# laravel/moat

Source: GitHub repository `laravel/moat` (Rust, MIT License, default branch `0.x`; 318 stars, 11 forks; page last synced 2026-06-11 03:57:35). The README follows.

<p align="center">
    <img src="./art/logo.svg" alt="Logo Laravel Moat" width="50%">
    <img src="./art/demo.png" alt="Example Laravel Moat" width="800">
    <p align="center">
        <a href="https://github.com/laravel/moat/actions"><img alt="GitHub Workflow Status (main)" src="https://github.com/laravel/moat/actions/workflows/ci.yml/badge.svg"></a>
        <a href="https://github.com/laravel/moat/releases"><img alt="Latest Version" src="https://img.shields.io/github/v/release/laravel/moat"></a>
        <a href="https://github.com/laravel/moat/blob/1.x/LICENSE"><img alt="License" src="https://img.shields.io/github/license/laravel/moat"></a>
    </p>
</p>

## Introduction

**Moat** reviews the security posture of your **GitHub organization** and **repositories**, then surfaces recommendations to consider. It inspects the security controls GitHub already offers (two-factor authentication enforcement, branch protection, signed commits, secret scanning, Dependabot alerts, workflow permissions, pinned actions, repository webhooks, and more) and reports which ones are not enabled or not configured in line with common recommendations.

> **What Moat is, and what it is not.** Moat is a read-only review tool. It does **not** modify any settings, harden your repositories, prevent intrusions, or remediate compromises. It surfaces **suggestions** based on GitHub's own security settings; it is your responsibility to evaluate each one in the context of your project and decide whether to apply it. A clean Moat report does not certify that an account is secure, nor does a failing report mean it has been compromised.

## Installation

> **Works with any GitHub organization, user, or repository.** A `GITHUB_TOKEN`, `GH_TOKEN`, or [GitHub CLI](https://cli.github.com) login is required.

### Homebrew (macOS / Linux)

```bash
brew tap laravel/moat https://github.com/laravel/moat
brew install laravel/moat/moat
```

### Prebuilt binaries

Download the archive for your platform from the [releases page](https://github.com/laravel/moat/releases) and place `moat` on your `PATH`.

## Usage

```bash
moat <account>
```

`<account>` can be a GitHub organization, a user, or an `<owner>/<repo>` slug.

```bash
moat <your-org>
moat <owner>/<repo>
```

### Options

- `-v`, `--verbose`: display all collaborators and members instead of truncating the list.
- `--theme <auto|dark|light>`: color theme. Defaults to `auto`, which detects the terminal background via `COLORFGBG`.
- `-h`, `--help`: print help.
- `-V`, `--version`: print version.

## Authentication

`moat` resolves a GitHub token in this order:

1. `GITHUB_TOKEN` environment variable
2. `GH_TOKEN` environment variable
3. `gh auth token` (if the [GitHub CLI](https://cli.github.com) is installed and logged in)

For organization audits the token needs:

- `admin:org`: list members, admins, and outside collaborators, read the 2FA requirement, and read org-level Actions policies
- `repo`: read branch protection, required reviews, secret scanning, Dependabot alerts, repository contents (`SECURITY.md`), and repository webhooks
- `workflow`: read `.github/workflows/*` files to detect unpinned actions, `pull_request_target` misuse, and overly permissive `permissions:` blocks

A classic PAT with these scopes works. Keep in mind that `admin:org` and `repo` are write scopes: a token carrying them can change organization settings and push to its repositories, which is far more than a read-only review needs, so treat it as a privileged credential for the duration of the run. A token taken from `gh auth token` carries whatever scopes were granted at `gh auth login` time, and `admin:org` is not among the CLI's defaults; for an org audit, run `gh auth refresh -s admin:org` first or use a PAT.
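The resolution order and scope list above can be verified before the audit runs. The script below is an added example, not part of Moat: it resolves a token the same way Moat does, reads the `x-oauth-scopes` header that the GitHub API returns for classic PATs, and reports which of the organization-audit scopes the token lacks. The header parsing runs against two constructed responses so the script works offline; the `curl` line that fetches real headers is shown in a comment. A token that returns no `x-oauth-scopes` header is reported as granting none of the required scopes.

```shell
#!/bin/sh
# Added example, not part of Moat: resolve a token in the order Moat uses and
# check that a classic PAT carries the scopes the README lists for an org audit.

# Print the first available token: GITHUB_TOKEN, then GH_TOKEN, then gh's store.
resolve_token() {
  if [ -n "${GITHUB_TOKEN:-}" ]; then printf '%s\n' "$GITHUB_TOKEN"; return 0; fi
  if [ -n "${GH_TOKEN:-}" ]; then printf '%s\n' "$GH_TOKEN"; return 0; fi
  if command -v gh >/dev/null 2>&1; then gh auth token 2>/dev/null; return $?; fi
  return 1
}

# Extract the granted scopes from raw HTTP response headers. Classic PATs
# report them in x-oauth-scopes; a response without that header yields nothing.
scopes_from_headers() {
  printf '%s\n' "$1" | tr -d '\r' \
    | awk 'tolower($1) == "x-oauth-scopes:" { print substr($0, length($1) + 2) }'
}

# Print each required scope absent from the granted list; return 1 if any is.
# No scope hierarchy is expanded: Moat's three scopes are all top level, so an
# exact match is the right test (read:org does not satisfy admin:org).
missing_scopes() { # missing_scopes "<granted, comma separated>" scope...
  granted=",$(printf '%s' "$1" | tr -d ' '),"
  shift
  rc=0
  for need in "$@"; do
    case "$granted" in
      *",$need,"*) ;;
      *) printf '%s\n' "$need"; rc=1 ;;
    esac
  done
  return $rc
}

# Scopes the README requires for an organization audit.
ORG_SCOPES="admin:org repo workflow"

# Check a response's headers against ORG_SCOPES; 0 when the token is sufficient.
check_org_scopes() { # check_org_scopes "<raw response headers>"
  if missing=$(missing_scopes "$(scopes_from_headers "$1")" $ORG_SCOPES); then
    echo "token carries every scope Moat needs for an org audit"
  else
    echo "token is missing scopes for an org audit:"
    printf '  %s\n' $missing   # unquoted on purpose: one line per scope
    return 1
  fi
}

# Constructed response headers (not real GitHub replies) for an offline run.
SAMPLE_OK='HTTP/2 200
x-oauth-scopes: admin:org, repo, workflow
content-type: application/json; charset=utf-8'
SAMPLE_SHORT='HTTP/2 200
x-oauth-scopes: read:org, repo, workflow
content-type: application/json; charset=utf-8'

# Live variant (needs network): capture the headers for the resolved token with
#   curl -sS -D - -o /dev/null -H "Authorization: Bearer $(resolve_token)" https://api.github.com/user
# and pass that output to check_org_scopes.

check_org_scopes "$SAMPLE_OK"
check_org_scopes "$SAMPLE_SHORT" || echo "(re-issue the token with admin:org before running an org audit)"
```

Because `missing_scopes` matches scope names exactly, a token that only has `public_repo` is flagged for `repo`, and `read:org` does not pass for `admin:org`; both are the mistakes that make an org audit fail halfway through.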
For user accounts (rather than organizations), only `repo` and `workflow` are required.

**Important: If you create a personal access token to run Moat, revoke it as soon as you're done.** Visit [github.com/settings/tokens](https://github.com/settings/tokens) and delete the token after your review. Tokens that linger on disk or in shell history are themselves a security risk; Moat only needs access for the duration of the run. If you exported the token into your shell, `unset GITHUB_TOKEN` afterwards as well, and avoid typing it on the command line, where it ends up in shell history.

## Checks

Each entry below describes a security setting Moat looks at, along with the reasoning behind the suggestion. The text explains the risk that the setting helps mitigate; it does not imply that enabling the setting alone is sufficient to defend against the threat, nor that leaving it disabled means an account is compromised.

### `organization_requires_two_factor`

Stolen passwords are the entry point of most maintainer-account compromises; enforcing 2FA org-wide raises the cost of a takeover from a phishing email to a physical device.

### `organization_members_all_have_two_factor`

The org-level requirement and each member's actual enrollment are separate questions. This check walks the member list and reports every account without 2FA enabled, whatever the org policy says; a single unenrolled member is the weakest unlocked door into the org.

### `organization_new_members_default_to_no_permissions`

This setting decides the blast radius of a single compromised account; with write or admin as the default, one stolen session can push to every repo at once instead of just the ones that member legitimately touches.

### `repositories_actions_workflow_token_is_read_only`

Every workflow inherits this token by default; granting write at the org or repo level means a typo'd action reference or a hijacked third-party action can rewrite history, tags, and releases without ever needing a maintainer's credentials.

### `repositories_secret_scanning_is_enabled`

Secrets accidentally committed stay valid until someone notices; scanning gives you minutes-to-hours warning instead of waiting for a leaked-credential abuse alert from a downstream provider.

### `repositories_secret_push_protection_is_enabled`

Scanning finds secrets after they reach GitHub; push protection rejects them at the git layer so the credential never enters history, forks, mirrors, or backups in the first place.

### `repositories_dependabot_alerts_are_enabled`

Vulnerable or compromised package versions are usually disclosed publicly before exploitation becomes widespread; alerts tell you which of your repos consume the bad version so you can pin or patch within that window.

### `repositories_dependabot_security_updates_are_enabled`

Alerts only tell you a vulnerable dependency is in use; security updates are what actually open the PR that bumps it. Without them, an alert sits in the dashboard until someone notices, and that delay is exactly the window you wanted to close.

### `repositories_releases_are_immutable`

Without immutability, an existing tag can be moved or its assets replaced after the fact; downstream consumers pinned to a version they audited will silently fetch different bytes the next time they install.

### `repositories_fork_pull_requests_require_approval`

A fork PR can ship malicious workflow changes that run with your runners' filesystem and network access on the first push (most dangerous on self-hosted runners, which keep state between jobs); approval gating lets a human read the diff before code from a stranger executes.

### `repositories_commits_are_signed`

A stolen developer token can push commits authored as anyone; requiring a verified signature ties each commit to a key the attacker doesn't have, turning a leaked token from a code push into a noisy failure. Note that commits created through the GitHub web UI or REST API are signed by GitHub itself, so this control raises the bar for `git push` with a stolen token rather than for every token-driven write.

### `repositories_pull_requests_require_reviews`

Without required reviews, a single compromised contributor account can push directly to a release branch; peer review is the cheapest mechanism that catches malicious patches before they ship.

### `repositories_release_branches_are_locked`

Force pushes and branch deletions rewrite history: an attacker (or a tired maintainer) can erase the audit trail of a malicious commit or quietly replace a tagged release with a different tree.

### `repositories_release_branches_have_linear_history`

Merge commits can hide unreviewed parents: a `git merge` of an unprotected side branch can introduce code that no reviewer ever saw, while still appearing as a normal merge in the PR.

### `repositories_webhooks_are_secure`

Plain-HTTP hooks leak payloads (and any secrets inside them) to any network on the path, and a hook without a shared secret has no way to prove the request actually came from GitHub: the secret is the key GitHub uses for the `X-Hub-Signature-256` HMAC that the receiver verifies.

### `repositories_have_no_direct_collaborators`

Direct collaborators bypass org-level team membership audits and outlive role changes; access reviews miss them, so a long-departed contributor can keep push rights indefinitely.

### `repositories_private_vulnerability_reporting_is_enabled`

Without a private intake, researchers either drop a public issue (advertising the bug before it's fixed) or give up; the private channel lets you triage and ship a patched release before exploitation.

### `repositories_workflow_actions_are_pinned`

Tags and branches are mutable. When `tj-actions/changed-files` was compromised in 2025, the attacker repointed the existing version tags, so every workflow referencing it by tag (`@v1` and the rest) instantly ran malicious code; a full-length commit SHA cannot be repointed. A SHA pin covers the action you reference directly; anything that action itself pulls in by tag stays mutable.

### `repositories_pull_request_target_is_safe`

`pull_request_target` runs with the base repo's secrets and write token; if the workflow then checks out the PR's code, any fork PR executes attacker-controlled code with full repo privileges.

### `repositories_workflow_permissions_are_restricted`

Without a declared `permissions:` block the workflow falls back to the repository or organization default token permissions, which may be write; with `write-all`, every step in the workflow, including third-party actions, runs with full repo write access, turning any compromised action into a code-push primitive.

### `repositories_have_security_policy`

Without a disclosure channel, well-meaning researchers file public issues with full PoCs; `SECURITY.md` is what funnels them to a private channel before the world sees the bug.

### `repositories_have_dependabot_config`

Pinning actions to SHAs is only safe if something keeps them up to date; without Dependabot the pins rot and either get bumped to a tag (defeating the pin) or stay stuck on a known-vulnerable revision.

## Configuration

`moat` looks for a `moat.toml` file at the root of each audited repository. Use it to disable checks that don't apply to that repo. Disabled checks render as `SKIPPED` in the output and don't count toward the failure total.

```toml
[checks]
repositories_commits_are_signed = "off"
repositories_workflow_actions_are_pinned = "off"
```

Values are `"on"` (default) or `"off"`. Use any check ID from the [Checks](#checks) section above.

You can also declare additional release branches that should be treated as protected alongside the default branch and any branches matching the built-in release patterns. `release_branches` is a top-level key, so place it above the `[checks]` table (in TOML, keys after a table header belong to that table):

```toml
release_branches = ["0.x", "1.x"]
```

## Checks skipped on GitHub Free

- **GitHub Free plan on private repos.** Several checks rely on features that aren't available on Free for private repositories, so they skip with `N/A (plan)`:
  - `repositories_commits_are_signed`
  - `repositories_pull_requests_require_reviews`
  - `repositories_release_branches_are_locked`
  - `repositories_release_branches_have_linear_history`
  - `repositories_secret_scanning_is_enabled`
  - `repositories_secret_push_protection_is_enabled`

## Contributing

Thank you for considering contributing to Moat! The contribution guide can be found in the [Laravel documentation](https://laravel.com/docs/contributions).

## Code of Conduct

In order to ensure that the Laravel community is welcoming to all, please review and abide by the [Code of Conduct](https://laravel.com/docs/contributions#code-of-conduct).

## Security Vulnerabilities

Please review [our security policy](https://github.com/laravel/moat/security/policy) on how to report security vulnerabilities.

## License

Moat is open-sourced software licensed under the [MIT license](LICENSE).

Page summary (translated from the hosting page's Chinese summary): Laravel Moat is a tool that reviews the security posture of GitHub organizations and repositories and offers recommendations for improvement. It checks settings including two-factor authentication, branch protection, signed commits, secret scanning, Dependabot alerts, workflow permissions, pinned actions and repository webhooks against best practice. Written in Rust, it is a read-only review tool that does not modify settings or harden repositories itself; it suits teams that periodically assess the security of their GitHub projects and want to identify risk points and act on them.
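The three workflow checks in the Checks section (`repositories_workflow_actions_are_pinned`, `repositories_pull_request_target_is_safe`, and `repositories_workflow_permissions_are_restricted`) describe patterns that are visible in a workflow file without calling GitHub at all. The script below is an added example and not Moat's implementation: it writes two constructed workflow files, one with all three weaknesses and one with each addressed, and runs a small grep-based lint over them. Its rules are simplifications chosen for illustration: a reference counts as pinned only when its ref is a 40-character commit SHA, `pull_request_target` is flagged only when the same file also checks out a PR head, and only a top-level `permissions:` block is inspected (job-level blocks and the `on: [pull_request_target]` list syntax are not handled). The SHA in the safe file is the commit tagged `v4.2.2` on `actions/checkout` at the time of writing; verify it against the action's releases before reusing it.

```shell
#!/bin/sh
# Added example, not Moat's implementation: a grep-based lint for the three
# workflow checks, run over two constructed workflow files. The rules are
# simplifications chosen for this demo (see the comments on each function).

WORKDIR=$(mktemp -d)
trap 'rm -rf "$WORKDIR"' EXIT

# Constructed sample: the shape each of the three checks warns about.
cat > "$WORKDIR/unsafe.yml" <<'EOF'
name: unsafe
on:
  pull_request_target:
    types: [opened, synchronize]
permissions: write-all
jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          ref: ${{ github.event.pull_request.head.sha }}   # fork code, base secrets
      - uses: tj-actions/changed-files@v45                # mutable tag
      - run: npm ci && npm test
EOF

# Constructed sample: the same job with each finding addressed.
cat > "$WORKDIR/safe.yml" <<'EOF'
name: safe
on:
  pull_request:
permissions:
  contents: read
jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
      - run: npm ci && npm test
EOF

# List every `uses:` reference that is not pinned to a 40-hex commit SHA.
# Local actions (./path) have no ref and are skipped; a trailing "# vX" comment
# (the convention Dependabot maintains on SHA pins) is stripped before the check.
unpinned_actions() {
  grep -E '^[[:space:]-]*uses:' "$1" \
    | sed -E 's/^[[:space:]-]*uses:[[:space:]]*//; s/[[:space:]]*(#.*)?$//' \
    | grep -Ev '^\./' \
    | grep -Ev '@[0-9a-f]{40}$' || true
}

# True when the file triggers on pull_request_target AND checks out the PR head,
# the combination that hands fork code the base repo's secrets and write token.
has_unsafe_pull_request_target() {
  grep -Eq '(^|[^[:alnum:]_])pull_request_target([^[:alnum:]_]|$)' "$1" || return 1
  grep -Eq 'github\.event\.pull_request\.head\.(sha|ref)|refs/pull/' "$1"
}

# Classify the top-level permissions block (job-level blocks are not inspected):
#   missing     no block, so the repo/org default token permission applies
#   write-all   explicit write-all
#   restricted  an explicit, scoped block
workflow_permissions() {
  line=$(grep -E '^permissions:' "$1" | head -n 1)
  case "$line" in
    '')          echo missing ;;
    *write-all*) echo write-all ;;
    *)           echo restricted ;;
  esac
}

# Run all three checks on one file; prints each finding, returns their count.
lint_workflow() {
  f=$1; n=0
  for ref in $(unpinned_actions "$f"); do
    echo "$f: unpinned action $ref"; n=$((n + 1))
  done
  if has_unsafe_pull_request_target "$f"; then
    echo "$f: pull_request_target workflow checks out the PR head"; n=$((n + 1))
  fi
  perm=$(workflow_permissions "$f")
  if [ "$perm" != restricted ]; then
    echo "$f: top-level permissions are $perm"; n=$((n + 1))
  fi
  return $n
}

for wf in "$WORKDIR"/unsafe.yml "$WORKDIR"/safe.yml; do
  if lint_workflow "$wf"; then echo "$wf: clean"; else echo "$wf: $? finding(s)"; fi
done
```

Real workflows are YAML, and anything beyond a demonstration should use a YAML-aware parser (or Moat itself, which reads the files through the API and therefore needs the `workflow` scope). The grep rules here are deliberately small so that what each check is looking for is visible in the pattern.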
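For `repositories_webhooks_are_secure`, the shared secret is what lets the receiving end prove a delivery came from GitHub: GitHub computes HMAC-SHA256 over the raw request body with the secret and sends the hex digest as `X-Hub-Signature-256: sha256=<digest>`. The snippet below is an added example, not code from Moat, showing both halves with `openssl`: signing a constructed payload under a constructed secret, and a receiver-side verification that rejects a tampered body, a wrong secret, and a delivery that carries no signature at all (which is what a hook configured without a secret produces). The secret and body are constructed for the demo.

```shell
#!/bin/sh
# Added example, not Moat's code: what a webhook secret enables. Requires
# openssl. The secret and payload below are constructed for the demo.

# Compute the X-Hub-Signature-256 value for BODY under SECRET.
# openssl prints "...= <hex>", so the last space-separated field is the digest.
sign_payload() { # sign_payload SECRET BODY
  printf '%s' "$2" | openssl dgst -sha256 -hmac "$1" | sed 's/^.* //; s/^/sha256=/'
}

# Receiver side: recompute and compare. Returns 0 on a match, 1 otherwise.
# A production receiver should use a constant-time comparison in its
# application code; the shell string compare here is for illustration only.
verify_payload() { # verify_payload SECRET BODY HEADER_VALUE
  [ -n "$3" ] || return 1          # no signature header: hook has no secret
  expected=$(sign_payload "$1" "$2")
  [ "$expected" = "$3" ]
}

WEBHOOK_SECRET='example-shared-secret'                                  # constructed
BODY='{"action":"opened","repository":{"full_name":"example/repo"}}'   # constructed
SIG=$(sign_payload "$WEBHOOK_SECRET" "$BODY")

echo "X-Hub-Signature-256: $SIG"
verify_payload "$WEBHOOK_SECRET" "$BODY" "$SIG" && echo "genuine delivery accepted"
verify_payload "$WEBHOOK_SECRET" "${BODY}x" "$SIG" || echo "tampered body rejected"
verify_payload 'wrong-secret' "$BODY" "$SIG" || echo "forged delivery rejected"
verify_payload "$WEBHOOK_SECRET" "$BODY" "" || echo "unsigned delivery rejected"
```

The HTTPS half of the check is independent of this: the signature proves origin and integrity, but only TLS keeps the payload (and the signature itself) out of the hands of anyone on the network path.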