In VCS mode, the tool will use your personal access token (see Authentication) to connect to the VCS and obtain real-time commit data. This is the most accurate and comprehensive mode, and we recommend using it as a first choice. The tool supports the same systems as Prisma Cloud Code Security:
- GitHub and GitHub enterprise server
- Bitbucket and Bitbucket server
- GitLab and GitLab server
- Azure DevOps (Azure Repos)
You can select repos to count in multiple ways. The tool understands the different grouping structures within each VCS. For example, GitHub has a flat structure, where organizations or users are at the top level and repos are within an org / user, while GitLab allows you to create groups and subgroups, and create repos within any level of the group hierarchy. The tool provides VCS-specific options to allow you to count repos in as fine-grained a way as possible.
Note that different VCSes use different terms for these concepts:
| VCS | Structure |
|---|---|
| GitHub.com and GitHub server | Organization -> Repository |
| Bitbucket.org | Workspace -> Repository |
| Bitbucket server | Project -> Repository |
| GitLab.com and GitLab server | Group [-> subgroup -> subsubgroup ...] -> Project (AKA repository) |
| Azure DevOps | Organization -> Project -> Repository |
The tool accepts VCS-native arguments (e.g., --orgs for GitHub, --workspaces for bitbucket.org). In some cases, we may use more general terms in a VCS agnostic way. For example, if you see the term "organization" in these docs, it may refer to Bitbucket workspaces, which are conceptually identical for the purposes of this tool.
Generally, for each VCS, you can provide a list of orgs / workspaces / groups as well as a list of repos, and you can also skip individual repos within those. If the VCS supports repos tied to a user (not an org), you can also provide a username in place of the org name.
In general, you can also provide none of these arguments (e.g., no --orgs, no --repos) to make the tool fetch as many repos as it can using the provided token, and count all of them. This is similar to the list if repos you would see in the Prisma Cloud platform while configuring a new VCS integration. However, due to some of the differences between personal access tokens and the oauth tokens used by the platform, this list may not match exactly, and in some cases may not be possible to retrieve at all. We recommend at least specifying --orgs, --workspaces, etc. See the VCS-specific help text for more details.
See the examples below for more details.
For repositories to include / skip (and for projects, for Azure DevOps), you can also specify the list in a file, which may be easier when working with large numbers of repos and when you cannot specify organizations for some reason.
By default, this tool will exclude any public repo, same as the Prisma Cloud platform. You can override this behavior with the --include-public flag if you wish to include these for any reason. Note that some VCSes have an "internal" visibility, which is between public and private. These are considered private repos for the purpose of counting contributors.
In the examples below, note that we are not worrying about the public / private repo distinction, unless noted. Just remember that by default, public repos will be excluded. Some arguments, like --token, are omitted for brevity.
Note that the order in which you specify these options does not matter. The tool will collect all matching repos and then subtract all matching "skip" repos.
Two GitHub orgs
redshirts github --orgs mygithuborg,anotherorg
Two GitHub orgs, including public repos
redshirts github --orgs mygithuborg,anotherorg --include-public
One Bitbucket workspace plus two other repos
redshirts bitbucket --workspaces myworkspace --repos user1/repo1,anotherworkspace/anotherepo
One GitLab group and all its subgroups
redshirts gitlab --groups somegroup
Two GitLab subgroups (and their subgroups) of a GitLab group
redshirts gitlab --groups somegroup/subgroup1,somegroup/subgroup2
One GitLab group and all its subgroups, except for one repo
redshirts gitlab --groups somegroup --skip-repos somegroup/repo1
One Bitbucket workspace, except one repo, plus one other repo
redshirts bitbucket --workspaces myworkspace --repos user1/repo1 --skip-repo myworkspace/repo-to-skip
One Azure DevOps org, plus one project from another org
redshirts azuredevops --orgs myorg --projects anotherorg/project1
One Azure DevOps org, plus one project from another org, plus one repo from another project, and skip some repos
redshirts azuredevops --orgs myorg --projects anotherorg/project1 --repos anotherorg/project2/repo2 --skip-repos myorg/project1/repo-to-skip,anotherorg/project1/repo-to-skip
One Azure DevOps org, but skip one project within that org, but include one repo within that project
This is not possible directly, because of the logic described above - we will collect all the repos first, and then subtract all the "skip" repos. To accomplish this, you can more granularly specify what to include:
redshirts azuredevops --repos myorg/project-to-skip/repo-to-include --projects myorg/project2,myorg/project3,myorg/project4
This tool requires a personal access token for your respective VCS. Different VCSes have different names for the same concept, and the specific capabilities of these tokens vary by VCS. Generally these tokens require read access to organization, user, and repo data. The exact granularity of access that you can grant varies by VCS. See the VCS-specific help text below for more information.
Every VCS requires a token, which you can pass via the --token argument or the environment variable REDSHIRTS_TOKEN. Some VCSes may require additional parameters (e.g., a username).
If you are behind a corporate VPN, this tool may not be able to reach the VCS APIs. If you encounter SSL-related errors in the output of a command, you will likely either need to disable your VPN or private the certificate chain for the VCS. See this page for different options to obtain the certificate chain file (.pem file) to use with the --ca-cert option. Note that the VCS API hostname may differ from the hostname you normally use in a browser:
| VCS | API hostname for cert chain |
|---|---|
| github.com | api.github.com |
| bitbucket.org | api.bitbucket.org |
| gitlab.com | gitlab.com |
| Azure DevOps | dev.azure.com |
For any server / self-hosted versions, the API hostname is the same as the server hostname.
This tool will attempt to work within the rate limits of the VCS. The exact rate limiting mechanism differs by VCS, and in some cases the tool cannot perfectly avoid hitting a rate limit. The tool will respond to being rate limited by pausing or backing off, and continuing later.
See advanced for more information on rate limiting.
To connect to a self-hosted or on-prem VCS, you must provide the hostname of your server, and optionally the protocol and port for any non-standard values. Specifically, you must specify if the protocol is HTTP and if the port is not 443 for HTTPS or 80 for HTTP.
Here are some examples of different arguments you can provide and the resulting server URL:
| Arguments | Server URL |
|---|---|
--host git.mycompany.com |
https://git.mycompany.com (HTTPS is default; port 443 is implicit) |
--host git.mycompany.com --protocol http |
http://git.mycompany.com (port 80 is implicit) |
--host git.mycompany.com --port 9999 |
https://git.mycompany.com:9999 |
--host git.mycompany.com --protocol http --port 9999 |
http://git.mycompany.com:9999 |