GitHub Quick Review (ghqr) is a powerful command-line interface (CLI) tool that analyzes GitHub enterprises, organizations, and repositories to ensure compliance with GitHub best practices and security recommendations. Its main objective is to offer users a comprehensive assessment of their GitHub security posture, allowing them to easily identify security gaps, misconfigured settings, and areas for improvement.
What ghqr Checks
GitHub Enterprise Cloud / Organizations / Repositories
| Area | Scope | Examples |
|---|---|---|
| Security | Org, Repo | Dependabot alerts, secret scanning, code scanning, GHAS |
| Access Control | Org, Repo | 2FA enforcement, member privileges, SAML SSO, CODEOWNERS |
| Branch Protection | Repo | Required reviews, status checks, admin enforcement |
| Copilot | Org | Seat usage, content exclusions, policy configuration, MCP settings |
| Governance | Org | IP allow lists, repository creation policies, fork policies |
| Audit Log | Enterprise, Org | Audit log streaming, suspicious event detection |
| Community | Repo | Contributing guide, issue templates, code of conduct |
| Actions | Org, Repo | Workflow permissions, allowed actions, self-hosted runners |
| Dependencies | Repo | Dependabot version updates, security updates |
| Metadata | Repo | Description, topics, visibility, archival status |
GitHub Enterprise Server (GHES)
| Area | Examples |
|---|---|
| Server Configuration | Version currency, subdomain isolation, TLS, private mode |
| Authentication | Auth mode (SAML/LDAP/CAS), open signup, password authentication |
| License | Seat utilization, license expiration warnings |
| Security | GHAS enablement, secret scanning, push protection, code scanning |
| Dependencies | Dependabot alerts and security updates enablement |
| Actions | GitHub Actions enablement, self-hosted runner security |
| Audit Log | Suspicious event detection, log forwarding, staff impersonation |
| Infrastructure | Admin SSH access, site admin count, backup-utils, HA replicas |
| Admin Stats | User/org/repo counts, suspended user ratio, disabled orgs |
Scan Results
The output generated by GitHub Quick Review (ghqr) includes the following sheets when using the default Excel format:
- Recommendations: Prioritized findings with severity and category
- Organizations: Summary of all scanned organizations and their posture
- Repositories: Per-repository findings with branch protection, security features, and access settings
- Issues: All findings with recommendations and links to documentation
Output Formats
GitHub Quick Review (ghqr) supports three output formats:
- Excel (.xlsx) (default): Multi-sheet workbook with all findings, summaries, and links
- Markdown (.md): Text-based report suitable for inclusion in wikis or pull requests
- JSON: Machine-readable output suitable for integration with other tools or pipelines
Recommendation Severity Levels
Each recommendation is assigned one of the following severity levels:
| Severity | Description |
|---|---|
| critical | Immediate risk of compromise or data loss; remediate without delay |
| high | Significant security gap that should be addressed promptly |
| medium | Security control that reduces risk when implemented |
| low | Improvement that provides defense-in-depth or best-practice alignment |
| info | Observation or informational finding requiring no immediate action |
Code of Conduct
This project has adopted the Microsoft Open Source Code of Conduct.
Trademark Notice
Trademarks This project may contain trademarks or logos for projects, products, or services. Authorized use of Microsoft trademarks or logos is subject to and must follow Microsoft’s Trademark & Brand Guidelines. Use of Microsoft trademarks or logos in modified versions of this project must not cause confusion or imply Microsoft sponsorship.