Google and the Open Source Security Foundation (OpenSSF) have released Allstar, an app that allows organizations / owners of GitHub repositories to set up security policy expectations for GitHub projects and to make sure that these policies are adhered to.
When the app detects a repository is out of compliance, it can take one of three enforcement actions (chosen by the organization/owner):
- Log the failure (and do nothing else)
- Open a GitHub issue
- Automatically correct the violation (i.e., return the repository policy setting to the previous state)
About GitHub Allstar
“Allstar works by continuously checking expected GitHub API states and repository file contents (repository settings, branch settings, workflow settings) against defined security policies and applying enforcement actions (filing issues, changing the settings) when expected states do not match the policies,” OpenSSF’s John Mertic explained.
“The continuous nature of the enforcement protects against stealthy attacks that human enforcement might not notice: Allstar will detect and respond to a policy violation if someone, for example, temporarily disables branch protections in order to commit a malicious change before reenabling the protections.”
Initial security policy checks / enforcements include:
- Branch protection (against unapproved pull requests, forced pushes, etc.)
- The presence of the SECURITY.md file, containing a defined policy for responsible vulnerability disclosure
- Enforcement of specific requirements for outside collaborators (e.g., that users with admin privileges on a repository must be members of the owning organization)
- Detection and alerts if binary artifacts are found in the repository
Future ones will be able to ensure that automatic dependency updates via Dependabot or Renovate are enabled on one’s repository, and that compromised dependency releases can’t be automatically incorporated into the project.
GitHub Allstar and Security Scorecards
Allstar works in concert with Security Scorecards, a helpful automated tool that checks things like whether the project uses tools to automatically update its dependencies, does it require code review before code is merged, does it cryptographically sign releases, does it have unfixed vulnerabilities, and so on, and calculates a score that indicates the current security posture of the project.
“Security Scorecards helps you measure your current security posture against where you want to be; Allstar helps you get there,” Mertic concluded.