Skill

security-ownership-map

by openai

AI Summary

Analyzes git repositories to map security ownership, identify bus factors, and detect orphaned sensitive code, exporting results for graph visualization. Essential for security teams and DevOps engineers managing code risk and maintainer dependencies.

Install

```bash
# Add to your project root as SKILL.md
curl -o SKILL.md "https://raw.githubusercontent.com/openai/skills/main/skills/.curated/security-ownership-map/SKILL.md"
```

Description

Analyze git repositories to build a security ownership topology (people-to-file), compute bus factor and sensitive-code ownership, and export CSV/JSON for graph databases and visualization. Trigger only when the user explicitly wants a security-oriented ownership or bus-factor analysis grounded in git history (for example: orphaned sensitive code, security maintainers, CODEOWNERS reality checks for risk, sensitive hotspots, or ownership clusters). Do not trigger for general maintainer lists or non-security ownership questions.

Overview

Build a bipartite graph of people and files from git history, then compute ownership risk and export graph artifacts for Neo4j/Gephi. Also build a file co-change graph (Jaccard similarity on shared commits) to cluster files by how they move together while ignoring large, noisy commits.

Requirements

• Python 3
• networkx (required; community detection is enabled by default). Install with:

```bash
pip install networkx
```

Workflow

• Scope the repo and time window (optional --since/--until).
• Decide sensitivity rules (use defaults or provide a CSV config).
• Build the ownership map with scripts/run_ownership_map.py (the co-change graph is on by default; use --cochange-max-files to ignore supernode commits).
• Communities are computed by default; GraphML output is optional (--graphml).
• Query the outputs with scripts/query_ownership.py for bounded JSON slices.
• Persist and visualize (see references/neo4j-import.md).

By default, the co-change graph ignores common “glue” files (lockfiles, .github/*, editor config) so clusters reflect actual code movement instead of shared infra edits. Override with --cochange-exclude or --no-default-cochange-excludes. Dependabot commits are excluded by default; override with --no-default-author-excludes or add patterns via --author-exclude-regex.

To exclude Linux build glue such as Kbuild from co-change clustering, pass:

```bash
python skills/skills/security-ownership-map/scripts/run_ownership_map.py \
  --repo /path/to/linux \
  --out ownership-map-out \
  --cochange-exclude "**/Kbuild"
```
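As an added illustration (not code from the openai/skills repository; the commit sample, file names and function names are all constructed), this is the core of what the Overview and Workflow describe: a file co-change graph weighted by Jaccard similarity of shared commits, with the supernode-commit cap, glue-file excludes and Dependabot author exclusion applied first, plus a per-file bus factor that flags files no human has touched.

```python
import fnmatch
from collections import defaultdict
from itertools import combinations

# Constructed sample history: (commit id, author, files touched). Not real repo data.
SAMPLE_COMMITS = [
    ("c1", "alice", ["auth/login.py", "auth/session.py"]),
    ("c2", "alice", ["auth/login.py", "auth/session.py", "tests/test_auth.py"]),
    ("c3", "bob", ["crypto/keys.py", "crypto/sign.py"]),
    ("c4", "carol", ["auth/login.py", "crypto/keys.py"]),
    ("c5", "dependabot[bot]", ["package-lock.json", "crypto/sign.py"]),
    # Repo-wide reformat: a "supernode" commit that would link unrelated files if counted.
    ("c6", "dave", ["auth/login.py", "auth/session.py", "crypto/keys.py",
                    "crypto/sign.py", "tests/test_auth.py", "README.md"]),
]
GLUE_FILES = ("*.lock", "package-lock.json", ".github/*")   # assumed default excludes
BOT_AUTHORS = ("dependabot*",)                               # assumed default author excludes


def _kept(commits, max_files, glue, bots):
    """Yield commits with bot authors, glue files and oversized (supernode) commits filtered out."""
    for cid, author, files in commits:
        if any(fnmatch.fnmatch(author, p) for p in bots):
            continue
        kept = [f for f in files if not any(fnmatch.fnmatch(f, p) for p in glue)]
        if kept and len(kept) <= max_files:
            yield cid, author, kept


def cochange_jaccard(commits, max_files=4, glue=GLUE_FILES, bots=BOT_AUTHORS):
    """File-file edges weighted by Jaccard similarity of the commit sets touching each pair."""
    touched = defaultdict(set)
    for cid, _author, files in _kept(commits, max_files, glue, bots):
        for f in files:
            touched[f].add(cid)
    return {(a, b): len(touched[a] & touched[b]) / len(touched[a] | touched[b])
            for a, b in combinations(sorted(touched), 2) if touched[a] & touched[b]}


def bus_factor(commits, path, bots=BOT_AUTHORS):
    """Smallest number of human authors whose commits cover at least half of the changes to `path`."""
    counts = defaultdict(int)
    for _cid, author, files in _kept(commits, float("inf"), (), bots):
        if path in files:
            counts[author] += 1
    total, covered = sum(counts.values()), 0
    for n, c in enumerate(sorted(counts.values(), reverse=True), start=1):
        covered += c
        if 2 * covered >= total:
            return n
    return 0  # no human author at all: an orphan candidate
```

Raising max_files lets the repo-wide commit c6 back in, which is exactly when unrelated files such as auth/login.py and crypto/sign.py acquire a spurious edge.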

Quick start

Run from the repo root:

```bash
python skills/skills/security-ownership-map/scripts/run_ownership_map.py \
  --repo . \
  --out ownership-map-out \
  --since "12 months ago" \
  --emit-commits
```

Defaults: author identity, author date, and merge commits excluded. Use --identity committer, --date-field committer, or --include-merges if needed.

Example (override co-change excludes):

```bash
python skills/skills/security-ownership-map/scripts/run_ownership_map.py \
  --repo . \
  --out ownership-map-out \
  --cochange-exclude "**/Cargo.lock" \
  --cochange-exclude "/.github/" \
  --no-default-cochange-excludes
```

Communities are computed by default. To disable:

```bash
python skills/skills/security-ownership-map/scripts/run_ownership_map.py \
  --repo . \
  --out ownership-map-out \
  --no-communities
```

Quality Score

B (Good), 85/100

• Standard Compliance: 72
• Documentation Quality: 78
• Usefulness: 85
• Maintenance Signal: 100
• Community Signal: 100

GitHub Signals

• Stars: 10.2k
• Forks: 569
• Issues: 104
• Updated: Today

Trust & Transparency

• No License Detected: review source code before installing
• Verified Open Source: hosted on GitHub — publicly auditable
• Actively Maintained: last commit Today
• 10.2k stars — Strong Community
• 569 forks

Works With

Claude Code