How to: Secrets Mapping on GitHub
This script and report extract all secrets (organization, repositories and environments) within the GitHub organization
Many customers on GitHub use secrets to store sensitive information in your organization, repository, or repository environments to use in GitHub Actions workflows. Thinking about it, this report maps all secrets between these three levels (organization, repositories and environments) and presents them below.
An original script is available on my GitHub repository. See below this script:
Let’s go understand each command used.
- PowerShell script will receive the following parameters:
- $PAT = Personal Access token to connect on GitHub organization;
- $Organization = GitHub Organization name;
- $Connstr = connection string to Azure SQL Database that stores the report information. To create this report, it’s necessary to create previously a Azure SQL Server and Database and run a script below:
2. Get organization = use this REST API to get organization id through the organization name parameter
$UriOrganization = "https://api.github.com/orgs/$($organization)"$OrganizationResult = Invoke-RestMethod -Headers $headers -Uri $UriOrganizationWrite-Host $OrganizationResult.id
3. List organization secrets = use this REST API to list all secrets available in an organization
$uriOrganizationSecrets = "$($UriOrganization)/actions/secrets"$OrganizationSecretsResult = Invoke-RestMethod -Headers $headers -Uri $uriOrganizationSecretsforeach ($orgSecret in $OrganizationSecretsResult.secrets)
{
Write-Host $orgSecret.name
}
4. List organization repositories = use this REST API to list repositories for the specified organization
$uriRepositories = "$($UriOrganization)/repos"$RepositoriesResult = Invoke-RestMethod -Headers $headers -Uri $uriRepositoriesforeach ($repo in $RepositoriesResult)
{
Write-Host $repo.name
}
5. List repositories secrets = use this REST API to list all secrets available on each repository
$uriRepositoriesSecrets = "$($UriRepositoriesOwner)/$($repo.name)/actions/secrets" $RepositoriesSecretsResult = Invoke-RestMethod -Headers $headers -Uri $uriRepositoriesSecrets foreach ($repoSecret in $RepositoriesSecretsResult.secrets)
{
Write-Host $repoSecret.name
}
6. List repositories environments = use this REST API to list all environments on each repository
$uriRepositoriesEnvironments = "$($UriRepositoriesOwner)/$($repo.name)/environments" $RepositoriesEnvironmentsResult = Invoke-RestMethod -Headers $headers -Uri $uriRepositoriesEnvironments foreach ($repoenvironment in $RepositoriesEnvironmentsResult.environments)
{
Write-Host $repoenvironment.name
}
7. List environment secrets = use this REST API to list all secrets available in an environment
$uriRepositoriesEnvironmentsSecrets = "https://api.github.com/repositories/$($repo.id)/environments/$($repoenvironment.name)/secrets" $RepositoriesEnvironmentsSecrets = Invoke-RestMethod -Headers $headers -Uri $uriRepositoriesEnvironmentsSecrets foreach ($repoenvironmentsecret in $RepositoriesEnvironmentsSecrets.secrets)
{
Write-Host $repoenvironmentsecret.name
}
8. After extracting all secrets (organization, repositories and environments), this information is stored in a table in Azure SQL.
9. After inserting information into a table, I connected this database on Power BI:
- Repositories (1) = Filter report using Repositories field;
- Environments (2) = Filter report using Environments field;
- Secrets Name (3) = Filter report using Secret name field;
- Organization Secrets (4) = list all organization secrets;
- Repositories Secrets (5) = List all information about repositories and secrets. If the respective secret is mapped on a repository, the same will be marked (green ticks on a grid);
- Repositories Environments Secrets (5) = List all information about repositories, environments and secrets. If the respective secret is mapped on a repository and environment, the same will be marked (green ticks on a grid).