private key.
-
Exchange JWT for installation access token using GitHub API: https://api.github.com/app/installations/{installation_id}/access_tokens
-
Use this access token when running github-analyzer internally.
This approach avoids using personal access tokens and improves organizational security.