Authors: Mike Maraya, Jeff Mendoza
We’re excited to announce Allstar, a GitHub app that provides automated continuous enforcement of security best practices for GitHub projects. With Allstar, owners can check for security policy adherence, set desired enforcement actions, and continuously enact those enforcements when triggered by a setting or file change in the organization or project repository. Allstar will help the open source community proactively reduce security risk while adding as little friction as possible.
Allstar is a companion to Security Scorecards, an automated tool that assesses risk to a repository and its dependencies. Security Scorecards checks a number of important heuristics (currently 18), such as whether the project uses branch protection, cryptographically signs release artifacts, or requires code review. From these scores, users can understand specific areas to improve in order to strengthen the security posture of their project. From here, Allstar takes the next step and allows maintainers to opt into automated enforcement of specific checks. If your repository fails a particular check that you enable, Allstar intervenes to make the necessary changes to remediate the issue, avoiding the extra effort of regular manual fixes. In short, Security Scorecards helps you measure your current security posture against where you want to be; Allstar helps you get there.
Continuous Automated Enforcement
Allstar works by continuously checking expected GitHub API states and repository file contents (repository settings, branch settings, workflow settings) against defined security policies and applying enforcement actions (filing issues, changing the settings) when expected states do not match the policies. The continuous nature of the enforcement protects against stealthy attacks that human enforcement might not notice: Allstar will detect and respond to a policy violation if someone, for example, temporarily disables branch protections in order to commit a malicious change before reenabling the protections.
OpenSSF runs an Allstar instance that anyone can install and use. However, you can create and run your own Allstar instance for security or customization reasons.
User-Defined Enforcement Actions
Allstar lets you pick the enforcement actions that make sense for the organization, the repository, and the specific policies you’ve enabled. The following enforcement actions are available today, with more planned for the future:
- Log the security policy adherence failure with no additional action
- Open a GitHub issue
- Revert the modified GitHub policy setting to match the original Allstar configuration
Security Policy Enforcements Available Today
A limited number of security policy checks are currently enforced by Allstar, with additional policies planned in the coming months. Here’s what’s up and running so far:
Branch Protection
Branch protection sets requirements before a collaborator can push changes to a branch in your repository. Allstar can enforce the following requirements:
- Require approval on pull requests, which helps meet the code review requirement for Supply-chain Levels for Software Artifacts (SLSA)
- Set a number of required pull request approvals
- Dismiss stale pull request approvals
- Block force pushes
Security Policy
A defined policy for responsible vulnerability disclosure helps protect the users of your project, ensuring that you have a chance to remediate an issue before public disclosure. Allstar can enforce the presence of a security policy file (SECURITY.md).
Outside Collaborator Administrators
Allstar can enforce a requirement that users with administrator privileges on a repository be members of the owning organization. It can also disallow push access for outside collaborators.
Binary Artifacts
Binary artifacts in a repository are threat vectors that cannot be accurately reviewed by a human. Allstar will detect these and alert the user if found.
Here are some of the enforcements we’re looking to build in future releases:
Automatic Dependency Update
Security vulnerabilities are regularly discovered and fixed in open source packages. Automatically updating your dependencies helps keep known vulnerabilities out of your project. Allstar will be able to ensure that automatic dependency updates via Dependabot or Renovate are enabled on your repository.
Dependency Pinning
Automatic incorporation of new dependency versions without review is an attack vector. A lock file or similar language-specific pinning file can protect against a compromised dependency release making its way into your project. Allstar will be able to detect and enforce the presence of language-specific dependency pinning.
Allstar is still in the early stages of development, so we welcome adoption and community feedback. You can get started using Allstar and help improve it by submitting issues and/or pull requests for new additions. We look forward to rolling out more enforcements; in the meantime, taking simple steps like enforcing code review and setting branch protections can make a significant difference in protecting against supply-chain attacks. Taking these fundamental actions together can help raise the bar for security standards in open source software.