A comprehensive GitHub organization compliance and configuration management tool that automates the enforcement of branch protection rules, configuration files, and compliance standards across multiple repositories.
GitHub MCD (Mandatory Compliance Deployment) is designed to help organizations maintain consistent policies, security standards, and best practices across all GitHub repositories. It automates:
- Branch Protection: Enforces branch protection rules on default branches
- Configuration Management: Deploys and maintains required configuration files (APM.yaml, AI.yaml, Whitesource)
- Compliance Reporting: Generates detailed compliance reports with scoring
- Team Management: Supports organization-wide and team-specific enforcement
- Webhooks: Manages GitHub webhook configurations
- Dry-Run Mode: Preview changes before applying them
- YAML-based Configuration: Simple YAML configs for organization-wide policies
- Multi-Repository Support: Target single repos or entire organizations
- Team-Based Deployment: Deploy configs to specific team repositories
- Dry-Run Mode: Preview all changes before executing
- Compliance Scoring: Automatic compliance calculations with status reporting
- JSON & PDF Reports: Generate detailed compliance reports in multiple formats
- Centralized GitHub Client: Efficient API handling
- Comprehensive Logging: Detailed activity logs for audit trails
- Python 3.8+
- GitHub Personal Access Token with repo and admin permissions
```text
PyGithub==2.5.0        # GitHub API client
PyYAML==6.0.2          # YAML configuration parsing
python-dotenv==1.0.1   # Environment variable management
jinja2==3.1.6          # Template rendering
reportlab==3.6.13      # PDF report generation
```
```bash
git clone <repository-url>
cd "GitHub MCD"
python3 -m venv .venv
source .venv/bin/activate   # On macOS/Linux
# or
.venv\Scripts\activate      # On Windows
pip install -r requirements.txt
```
Copy .env.example and configure it with your credentials:
```bash
cp .env.example .env
```
Edit .env with your GitHub credentials:
```text
ENFORCER_TOKEN=your_github_personal_access_token
WEBHOOK_SECRET=your_webhook_secret_key
```
- ENFORCER_TOKEN: GitHub Personal Access Token with repo and admin permissions
- WEBHOOK_SECRET: Secret key for validating incoming webhooks
The main configuration file controls organization-wide policies:
```yaml
organization: your-org-name
target_repos:
  - repo-name-1
  - repo-name-2
required_files:
  - path: .github/APM.yaml
    template: APM.yaml
    commit_message: "Add APM configuration [MCD Enforcer]"
  - path: .github/AI.yaml
    template: AI.yaml
    commit_message: "Add AI guidelines [MCD Enforcer]"
branch_protection:
  enabled: true
  branch: main
  required_approving_review_count: 1
  require_code_owner_reviews: true
  dismiss_stale_reviews: true
  enforce_admins: true
  required_status_checks:
    strict: true
    contexts:
      - "ci/build"
      - "security/scan"
```
Configure team-specific repository assignments:
```yaml
teams:
  - name: backend
    repos:
      - backend-api
      - backend-services
  - name: frontend
    repos:
      - frontend-app
      - frontend-shared
```
Template files (*.yaml) are deployed to repositories as required files. Examples:
- APM.yaml: Application Performance Monitoring configuration
- AI.yaml: AI guidelines and policies
- .whitesource: Security scanning configuration
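The following is an added example (not code from the GitHub MCD project) of the two things a config loader must do before any API call is made: reject a malformed global.yaml, and resolve the repositories a run targets from global.yaml or from a team in teams.yaml. The two dicts are the parsed form of the YAML shown above; the validation rules, the `validate_global` / `resolve_targets` names and the hypothetical bad config are this example's own assumptions.

```python
"""Added example, not part of the GitHub MCD project: validate the parsed form of
config/global.yaml and resolve target repositories from global.yaml / teams.yaml.
Validation rules and function names are this example's assumptions."""
from typing import Dict, List, Optional

# Parsed equivalent of the config/global.yaml shown above.
GLOBAL_CFG: Dict = {
    "organization": "your-org-name",
    "target_repos": ["repo-name-1", "repo-name-2"],
    "required_files": [
        {"path": ".github/APM.yaml", "template": "APM.yaml",
         "commit_message": "Add APM configuration [MCD Enforcer]"},
        {"path": ".github/AI.yaml", "template": "AI.yaml",
         "commit_message": "Add AI guidelines [MCD Enforcer]"},
    ],
    "branch_protection": {"enabled": True, "branch": "main",
                          "required_approving_review_count": 1},
}

# Parsed equivalent of the config/teams.yaml shown above.
TEAMS_CFG: Dict = {
    "teams": [
        {"name": "backend", "repos": ["backend-api", "backend-services"]},
        {"name": "frontend", "repos": ["frontend-app", "frontend-shared"]},
    ]
}


def validate_global(cfg: Dict) -> List[str]:
    """Return human-readable problems; an empty list means the config is usable.
    Every required_files entry needs path, template and commit_message, and the
    template name must stay inside templates/ (no '..' path component)."""
    errors: List[str] = []
    if not isinstance(cfg.get("organization"), str) or not cfg["organization"]:
        errors.append("organization must be a non-empty string")
    if not isinstance(cfg.get("target_repos", []), list):
        errors.append("target_repos must be a list")
    for i, rf in enumerate(cfg.get("required_files", [])):
        for key in ("path", "template", "commit_message"):
            if not rf.get(key):
                errors.append(f"required_files[{i}] is missing '{key}'")
        if ".." in str(rf.get("template", "")).replace("\\", "/").split("/"):
            errors.append(f"required_files[{i}].template must not contain '..'")
    bp = cfg.get("branch_protection", {})
    if bp.get("enabled") and not bp.get("branch"):
        errors.append("branch_protection.branch is required when enabled")
    count = bp.get("required_approving_review_count", 1)
    # GitHub accepts 0 (no reviewers) or 1 to 6 required approving reviews.
    if not isinstance(count, int) or not 0 <= count <= 6:
        errors.append("branch_protection.required_approving_review_count must be an integer from 0 to 6")
    return errors


def resolve_targets(global_cfg: Dict, teams_cfg: Dict, team: Optional[str] = None) -> List[str]:
    """Repositories to act on: the named team's repos, else global target_repos.
    An unknown team name raises so a typo cannot silently widen or empty the run."""
    if team is None:
        return list(global_cfg.get("target_repos", []))
    for entry in teams_cfg.get("teams", []):
        if entry.get("name") == team:
            return list(entry.get("repos", []))
    raise KeyError(f"team '{team}' is not defined in teams.yaml")


if __name__ == "__main__":
    print("problems:", validate_global(GLOBAL_CFG) or "none")
    print("org-wide targets:", resolve_targets(GLOBAL_CFG, TEAMS_CFG))
    print("backend targets:", resolve_targets(GLOBAL_CFG, TEAMS_CFG, "backend"))
```

Failing closed on an unknown team name matters for a tool that writes to every repository it is pointed at: a misspelled `--team` should abort the run rather than fall back to the organization-wide list.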
Validate your configuration files:
```bash
python -m scripts.test_config
python -m scripts.test_repos
```
Apply branch protection rules:
```bash
# Dry-run (preview changes)
python -m scripts.branch_protection --dry-run
# Apply changes
python -m scripts.branch_protection --apply
```
Deploy required configuration files to repositories:
```bash
# Dry-run
python -m scripts.config_files --dry-run
# Apply changes
python -m scripts.config_files --apply
```
Configure GitHub webhooks:
```bash
python -m scripts.webhooks --config config/webhook_mappings.yaml
```
Create compliance report and scoring:
```text
├── requirements.txt              # Python dependencies
├── .env                          # Environment variables (git-ignored)
├── .env.example                  # Environment variables template
├── .gitignore                    # Git ignore rules
│
├── config/
│   ├── global.yaml               # Main organization configuration
│   ├── teams.yaml                # Team-specific repo assignments
│   └── webhook_mappings.yaml     # Webhook event configurations
│
├── templates/
│   ├── APM.yaml                  # APM configuration template
│   ├── AI.yaml                   # AI guidelines template
│   └── .whitesource              # Security scanning template
│
├── scripts/
│   ├── __init__.py
│   ├── github_client.py          # Centralized GitHub API client
│   ├── config_loader.py          # Configuration file loading
│   ├── get_repos.py              # Repository retrieval logic
│   ├── branch_protection.py      # Branch protection enforcement
│   ├── config_files.py           # Configuration file deployment
│   ├── environments.py           # Environment management
│   ├── reporting.py              # Compliance report generation
│   ├── webhooks.py               # Webhook management
│   ├── test_config.py            # Config validation testing
│   └── test_repos.py             # Repository access testing
│
└── reports/
    └── compliance-report-*.json  # Generated compliance reports
```
- github_client.py: Centralized GitHub API client with optimized authentication and rate limiting.
- config_loader.py: Loads and validates YAML configuration files with environment variable support.
- get_repos.py: Retrieves repositories based on organization, team, or individual repo filters.
- branch_protection.py: Enforces branch protection rules according to configuration with dry-run support.
- config_files.py: Deploys and maintains required configuration files across repositories.
- reporting.py: Generates compliance reports with scoring (0-100 scale) and status classification.
- webhooks.py: Manages GitHub webhook event subscriptions and configurations.
Reports are automatically generated in the reports/ directory with:
- Compliance Score: 0-100 scale
- Status: Compliant, Partially Compliant, Non-Compliant
- Repository Details: Status for each repository
- Change Summary: All enforcement actions taken
- Timestamps: ISO 8601 formatted report generation time
Output formats:
- JSON: Machine-readable compliance data
- PDF: Human-readable report document
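The following added example (not code from the GitHub MCD project) ties the branch_protection section of global.yaml to the compliance report above: it flattens what the GitHub REST API returns for a branch's protection, lists every setting that has drifted from policy, derives a 0-100 score with the three statuses listed above, and builds the keyword arguments for PyGithub's `Branch.edit_protection()` so the change can be previewed in dry-run before it is applied. The API response is constructed sample data, and the scoring rule (share of satisfied checks) and the function names are this example's assumptions, not the project's.

```python
"""Added example, not part of the GitHub MCD project: branch-protection drift,
compliance score and dry-run enforcement. The REST response below is constructed
sample data; the scoring rule is an assumption."""
from typing import Any, Dict, List, Optional, Tuple

# Parsed form of branch_protection in config/global.yaml.
DESIRED: Dict[str, Any] = {
    "enabled": True,
    "branch": "main",
    "required_approving_review_count": 1,
    "require_code_owner_reviews": True,
    "dismiss_stale_reviews": True,
    "enforce_admins": True,
    "required_status_checks": {"strict": True, "contexts": ["ci/build", "security/scan"]},
}

# Constructed sample of GET /repos/{owner}/{repo}/branches/main/protection for a
# repository that has drifted from policy (only the fields compared here are shown).
CURRENT_SAMPLE: Dict[str, Any] = {
    "required_pull_request_reviews": {
        "dismiss_stale_reviews": False,
        "require_code_owner_reviews": True,
        "required_approving_review_count": 0,
    },
    "enforce_admins": {"enabled": True},
    "required_status_checks": {"strict": True, "contexts": ["ci/build"]},
}


def flatten_desired(desired: Dict[str, Any]) -> Dict[str, Any]:
    """Turn the config into 'check name -> expected value' pairs."""
    skip = {"enabled", "branch", "required_status_checks"}
    checks = {k: v for k, v in desired.items() if k not in skip}
    rsc = desired.get("required_status_checks") or {}
    checks["required_status_checks.strict"] = bool(rsc.get("strict", False))
    checks["required_status_checks.contexts"] = sorted(rsc.get("contexts", []))
    return checks


def flatten_api(protection: Optional[Dict[str, Any]]) -> Dict[str, Any]:
    """Flatten the REST protection object to the same check names. None (the API
    answered 404 because the branch is unprotected) yields {} so every check fails."""
    if not protection:
        return {}
    have: Dict[str, Any] = {}
    reviews = protection.get("required_pull_request_reviews") or {}
    for key in ("required_approving_review_count", "require_code_owner_reviews", "dismiss_stale_reviews"):
        if key in reviews:
            have[key] = reviews[key]
    if "enforce_admins" in protection:
        have["enforce_admins"] = bool(protection["enforce_admins"].get("enabled", False))
    rsc = protection.get("required_status_checks")
    if rsc:
        have["required_status_checks.strict"] = bool(rsc.get("strict", False))
        have["required_status_checks.contexts"] = sorted(rsc.get("contexts", []))
    return have


def drift(desired: Dict[str, Any], current: Optional[Dict[str, Any]]) -> List[Tuple[str, Any, Any]]:
    """(check, expected, actual) for every check the branch does not satisfy."""
    have = flatten_api(current)
    return [(k, v, have.get(k)) for k, v in flatten_desired(desired).items() if have.get(k) != v]


def score(desired: Dict[str, Any], current: Optional[Dict[str, Any]]) -> Tuple[int, str]:
    """Assumed rule: percentage of satisfied checks, mapped to the three report statuses."""
    total = len(flatten_desired(desired))
    failed = len(drift(desired, current))
    pct = round(100 * (total - failed) / total) if total else 100
    status = "Compliant" if pct == 100 else "Partially Compliant" if pct > 0 else "Non-Compliant"
    return pct, status


def protection_kwargs(desired: Dict[str, Any]) -> Dict[str, Any]:
    """Keyword arguments accepted by PyGithub's Branch.edit_protection()."""
    rsc = desired.get("required_status_checks") or {}
    return {
        "strict": bool(rsc.get("strict", False)),
        "contexts": list(rsc.get("contexts", [])),
        "enforce_admins": bool(desired.get("enforce_admins", False)),
        "dismiss_stale_reviews": bool(desired.get("dismiss_stale_reviews", False)),
        "require_code_owner_reviews": bool(desired.get("require_code_owner_reviews", False)),
        "required_approving_review_count": int(desired.get("required_approving_review_count", 1)),
    }


def enforce(branch: Any, desired: Dict[str, Any], current: Optional[Dict[str, Any]],
            dry_run: bool = True) -> Optional[Dict[str, Any]]:
    """Apply the policy only when drift exists and dry_run is False. 'branch' is a
    PyGithub Branch; only its edit_protection(**kwargs) method is used, so any object
    with that method serves for a preview. Returns the planned call, or None."""
    if not desired.get("enabled", True) or not drift(desired, current):
        return None
    kwargs = protection_kwargs(desired)
    if not dry_run:
        branch.edit_protection(**kwargs)
    return kwargs


if __name__ == "__main__":
    for check, want, have in drift(DESIRED, CURRENT_SAMPLE):
        print(f"DRIFT {check}: expected {want!r}, found {have!r}")
    print("score: %d%% (%s)" % score(DESIRED, CURRENT_SAMPLE))
```

Comparing against the flattened API state rather than blindly re-applying the policy is what makes the dry-run output trustworthy: a repository that already matches produces no planned call, so the change summary in the report lists only real enforcement actions.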
- Use dry-run mode to preview changes before applying
- Review branch protection settings for your security requirements
- Audit webhook configurations regularly
- Keep token scope minimal (repo + admin for branch protection)
- Store WEBHOOK_SECRET securely and use it to validate webhook payloads
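The last point above is the one most often skipped. GitHub signs the raw body of every delivery with HMAC-SHA256 over the configured secret and sends the hex digest in the `X-Hub-Signature-256` header as `sha256=<hex>`; a receiver that does not check it will act on anything POSTed to its endpoint. The following added example (not code from the GitHub MCD project) verifies that header with the `WEBHOOK_SECRET` value from .env. The secret and payload are constructed sample values, and the function names are this example's own.

```python
"""Added example, not part of the GitHub MCD project: verify the X-Hub-Signature-256
header of an incoming GitHub webhook delivery against WEBHOOK_SECRET.
The secret and payload below are constructed sample values."""
import hashlib
import hmac
import os
from typing import Mapping, Optional


def sign(secret: str, body: bytes) -> str:
    """Header value GitHub would send for this body: 'sha256=' + hex HMAC-SHA256."""
    digest = hmac.new(secret.encode("utf-8"), body, hashlib.sha256).hexdigest()
    return "sha256=" + digest


def verify_signature(secret: Optional[str], body: bytes, header: Optional[str]) -> bool:
    """True only if a secret is configured, the header is present and well-formed,
    and its digest matches the body. hmac.compare_digest keeps the comparison
    constant-time so the result does not leak how many leading bytes matched."""
    if not secret or not header or not header.startswith("sha256="):
        return False
    return hmac.compare_digest(sign(secret, body), header)


def accept_delivery(headers: Mapping[str, str], body: bytes, secret: Optional[str] = None) -> bool:
    """Gate a delivery before any JSON parsing. The raw bytes are what GitHub signed,
    so a re-serialised body would not verify. The secret defaults to the
    WEBHOOK_SECRET environment variable that .env provides."""
    if secret is None:
        secret = os.environ.get("WEBHOOK_SECRET")
    # HTTP header names are case-insensitive; frameworks differ in what they hand over.
    header = next((v for k, v in headers.items() if k.lower() == "x-hub-signature-256"), None)
    return verify_signature(secret, body, header)


# Constructed sample delivery (not a real secret or payload).
SAMPLE_SECRET = "example-webhook-secret"
SAMPLE_BODY = b'{"action":"edited","repository":{"full_name":"your-org-name/repo-name-1"}}'

if __name__ == "__main__":
    good = {"X-Hub-Signature-256": sign(SAMPLE_SECRET, SAMPLE_BODY)}
    print("valid delivery accepted:  ", accept_delivery(good, SAMPLE_BODY, SAMPLE_SECRET))
    print("tampered body accepted:   ", accept_delivery(good, SAMPLE_BODY + b" ", SAMPLE_SECRET))
    print("unsigned delivery accepted:", accept_delivery({}, SAMPLE_BODY, SAMPLE_SECRET))
```

Note that an empty or unset `WEBHOOK_SECRET` makes `accept_delivery` reject everything rather than accept everything; a missing secret is a deployment error and should surface as rejected deliveries in the logs, not as silently unauthenticated processing.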
```bash
# Verify GITHUB_TOKEN is set correctly
echo $GITHUB_TOKEN
# Test config loading
python -m scripts.test_config
# Check repository list and permissions
python -m scripts.test_repos
```
- GitHub API has rate limits (60 req/hour unauthenticated, 5000/hour authenticated)
- Implement backoff strategies for large organizations
- Consider using GitHub App tokens for higher limits
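The backoff strategy the list above recommends can be a small wrapper around each API call. The following added example (not code from the GitHub MCD project) retries a call with exponential backoff when PyGithub raises `github.RateLimitExceededException`; if PyGithub is not installed, a local stand-in exception with the same name is used so the example still runs. The sleep function is injectable so that the delays can be inspected without waiting. The `flaky` stand-in for a rate-limited API call and the function names are this example's assumptions.

```python
"""Added example, not part of the GitHub MCD project: exponential backoff around a
GitHub API call that may hit the rate limit. 'flaky' is a constructed stand-in."""
import time
from typing import Callable, List, TypeVar

try:
    from github import RateLimitExceededException  # PyGithub, pinned in requirements.txt
except ImportError:  # stand-in so the example runs without PyGithub installed
    class RateLimitExceededException(Exception):  # type: ignore[no-redef]
        pass

T = TypeVar("T")


def with_backoff(call: Callable[[], T], max_attempts: int = 5, base_delay: float = 1.0,
                 max_delay: float = 60.0, sleep: Callable[[float], None] = time.sleep) -> T:
    """Run call(); on RateLimitExceededException wait base_delay * 2**attempt seconds
    (capped at max_delay) and retry. After max_attempts the last failure is re-raised
    unchanged so the caller still sees the real API error."""
    for attempt in range(max_attempts):
        try:
            return call()
        except RateLimitExceededException:
            if attempt == max_attempts - 1:
                raise
            sleep(min(max_delay, base_delay * (2 ** attempt)))
    raise AssertionError("unreachable: the loop returns or raises")


def planned_delays(max_attempts: int, base_delay: float = 1.0, max_delay: float = 60.0) -> List[float]:
    """Delays with_backoff would sleep if every attempt but the last were rate-limited;
    useful for deciding how long a large organization run can stall."""
    return [min(max_delay, base_delay * (2 ** a)) for a in range(max_attempts - 1)]


def flaky(failures: int) -> Callable[[], str]:
    """Constructed stand-in for an API call that is rate-limited `failures` times
    before succeeding (e.g. repo.get_branch('main')); returns 'ok' when it succeeds."""
    state = {"left": failures}

    def call() -> str:
        if state["left"] > 0:
            state["left"] -= 1
            raise RateLimitExceededException(403, {"message": "API rate limit exceeded"}, None)
        return "ok"

    return call


if __name__ == "__main__":
    result = with_backoff(flaky(2), sleep=lambda s: print(f"rate limited, sleeping {s:.0f}s"))
    print("result:", result)
    print("worst-case delays for 5 attempts:", planned_delays(5))
```

Backing off is only half of the fix for large organizations; the per-run total of `planned_delays` grows quickly, which is why the list above also suggests GitHub App tokens with their higher limits.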
Enable detailed logging to troubleshoot issues:
```python
import logging
logging.basicConfig(level=logging.DEBUG)
```
All operations are logged with timestamps for audit trails and debugging.
When modifying scripts:
- Test configuration with test_config.py
- Test repositories with test_repos.py
- Always use --dry-run mode first
- Update documentation for new features
- Maintain consistent code style with existing scripts
This project is open source and available under the MIT License.
Video Demo: https://drive.google.com/file/d/1gngVN9cr3GEAcvqyJCNCW0soaPgJjsUd/view?usp=sharing
For issues or questions:
- Check the troubleshooting section above
- Review configuration files for correctness
- Check GitHub API documentation: https://docs.github.com/en/rest
- Review PyGithub documentation: https://pypi.org/project/PyGithub/
Last Updated: March 2026
Version: 1.0.0