gh-repo-security-audit
Install: claude install-skill thinkyou0714/github-flow-kit
# GitHub Repo Security Posture Audit (OpenSSF-aligned)
Audit every repo in an account against OpenSSF Scorecard-style checks and report a clear posture.
**Read-only by default.** The single optional mutation is enabling Dependabot alerts (a pure
security gain). Everything else is reported as a human-gated recommendation. See
`references/openssf-checks.md` for per-check rationale + sources.
## Setup Check
Run `gh auth status` — if not authenticated, output `⚠️ gh CLI not authenticated. Run: gh auth login` and stop.
## Step 1: Resolve scope
- `--owner <name>` if given; otherwise the authenticated user: `OWNER=$(gh api user --jq .login)`.
- Repos: `gh repo list "$OWNER" --no-archived --limit 200 --json name --jq '.[].name'` (`--limit 200` is a hard cap; raise it for larger owners or the report silently stops short).
## Step 2: Per-repo checks (GET-only)
For each repo, gather in as few calls as possible:
```bash
# one snapshot of the repo object: visibility, default branch, secret scanning.
# Capture the default branch here because the protection check below needs it.
# "n/a" means the field was not returned (typically the caller lacks admin on the repo), not that scanning is off.
IFS=$'\t' read -r VISIBILITY DEFAULT_BRANCH SECRET_SCANNING <<EOF
$(gh api "repos/$OWNER/$REPO" --jq '[.visibility, .default_branch, (.security_and_analysis.secret_scanning.status // "n/a")] | @tsv')
EOF
gh api "repos/$OWNER/$REPO/actions/permissions/workflow" --jq '.default_workflow_permissions' # read|write
gh api "repos/$OWNER/$REPO/actions/permissions" --jq '.allowed_actions // "all"' # all|local_only|selected
# classic branch protection only: a branch guarded by a ruleset still 404s here (rulesets: repos/$OWNER/$REPO/rules/branches/$DEFAULT_BRANCH)
gh api "repos/$OWNER/$REPO/branches/$DEFAULT_BRANCH/protection" >/dev/null 2>&1 && echo yes || echo none
# 204 = on, 404 = off; the endpoint also 404s without admin access, so "off" can be a false negative
gh api "repos/$OWNER/$REPO/vulnerability-alerts" >/dev/null 2>&1 && echo on || echo off
```
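Steps 1 and 2 put together as one runnable script. This is an added example, not the skill's own code: the function names (`fetch_repo_facts`, `assess_repo`, `audit_owner`), the `--run` flag and the finding texts are choices made here. It keeps the skill's contract (GET requests only, nothing mutated), splits the API calls from the assessment so the assessment can be exercised offline with constructed records, treats a value it could not read as unknown rather than as a finding, and checks branch rulesets as well as classic protection before calling a default branch unprotected.

```shell
#!/usr/bin/env bash
# Added example (not part of the skill): read-only posture pass over Steps 1 and 2.
# fetch_repo_facts, assess_repo and audit_owner are names chosen for this example.
set -eu

# Emit one space-separated record per repo:
#   repo visibility default_branch secret_scanning workflow_perms allowed_actions protection dependabot
# Only GET requests are made; a value that cannot be read becomes "n/a" instead of a guess.
fetch_repo_facts() {
  local owner=$1 repo=$2
  local snapshot visibility default_branch secret_scanning workflow_perms allowed_actions protection dependabot rules

  # security_and_analysis is typically absent unless the caller has admin on the repo: "n/a" = unknown, not off
  snapshot=$(gh api "repos/$owner/$repo" \
    --jq '[.visibility, .default_branch, (.security_and_analysis.secret_scanning.status // "n/a")] | join(" ")')
  read -r visibility default_branch secret_scanning <<EOF
$snapshot
EOF
  workflow_perms=$(gh api "repos/$owner/$repo/actions/permissions/workflow" \
    --jq '.default_workflow_permissions' 2>/dev/null || echo n/a)
  allowed_actions=$(gh api "repos/$owner/$repo/actions/permissions" \
    --jq '.allowed_actions // "all"' 2>/dev/null || echo n/a)

  # The classic protection endpoint is a 404 when no rule exists; rulesets live behind a
  # different endpoint, so check both before reporting the default branch as unprotected.
  if gh api "repos/$owner/$repo/branches/$default_branch/protection" >/dev/null 2>&1; then
    protection=classic
  else
    rules=$(gh api "repos/$owner/$repo/rules/branches/$default_branch" --jq 'length' 2>/dev/null || echo 0)
    if [ "$rules" != "0" ]; then protection=ruleset; else protection=none; fi
  fi

  # 204 when Dependabot alerts are on, 404 when off; the endpoint also 404s without admin,
  # so with a non-admin token "off" can be a false negative.
  if gh api "repos/$owner/$repo/vulnerability-alerts" >/dev/null 2>&1; then
    dependabot=on
  else
    dependabot=off
  fi

  printf '%s %s %s %s %s %s %s %s\n' "$repo" "$visibility" "$default_branch" "$secret_scanning" \
    "$workflow_perms" "$allowed_actions" "$protection" "$dependabot"
}

# Turn one record into findings: "<repo>\t<finding>" per line, or "<repo>\tok" when nothing is flagged.
# Only states that were actually read are flagged; "n/a" is left alone rather than assumed bad.
assess_repo() {
  local repo=$1 visibility=$2 default_branch=$3 secret_scanning=$4
  local workflow_perms=$5 allowed_actions=$6 protection=$7 dependabot=$8
  local n=0
  if [ "$workflow_perms" = "write" ]; then
    printf '%s\t%s\n' "$repo" "GITHUB_TOKEN defaults to write; set default_workflow_permissions to read"; n=$((n + 1))
  fi
  if [ "$allowed_actions" = "all" ]; then
    printf '%s\t%s\n' "$repo" "any action from any publisher is allowed; restrict to selected or local_only"; n=$((n + 1))
  fi
  if [ "$protection" = "none" ]; then
    printf '%s\t%s\n' "$repo" "default branch $default_branch has neither classic protection nor an active ruleset"; n=$((n + 1))
  fi
  if [ "$dependabot" = "off" ]; then
    printf '%s\t%s\n' "$repo" "Dependabot alerts off (the skill's one optional mutation fixes this)"; n=$((n + 1))
  fi
  if [ "$secret_scanning" = "disabled" ]; then
    printf '%s\t%s\n' "$repo" "secret scanning disabled"; n=$((n + 1))
  fi
  if [ "$n" -eq 0 ]; then printf '%s\tok\n' "$repo"; fi
}

# Step 1 + Step 2 for every non-archived repo of the owner; one output line per finding.
audit_owner() {
  local owner=$1 repo facts
  gh repo list "$owner" --no-archived --limit 200 --json name --jq '.[].name' |
    while IFS= read -r repo; do
      facts=$(fetch_repo_facts "$owner" "$repo")
      # the record is deliberately word-split into assess_repo's eight arguments
      # shellcheck disable=SC2086
      assess_repo $facts
    done
}

# The live run only happens on request, so the functions above can be sourced and exercised offline:
#   bash audit.sh --run            # authenticated user
#   bash audit.sh --run my-org     # explicit owner
if [ "${1:-}" = "--run" ]; then
  audit_owner "${2:-$(gh api user --jq .login)}"
fi
```

Because the gh calls are confined to `fetch_repo_facts` and `audit_owner`, the assessment rules can be checked against hand-written records without a token, and a wrong record shape shows up as an argument-count error rather than a silent pass. The `n/a` handling is deliberate: the page's point is a read-only audit, and a check the token could not perform is an unknown to report, not a weakness to claim.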
## Step 3: Severity model
- **WARN** (fixable