The app provides for continuous enforcement of best security practices
This week Google announced the release of the Allstar GitHub application. The app enables what the tech giant calls “automated continuous enforcement of security best practices” in GitHub projects.
The new app works by enabling project owners on the GitHub code repository to check for security policy adherence, set desired enforcement actions and then continuously enforce those policies when necessary. An example of the capability is setting or a file change in the project’s repository.
The Allstar app is a companion to Scorecards. This is another open-source tool that Google backs which automatically assesses risks to any GitHub repository and its dependencies.
Allstar works by continuously checking expected GitHub API states and repository file contents. These include repository settings, branch settings, workflow settings. It checks these against defined security policies and applying enforcement actions such as filing issues, changing the settings. It performs the checks automatically when expected states do not match the policies.
The continuous nature of the enforcement protects against stealthy attacks that human enforcement might not notice: Allstar will detect and respond to a policy violation if someone, for example, temporarily disables branch protections in order to commit a malicious change before reenabling the protections.
Combating the threat of software supply chain attacks
Mike Maraya, Google’s senior program manager for security, and Google scholar Jeff Mendoza co-authored a blog post about the release.
“As an active member of the open source software (OSS) community, Google recognizes the growing threat of software supply chain attacks against OSS we use and develop,” they wrote.
“Building on our efforts to improve OSS security with an end-to-end framework (SLSA), metrics (Scorecards), and coordinated vulnerability disclosure (guide), we are excited to announce Allstar.”
“Allstar is a GitHub app that continuously enforces security policy settings through selectable automated enforcement actions,” they wrote. “Allstar is already filing and closing security issues for Envoy and GoogleContainerTools, with more organizations and repositories lined up.”
4 hours ago
