Google and OpenSSF have released a new app called Allstar which provides automated continuous enforcement of security best practices for GitHub projects.
As a member of the open source software (OSS) community, the search giant is well aware of the growing threat posed by software supply chain attacks against open source projects, and Allstar is its latest effort to improve their security.
With Allstar, GitHub project owners can check for security policy adherence, set desired enforcement actions and continuously enact those enforcements when triggered by a setting or file change in the organization or project repository, according to a new blog post from OpenSSF.
By using this new GitHub app, the open source community can proactively reduce security risk while adding as little friction as possible to their workflows.
Allstar is a companion to Google and the OpenSSF's automated tool Scorecards, which assesses risks to a repository and its dependencies.
While Security Scorecards checks a number of important heuristics to produce a score that helps users understand which areas to improve in order to strengthen the security posture of their projects, Allstar allows maintainers to opt into automated enforcement of specific checks: if a repository fails an enabled check, Allstar intervenes to make the necessary changes to remediate the issue.
Allstar itself works by continuously checking expected GitHub API states and repository file contents such as repository settings, branch settings and workflow settings against defined security policies and applying enforcement actions (filing issues, changing settings) when expected states do not match the policies.
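A minimal model of that check-and-enforce loop, written here as an added example rather than code from the Allstar project: the branch-protection fields, the policy shape and the action names ("log", "issue", "fix") are assumed for illustration, and the GitHub API calls a real enforcer would make are replaced by in-memory state changes.

```go
package main

import "fmt"

// BranchProtection is the subset of GitHub branch-protection state a policy
// cares about (shape assumed for this example, not Allstar's own types).
type BranchProtection struct {
	RequiredApprovals int  // approving reviews required before merge
	AllowForcePushes  bool // whether history can be rewritten on the branch
}

// Policy pairs the expected state with the action on mismatch: "log",
// "issue" (file a tracking issue) or "fix" (change the settings).
type Policy struct {
	Expected BranchProtection
	Action   string
}

// Evaluate returns one finding per drifted setting; empty means compliant.
func Evaluate(p Policy, got BranchProtection) []string {
	var f []string
	if got.RequiredApprovals < p.Expected.RequiredApprovals {
		f = append(f, fmt.Sprintf("required approvals %d < %d",
			got.RequiredApprovals, p.Expected.RequiredApprovals))
	}
	if got.AllowForcePushes && !p.Expected.AllowForcePushes {
		f = append(f, "force pushes allowed")
	}
	return f
}

// Enforce runs one check-and-act cycle: it returns the (possibly remediated)
// state and the actions taken; GitHub API calls are stood in for by struct edits.
func Enforce(p Policy, got BranchProtection) (BranchProtection, []string) {
	findings := Evaluate(p, got)
	if len(findings) == 0 {
		return got, nil // expected state matches: nothing to do this cycle
	}
	switch p.Action {
	case "fix": // tighten only the drifted settings; never loosen a stricter one
		if got.RequiredApprovals < p.Expected.RequiredApprovals {
			got.RequiredApprovals = p.Expected.RequiredApprovals
		}
		got.AllowForcePushes = got.AllowForcePushes && p.Expected.AllowForcePushes
		return got, []string{"changed settings: " + fmt.Sprint(findings)}
	case "issue":
		return got, []string{"filed issue: " + fmt.Sprint(findings)}
	}
	return got, []string{"logged: " + fmt.Sprint(findings)}
}
```

Run in a loop over every repository on each settings-change event, this is the continuous evaluation the article describes; a repository that already exceeds the policy is left untouched.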
Although OpenSSF runs its own Allstar instance that anyone can install and use, GitHub project owners can also create and run their own instances for security or customization reasons.