OpenSSF introduces policy enforcement app Allstar to keep GitHub projects secure

Allstar GitHub App

The Open Source Security Foundation (OpenSSF) has made another step towards its vision of a secure OS ecosystem by turning its knowledge about repository protection into a GitHub app meant to bump up the platforms own security measures by helping to detect and correct risky or plainly unsafe settings and file contents.

According to the OpenSSF’s introduction of Allstar, as the app is called, the project is meant as a companion tool to the Security Scorecard the foundation shared last year. While Scorecards only give a general idea of the security posture of an open source project by checking for things like branch protection, commit activities, official packages, unfixed vulnerabilities, and use of testing tools, Allstar promises to get a bit more hands-on, filing GitHub issues or reverting modifications if needed.

To make use of Allstar, it has to be installed on either a GitHub organisation or repository. Once configured, the app will start monitoring GitHub settings and file contents, check them for compliance with the enabled policies, and take the set action should there be a mismatch.

What happens when a compliance violation occurs is largely up to the user, as policies can be modified to take one of currently three actions. The default here is logging policy run results and details, which only the app operator can see. Other options would be to have the app create an issue with details on the policy violation or change the settings leading to the violation, though this might not be an option in all cases. Additional actions such as sending an email to repository admins, blocking PRs if a check fails, or sending a remote procedure call to another system are currently discussed.

Out of the box, Allstar is configured to be opt-in to make sure the app isn’t doing anything until you tell it to. The OpenSSF’s working group for securing critical projects however recommends switching to opt-out, meaning that all repositories in the organisation Allstar is activated for are continuously checked for compliance issues (though there are ways to disable this behaviour for selected repos if sensible).

Policies are enabled and configured in a similar manner with yaml files on either the organisational or repository level. While GitHub’s own security policies mainly cover authentication, Allstar’s initial stack includes files to enable checks for inspecting whether GitHub’s branch protection settings are set up correctly, the project is free of checked-in binaries, outside collaborators don’t have admin access, and there are security policies in place. Next up on the implementation list are policies to verify dependabot is enabled and dependencies are pinned, however the OpenSSF team also looks to add more checks from the Scorecard project.

Teams interested in the project can find Allstar on GitHub and set up their own instance, or just use the one the OpenSSF is offering. An example for the project being used can be investigated in the GoogleContainerTools repo.