OpenSSF Allstar Draws on Google Expertise to Secure GitHub Code

It’s easy to talk a good security game. It’s another matter entirely to actually implement good security. Now, Google Open Source and the Linux Foundation’s Open Source Security Foundation (OSSF) have joined forces to make it easier for you to secure your GitHub repositories.

This is being done with Allstar, a GitHub app that provides automated continuous enforcement of security best practices and policies for GitHub projects. It works with Google and OSSF’s newly released Security Scorecards. Scorecards uses a set of automated pass/fail checks, currently 18, to provide a quick review of the security of open source software projects. Specifically, Scorecards checks security heuristics such as whether a project uses branch protection, cryptographically signs release artifacts, and requires code review.

This produces a “risk score” for the open source code. It’s a quick, dirty, and practical way to see how trustworthy a given codebase is.

Allstar takes this data and advances it one step forward. With it, maintainers can automatically force specific check enforcement. Then, if your repository fails a check, Allstar intervenes to remediate the issue. This avoids the extra effort and annoyance of manual fixes. In other words, Security Scorecards helps you measure your current security posture against where you want to be and Allstar helps you get there.


Specifically, “Allstar works by continuously checking expected GitHub API states and repository file contents (repository settings, branch settings, workflow settings) against defined security policies and applying enforcement actions (filing issues, changing the settings) when expected states do not match the policies.”

There are several advantages to this approach. First, because it works constantly to enforce your security policy, it can catch stealthy attacks that you might never notice. For example, if someone temporarily disables branch protections to commit a malicious change and then re-enables the protections, Allstar will detect the policy violation and block it. Second, people are, frankly, not good at spotting security issues. By automating the process, you take the human error element out of the security equation.

Today, Allstar can only run a few security policy checks. Here’s what’s up and running to date:

Branch protection:

  • Require approval on pull requests, which helps meet the code review requirement for Supply-chain Levels for Software Artifacts (SLSA).
  • Set a number of required pull request approvals.
  • Dismiss stale pull request approvals.
  • Block force pushes.

Other protections include:

  • Require a Security Policy file, SECURITY.md, to be present in a project.
  • Lock out outside collaborator administrators and block push access for outside collaborators. With this, you can require all admins and collaborators to be members of your organization before they work on your project.
  • Spot and alert administrators and maintainers when a binary blob is found in the repository.

Looking ahead, Allstar will automatically update dependencies as open-source security patches are made. It will do this by making sure automatic dependency updates via Dependabot or Renovate are enabled.

At the same time, if you’re worried about bad code coming in from outside, Allstar can freeze dependency updates until you have a chance to review them. This will be done via a lock file or a similar language-specific pinning mechanism. This will protect you from compromised dependency releases.


Don’t want to enforce every security policy that Scorecards can check? No problem. Allstar lets you pick the enforcement actions that make sense for you, your repositories, and your enabled policies. The following enforcement actions are available today:

  • Log the security policy adherence failure with no additional action
  • Open a GitHub issue
  • Revert the modified GitHub policy setting to match the original Allstar configuration

More enforcement actions will be available in future updates.
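The policy list above and the three enforcement actions can be read as one reconciliation loop: fetch the repository’s actual state, compare it with the expected state each policy defines, and apply the configured action where they differ. The following Python block is an added example that models that loop; it is not Allstar’s own code. `REPO_STATE` is a constructed dict standing in for the GitHub API view of one repository, and the `Policy` dataclass, the function names and the field names are this example’s own. It covers the four branch-protection rules, the SECURITY.md, outside-collaborator and binary-blob checks, and the log/issue/fix actions, and it shows why a scheduled pass catches a setting that was disabled and quietly re-enabled.

```python
"""Reconciliation loop modelled on the Allstar design: expected state vs. actual
state, with an enforcement action per policy.  Added example, not Allstar's code;
REPO_STATE is a constructed stand-in for the GitHub API view of one repository."""
import copy
from dataclasses import dataclass
from typing import Callable, List, Optional

REPO_STATE = {  # constructed sample: every policy below starts out violated
    "name": "example-org/widget",
    "branch_protection": {"main": {"require_pr_review": False, "required_approvals": 0,
                                   "dismiss_stale_reviews": False, "allow_force_push": True}},
    "files": ["README.md", "vendor/helper.so"],
    "outside_collaborators": [{"login": "contractor1", "permission": "admin"}],
}
REQUIRED_APPROVALS = 1
BINARY_EXTENSIONS = (".so", ".dll", ".exe", ".dylib", ".jar", ".class", ".o")

def fresh_state() -> dict:
    """Deep copy so each enforcement run starts from the untouched sample."""
    return copy.deepcopy(REPO_STATE)

@dataclass
class Violation:
    policy: str
    detail: str

@dataclass
class Policy:
    name: str
    action: str  # "log", "issue" or "fix": the three actions the article lists
    check: Callable[[dict], List[Violation]]
    fix: Optional[Callable[[dict], None]] = None  # only for policies that can be auto-remediated

def check_branch_protection(state: dict) -> List[Violation]:
    """The four branch-protection rules from the article, checked per protected branch."""
    out = []
    for branch, bp in state["branch_protection"].items():
        if not bp["require_pr_review"]:
            out.append(Violation("branch_protection", f"{branch}: PR review not required"))
        if bp["required_approvals"] < REQUIRED_APPROVALS:
            out.append(Violation("branch_protection", f"{branch}: fewer than {REQUIRED_APPROVALS} approval(s)"))
        if not bp["dismiss_stale_reviews"]:
            out.append(Violation("branch_protection", f"{branch}: stale approvals not dismissed"))
        if bp["allow_force_push"]:
            out.append(Violation("branch_protection", f"{branch}: force pushes allowed"))
    return out

def fix_branch_protection(state: dict) -> None:
    """Remediation: set the branch settings back to what the policy expects."""
    for bp in state["branch_protection"].values():
        bp.update(require_pr_review=True, required_approvals=REQUIRED_APPROVALS,
                  dismiss_stale_reviews=True, allow_force_push=False)

def check_security_policy(state: dict) -> List[Violation]:
    return [] if "SECURITY.md" in state["files"] else [Violation("security", "SECURITY.md is missing")]

def check_outside_collaborators(state: dict) -> List[Violation]:
    # Outside collaborators may neither administer the repository nor push to it.
    return [Violation("outside", f"{c['login']}: outside collaborator with {c['permission']} access")
            for c in state["outside_collaborators"] if c["permission"] in ("admin", "push")]

def check_binary_artifacts(state: dict) -> List[Violation]:
    return [Violation("binary_artifacts", f"binary blob committed: {path}")
            for path in state["files"] if path.endswith(BINARY_EXTENSIONS)]

# One enforcement action per policy, chosen by the maintainer.
DEFAULT_POLICIES = [
    Policy("branch_protection", "fix", check_branch_protection, fix_branch_protection),
    Policy("security", "issue", check_security_policy),
    Policy("outside", "issue", check_outside_collaborators),
    Policy("binary_artifacts", "log", check_binary_artifacts),
]

def enforce(policies: List[Policy], state: dict) -> list:
    """One reconciliation pass; returns (policy, action, remaining violations) per policy.
    Run on a schedule, it re-detects a setting that was disabled and then re-enabled."""
    report = []
    for p in policies:
        violations = p.check(state)
        if not violations:
            report.append((p.name, "compliant", []))
            continue
        if p.action == "log":
            for v in violations:
                print(f"[{state['name']}] {v.policy}: {v.detail}")
        elif p.action == "issue":
            state.setdefault("issues", []).append(
                {"title": f"Policy violation: {p.name}", "body": "\n".join(v.detail for v in violations)})
        elif p.action == "fix" and p.fix is not None:
            p.fix(state)
            violations = p.check(state)  # re-check so the report shows what is left
        else:
            raise ValueError(f"{p.name}: action {p.action!r} has no remediation function")
        report.append((p.name, p.action, violations))
    return report
```

Calling `enforce(DEFAULT_POLICIES, fresh_state())` fixes the branch settings in place, records two issues (missing SECURITY.md, an outside admin) and only logs the binary blob, since a committed file cannot be auto-remediated. Flipping `allow_force_push` back to `True` and calling `enforce` again reverts it; that second pass is the point of running the check continuously rather than once.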

This open source tool is very much a work in progress. If you’d like to help, and you should, because the combination of Allstar and Scorecards promises to be a security gamechanger, the maintainers will welcome it. Just start using Allstar and help improve it by submitting issues and/or pull requests for new additions. You, and the rest of the open-source programming community, will be glad you did.

Source: InApps.net
