Google’s new GitHub app provides automated enforcement of best security practices


Google and the OpenSSF have released a new GitHub app called Allstar, which continuously and automatically enforces security best practices across GitHub projects.

As a member of the open source software (OSS) community, the search giant is well aware of the growing threat that software supply chain attacks pose to open source projects, and Allstar is its latest effort to improve their security.

With Allstar, GitHub project owners can check their adherence to security policies, define the enforcement actions they want, and have those actions applied automatically whenever a settings or file change in an organization's repository or project triggers them, according to a new OpenSSF blog post.


Using this new GitHub app, the open source community can proactively reduce security risk while adding as little friction as possible to developers' workflows.

The Allstar app

Allstar is a companion to Security Scorecards, the Google-backed OpenSSF tool that assesses the security risks of a repository and its dependencies, and acts as its automated enforcer.

While Security Scorecards checks a number of important heuristics to produce a score that helps maintainers see where their projects can be improved, Allstar lets maintainers opt into automated enforcement of specific controls. If a repository fails an enabled check, Allstar steps in and makes the changes needed to remediate the problem.

Allstar itself works by continuously comparing GitHub API state and repository file contents, such as repository settings, branch settings, and workflow settings, against defined security policies, and applying enforcement actions (filing issues, changing settings) when the observed state does not match the policy.
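To make that check-and-enforce loop concrete, here is an added example in Go (the language Allstar itself is written in); it is not Allstar's own code or configuration format, and the Policy type and its field names are this example's own invention. It parses a constructed GitHub branch-protection API response, compares it with the policy, and in "fix" mode returns the corrected state an enforcer would write back to the same API endpoint; in "issue" mode it only reports what is wrong.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// These types mirror the fields of GitHub's branch-protection API response
// (GET /repos/{owner}/{repo}/branches/{branch}/protection) that the policy below checks.
type (
	ReviewRules struct {
		RequiredApprovingReviewCount int  `json:"required_approving_review_count"`
		DismissStaleReviews          bool `json:"dismiss_stale_reviews"`
	}
	Toggle struct {
		Enabled bool `json:"enabled"`
	}
	BranchProtection struct {
		RequiredPullRequestReviews *ReviewRules `json:"required_pull_request_reviews,omitempty"` // nil when no review rule exists
		EnforceAdmins              Toggle       `json:"enforce_admins"`
		AllowForcePushes           Toggle       `json:"allow_force_pushes"`
	}
)

// Policy is this example's own hypothetical policy format, not Allstar's.
type Policy struct {
	MinApprovals                          int
	DismissStale, EnforceAdmins, BlockForce bool
	Action                                string // "issue" only reports; "fix" also produces a corrected state
}

type Finding struct{ Setting, Want, Got string }

func ensureReviews(bp *BranchProtection) *ReviewRules {
	if bp.RequiredPullRequestReviews == nil {
		bp.RequiredPullRequestReviews = &ReviewRules{}
	}
	return bp.RequiredPullRequestReviews
}

// Evaluate compares observed state with the policy and returns the findings. With Action
// "fix" and at least one finding it also returns the corrected state to PUT back; else nil.
func Evaluate(observed BranchProtection, p Policy) ([]Finding, *BranchProtection) {
	var findings []Finding
	fixed := observed
	gotApprovals, gotDismiss := 0, false
	if rr := observed.RequiredPullRequestReviews; rr != nil {
		gotApprovals, gotDismiss = rr.RequiredApprovingReviewCount, rr.DismissStaleReviews
		cp := *rr // copy so that observed is never mutated through the shared pointer
		fixed.RequiredPullRequestReviews = &cp
	}
	if gotApprovals < p.MinApprovals {
		findings = append(findings, Finding{"required_approving_review_count",
			fmt.Sprintf(">= %d", p.MinApprovals), fmt.Sprint(gotApprovals)})
		ensureReviews(&fixed).RequiredApprovingReviewCount = p.MinApprovals
	}
	if p.DismissStale && !gotDismiss {
		findings = append(findings, Finding{"dismiss_stale_reviews", "true", "false"})
		ensureReviews(&fixed).DismissStaleReviews = true
	}
	if p.EnforceAdmins && !observed.EnforceAdmins.Enabled {
		findings = append(findings, Finding{"enforce_admins", "true", "false"})
		fixed.EnforceAdmins.Enabled = true
	}
	if p.BlockForce && observed.AllowForcePushes.Enabled {
		findings = append(findings, Finding{"allow_force_pushes", "false", "true"})
		fixed.AllowForcePushes.Enabled = false
	}
	if p.Action != "fix" || len(findings) == 0 {
		return findings, nil
	}
	return findings, &fixed
}

// EvaluateJSON parses a raw API response body and evaluates it against p.
func EvaluateJSON(raw string, p Policy) ([]Finding, *BranchProtection, error) {
	var bp BranchProtection
	if err := json.Unmarshal([]byte(raw), &bp); err != nil {
		return nil, nil, err
	}
	findings, fixed := Evaluate(bp, p)
	return findings, fixed, nil
}

// SampleResponse is a constructed stand-in for an API response, not real repository data:
// no approvals required, admins exempt from the rules, and force pushes allowed.
const SampleResponse = `{
  "required_pull_request_reviews": {"required_approving_review_count": 0, "dismiss_stale_reviews": false},
  "enforce_admins": {"enabled": false},
  "allow_force_pushes": {"enabled": true}
}`

func main() {
	p := Policy{MinApprovals: 1, DismissStale: true, EnforceAdmins: true, BlockForce: true, Action: "fix"}
	findings, fixed, err := EvaluateJSON(SampleResponse, p)
	if err != nil {
		panic(err)
	}
	out, _ := json.MarshalIndent(map[string]interface{}{"findings": findings, "fix": fixed}, "", "  ")
	fmt.Println(string(out))
}
```

Running this against the sample reports four findings and prints the corrected state; switching Action to "issue" yields the same findings with no state, which is where a real enforcer would file an issue instead of changing settings. A missing `required_pull_request_reviews` block is treated as zero required approvals, so a branch with no review rule at all still fails the approval check.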

Although the OpenSSF runs its own Allstar instance that anyone can install and use, GitHub project owners can also build and run their own instance for security or customization reasons.

To get started, GitHub project owners can install the Allstar app and follow its quick-start instructions to configure it.

deepak
