Allstar app helps enforce security best practices for GitHub projects (Security News, August 2021)

Google and the Open Source Security Foundation (OpenSSF) have released Allstar, a GitHub app that lets organizations and owners of GitHub repositories define security policy expectations for their projects and makes sure those policies are actually adhered to.
"Allstar works by continuously checking expected GitHub API states and repository file contents against defined security policies and applying enforcement actions when expected states do not match the policies," OpenSSF's John Mertic explained.
"The continuous nature of the enforcement protects against stealthy attacks that human enforcement might not notice: Allstar will detect and respond to a policy violation if someone, for example, temporarily disables branch protections in order to commit a malicious change before reenabling the protections."
Among the policies Allstar can enforce is the presence of a SECURITY.md file containing a defined policy for responsible vulnerability disclosure.
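To make the "expected API state versus policy" loop concrete, here is an added example of such a checker, written for this page and not taken from Allstar's own code. It evaluates two of the policies mentioned above, branch protection and a non-empty SECURITY.md, against a sequence of repository snapshots, so the transient window in which protections are switched off shows up as a finding even though the first and last snapshots look clean. The field names inside the protection object (`enforce_admins.enabled`, `required_pull_request_reviews.required_approving_review_count`, `allow_force_pushes.enabled`) are those returned by GitHub's branch-protection API; the policy dictionary, the action labels, the repository name, the snapshot timeline and all function names are assumptions made for the example.

```python
"""Illustrative policy-vs-state checker (added example, not Allstar code).

GitHub API field names in the protection object are real; the policy keys,
action labels, repo name, file contents and timeline are constructed.
"""
from __future__ import annotations

from dataclasses import dataclass, field
from typing import Any, Optional

# Constructed policy: what the organisation expects of every repository.
POLICY = {
    "branch_protection": {
        "min_approving_reviews": 1,
        "enforce_admins": True,
        "allow_force_pushes": False,
        "action": "issue",
    },
    "security_policy": {"path": "SECURITY.md", "action": "issue"},
}


@dataclass
class Snapshot:
    """One observation of a repository: API state plus selected file contents."""
    repo: str
    protection: Optional[dict]            # None = no protection rule on the branch
    files: dict = field(default_factory=dict)


def check_branch_protection(snap: Snapshot, rule: dict) -> list:
    """Compare the protection API object against the policy; return violation messages."""
    if snap.protection is None:
        return ["default branch has no protection rule"]
    problems = []
    # GitHub omits required_pull_request_reviews entirely when no reviews are required.
    reviews = snap.protection.get("required_pull_request_reviews") or {}
    count = reviews.get("required_approving_review_count", 0)
    if count < rule["min_approving_reviews"]:
        problems.append(f"required approving reviews is {count}, policy needs {rule['min_approving_reviews']}")
    if rule["enforce_admins"] and not snap.protection.get("enforce_admins", {}).get("enabled", False):
        problems.append("branch protection is not enforced for administrators")
    if not rule["allow_force_pushes"] and snap.protection.get("allow_force_pushes", {}).get("enabled", False):
        problems.append("force pushes are allowed")
    return problems


def check_security_policy(snap: Snapshot, rule: dict) -> list:
    """The disclosure policy file must exist and be non-empty."""
    body = snap.files.get(rule["path"], "")
    return [] if body.strip() else [f"{rule['path']} is missing or empty"]


def evaluate(snap: Snapshot, policy: dict = POLICY) -> list:
    """Return (policy_name, action, message) for every violation in one snapshot."""
    findings = []
    for name, checker in (("branch_protection", check_branch_protection),
                          ("security_policy", check_security_policy)):
        for msg in checker(snap, policy[name]):
            findings.append((name, policy[name]["action"], msg))
    return findings


def watch(snapshots: list) -> list:
    """Continuous mode: evaluate every snapshot; keep (tick, policy, action, message)."""
    return [(i, *f) for i, snap in enumerate(snapshots) for f in evaluate(snap)]


# Constructed timeline: protection is dropped for one poll interval, then restored,
# and later the SECURITY.md file disappears.
GOOD_PROTECTION = {
    "required_pull_request_reviews": {"required_approving_review_count": 2},
    "enforce_admins": {"enabled": True},
    "allow_force_pushes": {"enabled": False},
}
WEAKENED_PROTECTION = {
    "required_pull_request_reviews": {"required_approving_review_count": 0},
    "enforce_admins": {"enabled": False},
    "allow_force_pushes": {"enabled": True},
}
FILES = {"SECURITY.md": "Report vulnerabilities to security@example.org (constructed)."}
TIMELINE = [
    Snapshot("example-org/widget", GOOD_PROTECTION, FILES),
    Snapshot("example-org/widget", WEAKENED_PROTECTION, FILES),  # the stealthy window
    Snapshot("example-org/widget", GOOD_PROTECTION, FILES),
    Snapshot("example-org/widget", GOOD_PROTECTION, {}),         # SECURITY.md deleted
]

if __name__ == "__main__":
    for tick, name, action, msg in watch(TIMELINE):
        print(f"tick {tick}: [{name}] {action}: {msg}")
```

In a real deployment the snapshots would come from `GET /repos/{owner}/{repo}/branches/{branch}/protection` and the repository contents API on every poll, and the returned action would drive whatever enforcement the tool supports; the point the example makes is that a check which only runs when a human remembers to look at ticks 0 and 2 never sees tick 1.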
Allstar works in concert with Security Scorecards, an automated tool that checks, among other things, whether the project uses tooling to automatically update its dependencies, requires code review before code is merged, cryptographically signs its releases, and carries unfixed known vulnerabilities, and then calculates a score that indicates the project's current security posture.
"Security Scorecards helps you measure your current security posture against where you want to be; Allstar helps you get there," Mertic concluded.
News URL
http://feedproxy.google.com/~r/HelpNetSecurity/~3/aOsrWTpORek/