Google has announced the Allstar GitHub app to provide automated, continuous enforcement of security best practices for GitHub projects. Allstar lets repository and organization owners state the security policies they want followed, choose the enforcement actions to take when a policy is violated, and continuously applies those actions whenever a setting or file change in the organization or project repository triggers a violation.
“Allstar will help the open source community proactively reduce security risk while adding as little friction as possible,” Mike Maraya, Google’s senior program manager for security, and Google scholar Jeff Mendoza said in a blog post.
Allstar is a companion to Security Scorecards, an automated tool launched in November 2020 by Google and the Open Source Security Foundation. The open source tool assesses risk to a repository and its dependencies.
The post added: “Allstar works by continuously checking expected GitHub API states and repository file contents (repository settings, branch settings, workflow settings) against defined security policies and applying enforcement actions (filing issues, changing the settings) when expected states do not match the policies. The continuous nature of the enforcement protects against stealthy attacks that human enforcement might not notice: Allstar will detect and respond to a policy violation if someone, for example, temporarily disables branch protections in order to commit a malicious change before reenabling the protections.”
Allstar currently enforces a limited set of policies: Branch Protection, Security Policy, Outside Collaborator Administrators, and Binary Artifacts. Additional policies are planned in the coming months.
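The mechanism the post describes, a policy check repeated on every poll with an enforcement action attached, can be shown in a few dozen lines. The following Python is an added illustration, not Allstar's own code (Allstar is a Go service); the snapshot dictionaries are constructed to follow the shape of GitHub's `GET /repos/{owner}/{repo}/branches/{branch}/protection` response, the policy key names are hypothetical, and the sequence of polls replays the "disable, commit, re-enable" scenario quoted above so that the difference between continuous checking and a one-shot audit is visible in the output.

```python
"""Model of a continuous branch-protection check, in the style the post describes.

Added illustration, not Allstar's own code. The snapshot dicts below are
constructed to follow the shape of GitHub's REST response for
GET /repos/{owner}/{repo}/branches/{branch}/protection; in a real monitor they
would be fetched on every poll (a 404 from that endpoint means the branch is
unprotected, modelled here as None). Policy key names are hypothetical.
"""
from dataclasses import dataclass

# Desired state, written like a small policy file (hypothetical key names).
BRANCH_POLICY = {
    "require_approval": True,
    "approval_count": 1,
    "dismiss_stale": True,
    "block_force": True,
    "enforce_admins": True,
}


def check_branch_protection(protection, policy=BRANCH_POLICY):
    """Compare one branch's protection state with the policy; return violations."""
    if protection is None:
        return ["branch is not protected"]
    violations = []
    reviews = protection.get("required_pull_request_reviews")
    if policy["require_approval"]:
        if reviews is None:
            violations.append("pull request reviews are not required")
        else:
            count = reviews.get("required_approving_review_count", 0)
            if count < policy["approval_count"]:
                violations.append(
                    f"required_approving_review_count is {count}, "
                    f"policy requires {policy['approval_count']}")
            if policy["dismiss_stale"] and not reviews.get("dismiss_stale_reviews", False):
                violations.append("stale reviews are not dismissed on new commits")
    if policy["block_force"] and protection.get("allow_force_pushes", {}).get("enabled", False):
        violations.append("force pushes are allowed")
    if policy["enforce_admins"] and not protection.get("enforce_admins", {}).get("enabled", False):
        violations.append("administrators can bypass the protection rules")
    return violations


@dataclass
class Finding:
    tick: int          # which poll caught it
    branch: str
    violations: list
    action: str        # "issue" (file an issue) or "fix" (push the settings back)


def monitor(polls, action="issue"):
    """Evaluate every poll result in order; one Finding per non-compliant poll."""
    findings = []
    for tick, poll in enumerate(polls):
        violations = check_branch_protection(poll["protection"])
        if violations:
            findings.append(Finding(tick, poll["branch"], violations, action))
    return findings


# Constructed sample: four consecutive polls of the same branch.
COMPLIANT = {
    "required_pull_request_reviews": {
        "required_approving_review_count": 1, "dismiss_stale_reviews": True},
    "allow_force_pushes": {"enabled": False},
    "enforce_admins": {"enabled": True},
}
WEAKENED = {  # reviews set to 0 and force pushes turned on
    "required_pull_request_reviews": {
        "required_approving_review_count": 0, "dismiss_stale_reviews": True},
    "allow_force_pushes": {"enabled": True},
    "enforce_admins": {"enabled": True},
}
POLLS = [
    {"branch": "main", "protection": COMPLIANT},  # before the change
    {"branch": "main", "protection": None},       # protection dropped to push a commit
    {"branch": "main", "protection": WEAKENED},   # partially restored
    {"branch": "main", "protection": COMPLIANT},  # fully restored before an audit runs
]


def one_shot_audit(polls):
    """What a periodic human audit sees: only the first and the latest state."""
    return monitor([polls[0], polls[-1]])


if __name__ == "__main__":
    for f in monitor(POLLS):
        print(f"poll {f.tick}: {f.branch}: {'; '.join(f.violations)} -> {f.action}")
    print("one-shot audit findings:", one_shot_audit(POLLS))
```

Run as written, the continuous monitor reports polls 1 and 2 (unprotected, then weakened), while the one-shot audit that only compares the first and last states finds nothing. The `action` field is where a real enforcer would branch between filing an issue and writing the desired settings back through the API; the polling interval bounds how short a window an attacker can use without being noticed.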