From github-inspector
Query GitHub for compliance-relevant configuration and emit findings conforming to the v1 contract.
npx claudepluginhub rifh2000/claude-grc-engineering. --plugin github-inspector# /github-inspector:collect Scans GitHub repositories in the configured scope and emits one Finding document per repository. ## How to run ## Arguments - `--scope=<value>` — repository scope. Overrides the config default. - `@me` — all repos you own - `org:<name>` — all repos in an org you're a member of - `repo:<owner>/<name>` — single repo - `--refresh` — ignore cache; always re-query GitHub - `--output=<fmt>` — `silent` (default for CLI piping) | `summary` (one-line summary) | `json` - `--limit=<n>` — cap the number of repos scanned (useful for testing) - `--concurrency=<n>` ...
/collectCollects URLs, text notes, or file paths into PARA-classified knowledge storage. Use --search "query" to find existing collections.
/collectScans AWS for compliance issues across IAM, S3, CloudTrail, EBS; emits JSON findings with SCF checks and severities.
/collectScans GitHub repositories in a specified scope for SCF compliance controls like branch protection, secret scanning, and Dependabot, emitting JSON findings per repository.
/collectScans GCP project for compliance configs in IAM, Cloud Storage, audit logs, KMS, Compute; emits JSON findings to cache and stdout summary.
/collectScans Okta org for authentication policies, MFA enrollment, password policy, session settings, admin users, and logs. Emits schema-conformant security findings.
Scans GitHub repositories in the configured scope and emits one Finding document per repository.
node plugins/connectors/github-inspector/scripts/collect.js [options]
--scope=<value> — repository scope. Overrides the config default.
@me — all repos you ownorg:<name> — all repos in an org you're a member ofrepo:<owner>/<name> — single repo--refresh — ignore cache; always re-query GitHub--output=<fmt> — silent (default for CLI piping) | summary (one-line summary) | json--limit=<n> — cap the number of repos scanned (useful for testing)--concurrency=<n> — parallel API calls (default 4, max 8 to respect rate limits)--quiet — no stderr progressFor each repository in scope, the connector emits evaluations against SCF controls:
| SCF ID | Check | Typical severity |
|---|---|---|
CHG-02 — Configuration Change Control | Default branch has protection with required reviews | high if missing |
CHG-02.1 — Change Approval | Required status checks configured | medium |
IAO-04 — Secure Coding | CodeQL / code scanning enabled | medium |
MON-01 — Continuous Monitoring | Secret scanning enabled | high |
MON-01.4 — Dependency monitoring | Dependabot alerts enabled | medium |
TDA-01 — Third-party Risk | Outside collaborators with admin access | medium |
IAC-02 — Authentication | Deploy keys rotated and scoped read-only | medium |
GOV-05 — Governance | Repository is not archived without notice | low |
More checks land as the connector matures; see the SKILL for the authoritative list.
Writes ~/.cache/claude-grc/findings/github-inspector/<run_id>.json — one JSON file per run containing an array of Findings (one per repository).
Appends a run manifest to ~/.cache/claude-grc/runs.log.
Prints a one-line summary to stdout unless --quiet:
github-inspector: 127 resources, 512 evaluations, 38 findings (6 high, 15 medium, 17 low).
0 — success, cache written2 — auth failure (re-run /github-inspector:setup)3 — rate-limited (the connector waited but still hit the ceiling; retry later)4 — partial result (some repos unreadable; a report is still written)5 — config missing (run /github-inspector:setup first)GitHub's REST API gives you 5,000 requests/hour authenticated. The connector budgets ~5 requests per repo and reports remaining headroom in the Finding's metadata.rate_limit_remaining.
# Personal account
/github-inspector:collect --scope=@me
# Whole org
/github-inspector:collect --scope=org:acme --concurrency=6
# Single repo for testing
/github-inspector:collect --scope=repo:acme/prod-api
gh auth login --with-token < $GH_TOKEN_FILE
node plugins/connectors/github-inspector/scripts/collect.js --scope=org:acme --quiet
node plugins/grc-engineer/scripts/gap-assessment.js SOC2 --sources=github-inspector --output=sarif --quiet > gap.sarif