Google recently announced Allstar, a GitHub app that enables continuous enforcement of security policies for a given organization or project repository. Allstar is Google’s contribution towards improving Open Source Software (OSS) security.
Mike Maraya, senior program manager for security, and Jeff Mendoza, information security engineer at Google, co-authored the announcement on the Open Source Security Foundation (OpenSSF) blog. Allstar lets an organization, or an individual project repository, declare the security settings it requires and the enforcement action to take when they are not met. Once the app is installed, it re-validates those settings continuously, so a change that takes a repository out of compliance is detected and acted on rather than being checked only once at setup time.
Allstar compares repository state, as read from the GitHub API, and repository file contents against the configured policies. Whenever it finds a mismatch, it applies the configured enforcement action, which can mean filing an issue or changing the repository's settings. OpenSSF operates a hosted Allstar instance that anyone can install on their organization; the project can also be built and run as a self-hosted instance. Because the setting-changing action rewrites repository configuration, the app must be granted administration permission on the repositories it manages, which is worth weighing when choosing between the hosted and a self-hosted instance.
Source: https://openssf.org/blog/2021/08/11/introducing-the-allstar-github-app/
Allstar complements Security Scorecards: Scorecards scores a repository against 18 security heuristics so that maintainers can identify specific areas to improve, while Allstar lets them select specific checks and have them enforced automatically, strengthening the overall security posture.
Currently, three enforcement actions can be configured:
- Open a GitHub issue in the non-compliant repository
- Log the policy failure and take no further action
- Fix the setting: revert the modified GitHub setting so that it matches the configured Allstar policy
The following security policies are currently available:
- Branch Protection: enforces the branch protection settings that must be satisfied before a collaborator can push a change to a branch of the repository
- Security Policy: enforces the presence of a security policy file (GitHub's SECURITY.md)
- Outside Collaborator Administrators: prevents outside collaborators (users who are not members of the organization) from holding administrator privileges, and optionally push access, so that only organization members can administer a repository
- Binary Artifacts: detects binary artifacts committed to the repository and alerts the maintainers if any are found, since a checked-in binary cannot be reviewed the way source code can
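As an added example, not taken from the announcement or from the Allstar project's own documentation, the following shows how the enforcement actions and policies above are wired together in Allstar's YAML configuration. Allstar reads organization-wide settings from a repository named `.allstar` in the organization, one file per policy, and a repository can carry its own `.allstar/` directory to override or opt out. File names and keys follow the Allstar README as of the time of writing; the organization and repository names (`payments-api`, `scratch-notebooks`, `firmware-images`) are hypothetical. Not every policy accepts every action: branch protection can be fixed in place, whereas a missing security policy file or a committed binary can only be logged or reported as an issue.

```yaml
# Organization-wide files, committed to the ".allstar" repository of the org.
# Each YAML document below is a separate file; the path is given in its first comment.

# .allstar/allstar.yaml : which repositories Allstar covers at all
optConfig:
  optOutStrategy: true        # enforce on every repo unless it is listed below
  optOutRepos:
    - scratch-notebooks       # hypothetical throwaway repo exempt from all policies
  # disableRepoOverride: true # uncomment to stop individual repos opting themselves out
---
# .allstar/branch_protection.yaml : Branch Protection policy
optConfig:
  optOutStrategy: true        # policy-level coverage; mirror the org-level choice
action: fix                   # log | issue | fix; "fix" rewrites the branch protection
                              # settings until they match this file
enforceDefault: true          # apply to each repository's default branch
enforceBranches:
  payments-api:               # hypothetical repo with an extra protected branch
    - release
requireApproval: true         # pull-request review required before merge
approvalCount: 2
dismissStale: true            # a new push dismisses earlier approvals
blockForce: true              # no force-pushes to protected branches
---
# .allstar/outside.yaml : Outside Collaborator Administrators policy
optConfig:
  optOutStrategy: true
action: issue                 # report via an issue instead of changing permissions
adminAllowed: false           # outside collaborators must not be administrators
pushAllowed: false            # and must not hold push access either
---
# .allstar/security.yaml : Security Policy file
optConfig:
  optOutStrategy: true
action: issue                 # "fix" is not available: Allstar cannot write a
                              # SECURITY.md on the maintainers' behalf
---
# .allstar/binary_artifacts.yaml : Binary Artifacts policy
optConfig:
  optOutStrategy: true
action: issue                 # flag committed binaries; nothing is rewritten
---
# Repository-level override, committed as .allstar/binary_artifacts.yaml inside the
# hypothetical "firmware-images" repo, which legitimately stores binaries. It opts that
# one repo out of this one policy and is honoured unless the org sets disableRepoOverride.
optConfig:
  optOut: true
```

With these files in place no CI hooks are needed: once the app is installed, results surface as issues in the non-compliant repository, which Allstar closes again when the repository returns to compliance, or, for the branch protection policy above, as settings rewritten to match the file. Start with `action: log` or `issue` on an existing organization and switch to `fix` only after reviewing what the first pass reports, so that a mistyped policy does not rewrite branch protection across every repository at once.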
While the current set of policies is small, additional ones are planned for the near future, including automatic dependency updates via Dependabot or Renovate and detection of language-specific dependencies.
Allstar is still in the early stages of development. Interested readers can get started with it, provide feedback, submit issues, and propose changes through pull requests in the project's GitHub repository. Allstar is already filing and closing security issues for the Envoy and GoogleContainerTools projects.