Add github_organization_credential_authorization table#552
Add github_organization_credential_authorization table#552Kanthi-Hegde wants to merge 2 commits into
Conversation
cbruno10
left a comment
There was a problem hiding this comment.
@Kanthi-Hegde Thanks for raising this PR! I've left a few minor suggestions.
Also, can you please share the results of the example queries (just for postgres is fine) in a PR comment so we can see the shape of real results? Thanks!
| KeyColumns: []*plugin.KeyColumn{ | ||
| {Name: "organization", Require: plugin.Required}, | ||
| }, | ||
| ShouldIgnoreError: isNotFoundError([]string{"404", "403"}), |
There was a problem hiding this comment.
Is there a reason we are ignoring 403 errors? I think ignoring these by default for the table is usually not desired behaviour, as the user wouldn't be aware of missing permissions.
| org := d.EqualsQuals["organization"].GetStringValue() | ||
|
|
||
| // Empty check | ||
| if org == "" { |
There was a problem hiding this comment.
Do we ever hit this if organization is a required qual for queries?
|
|
||
| The `github_organization_credential_authorization` table provides insights into the classic personal access tokens authorized against a GitHub organization. As a security or compliance engineer, use this table to inventory the classic PATs that can reach your organization's resources, review the scopes they have been granted, and identify tokens that are stale, never used, or approaching expiration. The same endpoint also returns authorized SSH keys, which can be distinguished using the `credential_type` column. | ||
|
|
||
| To query this table, the credential must be created under an organization owner. Classic personal access tokens require the `admin:org` scope (specifically `read:org`). |
There was a problem hiding this comment.
| To query this table, the credential must be created under an organization owner. Classic personal access tokens require the `admin:org` scope (specifically `read:org`). | |
| To query this table, the credential must be created under an organization owner. Classic personal access tokens require the `admin:org` scope. |
From what I can see in GitHub's docs, the token needs admin:org specifically. Is there a reason to mention read:org though?
Description
The plugin currently has no way to query classic personal access tokens (PATs) that members have authorized against an organization. This PR adds a new
github_organization_credential_authorizationtable to close that gap.It wraps GitHub's List SAML SSO authorizations for an organization REST API (
GET /orgs/{org}/credential-authorizations), which is the only API GitHub exposes for classic PATs at the org level. The same endpoint also returns authorized SSH keys, distinguishable via thecredential_typecolumn.What's included
github_organization_credential_authorizationplugin.goColumns
login,credential_id,token_last_eight,scopes,credential_type,credential_authorized_at,credential_accessed_at,authorized_credential_id,authorized_credential_note,authorized_credential_expires_at,authorized_credential_title,fingerprint.Notes
organizationqualifier is required.admin:org) and is only available for organizations on GitHub Enterprise Cloud with SAML SSO enabled; other orgs return no rows. A403/404is treated as an empty result, consistent with other org-scoped tables in this plugin.