GitHub and Google recently announced the launch of Allstar, an app that provides automated, continuous enforcement of security best practices for GitHub projects. Allstar, created by Google and the Open Source Security Foundation (OpenSSF), checks repositories for adherence to security policies, lets maintainers choose enforcement actions, and carries those actions out when a settings or file change in a repository triggers a check. It is intended to help the open source community reduce security risk.
Allstar is a companion to Security Scorecards, a tool released earlier that assesses the risk of a repository and its dependencies. While Scorecards checks important heuristics such as whether the project uses branch protection, cryptographically signs release artifacts, or requires code review, Allstar lets maintainers opt into automated enforcement of specific checks. If a repository fails a check that you have enabled, Allstar intervenes to make the changes needed to remediate the issue, avoiding the effort of repeated manual fixes.
“In short, Security Scorecards helps you measure your current security posture against where you want to be; Allstar helps you get there,” reads the announcement blog post.
Open source projects are often exposed to security risks. Allstar works by continuously checking GitHub API state, such as repository settings and branch settings, against the configured security policies and applying enforcement actions. On detecting a policy violation it carries out the configured enforcement, such as filing an issue or changing the project settings. Because checks run on setting changes rather than on a fixed schedule, a short-lived downgrade is still caught: for example, if a developer temporarily disables branch protection to commit a malicious change and then re-enables it, Allstar will spot and respond to the policy violation.
Currently Allstar ships with a limited number of security policy checks. OpenSSF plans to add further policies, such as frozen dependencies and automatic dependency updates, in the near future. At launch, Allstar's policies are: branch protection, which sets requirements collaborators must satisfy before they can push changes to a branch in a repository; security policy, which requires that the repository publish a security policy (a SECURITY.md file); outside collaborators, which requires that users with admin privileges on a repository be members of the owning organisation; and binary artifacts, which detects and alerts on binaries checked into the repository.
Allstar lets developers pick the enforcement action for each policy: log the policy failure and take no further action, open a GitHub issue, or revert the modified GitHub setting so that it matches the Allstar configuration. OpenSSF runs an Allstar instance that anyone can install and use, but developers can build and run their own instance for tighter control or further customisation.
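The following is an added example, not Allstar's own code, that models the check-and-enforce loop described above in a few dozen lines of Python. The input dictionaries mirror the shape of GitHub's REST "get branch protection" response (those field names are real), while the policy fields, the evaluation logic and the three actions (log, issue, fix) are a simplified stand-in written for this page; the sample observations are constructed. The middle observation reproduces the case in the article where protection is switched off briefly and switched back on.

```python
"""Toy model of Allstar-style enforcement for a branch-protection policy.

Added example, not Allstar's own implementation. Field names in the
observed state follow the GitHub REST branch-protection response; the
policy shape and the decision logic are simplified for illustration.
"""
from dataclasses import dataclass
from typing import Optional


@dataclass
class BranchPolicy:
    """What the maintainer expects the protected branch to look like (assumed keys)."""
    require_approval: bool = True
    approval_count: int = 1
    block_force_push: bool = True
    enforce_admins: bool = True
    action: str = "log"  # one of "log", "issue", "fix"


def evaluate(protection: Optional[dict], policy: BranchPolicy) -> list:
    """Compare one observed branch-protection state with the policy.

    `protection` is None when the branch has no protection at all (the
    GitHub API answers 404 for that case). Returns the list of violations.
    """
    if protection is None:
        return ["branch protection is disabled"]
    violations = []
    reviews = protection.get("required_pull_request_reviews")
    if policy.require_approval:
        if reviews is None:
            violations.append("pull request reviews are not required")
        else:
            count = reviews.get("required_approving_review_count", 0)
            if count < policy.approval_count:
                violations.append(
                    f"only {count} approving review(s) required, policy wants {policy.approval_count}")
    if policy.block_force_push and protection.get("allow_force_pushes", {}).get("enabled", False):
        violations.append("force pushes are allowed")
    if policy.enforce_admins and not protection.get("enforce_admins", {}).get("enabled", False):
        violations.append("administrators are exempt from the rules")
    return violations


def desired_protection(policy: BranchPolicy) -> dict:
    """Settings a 'fix' action would push back (update-branch-protection body shape)."""
    return {
        "required_pull_request_reviews": (
            {"required_approving_review_count": policy.approval_count}
            if policy.require_approval else None),
        "allow_force_pushes": not policy.block_force_push,
        "enforce_admins": policy.enforce_admins,
    }


def enforce(repo: str, branch: str, protection: Optional[dict], policy: BranchPolicy) -> dict:
    """Run one check and return the enforcement decision; nothing is sent to GitHub here."""
    violations = evaluate(protection, policy)
    if not violations:
        return {"repo": repo, "branch": branch, "action": "none", "violations": []}
    result = {"repo": repo, "branch": branch, "action": policy.action, "violations": violations}
    if policy.action == "issue":
        result["issue_body"] = (f"Allstar-style policy violation on {repo}@{branch}:\n"
                                + "\n".join(f"- {v}" for v in violations))
    elif policy.action == "fix":
        result["fix_payload"] = desired_protection(policy)
    return result


# Constructed sample: three observations of the same branch, as an
# event-driven checker would see them. The middle one is the window in
# which someone disabled protection to push directly to the branch.
OBSERVED = [
    {"required_pull_request_reviews": {"required_approving_review_count": 1},
     "allow_force_pushes": {"enabled": False},
     "enforce_admins": {"enabled": True}},
    None,
    {"required_pull_request_reviews": {"required_approving_review_count": 1},
     "allow_force_pushes": {"enabled": False},
     "enforce_admins": {"enabled": True}},
]


def audit(observations, policy: BranchPolicy) -> list:
    """Check every observation; a temporary downgrade still yields a finding."""
    return [enforce("example/repo", "main", obs, policy) for obs in observations]


if __name__ == "__main__":
    for r in audit(OBSERVED, BranchPolicy(action="fix")):
        print(r["action"], r["violations"])
```

The point of the `audit` run is the second entry: the downgrade is recorded (and, with `action="fix"`, the intended protection payload is rebuilt) even though the third observation shows the branch restored. In a real deployment the checker would be driven by repository webhook events and the `fix` payload would be sent to the update-branch-protection endpoint; here the decision is only returned so it can be inspected.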
“Allstar is still in the early stages of development, so we welcome adoption and community feedback. We look forward to rolling out more enforcements; in the meanwhile, taking simple steps like enforcing code review and setting branch protections can make a significant difference in protecting against supply-chain attacks. Taking these fundamental actions together can help raise the bar for security standards in open source software,” Google senior program manager and contributor Mike Maraya wrote in a blog post.