CycodeLabs / raven

CI/CD Security Analyzer
Apache License 2.0

feat: added support for scanning any account #168

Closed elad-pticha closed 8 months ago

elad-pticha commented 9 months ago

Changed org subcommand to account. This feature allows us to determine if each account is a user or organization and to scan its GitHub Actions.

Now we iterate over each account:

for account in Config.account_name:
    generator = get_account_generator(account)
    if generator is None:
        continue  # account type could not be resolved; the error was already logged

    for repo in generator:
        download_workflows_and_actions(repo)

and determine its type:

def get_account_generator(account_name):
    # GitHub reports the same "type" field for users and organizations
    account_info = get_account_info(account_name=account_name)
    account_type = account_info.get("type")

    if account_type == "User":
        log.info(f"[+] Scanning user: {account_name}")
        return get_user_repository_generator(account_name)

    elif account_type == "Organization":
        log.info(f"[+] Scanning organization: {account_name}")
        return get_organization_repository_generator(account_name)

    else:
        log.error(f"[-] Failed to get account type for {account_name}")
        return None

From there, we continue the same. This structure eliminates duplicate code and allows the user to scan in a single raven command for both organizations (like we had before) and user repositories.

Usage:

raven download account --account-name ravendemo --account-name $PERSONAL_ACCOUNT --token $GITHUB_TOKEN
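
Added example (not raven's own code): the type-then-dispatch flow from the description made runnable against a constructed stand-in for the GitHub REST API. It assumes `GET /users/{name}` reports a `type` of `User` or `Organization` for either kind of account and that repositories are listed from `/users/{name}/repos` or `/orgs/{name}/repos`; an unknown account yields an empty generator so the outer loop never iterates over `None`.

```python
from typing import Callable, Dict, Iterator, List

API = "https://api.github.com"

# Constructed stand-in for an authenticated HTTP client: URL -> decoded JSON body.
# A real implementation would call the API with the --token value instead.
FAKE_RESPONSES: Dict[str, object] = {
    f"{API}/users/ravendemo": {"login": "ravendemo", "type": "Organization"},
    f"{API}/users/alice": {"login": "alice", "type": "User"},
    f"{API}/users/ghost": {"message": "Not Found"},  # 404 body carries no "type"
    f"{API}/orgs/ravendemo/repos": [
        {"full_name": "ravendemo/demo-1"},
        {"full_name": "ravendemo/demo-2"},
    ],
    f"{API}/users/alice/repos": [{"full_name": "alice/dotfiles"}],
}

Fetch = Callable[[str], object]


def get_account_info(account_name: str, fetch: Fetch = FAKE_RESPONSES.get) -> dict:
    """One endpoint answers for users and organizations alike; "type" says which."""
    body = fetch(f"{API}/users/{account_name}")
    return body if isinstance(body, dict) else {}


def _repos_from(url: str, fetch: Fetch) -> Iterator[str]:
    """Yield full repository names from a repo-listing endpoint (one page, for brevity)."""
    for repo in fetch(url) or []:
        yield repo["full_name"]


def get_account_generator(account_name: str, fetch: Fetch = FAKE_RESPONSES.get) -> Iterator[str]:
    """Pick the listing endpoint from the account type, as the PR description does."""
    account_type = get_account_info(account_name, fetch).get("type")
    if account_type == "User":
        return _repos_from(f"{API}/users/{account_name}/repos", fetch)
    if account_type == "Organization":
        return _repos_from(f"{API}/orgs/{account_name}/repos", fetch)
    # Missing or unresolvable account: an empty iterator keeps the caller's loop safe.
    return iter(())


def scan_accounts(account_names: List[str], fetch: Fetch = FAKE_RESPONSES.get) -> Dict[str, List[str]]:
    """Mirror the outer loop: one pass over every --account-name value, whatever its type."""
    return {name: list(get_account_generator(name, fetch)) for name in account_names}


if __name__ == "__main__":
    print(scan_accounts(["ravendemo", "alice", "ghost"]))
```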

elad-pticha commented 8 months ago

This solution allows users to scan different types of accounts without specifying if it is an organization or a user account. Requiring users to select the account type is unnecessary and will block us from scanning different versions in a single command.

I think this is the best solution as we don't care if we scan an organization or a user account as we want RAVEN to scan its repositories.

A command like this: raven download account --token $GITHUB_TOKEN --account-name userAccount --account-name microsoft

This makes it as easy as possible to run RAVEN as you don't even have to check if a specific account is org type or user type, RAVEN just does this in the backend.

@oreenlivnicode WDYT?

oreenlivnicode commented 8 months ago

I got it @elad-pticha. I saw that GitHub themselves use the terminology "account". So I am ok with it.