[{"data":1,"prerenderedAt":1053},["ShallowReactive",2],{"content-/github-security-audit-prep":3,"all-pages-for-dir":1051,"og-image-/github-security-audit-prep":1052},{"id":4,"title":5,"body":6,"category":1031,"description":1032,"extension":1033,"meta":1034,"navigation":729,"ogImage":1035,"path":1036,"project_name":1037,"published":1038,"publishedAt":1039,"seo":1040,"stem":1041,"tags":1042,"todo":1049,"unpublished":1038,"updatedAt":1035,"__hash__":1050},"pages/2026-05/2026-05-02/github-security-audit-prep.md","GitHub 158リポを棚卸し、Dependabot・Push Protection・Secret Scanningの現状把握から明日のTODOへ",{"type":7,"value":8,"toc":1011},"minimark",[9,13,17,20,23,27,30,62,65,69,72,117,120,153,156,160,167,257,264,268,275,278,282,285,389,392,395,400,411,504,508,521,571,581,584,588,591,607,613,617,620,624,627,665,668,672,675,679,682,686,692,759,762,784,788,1004,1007],[10,11,12],"h2",{"id":12},"きっかけ",[14,15,16],"p",{},"午前中に同じ日付で書いた姉妹記事で、「ある会計ソフトAの GitHub ソースコード流出事件」を読んで自分のリポジトリにどう落とし込むかを整理した。網羅的に対策を並べはしたものの、肝心の「今、自分のアカウントで何が有効になっていて、何が抜けているのか」が分からない。",[14,18,19],{},"棚卸しせずに対策リストだけ作っても、同じことを来月もう一度やる気がした。だから午後はひたすら現状把握に振った。",[14,21,22],{},"最終的にこのメモは「明日のTODO」になる。読み返した自分が、Plan A/B/Cの3択からチェックボックスを1つ埋めて、コマンドをコピペするだけで動ける形を目指している。",[10,24,26],{"id":25},"push-protectionとsecret-scanningとgitleaksの違いを整理","Push ProtectionとSecret Scanningとgitleaksの違いを整理",[14,28,29],{},"最初にユーザー（自分）に説明する形で言葉を整理した。3つともシークレット検知系だが、配置場所がまったく違う。",[31,32,33,46,56],"ul",{},[34,35,36,40,41,45],"li",{},[37,38,39],"strong",{},"gitleaks",": 手元のファイルを正規表現で舐めるスキャナ。pre-commit hook で ",[42,43,44],"code",{},"git commit"," を止める「家の中の煙感知器」。",[34,47,48,51,52,55],{},[37,49,50],{},"Push Protection",": GitHubサーバー側で ",[42,53,54],{},"git push"," を物理的に拒否する「玄関の関所」。検知済みパターンに合致する文字列を含む push をリモートが弾く。",[34,57,58,61],{},[37,59,60],{},"Secret Scanning",": pushされた後（または既存履歴）にGitHubが定期的にスキャンしてアラートを上げる「監視カメラ」。",[14,63,64],{},"この3つは排他ではなく多層防御として重ねる前提で、関所（Push Protection）を一番手前に置くと費用対効果が高い、という話に落ちた。",[10,66,68],{"id":67},"eurekapu-nuxt4-のセキュリティ設定状況を-gh-cli-で覗く","eurekapu-nuxt4 のセキュリティ設定状況を gh CLI で覗く",[14,70,71],{},"まず一番大事な eurekapu-nuxt4（私的な本番リポジトリ、private）から見た。",[73,74,79],"pre",{"className":75,"code":76,"language":77,"meta":78,"style":78},"language-bash shiki shiki-themes vitesse-light vitesse-light","gh api repos/keikomatsu/eurekapu-nuxt4 \\\n  --jq '{private, has_vulnerability_alerts: .has_vulnerability_alerts, security_and_analysis}'\n","bash","",[42,80,81,101],{"__ignoreMap":78},[82,83,86,90,94,97],"span",{"class":84,"line":85},"line",1,[82,87,89],{"class":88},"senZ8","gh",[82,91,93],{"class":92},"sdGka"," api",[82,95,96],{"class":92}," repos/keikomatsu/eurekapu-nuxt4",[82,98,100],{"class":99},"snbK4"," \\\n",[82,102,104,107,111,114],{"class":84,"line":103},2,[82,105,106],{"class":99},"  --jq",[82,108,110],{"class":109},"sMJiu"," '",[82,112,113],{"class":92},"{private, has_vulnerability_alerts: .has_vulnerability_alerts, security_and_analysis}",[82,115,116],{"class":109},"'\n",[14,118,119],{},"返ってきた結果で分かったこと:",[31,121,122,129,135],{},[34,123,124,125,128],{},"private リポなので ",[37,126,127],{},"Branch Protection は GitHub Free Plan の制約で利用不可","（有料プラン必須）。これは諦める枠。",[34,130,131,134],{},[37,132,133],{},"Dependabot Security Updates は有効","。これは過去の自分が偉い。",[34,136,137,140,141,144,145,148,149,152],{},[37,138,139],{},"Secret Scanning と Push Protection の状態","は ",[42,142,143],{},"security_and_analysis"," フィールドで取れるはずだが、自分のトークンに ",[42,146,147],{},"security_events"," スコープが足りずに ",[42,150,151],{},"null"," で返ってきた。",[14,154,155],{},"スコープ不足については別途PATを発行する必要があると気付いたので、いったん「未確認」マークだけ立てて先に進んだ。",[10,157,159],{"id":158},"code-security-設定画面の各項目を意味で整理","Code security 設定画面の各項目を意味で整理",[14,161,162,163,166],{},"GitHub の ",[42,164,165],{},"Settings > Code security"," の各項目を、用語を曖昧にしたまま放置していたので一通り言語化した。",[168,169,170,186],"table",{},[171,172,173],"thead",{},[174,175,176,180,183],"tr",{},[177,178,179],"th",{},"項目",[177,181,182],{},"役割",[177,184,185],{},"プラン制約",[187,188,189,201,211,225,236,246],"tbody",{},[174,190,191,195,198],{},[192,193,194],"td",{},"Dependabot alerts",[192,196,197],{},"依存ライブラリの脆弱性を通知",[192,199,200],{},"Free個人OK",[174,202,203,206,209],{},[192,204,205],{},"Dependabot security updates",[192,207,208],{},"脆弱性修正のPRを自動生成",[192,210,200],{},[174,212,213,216,223],{},[192,214,215],{},"Dependabot version updates",[192,217,218,219,222],{},"バージョン更新のPRを自動生成（要 ",[42,220,221],{},"dependabot.yml","）",[192,224,200],{},[174,226,227,230,233],{},[192,228,229],{},"Secret scanning",[192,231,232],{},"コミット内のシークレットを検出してアラート",[192,234,235],{},"Free個人OK（公開・非公開とも）",[174,237,238,241,244],{},[192,239,240],{},"Push protection",[192,242,243],{},"シークレット検出時に push 自体を拒否",[192,245,200],{},[174,247,248,251,254],{},[192,249,250],{},"Code scanning (CodeQL)",[192,252,253],{},"静的解析でコードの脆弱性を検出",[192,255,256],{},"private は Advanced Security 必須（有料）",[14,258,259,260,263],{},"つまり",[37,261,262],{},"Code Scanning(CodeQL) と Branch Protection 以外は GitHub Free 個人アカウントでも全部無料で使える","。これに気付いてから一気にやる気が出た。",[10,265,267],{"id":266},"enable-allボタンの罠","「Enable all」ボタンの罠",[14,269,270,271,274],{},"個人アカウントの Code security and analysis ページには Enable all ボタンがある。押せば全部ONになると思っていたが、押した後で覗いてみると ",[37,272,273],{},"Dependabot 系3項目のみ一括適用","され、Secret Scanning と Push Protection（private repo 用）は対象外だった。",[14,276,277],{},"これらは1リポずつ API を叩くか、CLI ループで一括適用する必要がある。「ボタン1つで終わると思ったのに罠だった」と気付くまでに15分くらい無駄にした。",[10,279,281],{"id":280},"_158リポの現状を-gh-api-でバックグラウンド一括取得","158リポの現状を gh API でバックグラウンド一括取得",[14,283,284],{},"頭で考えても分からないので、まず全リポの現状をJSONで吸い出すことにした。",[73,286,288],{"className":75,"code":287,"language":77,"meta":78,"style":78},"gh api graphql --paginate -f query='\n  query($endCursor: String) {\n    viewer {\n      repositories(first: 100, after: $endCursor, ownerAffiliations: OWNER) {\n        pageInfo { hasNextPage endCursor }\n        nodes {\n          name\n          isPrivate\n          isFork\n          hasVulnerabilityAlertsEnabled\n        }\n      }\n    }\n  }'\n",[42,289,290,310,315,321,327,333,339,345,351,357,363,369,375,381],{"__ignoreMap":78},[82,291,292,294,296,299,302,305,308],{"class":84,"line":85},[82,293,89],{"class":88},[82,295,93],{"class":92},[82,297,298],{"class":92}," graphql",[82,300,301],{"class":99}," --paginate",[82,303,304],{"class":99}," -f",[82,306,307],{"class":92}," query=",[82,309,116],{"class":109},[82,311,312],{"class":84,"line":103},[82,313,314],{"class":92},"  query($endCursor: String) {\n",[82,316,318],{"class":84,"line":317},3,[82,319,320],{"class":92},"    viewer {\n",[82,322,324],{"class":84,"line":323},4,[82,325,326],{"class":92},"      repositories(first: 100, after: $endCursor, ownerAffiliations: OWNER) {\n",[82,328,330],{"class":84,"line":329},5,[82,331,332],{"class":92},"        pageInfo { hasNextPage endCursor }\n",[82,334,336],{"class":84,"line":335},6,[82,337,338],{"class":92},"        nodes {\n",[82,340,342],{"class":84,"line":341},7,[82,343,344],{"class":92},"          name\n",[82,346,348],{"class":84,"line":347},8,[82,349,350],{"class":92},"          isPrivate\n",[82,352,354],{"class":84,"line":353},9,[82,355,356],{"class":92},"          isFork\n",[82,358,360],{"class":84,"line":359},10,[82,361,362],{"class":92},"          hasVulnerabilityAlertsEnabled\n",[82,364,366],{"class":84,"line":365},11,[82,367,368],{"class":92},"        }\n",[82,370,372],{"class":84,"line":371},12,[82,373,374],{"class":92},"      }\n",[82,376,378],{"class":84,"line":377},13,[82,379,380],{"class":92},"    }\n",[82,382,384,387],{"class":84,"line":383},14,[82,385,386],{"class":92},"  }",[82,388,116],{"class":109},[14,390,391],{},"private 145、public 13、合計158リポ。多い。",[14,393,394],{},"バッチ処理にするためシェルスクリプトに落としたところ、2つバグを踏んだ。",[396,397,399],"h3",{"id":398},"バグ1-行末の-cr-が混入","バグ1: 行末の CR が混入",[14,401,402,403,406,407,410],{},"PowerShellで生成したリポ名リストを Git Bash で読ませたら、リポ名末尾に ",[42,404,405],{},"\\r"," が混入して ",[42,408,409],{},"gh api repos/keikomatsu/foo\\r/..."," という URL を投げて404の山が出た。",[73,412,414],{"className":75,"code":413,"language":77,"meta":78,"style":78},"# 修正版: tr で CR を除去してから読む\ncat repos.txt | tr -d '\\r' | while read repo; do\n  gh api \"repos/keikomatsu/$repo\" --jq '.security_and_analysis' >> out.json\ndone\n",[42,415,416,422,467,499],{"__ignoreMap":78},[82,417,418],{"class":84,"line":85},[82,419,421],{"class":420},"sxvE3","# 修正版: tr で CR を除去してから読む\n",[82,423,424,427,430,434,437,440,442,444,447,449,453,457,460,464],{"class":84,"line":103},[82,425,426],{"class":88},"cat",[82,428,429],{"class":92}," repos.txt",[82,431,433],{"class":432},"stQ0i"," |",[82,435,436],{"class":88}," tr",[82,438,439],{"class":99}," -d",[82,441,110],{"class":109},[82,443,405],{"class":92},[82,445,446],{"class":109},"'",[82,448,433],{"class":432},[82,450,452],{"class":451},"sHkkW"," while",[82,454,456],{"class":455},"sz8Xr"," read",[82,458,459],{"class":92}," repo",[82,461,463],{"class":462},"shFtX",";",[82,465,466],{"class":451}," do\n",[82,468,469,472,474,477,480,483,486,488,491,493,496],{"class":84,"line":317},[82,470,471],{"class":88},"  gh",[82,473,93],{"class":92},[82,475,476],{"class":109}," \"",[82,478,479],{"class":92},"repos/keikomatsu/$repo",[82,481,482],{"class":109},"\"",[82,484,485],{"class":99}," --jq",[82,487,110],{"class":109},[82,489,490],{"class":92},".security_and_analysis",[82,492,446],{"class":109},[82,494,495],{"class":432}," >>",[82,497,498],{"class":92}," out.json\n",[82,500,501],{"class":84,"line":323},[82,502,503],{"class":451},"done\n",[396,505,507],{"id":506},"バグ2-json-空値の処理","バグ2: JSON 空値の処理",[14,509,510,512,513,516,517,520],{},[42,511,143],{}," がそもそも null で返ってくるリポがあって、",[42,514,515],{},"--jq"," の出力が空行になり、後段の集計で行ズレを起こした。",[42,518,519],{},"// {}"," でデフォルト値を入れて潰した。",[73,522,524],{"className":75,"code":523,"language":77,"meta":78,"style":78},"gh api \"repos/keikomatsu/$repo\" \\\n  --jq '{repo: \"'$repo'\", sa: (.security_and_analysis // {})}' \\\n  >> out.json\n",[42,525,526,540,564],{"__ignoreMap":78},[82,527,528,530,532,534,536,538],{"class":84,"line":85},[82,529,89],{"class":88},[82,531,93],{"class":92},[82,533,476],{"class":109},[82,535,479],{"class":92},[82,537,482],{"class":109},[82,539,100],{"class":99},[82,541,542,544,546,549,551,555,557,560,562],{"class":84,"line":103},[82,543,106],{"class":99},[82,545,110],{"class":109},[82,547,548],{"class":92},"{repo: \"",[82,550,446],{"class":109},[82,552,554],{"class":553},"s4oTP","$repo",[82,556,446],{"class":109},[82,558,559],{"class":92},"\", sa: (.security_and_analysis // {})}",[82,561,446],{"class":109},[82,563,100],{"class":99},[82,565,566,569],{"class":84,"line":317},[82,567,568],{"class":432},"  >>",[82,570,498],{"class":92},[14,572,573,574,577,578,580],{},"修正後に再実行。順調に進んでいたが ",[37,575,576],{},"95件目あたりで急激に遅くなった","。レートリミットに近づいているか、",[42,579,143],{}," を返すエンドポイントが重いのか切り分けは保留。",[14,582,583],{},"「明日 Plan A を実行すれば結局全リポONにするんだから、95件取れた時点の傾向で十分判断できる」と割り切って打ち切った。",[10,585,587],{"id":586},"_95件分の集計結果","95件分の集計結果",[14,589,590],{},"集計してみたら、想像以上にひどかった。",[31,592,593,598,601,604],{},[34,594,595],{},[37,596,597],{},"Dependabot 系がONなのは eurekapu-nuxt4 の1件だけ",[34,599,600],{},"他に「ON」と出ているのは Anthropic 公式リポの fork（claude-code-action 系）で、これは fork 元のデフォルト継承",[34,602,603],{},"自分が能動的にONにしたリポは実質1件",[34,605,606],{},"Secret Scanning / Push Protection は全リポでOFF（取得できた範囲）",[14,608,609,612],{},[37,610,611],{},"実質ノーガード状態","だった。記事を読んで対策を整理した自分の午前中の偉さが、午後の現状把握で完全に相殺された。",[10,614,616],{"id":615},"plan-a-b-c-を3択に整理","Plan A / B / C を3択に整理",[14,618,619],{},"明日の自分が選びやすいように、対応方針を3つに分けた。",[396,621,623],{"id":622},"plan-a-全リポ一括on推奨","Plan A: 全リポ一括ON（推奨）",[14,625,626],{},"158リポ全部にDependabot系3つ + Secret Scanning + Push Protection を一括適用。CLIループで30分くらい。",[73,628,630],{"className":75,"code":629,"language":77,"meta":78,"style":78},"# Push Protection を private repo に有効化する例\ngh api -X PATCH \"repos/keikomatsu/$repo\" \\\n  -f security_and_analysis[secret_scanning_push_protection][status]=enabled\n",[42,631,632,637,657],{"__ignoreMap":78},[82,633,634],{"class":84,"line":85},[82,635,636],{"class":420},"# Push Protection を private repo に有効化する例\n",[82,638,639,641,643,646,649,651,653,655],{"class":84,"line":103},[82,640,89],{"class":88},[82,642,93],{"class":92},[82,644,645],{"class":99}," -X",[82,647,648],{"class":92}," PATCH",[82,650,476],{"class":109},[82,652,479],{"class":92},[82,654,482],{"class":109},[82,656,100],{"class":99},[82,658,659,662],{"class":84,"line":317},[82,660,661],{"class":99},"  -f",[82,663,664],{"class":92}," security_and_analysis[secret_scanning_push_protection][status]=enabled\n",[14,666,667],{},"メリット: 一気に終わる。デメリット: fork した他人のリポにもPRが飛び始める可能性。",[396,669,671],{"id":670},"plan-b-アクティブな10リポだけon","Plan B: アクティブな10リポだけON",[14,673,674],{},"過去90日にcommitがあったリポだけ抽出してON。Plan A の8割の効果を1割の手間で。",[396,676,678],{"id":677},"plan-c-eurekapu-nuxt4-だけon","Plan C: eurekapu-nuxt4 だけON",[14,680,681],{},"最重要1リポだけ完璧にする。残り157リポはノーガードを受け入れる。",[10,683,685],{"id":684},"明日のtodoドキュメントに落とす","明日のTODOドキュメントに落とす",[14,687,688,691],{},[42,689,690],{},"memo/2026-05-02/github-security-current-state.md"," に Plan A/B/C のチェックボックスと、それぞれのコマンド例をコピペできる形で残した。明日の朝、寝起きの自分がチェックボックスを1つ埋めて、ターミナルにペーストすれば動き始めるはず。",[73,693,697],{"className":694,"code":695,"language":696,"meta":78,"style":78},"language-markdown shiki shiki-themes vitesse-light vitesse-light","## TL;DR\n- 158リポ中、実質的に守られているのは1リポだけ\n- Plan A/B/Cから1つ選んで実行する\n\n## 選択\n- [ ] Plan A: 全リポ一括ON（30分）\n- [ ] Plan B: アクティブ10リポのみ（10分）\n- [ ] Plan C: eurekapu-nuxt4 のみ（5分）\n","markdown",[42,698,699,709,718,725,731,738,745,752],{"__ignoreMap":78},[82,700,701,705],{"class":84,"line":85},[82,702,704],{"class":703},"sFA8A","##",[82,706,708],{"class":707},"syTZV"," TL;DR\n",[82,710,711,714],{"class":84,"line":103},[82,712,713],{"class":99},"-",[82,715,717],{"class":716},"sG7-3"," 158リポ中、実質的に守られているのは1リポだけ\n",[82,719,720,722],{"class":84,"line":317},[82,721,713],{"class":99},[82,723,724],{"class":716}," Plan A/B/Cから1つ選んで実行する\n",[82,726,727],{"class":84,"line":323},[82,728,730],{"emptyLinePlaceholder":729},true,"\n",[82,732,733,735],{"class":84,"line":329},[82,734,704],{"class":703},[82,736,737],{"class":707}," 選択\n",[82,739,740,742],{"class":84,"line":335},[82,741,713],{"class":99},[82,743,744],{"class":716}," [ ] Plan A: 全リポ一括ON（30分）\n",[82,746,747,749],{"class":84,"line":341},[82,748,713],{"class":99},[82,750,751],{"class":716}," [ ] Plan B: アクティブ10リポのみ（10分）\n",[82,753,754,756],{"class":84,"line":347},[82,755,713],{"class":99},[82,757,758],{"class":716}," [ ] Plan C: eurekapu-nuxt4 のみ（5分）\n",[10,760,761],{"id":761},"学び",[31,763,764,767,774],{},[34,765,766],{},"「対策の網羅リスト」と「現状把握」はセットで作らないと、来月もう一度同じ作業をする",[34,768,769,770,773],{},"gh API は便利だが、95件目で重くなる現象に遭遇した。次回は最初から並列度を絞るか、",[42,771,772],{},"--paginate"," で1回投げるか検討",[34,775,776,777,779,780,783],{},"security_events スコープがないと ",[42,778,143],{}," フィールドが null で返ってくる。最初に ",[42,781,782],{},"gh auth refresh -s security_events"," してから始めるべきだった",[10,785,787],{"id":786},"明日の実行コマンドplan-a-の場合","明日の実行コマンド（Plan A の場合）",[73,789,791],{"className":75,"code":790,"language":77,"meta":78,"style":78},"# 1. スコープを追加\ngh auth refresh -s security_events,repo\n\n# 2. 全リポリストを取得\ngh repo list keikomatsu --limit 200 --json name,isPrivate \\\n  --jq '.[] | select(.isPrivate==true) | .name' > private_repos.txt\n\n# 3. Dependabot alerts + Secret Scanning + Push Protection を一括ON\ncat private_repos.txt | tr -d '\\r' | while read repo; do\n  gh api -X PUT \"repos/keikomatsu/$repo/vulnerability-alerts\"\n  gh api -X PUT \"repos/keikomatsu/$repo/automated-security-fixes\"\n  gh api -X PATCH \"repos/keikomatsu/$repo\" \\\n    -f 'security_and_analysis[secret_scanning][status]=enabled' \\\n    -f 'security_and_analysis[secret_scanning_push_protection][status]=enabled'\n  echo \"done: $repo\"\ndone\n",[42,792,793,798,814,818,823,850,867,871,876,907,926,943,961,975,986,999],{"__ignoreMap":78},[82,794,795],{"class":84,"line":85},[82,796,797],{"class":420},"# 1. スコープを追加\n",[82,799,800,802,805,808,811],{"class":84,"line":103},[82,801,89],{"class":88},[82,803,804],{"class":92}," auth",[82,806,807],{"class":92}," refresh",[82,809,810],{"class":99}," -s",[82,812,813],{"class":92}," security_events,repo\n",[82,815,816],{"class":84,"line":317},[82,817,730],{"emptyLinePlaceholder":729},[82,819,820],{"class":84,"line":323},[82,821,822],{"class":420},"# 2. 全リポリストを取得\n",[82,824,825,827,829,832,835,838,842,845,848],{"class":84,"line":329},[82,826,89],{"class":88},[82,828,459],{"class":92},[82,830,831],{"class":92}," list",[82,833,834],{"class":92}," keikomatsu",[82,836,837],{"class":99}," --limit",[82,839,841],{"class":840},"sM54T"," 200",[82,843,844],{"class":99}," --json",[82,846,847],{"class":92}," name,isPrivate",[82,849,100],{"class":99},[82,851,852,854,856,859,861,864],{"class":84,"line":335},[82,853,106],{"class":99},[82,855,110],{"class":109},[82,857,858],{"class":92},".[] | select(.isPrivate==true) | .name",[82,860,446],{"class":109},[82,862,863],{"class":432}," >",[82,865,866],{"class":92}," private_repos.txt\n",[82,868,869],{"class":84,"line":341},[82,870,730],{"emptyLinePlaceholder":729},[82,872,873],{"class":84,"line":347},[82,874,875],{"class":420},"# 3. Dependabot alerts + Secret Scanning + Push Protection を一括ON\n",[82,877,878,880,883,885,887,889,891,893,895,897,899,901,903,905],{"class":84,"line":353},[82,879,426],{"class":88},[82,881,882],{"class":92}," private_repos.txt",[82,884,433],{"class":432},[82,886,436],{"class":88},[82,888,439],{"class":99},[82,890,110],{"class":109},[82,892,405],{"class":92},[82,894,446],{"class":109},[82,896,433],{"class":432},[82,898,452],{"class":451},[82,900,456],{"class":455},[82,902,459],{"class":92},[82,904,463],{"class":462},[82,906,466],{"class":451},[82,908,909,911,913,915,918,920,923],{"class":84,"line":359},[82,910,471],{"class":88},[82,912,93],{"class":92},[82,914,645],{"class":99},[82,916,917],{"class":92}," PUT",[82,919,476],{"class":109},[82,921,922],{"class":92},"repos/keikomatsu/$repo/vulnerability-alerts",[82,924,925],{"class":109},"\"\n",[82,927,928,930,932,934,936,938,941],{"class":84,"line":365},[82,929,471],{"class":88},[82,931,93],{"class":92},[82,933,645],{"class":99},[82,935,917],{"class":92},[82,937,476],{"class":109},[82,939,940],{"class":92},"repos/keikomatsu/$repo/automated-security-fixes",[82,942,925],{"class":109},[82,944,945,947,949,951,953,955,957,959],{"class":84,"line":371},[82,946,471],{"class":88},[82,948,93],{"class":92},[82,950,645],{"class":99},[82,952,648],{"class":92},[82,954,476],{"class":109},[82,956,479],{"class":92},[82,958,482],{"class":109},[82,960,100],{"class":99},[82,962,963,966,968,971,973],{"class":84,"line":377},[82,964,965],{"class":99},"    -f",[82,967,110],{"class":109},[82,969,970],{"class":92},"security_and_analysis[secret_scanning][status]=enabled",[82,972,446],{"class":109},[82,974,100],{"class":99},[82,976,977,979,981,984],{"class":84,"line":383},[82,978,965],{"class":99},[82,980,110],{"class":109},[82,982,983],{"class":92},"security_and_analysis[secret_scanning_push_protection][status]=enabled",[82,985,116],{"class":109},[82,987,989,992,994,997],{"class":84,"line":988},15,[82,990,991],{"class":455},"  echo",[82,993,476],{"class":109},[82,995,996],{"class":92},"done: $repo",[82,998,925],{"class":109},[82,1000,1002],{"class":84,"line":1001},16,[82,1003,503],{"class":451},[14,1005,1006],{},"寝る前に書いておくと、起きた自分がコピペするだけで済む。これがひとり開発の引き継ぎ術。",[1008,1009,1010],"style",{},"html pre.shiki code .senZ8, html code.shiki .senZ8{--shiki-default:#59873A;--shiki-dark:#59873A}html pre.shiki code .sdGka, html code.shiki .sdGka{--shiki-default:#B56959;--shiki-dark:#B56959}html pre.shiki code .snbK4, html code.shiki .snbK4{--shiki-default:#A65E2B;--shiki-dark:#A65E2B}html pre.shiki code .sMJiu, html code.shiki .sMJiu{--shiki-default:#B5695977;--shiki-dark:#B5695977}html .default .shiki span {color: var(--shiki-default);background: var(--shiki-default-bg);font-style: var(--shiki-default-font-style);font-weight: var(--shiki-default-font-weight);text-decoration: var(--shiki-default-text-decoration);}html .shiki span {color: var(--shiki-default);background: var(--shiki-default-bg);font-style: var(--shiki-default-font-style);font-weight: var(--shiki-default-font-weight);text-decoration: var(--shiki-default-text-decoration);}html .dark .shiki span {color: var(--shiki-dark);background: var(--shiki-dark-bg);font-style: var(--shiki-dark-font-style);font-weight: var(--shiki-dark-font-weight);text-decoration: var(--shiki-dark-text-decoration);}html.dark .shiki span {color: var(--shiki-dark);background: var(--shiki-dark-bg);font-style: var(--shiki-dark-font-style);font-weight: var(--shiki-dark-font-weight);text-decoration: var(--shiki-dark-text-decoration);}html pre.shiki code .sxvE3, html code.shiki .sxvE3{--shiki-default:#A0ADA0;--shiki-dark:#A0ADA0}html pre.shiki code .stQ0i, html code.shiki .stQ0i{--shiki-default:#AB5959;--shiki-dark:#AB5959}html pre.shiki code .sHkkW, html code.shiki .sHkkW{--shiki-default:#1E754F;--shiki-dark:#1E754F}html pre.shiki code .sz8Xr, html code.shiki .sz8Xr{--shiki-default:#998418;--shiki-dark:#998418}html pre.shiki code .shFtX, html code.shiki .shFtX{--shiki-default:#999999;--shiki-dark:#999999}html pre.shiki code .s4oTP, html code.shiki .s4oTP{--shiki-default:#B07D48;--shiki-dark:#B07D48}html pre.shiki code .sFA8A, html code.shiki .sFA8A{--shiki-default:#999999;--shiki-default-font-weight:bold;--shiki-dark:#999999;--shiki-dark-font-weight:bold}html pre.shiki code .syTZV, html code.shiki .syTZV{--shiki-default:#1C6B48;--shiki-default-font-weight:bold;--shiki-dark:#1C6B48;--shiki-dark-font-weight:bold}html pre.shiki code .sG7-3, html code.shiki .sG7-3{--shiki-default:#393A34;--shiki-dark:#393A34}html pre.shiki code .sM54T, html code.shiki .sM54T{--shiki-default:#2F798A;--shiki-dark:#2F798A}",{"title":78,"searchDepth":103,"depth":103,"links":1012},[1013,1014,1015,1016,1017,1018,1022,1023,1028,1029,1030],{"id":12,"depth":103,"text":12},{"id":25,"depth":103,"text":26},{"id":67,"depth":103,"text":68},{"id":158,"depth":103,"text":159},{"id":266,"depth":103,"text":267},{"id":280,"depth":103,"text":281,"children":1019},[1020,1021],{"id":398,"depth":317,"text":399},{"id":506,"depth":317,"text":507},{"id":586,"depth":103,"text":587},{"id":615,"depth":103,"text":616,"children":1024},[1025,1026,1027],{"id":622,"depth":317,"text":623},{"id":670,"depth":317,"text":671},{"id":677,"depth":317,"text":678},{"id":684,"depth":103,"text":685},{"id":761,"depth":103,"text":761},{"id":786,"depth":103,"text":787},"dev","ある会計ソフトAのソースコード流出事件をきっかけに、自分のGitHubアカウント158リポを一気に棚卸しした記録。gh CLIで全リポのDependabot/Secret Scanning/Push Protectionの有効状況を取得し、Plan A/B/Cの判断軸を整理して明日のTODOまで落とす過程を、API取得スクリプトのCR・空値バグ込みで時系列に残す。","md",{},null,"/github-security-audit-prep","mdx-playground",false,"2026-05-02T00:00:00.000Z",{"title":5,"description":1032},"2026-05/2026-05-02/github-security-audit-prep",[1043,1044,1045,1046,1047,1048],"github","security","dependabot","push-protection","secret-scanning","gh-cli","active","gaUdMODR2DFdyaZnrFgjCeAsCLh-Kzrm6mEB0rLVZMs",[],"https://log.eurekapu.com/og/blog/github-security-audit-prep.png?v=2026-05-02T00%3A00%3A00.000Z&title=GitHub%20158%E3%83%AA%E3%83%9D%E3%82%92%E6%A3%9A%E5%8D%B8%E3%81%97%E3%80%81Dependabot%E3%83%BBPush%20Protection%E3%83%BBSecret%20Scanning%E3%81%AE%E7%8F%BE%E7%8A%B6%E6%8A%8A%E6%8F%A1%E3%81%8B%E3%82%89%E6%98%8E%E6%97%A5%E3%81%AETODO%E3%81%B8&author=Kei%20Komatsu&sig=93997f286f4878fb",1782528831965]