npm package discovery and stats viewer.

Discover Tips

  • General search

    [free text search, go nuts!]

  • Package details

    pkg:[package-name]

  • User packages

    @[username]

Sponsor

Optimize Toolset

Iโ€™ve always been into building performant and accessible sites, but lately Iโ€™ve been taking it extremely seriously. So much so that Iโ€™ve been building a tool to help me optimize and monitor the sites that I build to make sure that Iโ€™m making an attempt to offer the best experience to those who visit them. If youโ€™re into performant, accessible and SEO friendly sites, you might like it too! You can check it out at Optimize Toolset.

About

Hi, ๐Ÿ‘‹, Iโ€™m Ryan Hefnerย  and I built this site for me, and you! The goal of this site was to provide an easy way for me to check the stats on my npm packages, both for prioritizing issues and updates, and to give me a little kick in the pants to keep up on stuff.

As I was building it, I realized that I was actually using the tool to build the tool, and figured I might as well put this out there and hopefully others will find it to be a fast and useful way to search and browse npm packages as I have.

If youโ€™re interested in other things Iโ€™m working on, follow me on Twitter or check out the open source projects Iโ€™ve been publishing on GitHub.

I am also working on a Twitter bot for this site to tweet the most popular, newest, random packages from npm. Please follow that account now and it will start sending out packages soonโ€“ish.

Open Software & Tools

This site wouldnโ€™t be possible without the immense generosity and tireless efforts from the people who make contributions to the world and share their work via open source initiatives. Thank you ๐Ÿ™

ยฉ 2026 โ€“ย Pkg Stats / Ryan Hefner

@flemzord/github-compliance

v1.4.0

Published

๐Ÿ›ก๏ธ CLI to enforce repository compliance standards across your GitHub organization

Vulnerabilities

Powered byPowered by Snyk
  • 0High
  • 0Medium
  • 0Low

Links

Git

Maintainers

flemzoordflemzoord

Keywords

githubcompliancesecuritygovernance

Readme

GitHub Compliance CLI

Command-line tool to audit and enforce repository compliance across your GitHub organization. Run targeted or organization-wide checks, generate detailed reports, and optionally remediate issues in a single workflow.

Features

  • ๐Ÿ” Automated Compliance Scanning โ€“ Evaluate repositories against a shared YAML configuration
  • ๐Ÿ”ง Auto-Fix Capabilities โ€“ Apply fixes when run without --dry-run
  • ๐Ÿ“Š Comprehensive Reporting โ€“ Output Markdown or JSON reports ready for auditing
  • ๐ŸŽฏ Flexible Rules โ€“ Target specific repositories or checks with simple flags
  • ๐Ÿš€ High Performance โ€“ Built-in API throttling and concurrent execution

Installation

Global (from npm)

npm install -g @flemzord/github-compliance

โ„น๏ธ The package is being prepared for release. Until it is published you can run the CLI locally as shown below.

From Source

npm install
npm run build
# optional: make the CLI globally available from this checkout
npm link

Or run without building by using the TypeScript entry point:

npm run cli -- --config compliance.yml --token ghp_xxx --dry-run

Usage

The CLI provides two main commands:

run - Execute compliance checks

github-compliance-cli run --config <path> --token <token> [options]

| Flag | Description | |------|-------------| | --config, -c | Path to the compliance configuration YAML file (required) | | --token, -t | GitHub personal access token (required unless GITHUB_TOKEN is set) | | --org | GitHub organization name (falls back to organization value in config) | | --dry-run, -d | Report issues without applying changes | | --repos | Comma-separated list of repository names to check | | --checks | Comma-separated list of checks to run | | --include-archived | Include archived repositories in the run | | --format | Report format (markdown or json, default markdown) | | --output, -o | Custom output file path | | --mode | Output mode (compact, detailed, or json, default compact) | | --verbose, -v | Enable verbose logging | | --quiet, -q | Suppress informational logs |

validate - Validate configuration file

github-compliance-cli validate --config <path> [options]

| Flag | Description | |------|-------------| | --config, -c | Path to the compliance configuration YAML file (required) | | --verbose, -v | Show detailed configuration summary | | --quiet, -q | Show only errors |

Examples

# Validate configuration file
github-compliance-cli validate --config compliance.yml

# Dry-run across the entire organization
github-compliance-cli run --config .github/compliance.yml --token $GITHUB_TOKEN --dry-run

# Audit only selected repositories
github-compliance-cli run -c compliance.yml -t ghp_xxx --repos "frontend,backend"

# Run specific checks with JSON output
github-compliance-cli run -c compliance.yml -t ghp_xxx \
  --checks "repo-merge-strategy,repo-security-controls" \
  --format json --output compliance-report.json

# Apply fixes (no dry-run) and include archived repositories
github-compliance-cli run -c compliance.yml -t ghp_xxx --include-archived

Available Checks

The CLI can perform the following compliance checks:

| Check ID | Description | |----------|-------------| | org-team-sync | Synchronizes organization teams against the desired configuration | | repo-merge-strategy | Validates allowed merge strategies (merge commit, squash, rebase) | | repo-branch-protection | Ensures branch protection rules are properly configured | | repo-access-teams | Manages repository team access and individual collaborators | | repo-security-controls | Verifies security features (secret scanning, Dependabot, code scanning) | | repo-archival-policy | Controls access to archived repositories | | repo-settings | Enforces repository feature toggles, visibility, and collaboration templates |

Legacy identifiers (merge-methods, team-permissions, branch-protection, security-scanning, archived-repos, team-sync, repository-settings) are still accepted and automatically mapped to the new names.

Each check can be configured in the defaults section of your configuration file and selectively applied using the --checks flag.

Configuration

๐Ÿ“š Configuration Reference โ€“ Full documentation covering every option.

IDE Integration with JSON Schema

This project provides a JSON Schema for the compliance configuration file. This enables:

  • โœจ Autocompletion in your IDE
  • โœ… Real-time validation as you type
  • ๐Ÿ“ Inline documentation for all fields

VSCode / Other YAML-aware editors

Add this comment at the top of your YAML file:

# yaml-language-server: $schema=https://raw.githubusercontent.com/flemzord/github-compliance/main/compliance-schema.json

Or for local development:

# yaml-language-server: $schema=../path/to/compliance-schema.json

IntelliJ IDEA / WebStorm

  1. Go to Settings โ†’ Languages & Frameworks โ†’ Schemas and DTDs โ†’ JSON Schema Mappings
  2. Add a new mapping:
    • Name: GitHub Compliance
    • Schema file: Point to compliance-schema.json
    • File pattern: *compliance*.yml or *compliance*.yaml

Create a configuration file (for example compliance.yml):

version: 1

defaults:
  merge_methods:
    allow_merge_commit: false
    allow_squash_merge: true
    allow_rebase_merge: false

  branch_protection:
    patterns: ["main", "master", "release/*"]
    enforce_admins: true
    required_reviews:
      dismiss_stale_reviews: true
      required_approving_review_count: 2
      require_code_owner_reviews: true
      require_last_push_approval: false
    required_status_checks:
      auto_discover: false
      strict: true
      contexts: ["ci/tests", "ci/lint"]
    restrictions:
      users: []
      teams: ["maintainers"]
    allow_force_pushes: false
    allow_deletions: false
    required_conversation_resolution: true

  security:
    secret_scanning: "enabled"
    secret_scanning_push_protection: "enabled"
    dependabot_alerts: true
    dependabot_updates: true
    code_scanning_recommended: true

  permissions:
    remove_individual_collaborators: true
    teams:
      - team: "admins"
        permission: "admin"
      - team: "engineering"
        permission: "write"

  archived_repos:
    admin_team_only: false
    archive_inactive: true
    inactive_days: 365

rules:
  - match:
      repositories: ["*-prod", "*-production"]
      only_private: true
    apply:
      branch_protection:
        patterns: ["main", "release/*"]
        required_reviews:
          required_approving_review_count: 3
        enforce_admins: true

  - match:
      repositories: ["docs-*", "*-website"]
    apply:
      merge_methods:
        allow_merge_commit: true
      permissions:
        teams:
          - team: "docs-team"
            permission: "maintain"

Reports

Two output formats are available:

  • Markdown โ€“ Human-readable summary ideal for sharing with stakeholders
  • JSON โ€“ Structured data for dashboards or additional automation

By default the CLI writes compliance-report.md (or .json when --format json is used). Supply --output to override the file name.

Development

All development commands work locally:

# Install dependencies
npm install

# Run tests
npm test

# Build the CLI
npm run build

# Execute the CLI from source
npm run cli -- --config compliance.yml --token ghp_xxx

Adding a New Compliance Check

To add a new compliance check to the project, follow these steps:

  1. Create the check class in src/checks/:

    // src/checks/your-check.ts
import { BaseCheck, type CheckContext, type CheckResult } from './base';

export class YourCheck extends BaseCheck {
  readonly name = 'your-check-name';
  readonly description = 'Description of what your check validates';

  shouldRun(context: CheckContext): boolean {
    // Determine if this check should run for the repository
    const config = this.getRepoConfig(context, 'your_config_key');
    return config !== undefined;
  }

  async check(context: CheckContext): Promise<CheckResult> {
    // Implement your validation logic
    const { repository } = context;
    const config = this.getRepoConfig(context, 'your_config_key');

    // Perform checks and return result
    if (/* check passes */) {
      return this.createCompliantResult('Check passed successfully');
    }

    return this.createNonCompliantResult('Check failed: reason');
  }

  async fix(context: CheckContext): Promise<CheckResult> {
    // Optional: Implement auto-fix logic
    if (context.dryRun) {
      return this.check(context);
    }

    // Apply fixes using context.client
    // Return result with fixed: true if successful
  }
}

  2. Register the check in src/runner/check-registry.ts:

    import { YourCheck } from '../checks/your-check';

const checkRegistry: CheckRegistry = {
  // ... existing checks
  'your-check-name': YourCheck,
};

  3. Define configuration types in src/config/types.ts:

    export interface YourCheckConfig {
  // Define your configuration structure
}

export interface ComplianceDefaults {
  // ... existing configs
  your_config_key?: YourCheckConfig;
}

  4. Update the JSON Schema in compliance-schema.json:

    • Add your check configuration to the defaults properties
    • Ensure proper validation rules are defined

  5. Add tests for your check in src/checks/__tests__/your-check.test.ts:

    import { YourCheck } from '../your-check';

describe('YourCheck', () => {
  it('should detect non-compliance', async () => {
    // Test non-compliant scenarios
  });

  it('should pass for compliant repositories', async () => {
    // Test compliant scenarios
  });

  it('should fix issues when not in dry-run mode', async () => {
    // Test fix functionality if implemented
  });
});

  6. Update documentation:

    • Add your check to the "Available Checks" table in this README
    • Include configuration examples in the sample YAML

For more details see DEVELOPMENT.md.

Made with โค๏ธ for better GitHub repository governance