This repo contains tools and tracks policy violations.
For details on policies, see the docs.
For the dotnet
org, the policies are evaluated daily and violations are posted
in the internal repo org-policy-violations. The repo is internal because it
contains names of private repos and teams.
You can run the tool locally by cloning this repo and running policop.cmd
from
the root.
Before you can do anything useful, you need to get access to the org data, which includes repos, teams, users and their relationships. This also includes access to linking information between Microsoft user accounts and GitHub user accounts.
Due to performance and API rate limitations it's not practical to query this information from GitHub when you're experimenting and trying to analyze the org. So instead, you can download a cached version of the org that was computed and uploaded to a private Azure DevOps project during the nightly policy runs.
You do this by running:
$ .\policop cache-build
This will download the latest version of the org data and store it on your local machine. If you run this command for the first time, it will take you to a website where you'll need to create an access token that the tool will then store and use on future calls.
You can check how old your local cache is by running
$ .\policop cache-info
You can also clear the cache with
$ .\policop cache-clear -f
In order to check policies, you simply use this command:
$ .\policop check --excel
This will compute all policy violations and display the result in Excel. You can also write them to a file if you prefer that:
$ .\policop check -o D:\temp\test.csv
The primary command is policop list
which you can use to query information
from the org.
Using -r
, -t
, and -u
you can list all components of the org:
-r
the list of repos-t
the list of teams-u
the list of users-r -t
the list of repos and permissions teams are given-r -u
the list of repos and permissions users are given-t -u
the list of teams and their members-r -t -u
the list of repos and permissions teams & users are given
Each of those options accept a list of terms you can use to filter,
with basic wild card support, such as *core*
or dotnet*
.
So to list all teams whose name contains the text core
you'd do this:
$ .\policop list -t *core*
To find all members of all teams named *core*
you'd do this:
# List team members of teams whose name contains "core"
$ .\policop list -t *core* -u
Using -f
you can also filter:
# List all repos whose name contains dotnet and where a team
# grants admin access
$ .\policop list -r *dotnet* -t -f rt:permission=admin
For columns returning Yes
/No
you can also use the simple
version:
# List all private repos
$ .\policop list -r -f r:private
And lastly, using -c
you can create custom reports with specific columns:
# List all private repos and show their name, description and list of admins
$ .\policop list -r -f r:private -c r:name r:description r:admins
The available columns can be listed by running
$ .\policop list-columns
The naming convention indicates when the columns can be used:
r:*
when repos are includedt:*
when teams are includedu:*
when users are includedrt:*
when repos and teams are includedru:*
when repos and users are includedtu:*
when teams and users are includedrtu:*
when repos, teams, and users are included
In general, policop list
will print the results to the console but with -o
you can write to a file and with --excel
you can send it straight into Excel.