gitrob 0.0.6 → 1.0.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA1:
-  metadata.gz: 233269393064c9df0a4e4cf715f89b61da4cfaf1
-  data.tar.gz: 67367c7bb7b8e9e879b69d11e8d3afc00d4c2c01
+  metadata.gz: 7bee31c09fd95a535639f152d7e8263f6d8371b6
+  data.tar.gz: ef6bd6835050fd1fbc95f257d178159ceaa4dc07
 SHA512:
-  metadata.gz: 9a073a5a96890fb8fdc37c839c2debd118f7951ea53736ce60e29dd8924e52af65d2937e8742a9041518922dfd393e212aabc5794cb751c577ae2c20b70d5afd
-  data.tar.gz: 94184271f33c605d018556bb9b0a3d61d2a8d28b767d084286011aabe2af3cc9502d7d6ae28ade7cacc13c89319b8898031bfd08cdd3577034b2e7ccd68b5fbd
+  metadata.gz: 22d231f7dfb893caac0778a6d7b22672dc19d09b6cd89248b1331157d3bd8d214f32407a9c795eeb788ba3d4343b7e10036b23ce26acd0f48dc9ed85ceb2aab9
+  data.tar.gz: f4354301d88494ecdfbde6d82172b2e595f0b6380119c27a5510cf3c085f901279883da5eccfdf47a2cb5b498aedebca770fa3dea5536c2ef035211fa06e8ad5

data/.gitignore

@@ -7,12 +7,35 @@
 /pkg/
 /spec/reports/
 /tmp/
-*.bundle
-*.so
-*.o
-*.a
-*.swp
-mkmf.log
 .ruby-version
 .ruby-gemset
-agreement
+agreement.txt
+coverage
+TODO.md
+.directory
+.Trash-*
+.DS_Store
+.AppleDouble
+.LSOverride
+Icon
+._*
+.DocumentRevisions-V100
+.fseventsd
+.Spotlight-V100
+.TemporaryItems
+.Trashes
+.VolumeIcon.icns
+.AppleDB
+.AppleDesktop
+Network Trash Folder
+Temporary Items
+.apdisk
+*.tmproj
+*.tmproject
+tmtags
+[._]*.s[a-w][a-z]
+[._]s[a-w][a-z]
+*.un~
+Session.vim
+.netrwhist
+*~

data/.rspec

@@ -1,2 +1 @@
 --color
---require spec_helper

data/.rubocop.yml

@@ -0,0 +1,55 @@
+AllCops:
+  Exclude:
+    - "*.gemspec"
+
+Metrics/AbcSize:
+  Exclude:
+    - "spec/**/*"
+
+Metrics/MethodLength:
+  Exclude:
+    - "spec/**/*"
+
+Metrics/ClassLength:
+  Exclude:
+    - "spec/**/*"
+
+Metrics/LineLength:
+  Exclude:
+    - "db/migrations/**"
+
+Style/ClassAndModuleChildren:
+  Enabled: false
+
+Style/Documentation:
+  Enabled: false
+
+Style/DoubleNegation:
+  Enabled: false
+
+Lint/AssignmentInCondition:
+  Enabled: false
+
+Lint/NestedMethodDefinition:
+  Enabled: false
+
+Metrics/AbcSize:
+  Enabled: false
+Style/MultilineOperationIndentation:
+  Enabled: false
+
+Style/HashSyntax:
+  EnforcedStyle: hash_rockets
+
+Style/SpaceAroundEqualsInParameterDefault:
+  EnforcedStyle: no_space
+
+Style/StringLiterals:
+  EnforcedStyle: double_quotes
+
+Metrics/MethodLength:
+  CountComments: false
+  Max: 20
+
+Metrics/ClassLength:
+  Max: 200

data/.travis.yml

@@ -0,0 +1,4 @@
+language: ruby
+rvm:
+  - 2.2.1
+before_install: gem install bundler -v 1.10.6

data/CHANGELOG.md

@@ -0,0 +1,42 @@
+# Change Log
+All notable changes to this project will be documented in this file.
+This project adheres to [Semantic Versioning](http://semver.org/).
+
+## [Unreleased]
+### Added
+ - Complete rewrite of Gitrob
+ - Analyze arbitrary amount of organizations and users
+ - Create and delete assessments directly from web interface
+ - Run Gitrob against GitHub Enterprise installations
+ - Compare two assessments to find new/modified files as well as new users and repositories
+ - Highlight interesting things such as hostnames, IPs, email addresses and tokens in files
+ - Detect likely testing/mock related files
+ - General web UI/UX improvements
+ - More tests
+
+### Changed
+ - Use [sequel](https://rubygems.org/gems/sequel) Gem for database operations
+ - Use [github_api](https://rubygems.org/gems/github_api) Gem for GitHub API operations
+ - Use [thor](https://rubygems.org/gems/thor) Gem for CLI
+ - Rename `patterns.json` to `signatures.json`
+
+### New signatures
+ - SSH configuration files (`path =~ /\.?ssh/config\z/`)
+ - Postgresql password files (`filename =~ /\A\.?pgpass\z/`)
+ - AWS CLI credential files (`path =~ /\.?aws/credentials\z/`)
+ - Day One journal files (`extension == "dayone"`)
+ - jrnl journal files (`filename == "journal.txt"`)
+ - Tugboat DigitalOcean management tool configuration files (`filename =~ /\A\.?tugboat\z/`)
+ - git-credential-store helper credential files (`filename =~ /\A\.?git-credentials\z/`)
+ - Git configuration files (`filename =~ /\A\.?gitconfig\z/`)
+ - Chef Knife configuration file (`filename == "knife.rb"`)
+ - Chef private keys (`path =~ /\.?chef/(.*)\.pem\z/`)
+ - cPanel backup ProFTPd credential files (`filename == "proftpdpasswd"`)
+ - Robomongo MongoDB manager configuration files (`filename == "robomongo.json"`)
+ - FileZilla FTP configuration files (`filename == "filezilla.xml"`)
+ - FileZilla FTP recent servers files (`filename == "recentservers.xml"`)
+ - Ventrilo server configuration files (`filename == "ventrilo_srv.ini"`)
+ - Docker configuration files (`filename =~ /\A\.?dockercfg\z/`)
+ - NPM configuration file (`filename =~ /\A\.?npmrc\z/`)
+ - Files containing word: credential (`filename =~ /credential/`)
+ - Files containing word: secret (`filename =~ /secret/`)

data/CONTRIBUTING.md

@@ -1,14 +1,142 @@
-# Contributing
+# Contributing to Gitrob
 
-Gitrob should be considered Beta and there is probably a good amount of bugs. Bug reports and suggestions for improvements are welcome!
+Have a feature idea, bug fix, or refactoring suggestion? Contributions are welcome!
 
-Another way to help out is to contribute new patterns for sensitive files. If you know of any sensitive files that are not already identified, please submit them in a pull request. I am especially interested in sensitive web framework files and configuration files. Have a look at the [patterns.json](https://github.com/michenriksen/gitrob/blob/master/patterns.json) file to see what is already looked for.
+## Reporting Bugs
 
-## How to make a pull request:
+When you are creating a bug report, please [include as many details as possible](#how-do-i-submit-a-good-bug-report). If you'd like, you can use [this template](#template-for-submitting-bug-reports) to structure the information.
 
-1. Fork it ( https://github.com/michenriksen/gitrob/fork )
-2. Create your feature branch (`git checkout -b my-new-feature`)
-3. Commit your changes (`git commit -am 'Add some feature'`)
-4. Push to the branch (`git push origin my-new-feature`)
-5. Create a new Pull Request
+### How Do I Submit A (Good) Bug Report?
 
+* **Use a clear and descriptive title** for the issue to identify the problem.
+* **Describe the exact steps which reproduce the problem** in as many details as possible. For example, start by explaining how you started Gitrob, e.g. which command exactly you used in the terminal, or how you started Gitrob otherwise. When listing steps, **don't just say what you did, but explain how you did it**.
+* **Describe the behavior you observed after following the steps** and point out what exactly is the problem with that behavior.
+* **Explain which behavior you expected to see instead and why.**
+* **Include screenshots and animated GIFs** which show you following the described steps and clearly demonstrate the problem. You can use [this tool](http://www.cockos.com/licecap/) to record GIFs on OSX and Windows, and [this tool](https://github.com/colinkeenan/silentcast) or [this tool](https://github.com/GNOME/byzanz) on Linux.
+* **If you're reporting that Gitrob crashed**, include a stack trace/debugging information in a [code block](https://help.github.com/articles/markdown-basics/#multiple-lines), a [file attachment](https://help.github.com/articles/file-attachments-on-issues-and-pull-requests/), or put it in a [gist](https://gist.github.com/) and provide link to that gist.
+* **If the problem wasn't triggered by a specific action**, describe what you were doing before the problem happened and share more information using the guidelines below.
+
+Provide more context by answering these questions:
+
+* **Did the problem start happening recently** (e.g. after updating to a new version of Gitrob) or was this always a problem?
+* If the problem started happening recently, **can you reproduce the problem in an older version of Gitrob?** What's the most recent version in which the problem doesn't happen?
+* **Can you reliably reproduce the issue?** If not, provide details about how often the problem happens and under which conditions it normally happens.
+* If the problem is related to analyzing organizations, **does the problem happen for all organizations or only some?**
+
+Include details about your configuration and environment:
+
+* **Which version of Gitrob are you using?** You can get the exact version by running `gitrob` in your terminal, or by looking at the Footer area of the web application.
+* **What's the name and version of the OS you're using**?
+* **What version of Ruby are you running Gitrob with**? You can check the version with `ruby --version` in a terminal
+* **What version of PostgreSQL do you have installed?** You can check the version with `postgres --version` in a terminal
+
+### Template For Submitting Bug Reports
+
+    [Short description of problem here]
+
+    **Reproduction Steps:**
+
+    1. [First Step]
+    2. [Second Step]
+    3. [Other Steps...]
+
+    **Expected behavior:**
+
+    [Describe expected behavior here]
+
+    **Observed behavior:**
+
+    [Describe observed behavior here]
+
+    **Screenshots and GIFs**
+
+    ![Screenshots and GIFs which follow reproduction steps to demonstrate the problem](url)
+
+    **Gitrob version:** [Enter Gitrob version here]
+    **OS and version:** [Enter OS name and version here]
+    **Ruby version:** [Enter Ruby version here]
+    **PostgreSQL version:** [Enter PostgreSQL version here]
+
+    **Additional information:**
+
+    * Problem started happening recently, didn't happen in an older version of Gitrob: [Yes/No]
+    * Problem can be reliably reproduced, doesn't happen randomly: [Yes/No]
+    * Problem happens with all assessments, not only some assessments: [Yes/No]
+
+## Suggesting Enhancements
+
+When you are creating an enhancement suggestion, please [include as many details as possible](#how-do-i-submit-a-good-enhancement-suggestion). If you'd like, you can use [this template](#template-for-submitting-enhancement-suggestions) to structure the information.
+
+### Before Submitting An Enhancement Suggestion
+
+* **Perform a [cursory search](https://github.com/michenriksen/gitrob/issues?utf8=%E2%9C%93&q=is%3Aissue)** to see if the enhancement has already been suggested. If it has, add a comment to the existing issue instead of opening a new one.
+
+### How Do I Submit A (Good) Enhancement Suggestion?
+
+Enhancement suggestions are tracked as [GitHub issues](https://guides.github.com/features/issues/). Create an issue and provide the following information:
+
+* **Use a clear and descriptive title** for the issue to identify the suggestion.
+* **Provide a step-by-step description of the suggested enhancement** in as many details as possible.
+* **Provide specific examples to demonstrate the steps**. Include copy/pasteable snippets which you use in those examples, as [Markdown code blocks](https://help.github.com/articles/markdown-basics/#multiple-lines).
+* **Describe the current behavior** and **explain which behavior you expected to see instead** and why.
+* **Include screenshots and animated GIFs** which help you demonstrate the steps or point out the part of Gitrob which the suggestion is related to. You can use [this tool](http://www.cockos.com/licecap/) to record GIFs on OSX and Windows, and [this tool](https://github.com/colinkeenan/silentcast) or [this tool](https://github.com/GNOME/byzanz) on Linux.
+* **Explain why this enhancement would be useful** to most Gitrob users.
+* **Specify which version of Gitrob you're using.** You can get the exact version by running `gitrob` in your terminal, or by looking at the Footer area of the web application.
+* **Specify the name and version of the OS you're using.**
+
+### Template For Submitting Enhancement Suggestions
+
+    [Short description of suggestion]
+
+    **Steps which explain the enhancement**
+
+    1. [First Step]
+    2. [Second Step]
+    3. [Other Steps...]
+
+    **Current and suggested behavior**
+
+    [Describe current and suggested behavior here]
+
+    **Why would the enhancement be useful to most users**
+
+    [Explain why the enhancement would be useful to most users]
+
+    **Screenshots and GIFs**
+
+    ![Screenshots and GIFs which demonstrate the steps or part of Gitrob the enhancement suggestion is related to](url)
+
+    **Gitrob Version:** [Enter Gitrob version here]
+    **OS and Version:** [Enter OS name and version here]
+
+
+## Pull Requests
+
+1. Check [Issues][] to see if your contribution has already been discussed and/or implemented.
+2. If not, open an issue to discuss your contribution. I won't accept all changes and do not want to waste your time.
+3. Once you have the :thumbsup:, fork the repo, make your changes, and open a PR.
+4. Don't forget to add your contribution and credit yourself in `CHANGELOG.md`!
+
+## Coding Guidelines
+
+* This project has a coding style enforced by [RuboCop][]. Use hash rockets and double-quoted strings, and otherwise try to follow the [Ruby style guide][style].
+* Writing tests is strongly encouraged! This project uses RSpec.
+
+## Getting Started
+
+After checking out the repo, run `bin/setup` to install dependencies.
+
+Gitrob offers the following development and testing commands:
+
+* `bin/console` loads your working copy of Gitrob into an irb session
+* `bundle exec gitrob` runs your working copy of the Gitrob executable
+* `rake` executes all of Gitrob's tests and RuboCop checks
+
+A Guardfile is also present, so if you'd like to use Guard to do a TDD workflow, then:
+
+1. Run `bundle install --with guard` to get the optional guard dependencies
+2. Run `guard` to monitor the filesystem and automatically run tests as you work
+
+[Issues]: https://github.com/michenriksen/gitrob/issues
+[RuboCop]: https://github.com/bbatsov/rubocop
+[style]: https://github.com/bbatsov/ruby-style-guide

data/Gemfile

@@ -1,4 +1,14 @@
-source 'https://rubygems.org'
+source "https://rubygems.org"
 
 # Specify your gem's dependencies in gitrob.gemspec
 gemspec
+
+# Optional development dependencies; requires bundler >= 1.10.
+# Note that these gems assume a Ruby 2.2 environment. Install them using:
+#
+# bundle install --with guard
+#
+group :guard, :optional => true do
+  gem "guard-rspec"
+  gem "terminal-notifier-guard"
+end

data/Guardfile

@@ -0,0 +1,42 @@
+# A sample Guardfile
+# More info at https://github.com/guard/guard#readme
+
+## Uncomment and set this to only include directories you want to watch
+# directories %w(app lib config test spec features) \
+#  .select{|d| Dir.exists?(d) ? d : UI.warning("Directory #{d} does not exist")}
+
+## Note: if you are using the `directories` clause above and you are not
+## watching the project directory ('.'), then you will want to move
+## the Guardfile to a watched dir and symlink it back, e.g.
+#
+#  $ mkdir config
+#  $ mv Guardfile config/
+#  $ ln -s config/Guardfile .
+#
+# and, you'll have to watch "config/Guardfile" instead of "Guardfile"
+
+# Note: The cmd option is now required due to the increasing number of ways
+#       rspec may be run, below are examples of the most common uses.
+#  * bundler: 'bundle exec rspec'
+#  * bundler binstubs: 'bin/rspec'
+#  * spring: 'bin/rspec' (This will use spring if running and you have
+#                          installed the spring binstubs per the docs)
+#  * zeus: 'zeus rspec' (requires the server to be started separately)
+#  * 'just' rspec: 'rspec'
+
+guard :rspec, :cmd => "bundle exec rspec -f doc", :title => "Gitrob" do
+  require "guard/rspec/dsl"
+  dsl = Guard::RSpec::Dsl.new(self)
+
+  # Feel free to open issues for suggestions and improvements
+
+  # RSpec files
+  rspec = dsl.rspec
+  watch(rspec.spec_helper) { rspec.spec_dir }
+  watch(rspec.spec_support) { rspec.spec_dir }
+  watch(rspec.spec_files)
+
+  # Ruby files
+  ruby = dsl.ruby
+  dsl.watch_spec_files_for(ruby.lib_files)
+end

data/LICENSE.txt

@@ -1,22 +1,21 @@
-Copyright (c) 2014 Michael Henriksen
+The MIT License (MIT)
 
-MIT License
+Copyright (c) 2016 Michael Henriksen
 
-Permission is hereby granted, free of charge, to any person obtaining
-a copy of this software and associated documentation files (the
-"Software"), to deal in the Software without restriction, including
-without limitation the rights to use, copy, modify, merge, publish,
-distribute, sublicense, and/or sell copies of the Software, and to
-permit persons to whom the Software is furnished to do so, subject to
-the following conditions:
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
 
-The above copyright notice and this permission notice shall be
-included in all copies or substantial portions of the Software.
+The above copyright notice and this permission notice shall be included in
+all copies or substantial portions of the Software.
 
-THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
-EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
-MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
-NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE
-LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION
-OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION
-WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
+THE SOFTWARE.

data/README.md

@@ -1,53 +1,103 @@
-# Gitrob
+# Gitrob: Putting the Open Source in OSINT
 
-Developers generally like to share their code, and many of them do so by open sourcing it on GitHub, a social code hosting and collaboration service. Many companies also use GitHub as a convenient place to host both private and public code repositories by creating GitHub organizations where employees can be joined.
+Gitrob is a command line tool which can help organizations and security professionals find sensitive information lingering in publicly available files on GitHub. The tool will iterate over all public organization and member repositories and match filenames against a range of patterns for files that typically contain sensitive or dangerous information.
 
-Sometimes employees might publish things that should not be publicly available, things that contain sensitive information or things that could even lead to direct compromise of a system. This can happen by accident or because the employee does not know the sensitivity of the information.
-
-Gitrob is a command line tool that can help organizations and security professionals find such sensitive information. The tool will iterate over all public organization and member repositories and match filenames against a range of patterns for files, that typically contain sensitive or dangerous information.
-
-Read the [blog post](http://michenriksen.com/blog/gitrob-putting-the-open-source-in-osint/) for more information and screenshots.
+Looking for sensitive information in GitHub repositories is not a new thing, it has been [known for a while](http://blog.conviso.com.br/2013/06/github-hacking-for-fun-and-sensitive.html) that things such as private keys and credentials can be found with GitHub's search functionality, however Gitrob makes it easier to focus the effort on a specific organization.
 
-## How it works
+## Installation
 
-Looking for sensitive information in GitHub repositories is not a new thing, it has been [known for a while](http://blog.conviso.com.br/2013/06/github-hacking-for-fun-and-sensitive.html) that things such as private keys and credentials can be found with GitHub's search functionality, however Gitrob makes it easier to focus the effort on a specific organization.
+### 1. Ruby
 
-The first thing the tool does is to collect all public repositories of the organization itself. It then goes on to collect all the organization members and their public repositories, in order to compile a list of repositories that might be related or have relevance to the organization.
+Gitrob is written in [Ruby](https://www.ruby-lang.org/) and requires at least version 1.9.3 or above. To check which version of Ruby you have installed, simply run `ruby --version` in a terminal.
 
-When the list of repositories has been compiled, it proceeds to gather all the filenames in each repository and runs them through a series of observers that will flag the files, if they match any patterns of known sensitive files. This step might take a while if the organization is big or if the members have a lot of public repositories.
+Should you have an older version installed, it is very easy to upgrade and manage different versions with the Ruby Version Manager ([RVM](https://rvm.io/)). Please see the [RVM website](https://rvm.io/) for installation instructions.
 
-All of the members, repositories and files will be saved to a PostgreSQL database. When everything has been sifted through, it will start a Sinatra web server locally on the machine, which will serve a simple web application to present the collected data for analysis.
+### 2. RubyGems
 
-## Installation
+Gitrob is packaged as a Ruby gem to make it easy to install and update. To install Ruby gems you'll need the RubyGems tool installed. To check if you have it already, type `gem` in a Terminal. If you got it already, it is recommended to do a quick `gem update --system` to make sure you have the latest and greatest version. In case you don't have it installed, download it from [here](https://rubygems.org/pages/download) and follow the simple installation instructions.
 
-Gitrob is written in Ruby and requires at least version 1.9.3 or above, except for version 2.2.0 which is currently not compatible. If you are on an older version, it is very easy to install newer versions with [RVM](http://rvm.io/). If you are installing Gitrob on [Kali](http://www.kali.org/), you are almost good to go, you just need to update Bundler with `gem install bundler`. It might also be necessary to install a PostgreSQL dependency with `apt-get install postgresql-server-dev-9.1` and a Ruby dependency with `apt-get install ruby1.9.1-dev` in a terminal.
+### 3. PostgreSQL
 
-Gitrob is a Ruby gem, so installation is a simple `gem install gitrob` in a terminal. This will automatically install all the code dependencies as well.
+Gitrob uses a PostgreSQL database to store all the collected data. If you are setting up Gitrob in the [Kali](https://www.kali.org/) linux distribution you already have it installed, you just need to make sure it's running by executing `service postgresql start` and install a dependency with `apt-get install libpq-dev` in a terminal. Here's an excellent [guide](https://www.digitalocean.com/community/tutorials/how-to-install-and-use-postgresql-9-4-on-debian-8) on how to install PostgreSQL on a Debian based Linux system. If you are setting up Gitrob on a Mac, the easiest way to install PostgreSQL is with [Homebrew](http://brew.sh/). Here's a [guide](http://exponential.io/blog/2015/02/21/install-postgresql-on-mac-os-x-via-brew/) on how to install PostgreSQL with Homebrew.
 
-A [PostgreSQL](http://www.postgresql.org/) database is also needed for Gitrob to store its data. Installing PostgreSQL is pretty straight forward; here is an installation guide for [Mac OS X](http://www.gotealeaf.com/blog/how-to-install-postgresql-on-a-mac) and one for [Ubuntu/Debian](https://www.digitalocean.com/community/tutorials/how-to-install-and-use-postgresql-on-ubuntu-14-04) based Linux. If you're installing Gitrob on Kali, you already have PostgreSQL installed, however you need to start the server with `service postgresql start` in a terminal.
+#### 3.1 PostgreSQL user and database
 
-When PostgreSQL is installed, it's time to create a user and a database for Gitrob. To do so, type the following commands in a terminal:
+You need to set up a user and a database in PostgreSQL for Gitrob. Execute the following commands in a terminal:
 
     sudo su postgres # Not necessary on Mac OS X
     createuser -s gitrob --pwprompt
     createdb -O gitrob gitrob
 
-The last thing we need is a GitHub access token in order to be able to talk to their API. The easiest way is to create a [personal access token](https://github.com/settings/applications). If you plan on using Gitrob extensively or on a very big organization, it might be necessary to have multiple access tokens to prevent running into rate limiting, but they need to be from different user accounts.
+You now have a new PostgreSQL user with the name `gitrob` and with the password you typed into the prompt. You also created a database with the name `gitrob` which is owned by the `gitrob` user.
 
-When everything is ready, simply run `gitrob --configure` and you will be presented with a configuration wizard that asks you for database connection details and GitHub access tokens. All of this configuration can be changed by running the same command again. The configuration will be saved in `~/.gitrobrc` - and yes, Gitrob is looking for this file too so watch out.
+### 4. GitHub access tokens
 
-When everything is set up, you can start analyzing organizations by running `gitrob -o <orgname>` in a terminal. To see options, use `gitrob --help`.
+Gitrob works by querying the [GitHub API](https://developer.github.com/v3/) for interesting information, so you need at least one access token to get up and running. The easiest way is to create a [Personal Access Token](https://github.com/settings/tokens). Press the `Generate new token` button and give the token a description. If you intend on using Gitrob against organizations you're not a member of you don't need to give the token any scopes, as we will only be accessing public data. If you intend to run Gitrob against your own organization, you'll need to check the `read:org` scope to get full coverage.
 
-## Contributing
+If you plan on using Gitrob extensively or against a very large organization, it might be necessary to have multiple access tokens to avoid running into rate limiting. These access tokens will have to be from different user accounts.
+
+### 5. Gitrob
+
+With all the previous steps completed, you can now finally install Gitrob itself with the following command in a terminal:
+
+    gem install gitrob
+
+This will install the Gitrob Ruby gem along with all its dependencies. Congratulations!
+
+### 6. Configuring Gitrob
+
+Gitrob needs to know how to talk to the PostgreSQL database as well as what access token to use to access the GitHub API. Gitrob comes with a convenient configuration wizard which can be invoked with the following command in a terminal:
+
+    gitrob configure
+
+The configuration wizard will ask you for the information needed to set up Gitrob. All the information is saved to `~/.gitrobrc` and yes, Gitrob will be looking for this file too, so watch out!
+
+## Usage
+
+### Analyzing organizations and users
+
+Analyzing organizations and users is the main feature of Gitrob. The `analyze` command accepts an arbitrary amount of organization and user logins, which will be bundled into an assessment:
+
+    gitrob analyze acme,johndoe,janedoe
 
-Gitrob should be considered Beta and there is probably a good amount of bugs. Bug reports and suggestions for improvements are welcome!
+Mixing organizations and users is convenient if you know that a certain user is part of an organization but they do not have their membership public.
+
+When the assessment is finished, the `analyze` command will automatically start up the web server to present the results. This can be avoided by adding the `--no-server` option to the command.
+
+See `gitrob help analyze` for more options.
+
+### Running Gitrob against custom GitHub Enterprise installations
+
+Gitrob can analyze organizations and users on custom GitHub Enterprise installations instead of the official GitHub site. The `analyze` command takes several options to control this:
+
+    gitrob analyze johndoe --site=https://github.acme.com --endpoint=https://github.acme.com/api --access-tokens=token1,token2
+
+See `gitrob help analyze` for more options.
+
+### Starting the Gitrob web server
+
+The Gitrob web server can be started with the `server` command:
+
+    gitrob server
+
+By default, the server will listen on [localhost:9393](http://localhost:9393). This can of course all be controlled:
+
+    gitrob server --bind-address=0.0.0.0 --port=8000
+
+See `gitrob help server` for more options.
+
+### Starting the web server
+
+## Development
+
+After checking out the repo, run `bin/setup` to install dependencies. Then, run `rake spec` to run the tests. You can also run `bin/console` for an interactive prompt that will allow you to experiment. Run `bundle exec gitrob` to use the gem in this directory, ignoring other installed copies of this gem.
+
+To install this gem onto your local machine, run `bundle exec rake install`.
+
+## Contributing
 
-Another way to help out is to contribute new patterns for sensitive files. If you know of any sensitive files that are not already identified, please submit them in a pull request. I am especially interested in sensitive web framework files and configuration files. Have a look at the [patterns.json](https://github.com/michenriksen/gitrob/blob/master/patterns.json) file to see what is already looked for.
+Contributions are welcome! Read [CONTRIBUTING.md](CONTRIBUTING.md) to get started.
 
-### How to make a pull request:
+## License
 
-1. Fork it ( https://github.com/michenriksen/gitrob/fork )
-2. Create your feature branch (`git checkout -b my-new-feature`)
-3. Commit your changes (`git commit -am 'Add some feature'`)
-4. Push to the branch (`git push origin my-new-feature`)
-5. Create a new Pull Request
+Gitrob is available as open source under the terms of the [MIT License](http://opensource.org/licenses/MIT).

data/Rakefile

@@ -1,2 +1,8 @@
 require "bundler/gem_tasks"
+require "rspec/core/rake_task"
+require "rubocop/rake_task"
 
+RSpec::Core::RakeTask.new(:spec)
+RuboCop::RakeTask.new
+
+task :default => [:spec, :rubocop]

data/bin/console

@@ -0,0 +1,34 @@
+#!/usr/bin/env ruby
+
+require "bundler/setup"
+require "awesome_print"
+require "gitrob"
+
+class QueryLogger < Logger
+  def format_message(_severity, _timestamp, _progname, msg)
+    "#{msg}\n".cyan
+  end
+end
+
+DB_MIGRATIONS_PATH   = File.expand_path("../../db/migrations", __FILE__)
+GITROB_CONFIGURATION = Gitrob::CLI::Commands::Configure.load_configuration!
+
+Sequel.extension :migration, :core_extensions
+DB = Sequel.connect(GITROB_CONFIGURATION["sql_connection_uri"])
+Sequel::Migrator.run(DB, DB_MIGRATIONS_PATH)
+Sequel::Model.db = DB
+Sequel::Model.plugin :validation_helpers, :timestamps
+
+require "gitrob/models/assessment"
+require "gitrob/models/github_access_token"
+require "gitrob/models/owner"
+require "gitrob/models/repository"
+require "gitrob/models/blob"
+require "gitrob/models/flag"
+require "gitrob/models/comparison"
+
+DB.logger = QueryLogger.new(STDOUT)
+
+require "irb"
+AwesomePrint.irb!
+IRB.start

data/bin/setup

@@ -0,0 +1,7 @@
+#!/bin/bash
+set -euo pipefail
+IFS=$'\n\t'
+
+bundle install
+
+# Do any other automated setup that you need to do here

data/db/migrations/001_create_assessments.rb

@@ -0,0 +1,19 @@
+Sequel.migration do
+  change do
+    create_table(:assessments) do
+      primary_key :id
+      String :name
+      String :endpoint
+      String :site
+      Boolean :verify_ssl
+      Integer :owners_count, :default => 0
+      Integer :repositories_count, :default => 0
+      Integer :blobs_count, :default => 0
+      Integer :findings_count, :default => 0
+      Boolean :finished, :default => false, :index => true
+      Boolean :deleted, :default => false, :index => true
+      DateTime :updated_at
+      DateTime :created_at, :index => true
+    end
+  end
+end