GitArmor now features an enhanced CLI output that provides better visibility into security gaps and suggested configurations. The new output format includes:
- Color-coded results (green for PASSED, red for FAILED, yellow for SKIPPED)
- Direct links to GitHub security documentation
- Threat model references for failed checks
- Links to SLSA.dev threat model
- Links to MS DevOps Threat Matrix
Created a comprehensive metadata mapping system that links each check type to:
- GitHub Documentation: Official GitHub docs for best practices
- Threat Model Section: Reference to specific threats in repository.threats.md or organization.threats.md
- SLSA.dev Threats: Links to SLSA (Supply-chain Levels for Software Artifacts) threat model
- MS DevOps Threat Matrix: Links to Microsoft's DevOps security threat matrix
Check types covered by the mapping:
- Branch Protection
- Branch Protection - Pull Request Settings
- Files Exist Check
- Files Disallow Check
- GHAS Checks
- Actions Check
- Workflows Default Permissions Check
- Workflows Access Permissions Check
- Runners Check
- WebHooks Check
- Admins Check
- Members Privileges Check
- Org GHAS Checks
- Org Authentication Checks
- Org Custom Roles Checks
- Org Actions Checks
Created formatting utilities that:
- Use chalk for colored terminal output
- Display check results with clear PASSED/FAILED/SKIPPED status
- Show GitHub documentation links for all checks
- Display threat model references for failed checks only
- Include SLSA.dev and MS DevOps Threat Matrix links for failed checks
- Format JSON data with proper indentation
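To show how the metadata mapping and the formatting utilities fit together, here is a small self-contained TypeScript example. It is added here and is not GitArmor's own code: `CheckMetadata`, `CHECK_METADATA`, `formatCheckResult` and `formatRepositoryResults` are assumed names, the "Files Disallow Check" entry reuses the two URLs and the threat-model section from the sample output, the "Branch Protection" entry is a constructed illustration, and colors are emitted as raw ANSI escapes (the real project uses chalk) and are off by default so the output stays clean when piped.

```typescript
// Added example, not GitArmor's own code. Names (CheckMetadata, CHECK_METADATA,
// formatCheckResult, formatRepositoryResults) and the "Branch Protection" entry
// are assumptions; the "Files Disallow Check" URLs come from the PR's sample output.

type CheckStatus = "PASSED" | "FAILED" | "SKIPPED";

interface CheckMetadata {
  githubDocs: string;             // shown for every check
  threatModelFile: "repository.threats.md" | "organization.threats.md";
  threatModelSection: string;     // shown only when the check FAILED
  slsaThreats: string[];          // shown only when the check FAILED
  msDevOpsThreatMatrix: string[]; // shown only when the check FAILED
}

interface CheckResult {
  name: string;          // key into CHECK_METADATA
  pass: boolean | null;  // null means the check was skipped
  data?: unknown;        // evaluator details, printed as indented JSON
}

const MS_DEVOPS_MATRIX = "https://www.microsoft.com/en-us/security/blog/2023/04/06/devops-threat-matrix/";
const SLSA_COMPROMISE_SOURCE = "https://slsa.dev/spec/v1.0/threats#e-compromise-source-repo";

const CHECK_METADATA: Record<string, CheckMetadata> = {
  "Files Disallow Check": {
    githubDocs: "https://docs.github.com/en/code-security/secret-scanning/about-secret-scanning",
    threatModelFile: "repository.threats.md",
    threatModelSection: "Sensitive files committed to the repository",
    slsaThreats: [SLSA_COMPROMISE_SOURCE],
    msDevOpsThreatMatrix: [MS_DEVOPS_MATRIX],
  },
  // Assumed entry: docs link and section name chosen for illustration only.
  "Branch Protection": {
    githubDocs: "https://docs.github.com/en/repositories/configuring-branches-and-merges-in-your-repository/managing-protected-branches/about-protected-branches",
    threatModelFile: "repository.threats.md",
    threatModelSection: "Unprotected default branch",
    slsaThreats: [SLSA_COMPROMISE_SOURCE],
    msDevOpsThreatMatrix: [MS_DEVOPS_MATRIX],
  },
};

type Color = "green" | "red" | "yellow";
const ANSI = { green: "\x1b[32m", red: "\x1b[31m", yellow: "\x1b[33m", reset: "\x1b[0m" };
const STATUS_STYLE: Record<CheckStatus, { icon: string; color: Color }> = {
  PASSED: { icon: "✅", color: "green" },
  FAILED: { icon: "❌", color: "red" },
  SKIPPED: { icon: "⏭️", color: "yellow" },
};

function statusOf(result: CheckResult): CheckStatus {
  if (result.pass === null) return "SKIPPED";
  return result.pass ? "PASSED" : "FAILED";
}

function paint(text: string, color: Color, useColor: boolean): string {
  return useColor ? `${ANSI[color]}${text}${ANSI.reset}` : text;
}

// Render one check: docs link always, threat-model context only on failure.
function formatCheckResult(result: CheckResult, useColor = false): string {
  const status = statusOf(result);
  const { icon, color } = STATUS_STYLE[status];
  const lines = [`${icon} ${paint(status, color, useColor)} - ${result.name}`];
  const meta = CHECK_METADATA[result.name];
  if (meta) {
    lines.push(`   📘 GitHub Docs: ${meta.githubDocs}`);
    if (status === "FAILED") {
      lines.push(`   ⚠️ Threat Model: See "${meta.threatModelSection}" in ${meta.threatModelFile}`);
      lines.push("   🔗 SLSA.dev Threats:");
      meta.slsaThreats.forEach((u) => lines.push(`      - ${u}`));
      lines.push("   🔗 MS DevOps Threat Matrix:");
      meta.msDevOpsThreatMatrix.forEach((u) => lines.push(`      - ${u}`));
    }
  }
  if (result.data !== undefined) {
    // Pretty-print the JSON and indent every line under the check header.
    const json = JSON.stringify(result.data, null, 2).split("\n").join("\n   ");
    lines.push(`   Data: ${json}`);
  }
  return lines.join("\n");
}

// Render a whole repository section with the banner used by the enhanced output.
function formatRepositoryResults(repo: string, results: CheckResult[], useColor = false): string {
  const rule = Array(79).join("═"); // 78 box-drawing characters
  const body = results.map((r) => formatCheckResult(r, useColor)).join("\n\n");
  return `${rule}\nRepository Policy Results - ${repo}\n${rule}\n\n${body}`;
}

// Constructed sample results mirroring the PR's example.
const SAMPLE_RESULTS: CheckResult[] = [
  { name: "Files Disallow Check", pass: false,
    data: { foundDisallowedFiles: [".env", "config.xml"], gitignoreExists: true, missingInGitignore: [".env"] } },
  { name: "Branch Protection", pass: true },
  { name: "Runners Check", pass: null },
];

console.log(formatRepositoryResults("dcodx/gitarmor", SAMPLE_RESULTS));
```

Keeping the threat-model, SLSA and MS DevOps links behind the `FAILED` branch is what keeps a mostly-green run readable: passing checks still get their documentation link, but only the findings that need remediation carry the extra context. A check with no metadata entry degrades gracefully to the status line alone, so adding a new check type never breaks output.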
RepoPolicyEvaluator (src/evaluators/RepoPolicyEvaluator.ts):
- Now uses printEnhancedCheckResult() instead of basic logger output
- Displays repository-specific metadata
OrgPolicyEvaluator (src/evaluators/OrgPolicyEvaluator.ts):
- Now uses printEnhancedCheckResult() instead of basic logger output
- Displays organization-specific metadata
Updated the output section to highlight the enhanced formatting features.
Previous output:

------------------------------------------------------------------------
Repository policy results - dcodx/gitarmor:
------------------------------------------------------------------------
[❌] Check: Files Disallow Check - Pass: false
{"foundDisallowedFiles":[".env","config.xml"],"gitignoreExists":true,"missingInGitignore":[".env"]}

Enhanced output:

══════════════════════════════════════════════════════════════════════════════
Repository Policy Results - dcodx/gitarmor
══════════════════════════════════════════════════════════════════════════════

❌ FAILED - Files Disallow Check
   📘 GitHub Docs: https://docs.github.com/en/code-security/secret-scanning/about-secret-scanning
   ⚠️ Threat Model: See "Sensitive files committed to the repository" in repository.threats.md
   🔗 SLSA.dev Threats:
      - https://slsa.dev/spec/v1.0/threats#e-compromise-source-repo
   🔗 MS DevOps Threat Matrix:
      - https://www.microsoft.com/en-us/security/blog/2023/04/06/devops-threat-matrix/
   Data: {
     "foundDisallowedFiles": [".env", "config.xml"],
     "gitignoreExists": true,
     "missingInGitignore": [".env"]
   }
Benefits of the enhanced output:
- Better Visibility: Clear visual distinction between passed and failed checks
- Actionable Guidance: Direct links to official documentation for remediation
- Threat Context: Understanding the security implications of failed checks
- Compliance Mapping: Links to industry-standard security frameworks (SLSA, DevOps Threat Matrix)
- Improved UX: More professional and user-friendly output
Potential improvements could include:
- Progress bars during check execution
- Summary statistics at the end
- Grouped output by severity level
- Export to different formats (HTML, PDF)
- Interactive mode for drill-down into specific checks