Overview
Microsoft, of all people, has published a repository like this one.
It is a CLI tool that scans whether your GitHub settings follow best practices, across organizations and so on.
In my own organization the settings vary from repository to repository, and many of them were probably set up in a hurry, so I decided to give it a try.
What is GitHub Quick Review?
As mentioned above, it is a CLI tool that scans your GitHub settings. It appears to check items such as the following.
| Check area | Example checks |
|---|---|
| Security | Dependabot alerts, secret scanning, etc. |
| Access Control | 2FA, SAML SSO, etc. |
| Branch Protection | Required reviews, rulesets, etc. |
| Copilot | Dependabot alerts, secret scanning, etc. |
| Governance | IP restrictions, repository creation policy, etc. |
| Audit Log | Audit log streaming settings, etc. |
| Community | Issue templates, contribution guides, etc. |
| Actions | Workflow permissions, runner settings, etc. |
| Dependencies | Dependabot version and security updates, etc. |
| Metadata | Repository description, etc. |
The scan results can be output in Markdown, Excel, and JSON format.
Setup
I will set it up on Windows.
Install command
```powershell
Set-ExecutionPolicy Bypass -Scope Process -Force; [System.Net.ServicePointManager]::SecurityProtocol = [System.Net.ServicePointManager]::SecurityProtocol -bor 3072; iex ((New-Object System.Net.WebClient).DownloadString('https://raw.githubusercontent.com/microsoft/ghqr/main/scripts/install.ps1'))
```
Issuing an access token
Issue an access token with the following scopes and register it as an environment variable.
Registering it under the name GH_TOKEN or GITHUB_TOKEN seems to be enough.
| Scope |
|---|
| read:org |
| read:enterprise |
| repo |
| read:audit_log |
| read:user |
| copilot |
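Before running a scan it is worth confirming that the token actually carries the scopes listed above, so that a missing scope does not silently turn into an empty enterprise or organization section. The following script is an added example, not part of ghqr: it reads the token from GH_TOKEN or GITHUB_TOKEN, calls GET /user and compares the scopes GitHub reports in the X-OAuth-Scopes response header against the table above. That header is only populated for classic personal access tokens (which is what scope names like read:org imply), so the check does not apply to fine-grained tokens; the scope list and the two "broader scope covers narrower scope" rules are the assumptions this example makes.

```python
"""Pre-flight check: does the token in GH_TOKEN / GITHUB_TOKEN carry the scopes ghqr needs?

Added example, not part of ghqr. It uses the X-OAuth-Scopes response header that
api.github.com sends for classic personal access tokens; fine-grained tokens do not
report scopes this way, so the check only applies to classic tokens.
"""
import os
import urllib.request

# The scopes listed in the post's table (assumed to be what ghqr needs).
REQUIRED_SCOPES = (
    "read:org",
    "read:enterprise",
    "repo",
    "read:audit_log",
    "read:user",
    "copilot",
)

# Broader classic scopes that include a required one (GitHub's scope hierarchy):
# admin:org and write:org include read:org; user includes read:user.
IMPLIED_BY = {
    "read:org": ("write:org", "admin:org"),
    "read:user": ("user",),
}


def parse_scopes_header(header_value: str) -> set:
    """Turn the comma-separated header value (e.g. 'repo, read:org') into a set."""
    return {s.strip() for s in header_value.split(",") if s.strip()}


def missing_scopes(granted: set, required=REQUIRED_SCOPES) -> list:
    """Return the required scopes not covered by the granted set, in the order listed."""
    missing = []
    for scope in required:
        covered = scope in granted or any(
            broad in granted for broad in IMPLIED_BY.get(scope, ())
        )
        if not covered:
            missing.append(scope)
    return missing


def fetch_token_scopes(token: str) -> set:
    """Call GET /user and read the scopes GitHub reports for the token (network call)."""
    req = urllib.request.Request(
        "https://api.github.com/user",
        headers={
            "Authorization": f"token {token}",
            "User-Agent": "ghqr-scope-check",  # GitHub rejects requests without a UA
        },
    )
    with urllib.request.urlopen(req, timeout=15) as resp:
        return parse_scopes_header(resp.headers.get("X-OAuth-Scopes", ""))


def main() -> int:
    # Same lookup order as the post: GH_TOKEN first, then GITHUB_TOKEN.
    token = os.environ.get("GH_TOKEN") or os.environ.get("GITHUB_TOKEN")
    if not token:
        print("Set GH_TOKEN or GITHUB_TOKEN before running ghqr.")
        return 2
    missing = missing_scopes(fetch_token_scopes(token))
    if missing:
        print("Token is missing scopes ghqr expects:", ", ".join(missing))
        return 1
    print("Token covers all scopes from the post's table.")
    return 0


if __name__ == "__main__":
    raise SystemExit(main())
```

Run it in the same shell session where the environment variable is set; a non-zero exit code means the scan would run with less access than the post's table calls for. The authoritative scope list is whatever the ghqr README states, so adjust REQUIRED_SCOPES if it differs from the table reproduced here.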
Trying it out
Once setup is complete, you can scan with the following command.
This time I scanned a repository in an organization I created for testing. By default it seems to visit every enterprise and organization the authenticated user belongs to.
```text
PS C:\Users\papa> .\ghqr scan
2026-05-05T11:26:25+09:00 INF Scan started stages=9
2026-05-05T11:26:25+09:00 INF Initializing scan...
2026-05-05T11:26:26+09:00 INF Authenticated to GitHub user=papaHasuo
2026-05-05T11:26:26+09:00 INF Discovering enterprises for authenticated user...
2026-05-05T11:26:26+09:00 INF No enterprises found for the authenticated user
2026-05-05T11:26:26+09:00 INF Skipping enterprise scan - no enterprises specified (use --enterprise or -e flag)
2026-05-05T11:26:26+09:00 INF Discovering organizations for authenticated user...
2026-05-05T11:26:26+09:00 INF Organizations discovered count=1 organizations=["papa-hasuo"]
2026-05-05T11:26:26+09:00 INF Starting organization scan count=1
2026-05-05T11:26:26+09:00 INF Scanning organization organization=papa-hasuo
2026-05-05T11:26:26+09:00 INF Starting organization scan organization=papa-hasuo
2026-05-05T11:26:28+09:00 INF Organization scan completed organization=papa-hasuo
2026-05-05T11:26:28+09:00 INF Organization scan completed successfully organization=papa-hasuo
2026-05-05T11:26:28+09:00 INF Organization scan completed
2026-05-05T11:26:28+09:00 INF Fetching organization repository names via GraphQL org=papa-hasuo
2026-05-05T11:26:28+09:00 INF Scanning repositories in batches batch_size=5 count=1 org=papa-hasuo workers=5
2026-05-05T11:26:28+09:00 INF Enriching repositories with ruleset data via GraphQL (batched) chunks=1 org=papa-hasuo repos=1 workers=10
2026-05-05T11:26:29+09:00 INF Enriching repository current=1 repository=papa-hasuo/test-scan total=1
2026-05-05T11:26:29+09:00 INF Org repository scan complete org=papa-hasuo scanned=1
2026-05-05T11:26:29+09:00 INF Running best-practice evaluations...
2026-05-05T11:26:29+09:00 INF Evaluations completed
2026-05-05T11:26:29+09:00 INF Rendering reports... results=12
2026-05-05T11:26:29+09:00 INF JSON report written path=ghqr_20260505_112625.json
2026-05-05T11:26:29+09:00 INF Generating Excel report: ghqr_20260505_112625.xlsx
2026-05-05T11:26:29+09:00 INF Excel report written path=ghqr_20260505_112625.xlsx
2026-05-05T11:26:29+09:00 INF Markdown report written path=ghqr_20260505_112625.md
2026-05-05T11:26:29+09:00 INF Scan summary enterprises=0 organizations=1 output=ghqr_20260505_112625 repositories=1
2026-05-05T11:26:29+09:00 INF Scan completed in 4s
2026-05-05T11:26:29+09:00 INF Scan completed
```
Results
As shown here, it picked out recommended settings by priority and category. Since I ran it against an empty repository, most of the findings are of the "nothing is configured" kind.
Incidentally, the full list of recommendations can also be viewed with the following command.
```text
PS C:\Users\papa> .\ghqr list-recommendations
ID SCOPE CATEGORY SEVERITY TITLE
────────────────── ────────────── ────────────────────── ────────── ─────────────────────────────────────────────────────
ent-alert-001 enterprise dependencies critical Critical Dependabot alerts open across enterprise
ent-alert-002 enterprise dependencies high High-severity Dependabot alerts open across enterprise
ent-alert-003 enterprise security high Code scanning alerts open across enterprise
ent-alert-004 enterprise security critical Secret scanning alerts open across enterprise
ent-ghas-001 enterprise security high GitHub Advanced Security not enabled at enterprise level
ent-ghas-002 enterprise security high Secret scanning not enabled as enterprise default
ent-ghas-003 enterprise security high Secret scanning push protection not enabled as enterprise default
ent-ghas-004 enterprise dependencies high Dependabot alerts not enabled as enterprise default
ent-ghas-005 enterprise dependencies medium Dependabot security updates not enabled as enterprise default
ent-ghas-006 enterprise dependencies medium Dependency graph not enabled as enterprise default
ent-ghas-007 enterprise security low Secret scanning for non-provider patterns not enabled as enterprise default
ent-log-001 enterprise security critical Suspicious audit log events detected
ent-log-002 enterprise security high Audit log streaming configuration cannot be verified
org-act-001 organization actions high Default GITHUB_TOKEN permission is write
org-act-002 organization actions high GitHub Actions allows all third-party actions
org-act-003 organization actions low Actions restricted to local repositories only
org-alert-001 organization dependencies critical Critical Dependabot alerts open across organization
org-alert-002 organization dependencies high High-severity Dependabot alerts open across organization
org-alert-003 organization dependencies medium Open Dependabot alerts across organization
org-alert-004 organization security high Code scanning alerts open across organization
org-alert-005 organization security critical Secret scanning alerts open across organization
org-cop-001 organization copilot_cost medium Copilot seats assigned to all organization members
org-cop-002 organization copilot_security high Copilot allowed to suggest code matching public repositories
org-cop-003 organization copilot_cost medium High percentage of inactive Copilot seats
org-def-001 organization dependencies high Dependabot alerts not enabled by default for new repositories
org-def-002 organization dependencies medium Dependabot security updates not enabled by default for new repositories
org-def-003 organization dependencies medium Dependency graph not enabled by default for new repositories
org-def-004 organization security high Secret scanning not enabled by default for new repositories
org-def-005 organization security high Secret scanning push protection not enabled by default for new repositories
org-def-006 organization security medium GitHub Advanced Security not enabled by default for new repositories
org-sec-001 organization security high Two-factor authentication not required
org-sec-002 organization security medium Web commit signoff not required
org-sec-003 organization access_control high Default repository permission set to admin
org-sec-004 organization access_control medium Members can create public repositories
org-sec-005 organization access_control medium No security manager team assigned
org-sec-006 organization security info EMU enabled: two-factor authentication is controlled by your identity provider
repo-acc-001 repository access_control high Excessive admin collaborators
repo-acc-002 repository access_control medium Direct collaborators instead of teams
repo-acc-003 repository security high Deploy keys with write access
repo-acc-004 repository security medium Unverified deploy keys
repo-acc-005 repository security medium Deploy keys present — consider GitHub Apps or OIDC
repo-bp-001 repository branch_protection critical No branch protection configured on default branch
repo-bp-002 repository branch_protection critical No approving reviews required before merge
repo-bp-003 repository branch_protection medium Only 1 approving review required
repo-bp-004 repository branch_protection high Stale reviews not dismissed on new commits
repo-bp-005 repository branch_protection medium Code owner review not required
repo-bp-006 repository branch_protection critical Pull request reviews not configured
repo-bp-007 repository branch_protection high Strict status checks not enabled
repo-bp-008 repository branch_protection high No specific status checks required
repo-bp-009 repository branch_protection high No required status checks configured
repo-bp-010 repository branch_protection critical Force pushes allowed on protected branch
repo-bp-011 repository branch_protection high Branch deletion allowed on protected branch
repo-bp-012 repository branch_protection medium Signed commits not required
repo-bp-013 repository branch_protection low Linear history not required
repo-bp-014 repository branch_protection info Branch protected by repository rulesets (not legacy branch protection)
repo-comm-001 repository community info GitHub Discussions not enabled
repo-feat-001 repository features low Issues and Discussions both disabled
repo-feat-002 repository maintenance low Auto-delete branches on merge not enabled
repo-meta-001 repository community medium Repository has no description
repo-meta-002 repository community low Repository has no topics
repo-meta-003 repository maintenance low Repository appears dormant but is not archived
repo-sec-001 repository security high Dependabot alerts not enabled
repo-sec-002 repository security critical Critical Dependabot alerts open
repo-sec-003 repository security high High-severity Dependabot alerts open
repo-sec-004 repository security low No SECURITY.md file found
repo-sec-005 repository access_control medium No CODEOWNERS file found
repo-sec-006 repository security medium Dependabot alerts enabled but no dependabot.yml found
repo-sec-007 repository security high Dependabot not configured
repo-sec-008 repository security high Code scanning (CodeQL) not configured
repo-sec-009 repository security info No custom CodeQL configuration file
70 recommendation(s) shown (total in registry: 70)
```
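Seventy recommendations is more than a team will fix in one sitting, and the table above already carries the two fields needed to decide where to start: scope and severity. The script below is an added example, not ghqr's own code, that parses the `list-recommendations` text into records, counts them per severity, and returns the IDs in one scope at or above a severity floor, most severe first. It assumes the five whitespace-separated columns shown above (ID, SCOPE, CATEGORY, SEVERITY, TITLE) with only the title containing spaces; the sample input is a subset of rows copied from the output above. The scan's own JSON report would be the better input for a real triage, but its schema is not shown in this post, so the example sticks to the text format that is.

```python
"""Turn `ghqr list-recommendations` output into records and rank them for triage.

Added example, not part of ghqr. The sample below is a subset of rows copied from
the post's output; the parser assumes the five whitespace-separated columns shown
there (ID SCOPE CATEGORY SEVERITY TITLE), with the title allowed to contain spaces.
"""
import re
from collections import Counter

SEVERITY_RANK = {"info": 0, "low": 1, "medium": 2, "high": 3, "critical": 4}

# Matches a data row: an ID prefixed with ent-/org-/repo-, then scope, category,
# severity and the free-text title. Header, rule and summary lines do not match.
ROW_RE = re.compile(
    r"^(?P<id>(?:ent|org|repo)-\S+)\s+(?P<scope>\S+)\s+(?P<category>\S+)\s+"
    r"(?P<severity>info|low|medium|high|critical)\s+(?P<title>.+?)\s*$"
)

# Subset of rows copied from the post's list-recommendations output.
SAMPLE_OUTPUT = """\
ID SCOPE CATEGORY SEVERITY TITLE
────────────────── ────────────── ────────────────────── ────────── ─────────
org-act-001 organization actions high Default GITHUB_TOKEN permission is write
org-sec-001 organization security high Two-factor authentication not required
repo-bp-001 repository branch_protection critical No branch protection configured on default branch
repo-bp-010 repository branch_protection critical Force pushes allowed on protected branch
repo-bp-013 repository branch_protection low Linear history not required
repo-sec-008 repository security high Code scanning (CodeQL) not configured
ent-log-001 enterprise security critical Suspicious audit log events detected
7 recommendation(s) shown (total in registry: 70)
"""


def parse_recommendations(text: str) -> list:
    """Parse the table into dicts with id/scope/category/severity/title, in table order."""
    records = []
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if m:
            records.append(m.groupdict())
    return records


def count_by(records: list, field: str) -> dict:
    """Count records per value of `field` (e.g. 'severity' or 'scope')."""
    return dict(Counter(r[field] for r in records))


def triage(records: list, scope: str, min_severity: str) -> list:
    """IDs in `scope` at or above `min_severity`, most severe first; table order breaks ties."""
    floor = SEVERITY_RANK[min_severity]
    hits = [
        r for r in records
        if r["scope"] == scope and SEVERITY_RANK[r["severity"]] >= floor
    ]
    hits.sort(key=lambda r: -SEVERITY_RANK[r["severity"]])  # list.sort is stable
    return [r["id"] for r in hits]


if __name__ == "__main__":
    recs = parse_recommendations(SAMPLE_OUTPUT)
    print("by severity:", count_by(recs, "severity"))
    print("repository checks to fix first:", triage(recs, "repository", "high"))
```

To run it on the real thing, redirect `.\ghqr list-recommendations` to a file and pass its contents to `parse_recommendations` instead of SAMPLE_OUTPUT. Because the ID prefix is part of the match, the parser ignores the header, the rule line and the trailing count line without any special handling.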
Thoughts
It is very helpful that an official tool exists that lets you judge objectively what is currently wrong, priority included. There are surely plenty of inappropriate settings out there, so this should serve as a guide for where to start fixing.
Incidentally, there was also a tweet like this.
(Roughly: "Why do I have to scan GitHub repositories from a CLI? Shouldn't this be built into GitHub as a feature?")
Fair enough... please build it in soon, GitHub.
