
Add audit script for gitstream-cm[bot] installation token activity #514

Closed
ariel-linearb wants to merge 1 commit into develop from installation_audit

Conversation

ariel-linearb (Contributor) commented Apr 4, 2026

This script audits all GitHub audit log activity performed by the gitstream-cm[bot] GitHub App within a specified organization and time window. It queries the GitHub org-level audit log API, filtering for actions attributed to the gitstream bot actor, and collects all events including git operations (clone, fetch), workflow runs (created, completed), and any other actions recorded in the audit log.

The results are exported to a CSV file with key fields per event: timestamp, action type, target repository, token type, workflow conclusion, workflow run ID, and user agent.

NOTE: The script requires a GitHub PAT with admin:org and read:audit_log scopes.

✨ PR Description

Purpose: Add Python audit script to analyze gitstream-cm[bot] activity across GitHub organizations using Personal Access Token authentication and audit log API.

Main changes:

  • Created CLI tool to fetch and filter bot audit log entries within configurable time window using GitHub API pagination
  • Implemented CSV export with parsed fields including timestamp, action, repository, token type, and workflow details
  • Added comprehensive logging with action counts, repository targeting stats, and chronological timeline output

Generated by LinearB AI and added by gitStream.
AI-generated content may contain inaccuracies. Please verify before using.


orca-security-us (bot) left a comment


Orca Security Scan Summary

Status   Check                    Issues by priority
Passed   Infrastructure as Code   high 0, medium 0, low 0, info 0
Passed   OSS Licenses             high 0, medium 0, low 0, info 0
Passed   SAST                     high 0, medium 0, low 0, info 0
Passed   Secrets                  high 0, medium 0, low 0, info 0
Passed   Vulnerabilities          high 0, medium 0, low 0, info 0

linearb (bot) added the "20 min review" label Apr 4, 2026

linearb (bot) left a comment


✨ PR Review

Agentic review
The gitstream bot audit script carries meaningful risk in three areas—hardcoded time windows requiring manual code edits, falsy-zero timestamp logic that silently picks wrong dates, and credential exposure in process lists—and needs a pass before merge.

3 issues detected:

🧹 Maintainability - Hardcoded Time Window Requires Code Edit Per Run

Details: Lines 22–23 hardcode TIME_FROM and TIME_TO to fixed dates (2026-03-30 and 2026-04-04), requiring code edits every time you need to audit a different time window. Since the script is designed for repeated audits over varying periods, add CLI arguments or environment variables to make the time window configurable without modifying source code.
File: installation_audit.py (22-23)

🐞 Bug - Falsy Integer 0 Causes Wrong Timestamp Fallback

Details: At line 73 in installation_audit.py, using entry.get("@timestamp") or entry.get("created_at", 0) incorrectly treats a falsy @timestamp of 0 as missing. If @timestamp equals 0 (Unix epoch), the code falls back to created_at, and if that's also absent, ts becomes 0, causing parse_ts to return 1970-01-01 UTC. This triggers an early pagination exit, silently dropping all remaining audit events in the requested time window. Use explicit None checks like entry.get("@timestamp") if entry.get("@timestamp") is not None else entry.get("created_at", 0) to preserve valid falsy timestamps.
File: installation_audit.py (73-73)

🔒 Security - PAT Token Exposed in Process List and Shell History

Details: The GitHub PAT is passed as a plain-text CLI argument at line 114, making it visible to all users via ps aux during execution and permanently storing it in shell history files like ~/.bash_history. This exposes a credential with admin:org and read:audit_log scopes, granting broad organizational access. Use environment variables or secure credential managers instead of command-line arguments to prevent this leak.
File: installation_audit.py (114-114)

Generated by LinearB AI and added by gitStream.
AI-generated content may contain inaccuracies. Please verify before using.
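The two code-level points in the review above (the `or` fallback that discards a falsy timestamp, and taking the PAT from the environment instead of argv) together with the actor and time-window filtering the PR description outlines, as an added Python example that is not the PR's installation_audit.py; the sample events, the CSV field names and the GITHUB_TOKEN variable are constructed assumptions:

```python
import os
from datetime import datetime, timezone

# Constructed sample audit-log entries, not real GitHub data. GitHub reports
# "@timestamp" in milliseconds since the epoch; "created_at" is the fallback key.
SAMPLE_EVENTS = [
    {"@timestamp": 1775000000000, "action": "git.clone", "actor": "gitstream-cm[bot]",
     "repo": "acme/widgets", "token_type": "installation", "user_agent": "git/2.44"},
    {"@timestamp": 0, "created_at": 1775050000000, "action": "workflow_run.created",
     "actor": "gitstream-cm[bot]", "repo": "acme/widgets", "token_type": "installation"},
    {"@timestamp": 1775100000000, "action": "git.fetch", "actor": "octocat",
     "repo": "acme/widgets", "token_type": "pat"},
]

def buggy_timestamp(entry):
    # The pattern the review flags: `or` treats a legitimate 0 as "missing".
    return entry.get("@timestamp") or entry.get("created_at", 0)

def event_timestamp(entry):
    # Explicit None check: only a truly absent @timestamp falls back to created_at.
    ts = entry.get("@timestamp")
    return ts if ts is not None else entry.get("created_at", 0)

def parse_ts(ms):
    # Audit-log timestamps are epoch milliseconds; 0 parses to 1970-01-01 UTC.
    return datetime.fromtimestamp(ms / 1000, tz=timezone.utc)

def load_token():
    # Read the PAT from the environment instead of argv so it never shows up in
    # `ps` output or in shell history (GITHUB_TOKEN is an assumed variable name).
    token = os.environ.get("GITHUB_TOKEN")
    if not token:
        raise RuntimeError("set GITHUB_TOKEN (admin:org and read:audit_log scopes)")
    return token

def audit_rows(entries, actor, time_from, time_to):
    # Keep only the actor's events inside [time_from, time_to], shaped as CSV rows.
    rows = []
    for e in entries:
        if e.get("actor") != actor:
            continue
        when = parse_ts(event_timestamp(e))
        if not (time_from <= when <= time_to):
            continue
        rows.append({"timestamp": when.isoformat(), "action": e.get("action", ""),
                     "repo": e.get("repo", ""), "token_type": e.get("token_type", ""),
                     "workflow_conclusion": e.get("conclusion", ""),
                     "workflow_run_id": e.get("workflow_run_id", ""),
                     "user_agent": e.get("user_agent", "")})
    return rows
```

Note that an entry whose chosen timestamp is 0 still parses to 1970 and falls outside any realistic window, which is why a loop that stops paginating at the first out-of-window event should treat such entries as malformed rather than as the end of the range.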
