ghqr by microsoft

Evaluate GitHub security and best practices compliance

Created 3 months ago
480 stars

Top 63.3% on SourcePulse

Project Summary

GitHub Quick Review (ghqr) is a CLI tool designed to assess GitHub enterprises, organizations, and repositories against best practices and security recommendations. It helps users identify security gaps, misconfigurations, and areas for improvement, providing a comprehensive overview of their GitHub resource posture. This tool is valuable for engineers, security teams, and administrators managing GitHub environments.

How It Works

ghqr systematically evaluates GitHub resources across Security, Access Control, Branch Protection, Copilot, Governance, Audit Log, Community, Actions, Dependencies, and Metadata. It employs a data-driven approach, leveraging GitHub API access to gather detailed information. The tool then synthesizes findings into actionable recommendations, categorized by severity and type, facilitating targeted remediation efforts.

Quick Start & Requirements

  • Installation: Via bash script (Linux/macOS), PowerShell (Windows), Docker (docker pull ghcr.io/microsoft/ghqr:latest), or building from source.
  • Prerequisites: A GitHub Personal Access Token (PAT) with specific scopes (read:org, repo, read:enterprise, read:audit_log, read:user, copilot). Go 1.26.x+ is required for building from source.
  • Authentication: Set the GITHUB_TOKEN environment variable. For GitHub Enterprise Cloud with Data Residency, use the --hostname flag or GH_HOST environment variable.
  • Quick Start: export GITHUB_TOKEN=<your-token>, then ghqr scan -o <your-org> or ghqr scan -e <your-enterprise>.

Highlighted Details

  • Supports output formats including Markdown (.md), Excel (.xlsx - default), and JSON.
  • Features an integrated MCP (Model Context Protocol) server for AI assistant interaction, with VS Code configuration examples provided.
  • Automatically handles GitHub API rate limiting using exponential backoff for large-scale scans.

Maintenance & Community

  • Support: Bugs and feature requests are tracked via GitHub Issues. Questions and discussions are hosted on GitHub Discussions.
  • Code of Conduct: Adheres to the Microsoft Open Source Code of Conduct.

Licensing & Compatibility

  • License: The provided README does not explicitly state the software license.
  • Compatibility: No specific compatibility notes are mentioned beyond standard GitHub API interactions.

Limitations & Caveats

Authentication errors (401/403) may occur if the PAT is invalid, lacks one of the required scopes, or has not been authorized for the organization's SSO. Building from source requires Go 1.26.x or higher. The absence of a stated license may pose adoption risks for commercial or sensitive environments.

Health Check

  • Last Commit: 10 hours ago
  • Responsiveness: Inactive
  • Pull Requests (30d): 23
  • Issues (30d): 4
  • Star History: 132 stars in the last 30 days
