Lambda to report on github usage stats from pre-commit hook invocations
The Lambda is invoked with an action named in the event payload.
Most of the actions are internal secondary actions that the audit action triggers via SNS. There are two primary actions:
- usage
- audit
Both are triggered by scheduled (cron) Lambda triggers defined in the Terraform.
When someone runs the install script for detect-secrets:
- They authenticate with GitHub
- A message is sent to the alert_processor endpoint
- The endpoint records their username in SSM together with a randomly generated token string
- The token is passed back to the install script, which saves it in the user's global git config
The usage Lambda runs daily on a cron schedule:
- Fetches the membership of the alphagov organisation
- Fetches the list of registered users from SSM
- Removes from SSM anyone who is no longer a member of alphagov
- Reports the number of registered detect-secrets users as a percentage of the alphagov membership
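The install-time registration and the daily reconciliation described above, as an added example that is not the project's own code. It uses an in-memory dict in place of SSM and an assumed parameter prefix `/detect-secrets/users/`; the refusal to reconcile against an empty membership list is an extra guard this example adds, because a failed or under-scoped membership lookup that returned nothing would otherwise delete every registration.

```python
import hmac
import secrets
from typing import Dict, Set

# Assumed SSM parameter path for this example; the real parameter names are
# not given on the page. `store` below is a dict standing in for SSM
# (parameter name -> value) so the example runs offline.
SSM_PREFIX = "/detect-secrets/users/"


def register_user(store: Dict[str, str], username: str) -> str:
    """Record a GitHub username against a fresh random token and return the
    token so the install script can save it in the user's global git config.
    Re-running the install script simply rotates the token."""
    token = secrets.token_urlsafe(32)
    store[SSM_PREFIX + username] = token
    return token


def token_matches(store: Dict[str, str], username: str, presented: str) -> bool:
    """Check a token presented by a later hook invocation. Constant-time
    compare so the check does not leak how many leading bytes matched."""
    expected = store.get(SSM_PREFIX + username)
    return expected is not None and hmac.compare_digest(expected, presented)


def registered_users(store: Dict[str, str]) -> Set[str]:
    """Usernames currently recorded under the prefix."""
    return {name[len(SSM_PREFIX):] for name in store if name.startswith(SSM_PREFIX)}


def reconcile(store: Dict[str, str], org_members: Set[str]) -> Set[str]:
    """Remove everyone who is no longer an org member; return the removed names.
    An empty membership list is treated as a failed lookup rather than an
    empty organisation, otherwise a bad API response would wipe every
    registration (this guard is the example's own addition)."""
    if not org_members:
        raise ValueError("refusing to reconcile against an empty membership list")
    stale = registered_users(store) - org_members
    for username in stale:
        del store[SSM_PREFIX + username]
    return stale


def usage_report(store: Dict[str, str], org_members: Set[str]) -> Dict[str, object]:
    """The daily usage job: reconcile, then report registered users as a
    percentage of the organisation membership."""
    removed = reconcile(store, org_members)
    registered = registered_users(store)
    return {
        "org_members": len(org_members),
        "registered": len(registered),
        "removed": sorted(removed),
        "percentage": round(100.0 * len(registered) / len(org_members), 1),
    }


if __name__ == "__main__":
    ssm: Dict[str, str] = {}
    for user in ("alice", "bob", "carol"):               # constructed registrations
        register_user(ssm, user)
    print(usage_report(ssm, {"alice", "bob", "dave"}))   # constructed membership
```

With the constructed data above, carol is dropped because she is no longer a member, dave counts against the denominator because he is a member who never installed the hook, and the job reports 2 of 3 members registered.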
The random token was intended for use by another pre-commit hook, so that commits made with detect-secrets enabled could be recorded. That would give three detect-secrets metrics:
- % of alphagov members registered
- % of (active) repos with a .secrets.baseline
- % of commits protected by pre-commit
The aim of the audit is to capture the membership of, and access to, a GitHub organisation by GitHub accounts. It looks at membership of the organisation, membership of teams within the organisation, and then at access to repositories within the organisation, both as direct contributors and via team membership.
The audit runs on a schedule. It can also be started manually by invoking the Lambda with the event

```json
{"action": "audit"}
```

which calls the audit.start function. From there the Lambda is re-triggered repeatedly via SNS publish/subscribe until all the audit actions have completed. The chain of actions, each nested action being fanned out by the one above it, is:
```
audit.start
  log_org_membership
  log_org_teams
    log_org_team_membership       for each team
    log_org_team_repos            for each team
      log_org_repo_team_members   for each team repo
  log_org_repos
    log_org_repo_contributors     for each repo
```
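The action dispatch and SNS fan-out described above, as an added example rather than the project's own handler. The Python function names (audit.start becomes audit_start here), the topic ARN, the constructed org data and the rule that only primary actions may be invoked directly (secondary actions must arrive through the subscribed topic) are all this example's assumptions; SNS and the log sink are replaced by lists so the whole chain can be run offline.

```python
import json
from typing import Any, Dict, List

# Assumed for this example: the ARN of the topic the lambda subscribes to, plus two
# lists standing in for SNS (PUBLISHED) and the log sink (AUDIT_LOG) for offline use.
TOPIC_ARN = "arn:aws:sns:eu-west-2:123456789012:github-audit"
PUBLISHED: List[Dict[str, Any]] = []
AUDIT_LOG: List[Dict[str, Any]] = []

ORG = {  # constructed org data standing in for the GitHub API responses
    "members": ["alice", "bob"],
    "teams": {"platform": {"members": ["alice"], "repos": ["infra"]}},
    "repos": {"infra": ["alice"], "website": ["bob"]},
}

def publish(payload):
    """Stand-in for sns.publish(TopicArn=TOPIC_ARN, Message=json.dumps(payload))."""
    PUBLISHED.append(payload)

# Each action returns the record it logs and queues its children by publishing
# their payloads; the SNS subscription then re-invokes the lambda for each one.
def audit_start(payload, fan_out):
    for action in ("log_org_membership", "log_org_teams", "log_org_repos"):
        fan_out({"action": action})
    return {"started": True}

def log_org_membership(payload, fan_out):
    return {"members": ORG["members"]}

def log_org_teams(payload, fan_out):
    for team in ORG["teams"]:
        fan_out({"action": "log_org_team_membership", "team": team})
        fan_out({"action": "log_org_team_repos", "team": team})
    return {"teams": sorted(ORG["teams"])}

def log_org_team_membership(payload, fan_out):
    team = payload["team"]
    return {"team": team, "members": ORG["teams"][team]["members"]}

def log_org_team_repos(payload, fan_out):
    team = payload["team"]
    for repo in ORG["teams"][team]["repos"]:
        fan_out({"action": "log_org_repo_team_members", "team": team, "repo": repo})
    return {"team": team, "repos": ORG["teams"][team]["repos"]}

def log_org_repo_team_members(payload, fan_out):
    team, repo = payload["team"], payload["repo"]
    return {"repo": repo, "team": team, "members": ORG["teams"][team]["members"]}

def log_org_repos(payload, fan_out):
    for repo in ORG["repos"]:
        fan_out({"action": "log_org_repo_contributors", "repo": repo})
    return {"repos": sorted(ORG["repos"])}

def log_org_repo_contributors(payload, fan_out):
    repo = payload["repo"]
    return {"repo": repo, "contributors": ORG["repos"][repo]}

PRIMARY_ACTIONS = {"audit": audit_start}
SECONDARY_ACTIONS = {f.__name__: f for f in (
    log_org_membership, log_org_teams, log_org_team_membership, log_org_team_repos,
    log_org_repo_team_members, log_org_repos, log_org_repo_contributors)}

def unwrap(event):
    """Yield (payload, via_sns): SNS wraps the JSON payload in Records[].Sns.Message,
    a direct invocation passes the payload as the event itself."""
    if "Records" in event:
        for record in event["Records"]:
            sns = record["Sns"]
            if sns.get("TopicArn") != TOPIC_ARN:  # only trust our own topic
                raise PermissionError(f"unexpected topic {sns.get('TopicArn')!r}")
            yield json.loads(sns["Message"]), True
    else:
        yield event, False

def handler(event, context=None):
    """Lambda entry point: primary actions may be invoked directly, secondary
    actions only when they arrive through the SNS topic."""
    records = []
    for payload, via_sns in unwrap(event):
        name = payload.get("action")
        if name in PRIMARY_ACTIONS:
            action = PRIMARY_ACTIONS[name]
        elif name in SECONDARY_ACTIONS and via_sns:
            action = SECONDARY_ACTIONS[name]
        else:
            raise PermissionError(f"action {name!r} not allowed for this invocation")
        records.append({"action": name, **action(payload, publish)})
    AUDIT_LOG.extend(records)
    return records

def run_audit_to_completion():
    """Drive the publish/subscribe loop offline; returns the actions in execution order."""
    PUBLISHED.clear()
    AUDIT_LOG.clear()
    handler({"action": "audit"})            # what the cron trigger or manual event sends
    while PUBLISHED:                        # each published payload re-invokes the lambda
        payload = PUBLISHED.pop(0)
        handler({"Records": [{"Sns": {"TopicArn": TOPIC_ARN, "Message": json.dumps(payload)}}]})
    return [record["action"] for record in AUDIT_LOG]
```

Accepting secondary actions only from the topic means a caller who merely has lambda:InvokeFunction cannot run an intermediate step out of sequence or with a crafted team or repo name, and checking TopicArn rejects messages from any topic the Lambda was never meant to be subscribed to. With the constructed org above a full run executes nine actions, one per node in the chain, with log_org_repo_contributors running twice (once per repo).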