answering: "Who has access to my GitHub organisation - and why?"
gu:who? is a simple service for auditing the members of your GitHub organisation. It was written by The Guardian to get their 200-strong GitHub organisation under control, resulting in 100% of membership being accounted for and 98% with Two-Factor-Auth enabled, up from 54%. You can read more about it in this Guardian Developers blog post.
If your organisation is large, and you have 3rd parties, contractors, etc. who need access to your code, it can be very difficult to work out whether some accounts are legitimately members of your GitHub organisation or not. Accounts which don't have many details set in their profile are difficult to identify. When employees leave, how sure are you that you'll remember to remove their account?
gu:who? aims to make dealing with all this a little easier: it aims to ensure all users in your organisation meet some basic requirements, and it makes it easy to see where requirements aren't being met.
It does this by using GitHub as its user interface: GitHub issues and simple text files stored in a GitHub 'people' repo held under your org. No other database or spreadsheet, no Active Directory or LDAP.
Just the tools the developer already uses: GitHub.
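The kind of check described above, as an added example (not gu:who?'s own code): it compares organisation members against a text file kept in the 'people' repo and reports which basic requirements each account fails. The one-login-per-line file format, the three checks, and all names and sample data are assumptions made for illustration.

```python
# Added illustration, not gu:who?'s code; file format and checks are assumed.
from dataclasses import dataclass
from typing import Optional

@dataclass
class Member:
    login: str
    name: Optional[str]   # profile "name" field, may be unset
    two_factor: bool      # 2FA status as visible to organisation owners

def parse_people_file(text):
    """One login per line; blank lines and '#' comments ignored (assumed format)."""
    logins = set()
    for line in text.splitlines():
        entry = line.split("#", 1)[0].strip().lstrip("@")
        if entry:
            logins.add(entry.lower())  # GitHub logins are case-insensitive
    return logins

def audit(members, people_text):
    """Return {login: [unmet requirement, ...]} for members failing any check."""
    accounted = parse_people_file(people_text)
    report = {}
    for m in members:
        problems = []
        if m.login.lower() not in accounted:
            problems.append("not listed in people repo")
        if not m.two_factor:
            problems.append("two-factor auth disabled")
        if not (m.name or "").strip():
            problems.append("no full name in profile")
        if problems:
            report[m.login] = problems
    return report

def stale_entries(members, people_text):
    """Logins still listed in the people file but no longer org members."""
    current = {m.login.lower() for m in members}
    return sorted(parse_people_file(people_text) - current)

# Constructed sample data (no real accounts)
SAMPLE_PEOPLE = "# sponsored accounts\nalice-dev\n@Bob-Contractor  # agency X\ncarol\n"
SAMPLE_MEMBERS = [
    Member("alice-dev", "Alice Example", True),
    Member("bob-contractor", "", True),
    Member("mallory42", None, False),
]

if __name__ == "__main__":
    print(audit(SAMPLE_MEMBERS, SAMPLE_PEOPLE))
    print("listed but not members:", stale_entries(SAMPLE_MEMBERS, SAMPLE_PEOPLE))
```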
These requirements are intended to make it easier to manage the user accounts and work out if they should be in your organisation or not:
You can start a local application at http://localhost:9000 with the command:
$ export APPLICATION_SECRET=<secret>
$ sbt start
Well, obviously, it would be the ridiculously suitable Riddlocat by @cameronmcefee, but we can't use it for legal reasons laid out on the GitHub Octodex FAQ.
You'll just have to imagine the logo there.
If you're interested in Git and security, you may also be interested in The BFG Repo-Cleaner, a simpler, faster alternative to git-filter-branch for cleansing bad data out of your Git repository, i.e. passwords, credentials & other private or unwanted data.
You might also be interested in Prout, to tell you when your pull requests are reaching Production.