mondoohq / cnspec

An open source, cloud-native security to protect everything from build to runtime
https://cnspec.io

cnspec scan github org <org_name> --token <token_value> automatically traverses all org repositories hitting API rate limits #573

Open estenrye opened 1 year ago

estenrye commented 1 year ago

What is not working as you expected it?

When scanning a GitHub Organization, cnspec automatically scans all of the organization's repositories. This is not helpful when you have many repos in the organization because after about 5 repos you hit the GitHub API Rate limits and the scan errors out.

Where on the platform does it happen?

Mac Client and GitHub Actions.

How do we replicate the issue?

Our organization has about 172 repositories. The scan starts hitting the rate limit after about 5 repositories.

name: Scan GitHub organization
on:
  #push:
  # Allows you to run this workflow manually from the Actions tab
  workflow_dispatch:

jobs:
  scan-github-org:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v3
      - uses: mondoohq/actions/github-org@v1.0.0
        env:
          MONDOO_CONFIG_BASE64: ${{ secrets.MONDOO_SERVICE_ACCOUNT }}
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
        with:
          organization: platform9
      - uses: mondoohq/actions/github-org@v1.0.0
        env:
          MONDOO_CONFIG_BASE64: ${{ secrets.MONDOO_SERVICE_ACCOUNT }}
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
        with:
          organization: arlon

Expected behavior (i.e. solution)

Only the Organization itself should be scanned by default. An option could be provided to traverse the organization's repositories.

chris-rock commented 1 year ago

@estenrye Thank you for the feedback, you can restrict the discovery to organizations via:

cnspec scan github org mondoohq --discover organization 

@tas50 I think we should not do auto-discovery for all repos right now and make it an opt-in for users at this point. Thoughts?

tas50 commented 1 year ago

Unless we have a magic bullet to solve the API rate limiting problem, I'm all for making the discovery of repos optional.

sontek commented 1 year ago

The rate limits are fairly well documented, so it could do back-offs and delays to discover all within the limits GitHub has set. It would slow the call down but would make it successful.

There is an endpoint to hit to check the limits as well:

https://api.github.com/rate_limit
https://docs.github.com/en/rest/rate-limit
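As an added illustration of the back-off approach described above (example code written for this page, not cnspec's own discovery code and not posted by anyone in the thread): the client reads the budget either from the /rate_limit body or from the x-ratelimit-remaining / x-ratelimit-reset headers GitHub sends on every REST response, pauses until the window resets when the budget is exhausted, and falls back to a capped exponential backoff when no usable header is present. The test server, its URL path, the sample JSON and the injectable sleep hook are constructed for the demo; the header names and the /rate_limit response shape are the ones GitHub documents.

```go
package main

import (
	"encoding/json"
	"fmt"
	"net/http"
	"net/http/httptest"
	"strconv"
	"sync/atomic"
	"time"
)

// RateLimit mirrors the "core" resource of GitHub's GET /rate_limit response
// and the x-ratelimit-* headers carried on every REST response.
type RateLimit struct {
	Limit     int   `json:"limit"`
	Remaining int   `json:"remaining"`
	Reset     int64 `json:"reset"` // unix seconds at which the window resets
}

// SampleRateLimitJSON is a constructed /rate_limit body with the budget used up.
const SampleRateLimitJSON = `{"resources":{"core":{"limit":5000,"used":5000,"remaining":0,"reset":1691591363}}}`

// ParseRateLimit extracts the core budget from a /rate_limit response body.
func ParseRateLimit(body []byte) (RateLimit, error) {
	var resp struct {
		Resources struct {
			Core RateLimit `json:"core"`
		} `json:"resources"`
	}
	if err := json.Unmarshal(body, &resp); err != nil {
		return RateLimit{}, err
	}
	return resp.Resources.Core, nil
}

// FromHeaders reads the same budget from a response's rate-limit headers.
func FromHeaders(h http.Header) (RateLimit, bool) {
	remaining, err1 := strconv.Atoi(h.Get("x-ratelimit-remaining"))
	reset, err2 := strconv.ParseInt(h.Get("x-ratelimit-reset"), 10, 64)
	if err1 != nil || err2 != nil {
		return RateLimit{}, false
	}
	return RateLimit{Remaining: remaining, Reset: reset}, true
}

// WaitFor returns how long to pause before the next call: zero while budget
// remains, otherwise the time until the window resets plus a second of slack.
func WaitFor(rl RateLimit, now time.Time) time.Duration {
	if rl.Remaining > 0 {
		return 0
	}
	reset := time.Unix(rl.Reset, 0)
	if !reset.After(now) {
		return 0
	}
	return reset.Sub(now) + time.Second
}

// BackoffDelay is a capped exponential backoff for responses that carry no
// usable reset information (e.g. a secondary-limit 403 without headers).
func BackoffDelay(attempt int, base, max time.Duration) time.Duration {
	d := base
	for i := 0; i < attempt && d < max; i++ {
		d *= 2
	}
	if d > max {
		return max
	}
	return d
}

// FetchWithThrottle issues GET url and, on 403/429, sleeps as the rate-limit
// headers dictate (or by backoff) before retrying, up to maxAttempts times.
// It returns the final status and the number of attempts made; sleep is
// injectable so the demo and tests do not block for real.
func FetchWithThrottle(client *http.Client, url string, maxAttempts int, sleep func(time.Duration)) (int, int, error) {
	for attempt := 0; attempt < maxAttempts; attempt++ {
		resp, err := client.Get(url)
		if err != nil {
			return 0, attempt + 1, err
		}
		resp.Body.Close()
		if resp.StatusCode != http.StatusForbidden && resp.StatusCode != http.StatusTooManyRequests {
			return resp.StatusCode, attempt + 1, nil
		}
		wait := BackoffDelay(attempt, time.Second, 60*time.Second)
		if rl, ok := FromHeaders(resp.Header); ok {
			if w := WaitFor(rl, time.Now()); w > 0 {
				wait = w
			}
		}
		sleep(wait)
	}
	return 0, maxAttempts, fmt.Errorf("rate limit not cleared after %d attempts", maxAttempts)
}

// Demo runs a constructed server that answers the first two requests with a
// rate-limited 403 (reset 30s ahead) and then succeeds; it returns the final
// status, the attempts used and the pauses the client would have taken.
func Demo() (int, int, []time.Duration) {
	var calls int32
	srv := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if atomic.AddInt32(&calls, 1) <= 2 {
			w.Header().Set("x-ratelimit-remaining", "0")
			w.Header().Set("x-ratelimit-reset", strconv.FormatInt(time.Now().Add(30*time.Second).Unix(), 10))
			http.Error(w, `{"message":"API rate limit exceeded"}`, http.StatusForbidden)
			return
		}
		w.Header().Set("x-ratelimit-remaining", "4999")
		fmt.Fprint(w, `[{"name":"example-repo"}]`) // constructed repo listing
	}))
	defer srv.Close()
	var pauses []time.Duration
	status, attempts, _ := FetchWithThrottle(srv.Client(), srv.URL+"/orgs/example-org/repos", 5,
		func(d time.Duration) { pauses = append(pauses, d) })
	return status, attempts, pauses
}

func main() {
	status, attempts, pauses := Demo()
	fmt.Printf("status=%d attempts=%d pauses=%v\n", status, attempts, pauses)
}
```

The design point is that the reset header is authoritative: sleeping until the window reopens is what turns a hard failure after a handful of repositories into a slower but complete traversal, while the backoff path only covers responses that carry no reset information. A scanner that wants to stay well inside the budget can also call GET /rate_limit once up front and refuse to start the repository walk when Remaining is below the number of calls it expects to make.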

estenrye commented 1 year ago

@estenrye Thank you for the feedback, you can restrict the discovery to organizations via:

cnspec scan github org mondoohq --discover organization 

@tas50 I think we should not do auto-discovery for all repos right now and make it an opt-in for users at this point. Thoughts?

I can try this workaround for now, but I think it's awfully inelegant. Why break out GitHub into multiple commands of org and repo when you have the --discover flag?

Is there a way to pass this option to the GitHub action?

chris-rock commented 1 year ago

@estenrye 100% agree, I propose we are going to do the following: