Grant Security Alert Permission on GitHub Org Script
  1. Set your Cookie header value in Line 3 of give-access.sh (the COOKIE variable).
  2. Set the team IDs that will have access on Line 24 (the vulnerability_team_ids values in the POST body). You can add multiple teams.
  3. Edit the repos.txt file so that it lists one repository per line.
  4. Make sure jq, curl, and pup are installed. (pup is available at https://github.com/EricChiang/pup)
  5. Run the script (./give-access.sh). A response code of 302 indicates the change was made successfully for that repo. Anything else is failure.

The only 3 cookies that you need to set are: __Host-user_session_same_site, user_session, _gh_sess

The values for user_session and _gh_sess are the same.

give-access.sh:

```bash
#!/bin/bash
# Cookie header value copied from a logged-in browser session
COOKIE=""

function give_access() {
  # Get Authenticity Token. The page is piped straight into pup so the
  # token-bearing HTML is never written to a shared temp file.
  CSRF_TOKEN=$(curl --silent --request GET \
    --url "https://github.com/$1/settings/security_analysis" \
    -H "cookie: $COOKIE" \
    | pup '.js-protected-branch-settings input[name=authenticity_token] attr{value}')
  # echo "Got authenticity_token as $CSRF_TOKEN"

  # No token means the page did not load as expected (for example, a stale cookie)
  if [ -z "$CSRF_TOKEN" ]; then
    echo "no-token $1"
    return 1
  fi

  # URL-encode the token for the form body
  token=$(printf %s "$CSRF_TOKEN" | jq -sRr @uri)
  # echo $token
  sleep 0.5

  # Submit the form; 1234 and 5678 are placeholder team IDs
  CURL_STATUS=$(curl "https://github.com/$1/settings/alerts" \
    -H 'authority: github.com' \
    -H 'origin: https://github.com' \
    -H 'content-type: application/x-www-form-urlencoded' \
    -H "referer: https://github.com/$1/settings/security_analysis" \
    -H "cookie: $COOKIE" \
    --data-raw "_method=put&authenticity_token=$token&vulnerability_team_ids%5B%5D=1234&vulnerability_team_ids%5B%5D=5678" --silent \
    -o /dev/null --write-out '%{http_code}\n' \
    --compressed)
  echo "$CURL_STATUS $1"
}

# Process one repository (owner/name) per line
while IFS= read -r LINE; do
  give_access "$LINE"
done < repos.txt
```
repos.txt:

```text
org/repo1
org/repo2
org/repo3
```
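
Each line of repos.txt is interpolated into a URL that is requested with the session cookie, and the team IDs are pasted into the form body, so both are worth validating before anything is sent. The following is an added example, not part of the gist: the function names valid_repo, load_repos and build_body, the sample lines and the TOKEN placeholder are constructed for illustration, and the allowed character set is an assumption about GitHub names.

```bash
#!/bin/bash
# Added example (not part of the gist): validate repos.txt lines and team IDs
# before any request carrying the session cookie is sent.

# Succeeds only for a plain "owner/repo" slug (allowed characters are an assumption).
valid_repo() {
  case "$1" in
    */*/*) return 1 ;;               # more than one slash, e.g. path traversal
    *[!A-Za-z0-9._/-]*) return 1 ;;  # spaces, '?', '#', '%', control characters
    */*) ;;                          # exactly one slash
    *) return 1 ;;                   # no slash at all
  esac
  owner=${1%%/*}; repo=${1#*/}
  case "$owner" in ''|.|..) return 1 ;; esac
  case "$repo" in ''|.|..) return 1 ;; esac
}

# Print the valid slugs from file $1, report the rest on stderr.
# Returns 1 if any line was rejected, so the caller can stop early.
load_repos() {
  bad=0
  while IFS= read -r line || [ -n "$line" ]; do
    line=$(printf '%s' "$line" | tr -d '\r')   # tolerate CRLF line endings
    [ -n "$line" ] || continue                 # skip blank lines
    if valid_repo "$line"; then
      printf '%s\n' "$line"
    else
      printf 'rejected: %s\n' "$line" >&2
      bad=1
    fi
  done < "$1"
  return "$bad"
}

# Build the form body from an already URL-encoded token and numeric team IDs.
build_body() {
  body="_method=put&authenticity_token=$1"; shift
  [ "$#" -gt 0 ] || return 1                   # at least one team ID is required
  for id in "$@"; do
    case "$id" in ''|*[!0-9]*) return 1 ;; esac
    body="$body&vulnerability_team_ids%5B%5D=$id"
  done
  printf '%s\n' "$body"
}

# Constructed sample input: one good line (CRLF), one blank line, two bad lines.
sample=$(mktemp)
printf 'org/repo1\r\n\norg/repo2/../../settings\norg/repo 3\n' > "$sample"
load_repos "$sample" || echo "fix repos.txt before running give-access.sh" >&2
build_body 'TOKEN' 1234 5678
rm -f "$sample"
```
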

Rishi16royy commented Nov 26, 2021

@captn3m0 I am getting 302 after running this script, but when I go to the GitHub UI I don't see that the desired team has access to security alerts.

captn3m0 (Author) commented Nov 26, 2021

Ran this a while back so I can't say for sure. Make the same change from the UI and see what's the difference in the final curl command? Maybe GitHub has changed things since in the UI.


Rishi16royy commented Nov 26, 2021

It is working now. We need to pass the exact userID instead of teamID.


Rishi16royy commented Nov 26, 2021

Thanks for writing this script. It helped a lot. 👍
