AuditClaw GitHub: Automated GRC Evidence Collection - Openclaw Skills

Author: Internet

2026-04-17

AI Tutorials

What is the AuditClaw GitHub compliance skill?

AuditClaw GitHub is a companion skill built specifically for the auditclaw-grc ecosystem. It makes read-only API calls against your GitHub organization to simplify the tedious work of collecting evidence for security audits such as SOC2, ISO and HIPAA. By integrating it into your Openclaw skill library, you can automatically verify repository settings, security alerts and organization policies without manual screenshots or spreadsheets.

The skill puts security first through a read-only access model: your repositories cannot be modified, while the data it provides is faithful enough to support compliance work. It bridges the gap between technical infrastructure and regulatory requirements by turning GitHub metadata into structured evidence stored in a central GRC database.

Download: https://github.com/openclaw/skills/tree/main/skills/mailnike/auditclaw-github

Installation and Download

1. ClawHub CLI

The fastest way to install the skill directly from source.

npx clawhub@latest install auditclaw-github

2. Manual Installation

Copy the skill folder to one of the following locations:

  • Global mode: ~/.openclaw/skills/
  • Workspace: /skills/

Priority: workspace > local > built-in

3. Prompt Installation

Copy this prompt into OpenClaw to install automatically.

Please help me install auditclaw-github using Clawhub. If Clawhub is not installed yet, install it first (npm i -g clawhub).

AuditClaw GitHub Compliance Skill: Use Cases

  • Automate evidence collection for annual SOC2 or ISO 27001 audits.
  • Monitor branch protection rules across multiple repositories to enforce development standards.
  • Audit organization-wide two-factor authentication (2FA) enforcement and member access security.
  • Centralize Dependabot and secret scanning alerts in a single compliance dashboard.
  • Verify CI/CD pipeline security and CODEOWNERS enforcement for critical projects.

AuditClaw GitHub Compliance Skill: How It Works

  1. Authenticates to GitHub with a fine-grained personal access token supplied through the GITHUB_TOKEN environment variable.
  2. Runs a series of 9 specialized checks covering repository protection, security alerts and organization settings.
  3. Parses the raw API responses into structured JSON results mapped to specific compliance control IDs.
  4. Writes the collected evidence to the shared auditclaw-grc SQLite database in the local user directory.
  5. Records sync status and errors to provide a clear audit trail of the collection run.

AuditClaw GitHub Compliance Skill: Configuration Guide

First, make sure the auditclaw-grc skill is installed. Then configure your environment:

# Install dependencies
pip install -r scripts/requirements.txt

# Export your GitHub token
export GITHUB_TOKEN=your_fine_grained_token_here

Run the connection test to verify permissions:

python3 scripts/github_evidence.py --test-connection

AuditClaw GitHub Compliance Skill: Data Schema and Taxonomy

Collected evidence is stored in ~/.openclaw/grc/compliance.sqlite with the following attributes:

  • source: always set to 'github' by this skill
  • type: set to 'automated' evidence
  • control_id: mapped to frameworks such as SOC2, ISO or HIPAA
  • description: human-readable summary of the security finding
  • file_content: full JSON payload of the check result for in-depth audit review

name: auditclaw-github
description: GitHub compliance evidence collection for auditclaw-grc. 9 read-only checks covering branch protection, secret scanning, 2FA, Dependabot, deploy keys, audit logs, webhooks, CODEOWNERS, and CI/CD security.
version: 1.0.1
user-invocable: true
homepage: https://www.auditclaw.ai
source: https://github.com/avansaber/auditclaw-github
metadata: {"openclaw":{"type":"executable","install":{"pip":"scripts/requirements.txt"},"requires":{"bins":["python3"],"env":["GITHUB_TOKEN"]}}}

AuditClaw GitHub

Companion skill for auditclaw-grc. Collects compliance evidence from GitHub organizations using read-only API calls.

9 checks | Read-only token permissions | Evidence stored in shared GRC database

Security Model

  • Read-only access: Uses fine-grained personal access token with read-only repository and organization permissions. No write access.
  • Credentials: Uses GITHUB_TOKEN env var. No credentials stored by this skill.
  • Dependencies: PyGithub==2.8.1 (pinned)
  • Data flow: Check results stored as evidence in ~/.openclaw/grc/compliance.sqlite via auditclaw-grc

Prerequisites

  • GitHub personal access token with read-only permissions (or classic token with repo, read:org, security_events)
  • Set as GITHUB_TOKEN environment variable
  • pip install -r scripts/requirements.txt
  • auditclaw-grc skill installed and initialized

Commands

  • "Run GitHub evidence sweep": Run all checks, store results in GRC database
  • "Check branch protection": Verify branch protection rules
  • "Check secret scanning": Review secret scanning alerts
  • "Check Dependabot alerts": Review dependency vulnerability alerts
  • "Show GitHub integration health": Last sync, errors, evidence count

Usage

All evidence is stored in the shared GRC database at ~/.openclaw/grc/compliance.sqlite via the auditclaw-grc skill's db_query.py script.

To run a full evidence sweep:

python3 scripts/github_evidence.py --db-path ~/.openclaw/grc/compliance.sqlite --org my-org --all

To run specific checks:

python3 scripts/github_evidence.py --db-path ~/.openclaw/grc/compliance.sqlite --org my-org --checks branch_protection,secret_scanning

Check Categories (9)

  • branch_protection: Default branch protection rules, required reviews, status checks
  • secret_scanning: Secret scanning enabled, active alert count
  • dependabot: Dependabot alerts by severity, auto-fix PRs
  • two_factor: Organization-level 2FA enforcement
  • deploy_keys: Deploy key audit, read-only vs read-write
  • audit_log: Admin audit log accessibility
  • webhooks: Webhook security (HTTPS, secrets configured)
  • codeowners: CODEOWNERS file present in repositories
  • ci_cd: GitHub Actions security, workflow permissions
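Two of the check categories above (webhooks and deploy_keys) written out as pure functions over GitHub REST-style payloads, as an added example that is not the skill's own code. It runs offline: the hook and key objects below are constructed samples that follow the shape of the `GET /repos/{owner}/{repo}/hooks` and `GET /repos/{owner}/{repo}/keys` responses, and the control IDs are placeholders, not the skill's real mapping.

```python
"""Added example (not the skill's code): webhooks and deploy_keys checks as
pure functions, so the pass/fail logic can be reviewed and unit-tested
without a token or network access. Payload shapes assume the GitHub REST API;
control IDs are placeholders."""
from urllib.parse import urlsplit

# Constructed sample: webhook objects as the hooks endpoint returns them.
# GitHub redacts a configured secret as "********" and omits the key otherwise.
SAMPLE_HOOKS = [
    {"id": 1, "name": "web", "active": True,
     "config": {"url": "https://ci.example.com/hook", "content_type": "json",
                "insecure_ssl": "0", "secret": "********"}},
    {"id": 2, "name": "web", "active": True,
     "config": {"url": "http://legacy.example.com/hook", "content_type": "form",
                "insecure_ssl": "0"}},
    {"id": 3, "name": "web", "active": False,
     "config": {"url": "https://old.example.com/hook", "content_type": "json",
                "insecure_ssl": "1", "secret": "********"}},
]

# Constructed sample: deploy key objects as the keys endpoint returns them.
SAMPLE_DEPLOY_KEYS = [
    {"id": 10, "title": "build-server", "read_only": True, "verified": True},
    {"id": 11, "title": "release-bot", "read_only": False, "verified": True},
]


def check_webhooks(hooks):
    """One finding per webhook: HTTPS delivery, TLS verification on, secret set."""
    findings = []
    for hook in hooks:
        cfg = hook.get("config", {})
        url = cfg.get("url", "")
        issues = []
        if urlsplit(url).scheme != "https":
            issues.append("non-https delivery url")
        if str(cfg.get("insecure_ssl", "0")) != "0":
            issues.append("tls verification disabled")
        if not cfg.get("secret"):
            issues.append("no signing secret")
        findings.append({"hook_id": hook["id"], "url": url,
                         "active": hook.get("active", True),
                         "issues": issues, "ok": not issues})
    return findings


def check_deploy_keys(keys):
    """One finding per deploy key; a key that can push fails the check."""
    return [{"key_id": k["id"], "title": k.get("title", ""),
             "read_only": bool(k.get("read_only")),
             "ok": bool(k.get("read_only"))} for k in keys]


def summarize(check_name, findings, control_id):
    """Fold per-item findings into one record: status, summary, full details."""
    failed = [f for f in findings if not f["ok"]]
    return {
        "check": check_name,
        "control_id": control_id,  # placeholder, not the skill's mapping
        "status": "pass" if not failed else "fail",
        "description": f"{check_name}: {len(failed)} of {len(findings)} items failed",
        "details": findings,
    }


if __name__ == "__main__":
    import json
    for name, fn, sample in (("webhooks", check_webhooks, SAMPLE_HOOKS),
                             ("deploy_keys", check_deploy_keys, SAMPLE_DEPLOY_KEYS)):
        print(json.dumps(summarize(name, fn(sample), "control-id-placeholder"), indent=2))
```

The `details` list is what would land in `file_content`, and `description` is the one-line summary an auditor reads first; keeping every hook and key in the record (including the ones that passed) is what makes the evidence reviewable later rather than just a pass/fail flag.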

Evidence Storage

Each check produces evidence items stored with:

  • source: "github"
  • type: "automated"
  • control_id: Mapped to relevant SOC2/ISO/HIPAA controls
  • description: Human-readable finding summary
  • file_content: JSON details of the check result
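The five-step pipeline from the "How It Works" section (authenticate, run a check, map to a control ID, store in SQLite, log the sync) together with the evidence record just listed, as an added example that is not the skill's own code. It runs offline against a constructed branch-protection payload; the table layout, the `control-id-placeholder` value, the pass criteria and the `fetch` hook standing in for the read-only API call are assumptions, not auditclaw-grc's real schema or mapping.

```python
"""Added example, not the skill's code: the evidence pipeline in miniature.
Table layout, control ID and pass criteria are assumptions; `fetch` stands
in for the read-only GitHub API call."""
import json
import os
import sqlite3
from datetime import datetime, timezone

# Constructed sample. `protection` follows GET /repos/{owner}/{repo}/branches/{branch}/protection;
# None stands in for the 404 GitHub returns when the default branch is unprotected.
SAMPLE_REPOS = [
    {"repo": "my-org/api", "default_branch": "main", "protection": {
        "required_pull_request_reviews": {"required_approving_review_count": 2},
        "required_status_checks": {"strict": True, "contexts": ["ci/test"]},
        "enforce_admins": {"enabled": True}}},
    {"repo": "my-org/legacy-site", "default_branch": "master", "protection": None},
]

SCHEMA = """
CREATE TABLE IF NOT EXISTS evidence (
    id INTEGER PRIMARY KEY, source TEXT NOT NULL, type TEXT NOT NULL,
    control_id TEXT NOT NULL, description TEXT NOT NULL,
    file_content TEXT NOT NULL, collected_at TEXT NOT NULL);
CREATE TABLE IF NOT EXISTS sync_log (
    id INTEGER PRIMARY KEY, source TEXT NOT NULL, check_name TEXT NOT NULL,
    status TEXT NOT NULL, message TEXT, ran_at TEXT NOT NULL);
"""

def get_token():
    """Step 1: a real run reads the token from GITHUB_TOKEN only, never a file."""
    token = os.environ.get("GITHUB_TOKEN")
    if not token:
        raise RuntimeError("GITHUB_TOKEN is not set")
    return token

def evaluate_branch_protection(entry):
    """Step 3: reduce the raw protection payload to a structured result."""
    p = entry["protection"] or {}
    reviews = p.get("required_pull_request_reviews") or {}
    checks = p.get("required_status_checks") or {}
    result = {
        "repo": entry["repo"], "branch": entry["default_branch"],
        "protected": entry["protection"] is not None,
        "required_reviews": reviews.get("required_approving_review_count", 0),
        "status_checks": checks.get("contexts", []),
        "enforce_admins": bool((p.get("enforce_admins") or {}).get("enabled")),
    }
    # Pass criteria are this example's own: protected, >=1 review, >=1 status check.
    result["compliant"] = (result["protected"] and result["required_reviews"] >= 1
                           and bool(result["status_checks"]))
    return result

def to_evidence(check_name, control_id, results):
    """Shape a check's results into the source/type/control_id/description/file_content record."""
    failing = [r["repo"] for r in results if not r["compliant"]]
    desc = (f"{check_name}: all {len(results)} repositories compliant" if not failing else
            f"{check_name}: {len(failing)} of {len(results)} repositories non-compliant "
            f"({', '.join(failing)})")
    return {"source": "github", "type": "automated", "control_id": control_id,
            "description": desc, "file_content": json.dumps(results, sort_keys=True)}

def store(conn, evidence, check_name, status, message=None):
    """Steps 4 and 5: evidence row plus sync_log row in one transaction."""
    now = datetime.now(timezone.utc).isoformat()
    with conn:
        if evidence is not None:
            conn.execute("INSERT INTO evidence (source, type, control_id, description, "
                         "file_content, collected_at) VALUES (?, ?, ?, ?, ?, ?)",
                         (evidence["source"], evidence["type"], evidence["control_id"],
                          evidence["description"], evidence["file_content"], now))
        conn.execute("INSERT INTO sync_log (source, check_name, status, message, ran_at) "
                     "VALUES (?, ?, ?, ?, ?)", ("github", check_name, status, message, now))

def run_sweep(conn, repos, fetch=lambda entry: entry):
    """Step 2 for one check. A failure in `fetch` is logged, then re-raised."""
    conn.executescript(SCHEMA)
    try:
        results = [evaluate_branch_protection(fetch(r)) for r in repos]
        ev = to_evidence("branch_protection", "control-id-placeholder", results)
        store(conn, ev, "branch_protection", "ok")
        return ev
    except Exception as exc:
        store(conn, None, "branch_protection", "error", str(exc))
        raise

def run_demo(fail=False):
    """Offline run on the sample; returns (evidence, evidence row count, last sync row)."""
    conn = sqlite3.connect(":memory:")  # real path: ~/.openclaw/grc/compliance.sqlite

    def fetch(entry):  # constructed stand-in for the read-only API call
        if fail:
            raise ConnectionError("constructed API failure")
        return entry

    try:
        ev = run_sweep(conn, SAMPLE_REPOS, fetch)
    except ConnectionError:
        ev = None
    count = conn.execute("SELECT COUNT(*) FROM evidence WHERE source = 'github'").fetchone()[0]
    return ev, count, conn.execute("SELECT status, message FROM sync_log").fetchone()

if __name__ == "__main__":
    ev, count, sync = run_demo()
    print(ev["description"], "| evidence rows:", count, "| sync:", sync)
```

The point of the `sync_log` row on the error path is the audit trail from step 5: a sweep that silently produced no evidence would look identical to one that never ran, so the failure itself is recorded before the exception propagates. The `file_content` column keeps every repository's result, including compliant ones, so the description can stay a one-line summary without losing detail.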

Setup Guide

When a user asks to set up GitHub integration, guide them through these steps:

Step 1: Create Fine-Grained Personal Access Token

Direct user to: GitHub → Settings → Developer Settings → Personal Access Tokens → Fine-grained tokens

Step 2: Configure Token Permissions

  • Name: auditclaw-grc
  • Expiration: 90 days (recommended)
  • Resource owner: Select their organization
  • Repository access: All repositories (or specific repos)
  • Permissions (all READ-ONLY):
    • Repository: Contents, Administration, Secret scanning alerts, Dependabot alerts, Code scanning alerts, Actions, Webhooks
    • Organization: Members (read), Administration (read)

Classic token alternative: If fine-grained tokens are unavailable, use the scopes repo, read:org, security_events

Step 3: Set Token

Set as GITHUB_TOKEN environment variable.

Step 4: Verify Connection

Run: python3 {baseDir}/scripts/github_evidence.py --test-connection

The exact permissions are documented in scripts/github-permissions.json. Show with: python3 {baseDir}/../auditclaw-grc/scripts/db_query.py --action show-policy --provider github