← Back to Skills Marketplace
1.
2.
3.
branch-protection-auditor
by
charlie-morrison
· GitHub ↗
· v1.0.0
· MIT-0
27
Downloads
0
Stars
0
Active Installs
1
Versions
Install in OpenClaw
/install branch-protection-auditor
Description
Audit GitHub/GitLab branch protection rules across repositories. Check required reviews, status checks, force push restrictions, admin bypass, and CODEOWNERS...
README (SKILL.md)
Branch Protection Auditor
Audit branch protection rules across your GitHub or GitLab repos. Find repos with no protection on main, missing required reviews, disabled status checks, admin bypass enabled, and missing CODEOWNERS — then generate recommended rulesets to fix the gaps.
Use when: "audit branch protection", "are our repos protected", "who can push to main", "review requirements", "security audit repos", "branch rules", "CODEOWNERS check", or before compliance audits.
Commands
1. audit — Scan All Repos
Step 1: List Repositories
# GitHub — list org repos
gh api "orgs/$ORG/repos?per_page=100&type=all" --paginate | \
python3 -c "
import json, sys
repos = json.load(sys.stdin)
for r in repos:
if not r['archived']:
print(f'{r[\"full_name\"]} {r[\"default_branch\"]} {r[\"private\"]}')
"
# Or list user repos
gh repo list --json nameWithOwner,defaultBranchRef --limit 100
Step 2: Check Protection Rules
# For each repo, check branch protection
gh api "repos/$REPO/branches/$DEFAULT_BRANCH/protection" 2>/dev/null | python3 -c "
import json, sys
try:
p = json.load(sys.stdin)
checks = {
'required_reviews': p.get('required_pull_request_reviews') is not None,
'min_reviewers': p.get('required_pull_request_reviews', {}).get('required_approving_review_count', 0),
'dismiss_stale': p.get('required_pull_request_reviews', {}).get('dismiss_stale_reviews', False),
'require_code_owner': p.get('required_pull_request_reviews', {}).get('require_code_owner_reviews', False),
'status_checks': p.get('required_status_checks') is not None,
'strict_checks': p.get('required_status_checks', {}).get('strict', False),
'enforce_admins': p.get('enforce_admins', {}).get('enabled', False),
'force_push': not p.get('allow_force_pushes', {}).get('enabled', True),
'deletions': not p.get('allow_deletions', {}).get('enabled', True),
'linear_history': p.get('required_linear_history', {}).get('enabled', False),
'signed_commits': p.get('required_signatures', {}).get('enabled', False),
}
for k, v in checks.items():
status = '✅' if v else '❌'
print(f' {status} {k}: {v}')
except:
print(' ❌ NO PROTECTION RULES')
"
Step 3: Check CODEOWNERS
# Check if CODEOWNERS exists
for path in ".github/CODEOWNERS" "CODEOWNERS" "docs/CODEOWNERS"; do
if gh api "repos/$REPO/contents/$path" --silent 2>/dev/null; then
echo "✅ CODEOWNERS found at $path"
break
fi
done || echo "❌ No CODEOWNERS file"
Step 4: Generate Report
# Branch Protection Audit — [Org Name]
## Summary
- Repos scanned: 45
- Protected: 32 (71%)
- Unprotected: 13 (29%) 🔴
- Fully compliant: 18 (40%)
## Unprotected Repos (Critical)
| Repo | Default Branch | Public? | Last Commit | Risk |
|------|---------------|---------|-------------|------|
| api-service | main | No | 2 days ago | 🔴 Active, unprotected |
| legacy-app | master | No | 1 year ago | 🟡 Inactive |
| docs-site | main | Yes | 1 week ago | 🔴 Public, unprotected |
## Protection Gaps (Protected but incomplete)
| Repo | Reviews | Status Checks | Admin Enforce | Force Push Block | CODEOWNERS |
|------|---------|--------------|---------------|-----------------|------------|
| web-app | ✅ 2 | ✅ | ❌ | ✅ | ❌ |
| mobile-api | ✅ 1 | ❌ | ❌ | ✅ | ✅ |
| data-pipeline | ✅ 1 | ✅ | ✅ | ❌ | ❌ |
## Recommendations
1. Enable protection on 13 unprotected repos (script provided)
2. Require min 2 reviewers on all repos (currently 8 repos have 1)
3. Enable admin enforcement on 24 repos (admins can bypass)
4. Add CODEOWNERS to 27 repos
5. Block force push on 5 repos that allow it
2. fix — Apply Recommended Protection Rules
Generate a script to apply branch protection:
# Apply protection to a repo
gh api -X PUT "repos/$REPO/branches/main/protection" \
-f required_pull_request_reviews='{"required_approving_review_count":2,"dismiss_stale_reviews":true,"require_code_owner_reviews":true}' \
-f required_status_checks='{"strict":true,"contexts":["ci/test","ci/lint"]}' \
-f enforce_admins=true \
-f restrictions=null \
-F allow_force_pushes=false \
-F allow_deletions=false
3. compliance — Map to Security Frameworks
Generate compliance evidence for:
- SOC 2: CC6.1 (access controls), CC8.1 (change management)
- ISO 27001: A.12.1.2 (change management)
- NIST: CM-3 (configuration change control)
- PCI-DSS: 6.4 (change control procedures)
Usage Guidance
This skill performs read and (optionally) write operations against GitHub repositories but the metadata omits critical details and claims GitLab support that is not implemented. Before installing or running it: 1) Verify you have the GitHub CLI ('gh') and python3 on the system — the SKILL.md expects them. 2) Understand authentication: 'gh' must be authenticated (or a CI GITHUB_TOKEN provided) and the token must have appropriate scopes; the 'fix' command requires elevated repo/org privileges. 3) Treat 'fix' as potentially destructive — run the 'audit' flow only first, review generated scripts, and test in a non-production org or a single repo. 4) Ask the publisher to correct the metadata: declare required binaries and required credentials, remove or implement GitLab support, and add safe defaults (dry-run, explicit confirmation, least-privilege guidance). 5) If you do not want an agent to make changes autonomously, disable model invocation for this skill or require manual confirmation before running 'fix'.
Capability Analysis
Type: OpenClaw Skill
Name: branch-protection-auditor
Version: 1.0.0
The branch-protection-auditor skill is a legitimate security tool designed to audit and manage GitHub/GitLab repository settings. It uses standard GitHub CLI (gh) commands and inline Python scripts in SKILL.md to parse JSON responses and generate reports. There is no evidence of data exfiltration, malicious execution, or prompt injection; the logic is transparent and strictly aligned with its stated purpose of improving repository security posture.
Capability Assessment
Purpose & Capability
The description claims GitHub/GitLab support, but every runtime command in SKILL.md uses the GitHub CLI and GitHub API only; there are no GitLab commands. The metadata lists no required binaries, yet the instructions depend on 'gh' and 'python3'. This mismatch between claimed purpose and actual capabilities is unexplained.
Instruction Scope
Instructions are narrowly scoped to listing repos, querying branch protection, checking CODEOWNERS, and applying protection rules via the GitHub API — they do not attempt to read unrelated system files or environment variables. However the 'fix' flow issues PUT requests that will change repository protections and therefore requires elevated repository/org privileges; the SKILL.md does not include safety controls (dry-run by default, confirmation, or scoping).
Install Mechanism
This is an instruction-only skill (no install spec), which is lower risk. But it implicitly requires external binaries ('gh', 'python3') and authenticated GitHub access which are not declared in the metadata.
Credentials
The skill declares no required environment variables or primary credential, yet the commands will only work with authenticated GitHub access and, for the 'fix' command, a token with repo/admin-level write permissions. The absence of declared credential requirements is disproportionate and could surprise users about what secrets or auth are needed.
Persistence & Privilege
always is false (good). The skill could be invoked autonomously (default), and if invoked it can apply destructive changes (branch protection updates). Combining autonomous invocation with the undocumented requirement for high-privilege GitHub credentials increases risk unless users explicitly control invocation and tokens.
How to Use
- Make sure OpenClaw is installed (local or Docker)
- Run the install command in chat:
/install branch-protection-auditor - After installation, invoke the skill by name or use
/branch-protection-auditor - Provide required inputs per the skill's parameter spec and get structured output
Version History
v1.0.0
Initial release of branch-protection-auditor:
- Audit GitHub/GitLab branch protection rules across repositories.
- Detect missing protections such as required reviews, status checks, and CODEOWNERS.
- Generate detailed gap analysis and summary reports with compliance mapping.
- Recommend and script fixes for common protection weaknesses.
- Reference for SOC 2, ISO 27001, NIST, and PCI-DSS compliance.
Metadata
Frequently Asked Questions
What is branch-protection-auditor?
Audit GitHub/GitLab branch protection rules across repositories. Check required reviews, status checks, force push restrictions, admin bypass, and CODEOWNERS... It is an AI Agent Skill for Claude Code / OpenClaw, with 27 downloads so far.
How do I install branch-protection-auditor?
Run "/install branch-protection-auditor" in the OpenClaw or Claude Code chat to install it in one step — no extra setup required.
Is branch-protection-auditor free?
Yes, branch-protection-auditor is completely free, licensed under MIT-0. You can download, install and use it at no cost.
Which platforms does branch-protection-auditor support?
branch-protection-auditor is cross-platform and runs anywhere OpenClaw / Claude Code is available (cross-platform).
Who created branch-protection-auditor?
It is built and maintained by charlie-morrison (@charlie-morrison); the current version is v1.0.0.
More Skills