@tobocop2
Last active March 25, 2021 20:36
GitHub Audit Script

Usage

./audit.bash <repo name> <org name>

Outputs all workflow logs to the current working directory, grouped by GitHub workflow run id.

Additionally outputs all of the unique shell commands run during the affected date range.

A manual review of the unique commands is then required to conduct the audit.

Tools

  • bash
  • GNU coreutils
  • gh
  • jq
  • jar

Note

This script has no error handling at all and is just a one-off tool for the job. For future workflow auditing, it should accept a date range too.

#!/bin/bash
# TODO This script has absolutely zero error handling
# hard code below for some defaults if needed
REPO_NAME=
ORG_NAME=

# Convert a date string (YYYY-MM-DD, or the ISO timestamp GitHub returns in
# created_at) to epoch seconds. Requires GNU date.
to_timestamp() {
    date --date="$1" +%s
}

audit() {
    local repo_name="${1:-$REPO_NAME}"
    local org_name="${2:-$ORG_NAME}"
    # Affected date range, inclusive at both ends (midnight to midnight)
    local start_date end_date
    start_date=$(to_timestamp '2021-02-03')
    end_date=$(to_timestamp '2021-02-06')
    local actions_base_url="repos/$org_name/$repo_name/actions/runs"
    local total_count
    total_count=$(gh api "$actions_base_url" | jq '.total_count')
    local elements_per_page=100
    local total_pages=$((total_count / elements_per_page + 1))
    local page_num runs run run_id log_created_date created_at_ts output_dir cwd

    for page_num in $(seq 1 "$total_pages"); do
        # Runs come back newest first. Pull the id and created_at of every
        # run on this page as one "<id> <created_at>" line per run.
        mapfile -t runs < <(gh api "$actions_base_url?page=$page_num&per_page=$elements_per_page" \
            | jq -r '.workflow_runs[] | "\(.id) \(.created_at)"')
        for run in "${runs[@]}"; do
            read -r run_id log_created_date <<< "$run"
            created_at_ts=$(to_timestamp "$log_created_date")
            if [[ $created_at_ts -gt $end_date ]]; then
                # newer than the range: older runs still follow on this page
                continue
            elif [[ $created_at_ts -lt $start_date ]]; then
                # older than the range: every remaining run (and page) is
                # older still, so stop paging entirely
                break 2
            fi
            output_dir="logs/$repo_name/$run_id"
            echo "Downloading workflow log for run: $run_id for repo: $repo_name to $output_dir"
            mkdir -p "$output_dir"
            cwd=$(pwd)
            cd "$output_dir"
            # the logs endpoint returns a zip archive; jar unpacks it from stdin
            gh api "$actions_base_url/$run_id/logs" | jar xvf /dev/stdin
            cd "$cwd"
        done
    done

    local unique_cmd_out="logs/$repo_name/unique_cmds.sh"
    shopt -s globstar
    echo "Parsing out all shell commands to $unique_cmd_out"
    # Strip everything up to the literal "[command]" marker (not up to the
    # last "]" on the line, which would mangle commands that contain "]")
    grep "\[command\]" logs/**/*.txt | sed 's/^.*\[command\]//' | sort -u > "$unique_cmd_out"
}

audit "$@"
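The two pieces the note above asks for in a future version, as an added example that is not part of the gist: the date-range check with the range passed as arguments, and the "[command]" extraction anchored on the literal marker, run over constructed sample log lines. It assumes GNU date and that raw Actions log lines carry an ISO timestamp prefix before the "[command]" marker.

```shell
#!/bin/bash
# Added example, not part of the original gist: the two pieces the README
# says a future version needs, factored into functions that can be tested.
#   run_in_range     - the date-range check, with the range passed as
#                      arguments instead of hard-coded 2021-02-03..2021-02-06
#   extract_commands - the "[command]" filter, anchored on the literal marker
#                      so commands that themselves contain "]" stay intact
# Assumes GNU date (as the original script does) and that raw Actions log
# lines carry an ISO timestamp prefix before the "[command]" marker.

to_timestamp() {
    date --date="$1" +%s
}

# Usage: run_in_range START_DATE END_DATE CREATED_AT
# Returns 0 when CREATED_AT lies in [START_DATE, END_DATE], matching the
# inclusive comparison the original script makes.
run_in_range() {
    local start_ts end_ts created_ts
    start_ts=$(to_timestamp "$1")
    end_ts=$(to_timestamp "$2")
    created_ts=$(to_timestamp "$3")
    [ "$created_ts" -ge "$start_ts" ] && [ "$created_ts" -le "$end_ts" ]
}

# Reads raw Actions log text on stdin and prints each distinct command once.
# Only the text up to and including "[command]" is stripped; everything
# after the marker is kept verbatim.
extract_commands() {
    grep -F '[command]' | sed 's/^.*\[command\]//' | sort -u
}

# Constructed sample log lines (not taken from a real run).
SAMPLE_LOG='2021-02-04T10:19:35.7730413Z [command]/usr/bin/git init /home/runner/work/repo/repo
2021-02-04T10:19:36.0000000Z ##[group]Run ./build.sh
2021-02-04T10:19:36.1000000Z [command]/usr/bin/bash -e ./build.sh
2021-02-04T10:19:40.2000000Z [command]/usr/bin/git init /home/runner/work/repo/repo
2021-02-04T10:19:41.3000000Z [command]/usr/bin/docker run -v "[/tmp]:/data" image:latest'

demo() {
    local start="${1:-2021-02-03}" end="${2:-2021-02-06}"
    if run_in_range "$start" "$end" '2021-02-04T10:19:35Z'; then
        echo "sample run falls inside $start..$end; its unique commands:"
        printf '%s\n' "$SAMPLE_LOG" | extract_commands
    fi
}

demo "$@"
```

Run it as `./example.bash 2021-02-03 2021-02-06` to see the three distinct commands from the sample, with the duplicated git init collapsed and the docker line's "]" preserved.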