microsoft/ghqr
Go
Captured source
Description: GitHub Quick Review: Evaluate your enterprise and organizations against GitHub best practices
Language: Go
License: MIT
Stars: 495
Forks: 29
Open issues: 3
Created: 2026-02-20T10:02:18Z
Pushed: 2026-06-08T08:15:06Z
Default branch: main
Fork: no
Archived: no
README:  
GitHub Quick Review
GitHub Quick Review (ghqr) is a powerful command-line interface (CLI) tool that analyzes GitHub enterprises, organizations, and repositories to ensure compliance with GitHub best practices and security recommendations. Its main objective is to offer users a comprehensive assessment of their GitHub resources, allowing them to easily identify security gaps, misconfigured settings, and areas for improvement.
What ghqr Checks
GitHub Quick Review (ghqr) evaluates your GitHub resources across the following areas:
GitHub Enterprise Cloud / Organizations / Repositories
| Area | Scope | Examples |
|------|-------|----------|
| Security | Org, Repo | Dependabot alerts, secret scanning, code scanning, GHAS |
| Access Control | Org, Repo | 2FA enforcement, member privileges, SAML SSO, CODEOWNERS |
| Branch Protection | Repo | Required reviews, status checks, admin enforcement |
| Copilot | Org | Seat usage, content exclusions, policy configuration, MCP settings |
| Governance | Org | IP allow lists, repository creation policies, fork policies |
| Audit Log | Enterprise, Org | Audit log streaming, suspicious event detection |
| Community | Repo | Contributing guide, issue templates, code of conduct |
| Actions | Org, Repo | Workflow permissions, allowed actions, self-hosted runners |
| Dependencies | Repo | Dependabot version updates, security updates |
| Metadata | Repo | Description, topics, visibility, archival status |
GitHub Enterprise Server (GHES)
| Area | Examples |
|------|----------|
| Server Configuration | Version currency, subdomain isolation, TLS, private mode |
| Authentication | Auth mode (SAML/LDAP/CAS), open signup, password authentication |
| License | Seat utilization, license expiration warnings |
| Security | GHAS enablement, secret scanning, push protection, code scanning |
| Dependencies | Dependabot alerts and security updates enablement |
| Actions | GitHub Actions enablement, self-hosted runner security |
| Audit Log | Suspicious event detection, log forwarding, staff impersonation |
| Infrastructure | Admin SSH access, site admin count, backup-utils, HA replicas |
| Admin Stats | User/org/repo counts, suspended user ratio, disabled orgs |
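The Branch Protection row above names three repo-level checks (required reviews, status checks, admin enforcement). The following is an added example, not ghqr's own code, of turning one branch-protection API response into findings carrying the severity and category that the scan results describe; the JSON sample is constructed, and the 404 case reflects GitHub's answer for a branch with no protection rule.

```go
// Added example, not ghqr's own code: one branch-protection API response -> prioritized findings.
package main
import "encoding/json"
import "fmt"

// Subset of GET /repos/{owner}/{repo}/branches/{branch}/protection.
type Protection struct {
	RequiredPullRequestReviews *struct {
		RequiredApprovingReviewCount int `json:"required_approving_review_count"`
	} `json:"required_pull_request_reviews"`
	RequiredStatusChecks *struct {
		Contexts []string `json:"contexts"`
	} `json:"required_status_checks"`
	EnforceAdmins struct {
		Enabled bool `json:"enabled"`
	} `json:"enforce_admins"`
}
type Finding struct{ Severity, Category, Message string }

// EvaluateBranchProtection takes the HTTP status and body of the protection
// call; GitHub answers 404 when the branch has no protection rule at all.
func EvaluateBranchProtection(status int, raw []byte) ([]Finding, error) {
	const cat = "Branch Protection"
	if status == 404 {
		return []Finding{{"high", cat, "no protection rule on the default branch"}}, nil
	}
	var p Protection
	if err := json.Unmarshal(raw, &p); err != nil {
		return nil, err
	}
	var f []Finding
	if r := p.RequiredPullRequestReviews; r == nil || r.RequiredApprovingReviewCount < 1 {
		f = append(f, Finding{"high", cat, "require at least one approving review"})
	}
	if c := p.RequiredStatusChecks; c == nil || len(c.Contexts) == 0 {
		f = append(f, Finding{"medium", cat, "require status checks before merging"})
	}
	if !p.EnforceAdmins.Enabled {
		f = append(f, Finding{"medium", cat, "apply the rule to administrators too"})
	}
	return f, nil
}

// Constructed sample: one review required, no status checks, admins exempt.
const sample = `{"required_pull_request_reviews":{"required_approving_review_count":1},"enforce_admins":{"enabled":false}}`
func main() {
	findings, _ := EvaluateBranchProtection(200, []byte(sample))
	for _, x := range findings {
		fmt.Printf("[%s] %s: %s\n", x.Severity, x.Category, x.Message)
	}
}
```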
Scan Results
The output generated by GitHub Quick Review (ghqr) includes:
- Recommendations: Prioritized findings with severity and category
- Organizations: Summary of all scanned organizations and their posture
- Repositories: Per-repository findings with branch protection, security features, and access settings
- Issues Sheet: All findings with recommendations and links to documentation
Outputs are available in Markdown (.md), Excel (.xlsx) (default) and JSON formats.
Installation
Create a folder for installing the ghqr binary.
Linux / macOS
bash -c "$(curl -fsSL https://raw.githubusercontent.com/microsoft/ghqr/main/scripts/install.sh)"
Or download the latest release from the releases page.
Windows
Set-ExecutionPolicy Bypass -Scope Process -Force; [System.Net.ServicePointManager]::SecurityProtocol = [System.Net.ServicePointManager]::SecurityProtocol -bor 3072; iex ((New-Object System.Net.WebClient).DownloadString('https://raw.githubusercontent.com/microsoft/ghqr/main/scripts/install.ps1'))
Or download the latest release from the releases page.
Docker
docker pull ghcr.io/microsoft/ghqr:latest
Build from Source
git clone https://github.com/microsoft/ghqr.git
cd ghqr
make
Quick Start Linux / macOS
# 1. Set your GitHub token
export GITHUB_TOKEN=
# 2. Scan an organization
ghqr scan -o my-org
# 3. Scan a GitHub Enterprise (Cloud)
ghqr scan -e my-enterprise
# 4. Scan a GitHub Enterprise Server (GHES) instance
export GH_TOKEN=
ghqr scan --ghes ghes.example.com
Quick Start Windows
# 1. Set your GitHub token
$env:GITHUB_TOKEN=""
# 2. Scan an organization
.\ghqr scan -o my-org
# 3. Scan a GitHub Enterprise (Cloud)
.\ghqr scan -e my-enterprise
# 4. Scan a GitHub Enterprise Server (GHES) instance
$env:GH_TOKEN=""
.\ghqr scan --ghes ghes.example.com
Usage
Authentication
GitHub Quick Review (ghqr) supports the following authentication methods:
- Personal Access Token (PAT): Set the GITHUB_TOKEN environment variable
Required Token Scopes (GitHub.com)
| Scope | Purpose |
|-------|---------|
| read:org | Read organization settings and members |
| read:enterprise | Read enterprise settings |
| repo | Read repository settings, branch protection, and security features |
| read:audit_log | Read audit log configuration |
| read:user | Read user information |
| copilot | Read Copilot seat and policy information |
Required Token Scopes (GHES)
For GitHub Enterprise Server scanning, create a PAT on your GHES instance with these scopes:
| Scope | Purpose |
|-------|---------|
| site_admin | Read server settings, license, admin stats, and audit log |
| read:org | Read organization settings and members |
| repo | Read repository settings and security features |
| read:audit_log | Read audit log events |
The GHES token is read from GH_TOKEN or GITHUB_TOKEN (in that order). Tokens without site_admin produce a degraded scan: license, admin stats, audit log, and management settings are reported as unavailable rather than treated as misconfigured.
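A pre-flight check that compares a token's granted scopes with the two scope tables above, and that marks the areas the previous paragraph lists as "unavailable" when site_admin is absent. This is an added example, not ghqr's own code: it parses the X-OAuth-Scopes header GitHub returns for classic PATs (fine-grained tokens do not send it), and the header value in main is constructed.

```go
// Added example, not ghqr's own code: compare a classic PAT's granted scopes
// (X-OAuth-Scopes response header) with the scope tables above.
package main

import "fmt"
import "strings"

// Scopes the two tables require; "admin:org" is a superset of "read:org".
var requiredDotcom = []string{"read:org", "read:enterprise", "repo", "read:audit_log", "read:user", "copilot"}
var requiredGHES = []string{"site_admin", "read:org", "repo", "read:audit_log"}
var implies = map[string][]string{"admin:org": {"write:org", "read:org"}, "write:org": {"read:org"}}

// Areas the text says a GHES token without site_admin can only report as unavailable.
var siteAdminAreas = []string{"license", "admin stats", "audit log", "management settings"}

// ParseScopes reads a value like "read:org, repo" into a set, expanding parent scopes.
// Caveat: only classic PATs return X-OAuth-Scopes; fine-grained tokens do not.
func ParseScopes(header string) map[string]bool {
	set := map[string]bool{}
	for _, s := range strings.Split(header, ",") {
		if s = strings.TrimSpace(s); s != "" {
			set[s] = true
			for _, child := range implies[s] {
				set[child] = true
			}
		}
	}
	return set
}
// MissingScopes returns the required scopes the token does not carry.
func MissingScopes(granted map[string]bool, required []string) []string {
	var missing []string
	for _, r := range required {
		if !granted[r] {
			missing = append(missing, r)
		}
	}
	return missing
}
// DegradedAreas returns the GHES areas to mark "unavailable" rather than failed.
func DegradedAreas(granted map[string]bool) []string {
	if granted["site_admin"] {
		return nil
	}
	return siteAdminAreas
}

func main() {
	granted := ParseScopes("admin:org, repo, read:audit_log") // constructed header value
	fmt.Println("missing for GHES:", MissingScopes(granted, requiredGHES))
	fmt.Println("unavailable areas:", DegradedAreas(granted))
	fmt.Println("missing for GitHub.com:", MissingScopes(granted, requiredDotcom))
}
```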
GitHub Enterprise Cloud with Data Residency (GHE.com)
If your organization uses GitHub Enterprise Cloud with data residency, your API endpoints are on a…
Notability
notability 6.0/10: New repo from Microsoft, moderate stars