Nightfall Radar is a powerful tool for exploring your GitHub repositories and ensuring they are free of potentially sensitive credentials and secrets. The Radar user interface supports scanning a single repository at a time. However, by leveraging the Radar API and a simple bash script, you can quickly and easily initiate scans of all your organization's GitHub repos with a single command.

To do this you will need a GitHub personal access token, an active Nightfall Radar API key, access to the organization whose repos you wish to scan, and the jq command-line JSON processor (the script below uses it to pull the clone URLs out of the GitHub API response).

Create a new file in your working directory and copy the following code into that file, replacing the authorization tokens with those for your account. You may name the file anything you wish, but it will be referred to here as org_scanner.

$ touch org_scanner

Copy this code into the new file, replacing credentials where appropriate.
Note: If you do choose to save this script as a file, please ensure that it is included in your .gitignore file if applicable, as it contains potentially sensitive credentials for both GitHub and Radar. You can read more about .gitignore files here.


#!/bin/bash
# List the organization's repositories through the GitHub API and submit each
# clone URL to Radar. Replace <radar_scan_endpoint_url> with the scan endpoint
# given in the Radar API docs. Note the GitHub API returns 30 repos per page by
# default; pass ?per_page=100 (and page through) for larger organizations.
for repo in $(curl -s -u <github_user>:<personal_access_token> \
    https://api.github.com/orgs/<org_name>/repos | jq -r '.[].clone_url'); do
  curl -u <radar_api_key>: -d github_url="$repo" <radar_scan_endpoint_url>
done

Run the following line in your terminal to make the new org_scanner script executable.

$ chmod +x ./org_scanner

Now, you can run the script from your command line simply by invoking its name.

$ ./org_scanner

If successful, you should see a response in your command line for each scanned repository like so:

{
  "status": "Running",
  "message": "Scan is running. You will be notified via email ( when scan is complete. You can view the scan results via the provided Scan ID when complete. You can also configure a Webhook endpoint to be programmatically notified when the scan is complete. See API Docs:",
  "scan_id": "221b46ab-2536-4c59-245f-ea72684ca17c"
}

On successful completion of the scan(s), the results may be viewed in your dashboard at or obtained via our API as laid out in the documentation here.
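A variant of the same organization scan, added here as an illustration and not part of the Nightfall documentation: it keeps the GitHub and Radar credentials out of the file by reading them from environment variables (which addresses the .gitignore concern above) and follows the GitHub API's Link-header pagination so organizations with more than 30 repos are covered. The Radar scan endpoint is assumed and must be supplied as RADAR_SCAN_URL from the Radar API docs.

```python
# Reads credentials from the environment instead of the script body and
# follows GitHub's Link-header pagination. RADAR_SCAN_URL is a placeholder
# for the Radar scan endpoint documented in the Radar API docs (assumption).
import base64, json, os, re, sys
import urllib.parse, urllib.request

GITHUB_API = "https://api.github.com"

def basic_auth(user, secret):
    """Build a Basic Authorization header value, as curl -u user:secret does."""
    return "Basic " + base64.b64encode(f"{user}:{secret}".encode()).decode()

def next_page(link_header):
    """Return the rel="next" URL from a GitHub Link header, or None on the last page."""
    m = re.search(r'<([^>]+)>;\s*rel="next"', link_header or "")
    return m.group(1) if m else None

def clone_urls(page_json):
    """Extract clone_url from one page of the /orgs/{org}/repos response."""
    return [repo["clone_url"] for repo in json.loads(page_json)]

def fetch(url, headers, data=None):
    req = urllib.request.Request(url, data=data, headers=headers)  # POST when data is set
    with urllib.request.urlopen(req) as resp:
        return resp.read().decode(), resp.headers.get("Link")

def all_clone_urls(org, user, token):
    headers = {"Authorization": basic_auth(user, token)}
    url, urls = f"{GITHUB_API}/orgs/{org}/repos?per_page=100", []
    while url:  # GitHub pages the listing; keep going until there is no rel="next"
        body, link = fetch(url, headers)
        urls.extend(clone_urls(body))
        url = next_page(link)
    return urls

def submit(scan_url, api_key, repo_url):
    # Radar takes the API key as the Basic-auth user with an empty password.
    data = urllib.parse.urlencode({"github_url": repo_url}).encode()
    body, _ = fetch(scan_url, {"Authorization": basic_auth(api_key, "")}, data)
    return json.loads(body)

if __name__ == "__main__":
    env = {k: os.environ.get(k) for k in
           ("GITHUB_USER", "GITHUB_TOKEN", "GITHUB_ORG", "RADAR_API_KEY", "RADAR_SCAN_URL")}
    if missing := [k for k, v in env.items() if not v]:
        sys.exit("missing environment variables: " + ", ".join(missing))
    for repo in all_clone_urls(env["GITHUB_ORG"], env["GITHUB_USER"], env["GITHUB_TOKEN"]):
        r = submit(env["RADAR_SCAN_URL"], env["RADAR_API_KEY"], repo)
        print(repo, r.get("status"), r.get("scan_id"))
```

Export the five variables in the shell session that runs the script rather than writing them into any file that might be committed.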
