GitHub Vulnerability Auditor is a command-line tool to audit your GitHub repositories for GitHub Security Advisories (GHSAs). It takes a list of GHSA IDs and a time threshold in months, and returns a CSV and a JSON file listing every one of your repositories affected by the GHSAs you provided, together with the date of the last commit to each repository's default branch and whether that last commit is older than the threshold you provided.
Download the latest binaries from this link: https://github.com/lindluni/warden-vulnerability-auditor/releases
Example Usage:

  Usage: vulnerability-auditor [options]

  Options:
    -V, --version              output the version number
    -t, --token <string>       GitHub personal access token
    -o, --org <string>         GitHub organization
    -h, --threshold <number>   Months since last commit
    -i, --ids <items>          Comma-separated list of GHSA IDs
    -u, --url <string>         GitHub Enterprise URL
    --help                     display help for command
  vulnerability-auditor -t fake-token -o fake-org -h 12 -i GHSA-1234,GHSA-5678

This retrieves all repositories in the fake-org organization that contain the vulnerabilities GHSA-1234 and GHSA-5678, and flags those repositories that have NOT been updated in the last 12 months.

You may set the --url flag to use GitHub Enterprise instead of GitHub.com.
NOTE: You may retrieve the GHSA IDs from the GitHub Security Advisory page by selecting the vulnerability and copying the GHSA ID from the URL.
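The audit the tool performs, shown as an added example in Node.js (this is not the auditor's own code): the repository records, the alert shape and the timestamps are constructed sample data standing in for what the GitHub API would return, and the month calculation and CSV quoting are this example's own choices.

```javascript
// Constructed sample standing in for API data: each repo carries its last
// default-branch commit time and the GHSA IDs of its open alerts.
const SAMPLE_REPOS = [
  { name: 'fake-org/payments', lastCommit: '2021-01-15T10:00:00Z',
    alerts: ['GHSA-1234', 'GHSA-9999'] },
  { name: 'fake-org/website',  lastCommit: '2022-11-01T08:30:00Z',
    alerts: ['GHSA-5678'] },
  { name: 'fake-org/tools',    lastCommit: '2020-06-30T12:00:00Z',
    alerts: ['GHSA-0000'] }, // none of the audited IDs: excluded from output
];

// Whole calendar months elapsed from `earlier` to `later` (UTC); a partial
// month is not counted, so a commit 11 months and 29 days old scores 11.
function monthsBetween(earlier, later) {
  const a = new Date(earlier), b = new Date(later);
  let months = (b.getUTCFullYear() - a.getUTCFullYear()) * 12
             + (b.getUTCMonth() - a.getUTCMonth());
  if (b.getUTCDate() < a.getUTCDate()) months -= 1;
  return months;
}

// Keep repos with at least one audited GHSA ID (the -i list, case-insensitive)
// and mark as stale those whose last commit is at least `thresholdMonths` old.
function audit(repos, ghsaIds, thresholdMonths, now) {
  const wanted = new Set(ghsaIds.map(id => id.trim().toUpperCase()));
  return repos
    .map(r => ({ ...r, matched: r.alerts.filter(a => wanted.has(a.toUpperCase())) }))
    .filter(r => r.matched.length > 0)
    .map(r => {
      const months = monthsBetween(r.lastCommit, now);
      return { repo: r.name, ghsa: r.matched, lastCommit: r.lastCommit,
               monthsSinceCommit: months, stale: months >= thresholdMonths };
    });
}

// CSV with every field quoted, so the comma-joined GHSA list stays one cell.
function toCsv(rows) {
  const q = v => `"${String(v).replace(/"/g, '""')}"`;
  const header = ['repo', 'ghsa', 'last_commit', 'months_since_commit', 'stale'];
  const lines = rows.map(r =>
    [r.repo, r.ghsa.join(','), r.lastCommit, r.monthsSinceCommit, r.stale].map(q).join(','));
  return [header.join(','), ...lines].join('\n');
}

// Mirrors: vulnerability-auditor -o fake-org -h 12 -i GHSA-1234,GHSA-5678
// with "now" pinned to a constructed date so the run is reproducible.
const results = audit(SAMPLE_REPOS, ['GHSA-1234', 'GHSA-5678'], 12, '2023-01-10T00:00:00Z');
console.log(toCsv(results));
console.log(JSON.stringify(results, null, 2));
```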