{"skill":{"slug":"auditclaw-github","displayName":"AuditClaw Github","summary":"GitHub compliance evidence collection for auditclaw-grc. 9 read-only checks covering branch protection, secret scanning, 2FA, Dependabot, deploy keys, audit...","description":"---\nname: auditclaw-github\ndescription: GitHub compliance evidence collection for auditclaw-grc. 9 read-only checks covering branch protection, secret scanning, 2FA, Dependabot, deploy keys, audit logs, webhooks, CODEOWNERS, and CI/CD security.\nversion: 1.0.1\nuser-invocable: true\nhomepage: https://www.auditclaw.ai\nsource: https://github.com/avansaber/auditclaw-github\nmetadata: {\"openclaw\":{\"type\":\"executable\",\"install\":{\"pip\":\"scripts/requirements.txt\"},\"requires\":{\"bins\":[\"python3\"],\"env\":[\"GITHUB_TOKEN\"]}}}\n---\n# AuditClaw GitHub\n\nCompanion skill for auditclaw-grc. Collects compliance evidence from GitHub organizations using read-only API calls.\n\n**9 checks | Read-only token permissions | Evidence stored in shared GRC database**\n\n## Security Model\n- **Read-only access**: Uses a fine-grained personal access token with read-only repository and organization permissions. No write access.\n- **Credentials**: Uses the `GITHUB_TOKEN` env var. No credentials are stored by this skill.\n- **Dependencies**: `PyGithub==2.8.1` (pinned)\n- **Data flow**: Check results are stored as evidence in `~/.openclaw/grc/compliance.sqlite` via auditclaw-grc\n\n## Prerequisites\n- GitHub personal access token with read-only permissions (or classic token with `repo`, `read:org`, `security_events`)\n- Set as `GITHUB_TOKEN` environment variable\n- `pip install -r scripts/requirements.txt`\n- auditclaw-grc skill installed and initialized\n\n## Commands\n- \"Run GitHub evidence sweep\": Run all checks, store results in GRC database\n- \"Check branch protection\": Verify branch protection rules\n- \"Check secret scanning\": Review secret scanning alerts\n- \"Check Dependabot alerts\": Review dependency vulnerability alerts\n- \"Show GitHub integration health\": Last sync, errors, evidence count\n\n## Usage\nAll evidence is stored in the shared GRC database at ~/.openclaw/grc/compliance.sqlite\nvia the auditclaw-grc skill's db_query.py script.\n\nTo run a full evidence sweep:\n```\npython3 scripts/github_evidence.py --db-path ~/.openclaw/grc/compliance.sqlite --org my-org --all\n```\n\nTo run specific checks:\n```\npython3 scripts/github_evidence.py --db-path ~/.openclaw/grc/compliance.sqlite --org my-org --checks branch_protection,secret_scanning\n```\n\n## Check Categories (9)\n\n| Check | What It Verifies |\n|-------|-----------------|\n| **branch_protection** | Default branch protection rules, required reviews, status checks |\n| **secret_scanning** | Secret scanning enabled, active alert count |\n| **dependabot** | Dependabot alerts by severity, auto-fix PRs |\n| **two_factor** | Organization-level 2FA enforcement |\n| **deploy_keys** | Deploy key audit, read-only vs read-write |\n| **audit_log** | Admin audit log accessibility |\n| **webhooks** | Webhook security (HTTPS, secrets configured) |\n| **codeowners** | CODEOWNERS file present in repositories |\n| **ci_cd** | GitHub Actions security, workflow permissions |\n\n## Evidence Storage\nEach check produces evidence items stored with:\n- `source: \"github\"`\n- `type: \"automated\"`\n- `control_id`: Mapped to relevant SOC2/ISO/HIPAA controls\n- `description`: Human-readable finding summary\n- `file_content`: JSON details of the check result\n\n## Setup Guide\n\nWhen a user asks to set up GitHub integration, guide them through these steps:\n\n### Step 1: Create Fine-Grained Personal Access Token\nDirect user to: GitHub → Settings → Developer Settings → Personal Access Tokens → Fine-grained tokens\n\n### Step 2: Configure Token Permissions\n- Name: `auditclaw-grc`\n- Expiration: 90 days (recommended)\n- Resource owner: Select their organization\n- Repository access: All repositories (or specific repos)\n- Permissions (all READ-ONLY):\n  - **Repository:** Contents, Administration, Secret scanning alerts, Dependabot alerts, Code scanning alerts, Actions, Webhooks\n  - **Organization:** Members (read), Administration (read)\n\n**Classic token alternative:** If fine-grained tokens are unavailable, use scopes: `repo`, `read:org`, `security_events`\n\n### Step 3: Set Token\nSet as GITHUB_TOKEN environment variable.\n\n### Step 4: Verify Connection\nRun: `python3 {baseDir}/scripts/github_evidence.py --test-connection`\n\nThe exact permissions are documented in `scripts/github-permissions.json`. Show with:\n  python3 {baseDir}/../auditclaw-grc/scripts/db_query.py --action show-policy --provider github\n","tags":{"latest":"1.0.2"},"stats":{"comments":0,"downloads":218,"installsAllTime":0,"installsCurrent":0,"stars":0,"versions":3},"createdAt":1771203968318,"updatedAt":1778491552996},"latestVersion":{"version":"1.0.2","createdAt":1771212615323,"changelog":"- Added homepage and source links to skill metadata.\n- Updated metadata to specify install instructions via pip and requirements file.\n- No code or functionality changes.","license":null},"metadata":{"setup":[{"key":"GITHUB_TOKEN","required":true}],"os":null,"systems":null},"owner":{"handle":"mailnike","userId":"s17ee5y8kxe1zfx1t7te9wcgzx83j215","displayName":"Nikhil Jathar","image":"https://avatars.githubusercontent.com/u/22786232?v=4"},"moderation":{"isSuspicious":false,"isMalwareBlocked":false,"verdict":"clean","reasonCodes":["review.llm_review"],"summary":"Review: review.llm_review","engineVersion":"v2.4.24","updatedAt":1779969001331}}