Security News > 2021 > August > Allstar app helps enforce security best practices for GitHub projects

Google and the Open Source Security Foundation have released Allstar, an app that allows organizations / owners of GitHub repositories to set up security policy expectations for GitHub projects and to make sure that these policies are adhered to.

"Allstar works by continuously checking expected GitHub API states and repository file contents against defined security policies and applying enforcement actions when expected states do not match the policies," OpenSSF's John Mertic explained.

"The continuous nature of the enforcement protects against stealthy attacks that human enforcement might not notice: Allstar will detect and respond to a policy violation if someone, for example, temporarily disables branch protections in order to commit a malicious change before reenabling the protections."

The presence of the SECURITY.md file, containing a defined policy for responsible vulnerability disclosure.

Allstar works in concert with Security Scorecards, a helpful automated tool that checks things like whether the project uses tools to automatically update its dependencies, does it require code review before code is merged, does it cryptographically sign releases, does it have unfixed vulnerabilities, and so on, and calculates a score that indicates the current security posture of the project.

"Security Scorecards helps you measure your current security posture against where you want to be; Allstar helps you get there," Mertic concluded.

News URL

http://feedproxy.google.com/~r/HelpNetSecurity/~3/aOsrWTpORek/