steampipe plugin install github

Table: github_audit_log - Query GitHub Audit Logs using SQL

GitHub Audit Logs is a feature within GitHub that allows you to keep track of what's happening in your organization, repositories, and teams. It provides a record of actions taken by users, whether they're adding new members, changing repository settings, or deleting branches. GitHub Audit Logs helps you stay informed about the activities within your GitHub resources and take appropriate actions when needed.

Table Usage Guide

The github_audit_log table provides insights into user activity within GitHub. As a Security Analyst, explore user-specific actions through this table, including performed actions, involved repositories, and action timestamps. Utilize it to uncover information about user actions, such as repository changes, team membership alterations, and other potential security risks.

Important Notes

  • You must specify the organization column in where or join clause to query the table.
  • This table only works for organizations on an GitHub Enterprise plan.
  • This table supports optional quals. Queries with optional quals are optimised to use GitHub query filters. Optional quals are supported for the following columns:
    • action
    • actor
    • created_at
    • include
    • organization
    • phrase

Examples

List recent audit events for an organization

Explore the recent audit activities within your organization to gain insights into actions taken and by whom, which can aid in understanding behavioral patterns and identifying potential security issues.

select
id,
created_at,
actor,
action,
data
from
github_audit_log
where
organization = 'my_org'
order by
created_at
limit
10;
select
id,
created_at,
actor,
action,
data
from
github_audit_log
where
organization = 'my_org'
order by
created_at
limit
10;

List audit events in a specific date range

Explore which audit events occurred within your organization over a specific date range. This can help you understand the activity and changes made during that period, allowing for better tracking and management.

select
id,
created_at,
actor,
action,
data
from
github_audit_log
where
organization = 'my_org'
and created_at between '2022-06-27' and '2022-06-29'
order by
created_at;
select
id,
created_at,
actor,
action,
data
from
github_audit_log
where
organization = 'my_org'
and created_at between '2022-06-27' and '2022-06-29'
order by
created_at;

List repository creation and deletion audit events on a specific date

Explore which repository creation and deletion events occurred on a specific date within your organization. This is useful for tracking changes and maintaining a record of repository actions for potential audit or review purposes.

select
id,
created_at,
actor,
action,
data
from
github_audit_log
where
organization = 'my_org'
and action IN ('repo.create', 'repo.destroy')
and created_at = '2022-01-01'
order by
created_at;
select
id,
created_at,
actor,
action,
data
from
github_audit_log
where
organization = 'my_org'
and action IN ('repo.create', 'repo.destroy')
and created_at = '2022-01-01'
order by
created_at;

List audit events by a specific actor (user) in the last 30 days

This query is useful for tracking the activities of a particular user within your organization on Github over the past month. It helps in monitoring user behavior, identifying any unusual actions, and maintaining a safe and secure environment.

select
id,
created_at,
actor,
action,
data
from
github_audit_log
where
organization = 'my_org'
and actor = 'some_user'
and created_at > now() - interval '30 day'
order by
created_at;
select
id,
created_at,
actor,
action,
data
from
github_audit_log
where
organization = 'my_org'
and actor = 'some_user'
and created_at > datetime('now', '-30 day')
order by
created_at;

List branch protection override audit events on a specific date using a search phrase

Gain insights into the audit events that occurred on a specific date, particularly those related to branch protection overrides. This is useful for organizations that want to monitor and assess potential security risks or policy violations within their GitHub repositories.

select
id,
created_at,
actor,
action,
data
from
github_audit_log
where
organization = 'my_org' phrase = 'action:protected_branch.policy_override created:2022-06-28'
order by
created_at;
select
id,
created_at,
actor,
action,
data
from
github_audit_log
where
organization = 'my_org'
and phrase = 'action:protected_branch.policy_override created:2022-06-28'
order by
created_at;

Schema for github_audit_log

NameTypeOperatorsDescription
_ctxjsonbSteampipe context in JSON form.
actiontext=The action performed.
actortext=The GitHub user who performed the action.
actor_locationjsonbThe actor's location at the moment of the action.
created_attimestamp with time zone>, >=, <, <=, =The timestamp of the audit event.
datajsonbAdditional data relating to the audit event.
idtextThe id of the audit event.
includetext=The event types to include: web, git, all.
login_idtext=, !=, ~~, ~~*, !~~, !~~*Unique identifier for the user login.
organizationtext=The GitHub organization.
phrasetext=The search phrase for your audit events.
repotextThe GitHub repository, when the action relates to a repository.
sp_connection_nametext=, !=, ~~, ~~*, !~~, !~~*Steampipe connection name.
sp_ctxjsonbSteampipe context in JSON form.
teamtextThe GitHub team, when the action relates to a team.
user_logintextThe GitHub user, when the action relates to a user.

Export

This table is available as a standalone Exporter CLI. Steampipe exporters are stand-alone binaries that allow you to extract data using Steampipe plugins without a database.

You can download the tarball for your platform from the Releases page, but it is simplest to install them with the steampipe_export_installer.sh script:

/bin/sh -c "$(curl -fsSL https://steampipe.io/install/export.sh)" -- github

You can pass the configuration to the command with the --config argument:

steampipe_export_github --config '<your_config>' github_audit_log