Unfortunately, it leaves a lot to be desired. I've actually had to do a fair bit of GH access reporting myself recently and I can recommend the GraphQL API as it allows you to properly list direct and indirect permissions on repositories (org + team + direct collaborator) that are a lot harder to do with the REST API due to its inconsistent permissions model.
Why audit when you can declare all of this in Terraform? https://registry.terraform.io/providers/integrations/github/latest/docs
Awesome! I built something like this for $JOB-1 too. Unfortunately didn't get to open source this before I left.

I built in a mechanism for policy checks too, e.g. to check that only an allowed list of repositories was public, and that permissions were only assigned through teams.
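
The two policy checks described in the comment above, sketched as an added example that is not part of the thread or any commenter's tool. It assumes input shaped like a GitHub GraphQL result where each collaborator edge carries `permissionSources`, and it treats a source of type `Repository` as a direct grant; the org name, repository names, allowlist and sample data are constructed.

```python
# Constructed sample, shaped like a GraphQL result for:
#   repositories { nodes { nameWithOwner visibility collaborators { edges {
#     node { login } permissionSources { permission source { __typename } } } } } }
SAMPLE_REPOS = [
    {"nameWithOwner": "example-org/website", "visibility": "PUBLIC",
     "collaborators": {"edges": [
         {"node": {"login": "alice"}, "permissionSources": [
             {"permission": "READ", "source": {"__typename": "Organization"}},
             {"permission": "WRITE", "source": {"__typename": "Team"}}]}]}},
    {"nameWithOwner": "example-org/internal-tools", "visibility": "PRIVATE",
     "collaborators": {"edges": [
         {"node": {"login": "bob"}, "permissionSources": [
             {"permission": "READ", "source": {"__typename": "Organization"}},
             {"permission": "ADMIN", "source": {"__typename": "Repository"}}]}]}},
    # collaborators is null when the token cannot list them; handled below.
    {"nameWithOwner": "example-org/scratch", "visibility": "PUBLIC",
     "collaborators": None},
]

PUBLIC_ALLOWLIST = {"example-org/website"}  # hypothetical allowlist


def check_policies(repos, public_allowlist):
    """Return (repo, rule, detail) tuples for every policy violation."""
    findings = []
    for repo in repos:
        name = repo["nameWithOwner"]
        # Rule 1: only allowlisted repositories may be public.
        if repo["visibility"] == "PUBLIC" and name not in public_allowlist:
            findings.append((name, "public-not-allowlisted", None))
        # Rule 2: access must come via teams (or the org base permission),
        # never a direct grant. Assumption: a direct collaborator grant
        # shows up as a permission source of type Repository.
        edges = (repo.get("collaborators") or {}).get("edges", [])
        for edge in edges:
            for src in edge["permissionSources"]:
                if src["source"]["__typename"] == "Repository":
                    detail = f'{edge["node"]["login"]}:{src["permission"]}'
                    findings.append((name, "direct-grant", detail))
    return findings


if __name__ == "__main__":
    for finding in check_policies(SAMPLE_REPOS, PUBLIC_ALLOWLIST):
        print(finding)
```
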