
Google's new GitHub app provides automated enforcement of best security practices

GitHub Webpage
(Image credit: Gil C / Shutterstock)

Google and OpenSSF have released a new app called Allstar which provides automated continuous enforcement of security best practices for GitHub projects.

As a member of the open source software (OSS) community, the search giant is well aware of the growing threat posed by software supply chain attacks against open source projects, and Allstar is its latest effort to improve their security.

With Allstar, GitHub project owners can check for security policy adherence, set the desired enforcement actions and continuously enact those enforcements whenever a setting or file change in the organization or project repository triggers them, according to a new blog post from OpenSSF.

By using this new GitHub app, the open source community can proactively reduce security risk while adding as little friction as possible to their workflows.

Allstar app

Allstar is a companion to Google and the OpenSSF's automated tool Scorecards, which assesses risks to a repository and its dependencies.

While Security Scorecards checks a number of important heuristics and produces a score that helps users see which specific areas to improve in order to strengthen the security posture of their projects, Allstar allows maintainers to opt into automated enforcement of specific checks. If a repository fails an enabled check, Allstar intervenes to make the changes needed to remediate the issue.

Allstar itself works by continuously comparing the expected GitHub API state and repository file contents (repository settings, branch settings and workflow settings) against defined security policies, and applying enforcement actions (filing issues, changing settings) whenever the actual state does not match the policy.
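To make that check-then-enforce loop concrete, here is an added example that is not Allstar's code: a policy for a repository's default-branch protection is compared with a constructed sample shaped like GitHub's branch-protection API response, and a mismatch produces either an issue-style report or the corrected settings. The `BranchPolicy` fields and the log/issue/fix action names are simplifications assumed for this illustration.

```python
import copy
from dataclasses import dataclass
SAMPLE_STATE = {  # constructed sample shaped like GitHub's branch-protection API response
    "required_pull_request_reviews": {"required_approving_review_count": 0, "dismiss_stale_reviews": False},
    "allow_force_pushes": {"enabled": True},
}
@dataclass
class BranchPolicy:
    """Expected state; `action` (log / issue / fix) is an assumed simplification of the actions the article lists."""
    action: str = "issue"
    approval_count: int = 1
    dismiss_stale_reviews: bool = True
    block_force_push: bool = True

def evaluate(policy: BranchPolicy, protection: dict) -> list:
    """Compare the live state (GitHub API field names) with the policy; return the violations."""
    findings = []
    reviews = protection.get("required_pull_request_reviews")
    if reviews is None:
        findings.append("pull request reviews are not required")
    else:
        if reviews.get("required_approving_review_count", 0) < policy.approval_count:
            findings.append(f"fewer than {policy.approval_count} approving review(s) required")
        if policy.dismiss_stale_reviews and not reviews.get("dismiss_stale_reviews", False):
            findings.append("stale reviews are not dismissed on new commits")
    if policy.block_force_push and protection.get("allow_force_pushes", {}).get("enabled", False):
        findings.append("force pushes are allowed on the protected branch")
    return findings

def remediate(policy: BranchPolicy, protection: dict) -> dict:
    """Settings a 'fix' action would write back to the API (computed here, never sent)."""
    fixed = copy.deepcopy(protection)  # leave the observed state untouched
    reviews = fixed.setdefault("required_pull_request_reviews", {})
    reviews["required_approving_review_count"] = max(reviews.get("required_approving_review_count", 0), policy.approval_count)
    if policy.dismiss_stale_reviews:
        reviews["dismiss_stale_reviews"] = True
    if policy.block_force_push:
        fixed["allow_force_pushes"] = {"enabled": False}
    return fixed

def enforce(policy: BranchPolicy, protection: dict) -> dict:
    """One pass of the check-then-act loop: report compliance and the action taken."""
    findings = evaluate(policy, protection)
    if not findings:
        return {"compliant": True, "action": None, "findings": []}
    result = {"compliant": False, "action": policy.action, "findings": findings}
    if policy.action == "fix":
        result["state"] = remediate(policy, protection)
    return result
```

A real deployment would run `enforce` on every settings or file-change event and, for the fix action, write `result["state"]` back through the API.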

Although OpenSSF runs its own Allstar instance that anyone can install and use, GitHub project owners can also create and run their own instances for security or customization reasons.

To get started with Allstar, GitHub project owners can install the Allstar app here and use these quick start instructions to configure it.

Anthony Spadafora

After working with the TechRadar Pro team for the last several years, Anthony is now the security and networking editor at Tom’s Guide where he covers everything from data breaches and ransomware gangs to the best way to cover your whole home or business with Wi-Fi. When not writing, you can find him tinkering with PCs and game consoles, managing cables and upgrading his smart home.