Allstar is a GitHub app that provides automated continuous enforcement of security checks such as the OpenSSF Security Scorecards. With Allstar, owners can check for security policy adherence, set desired enforcement actions, and continuously implement those enforcement actions when triggered by a setting or file change in the org or repo. We hope this tool will help the open source community proactively reduce security risk while adding as little friction as possible.
Selectable Enforcement Actions
You have the option to select the enforcement actions that works best for your organization or repository:
- Log the policy adherence failure but take no additional action
- Open an issue
- Automatically change the GitHub setting to match the Allstar configuration
Policy Enforcements Available Today
For this early beta / dog food, the following policy enforcements are available right now with more planned:
Branch protection sets requirements before a collaborator can push changes to a branch in your repository. Allstar can enforce the following requirements:
Require approval on pull requests
- Set a number of required pull request approvals
- Dismiss stale pull request approvals
- Block force pushes
A defined policy in place for responsible vulnerability disclosure helps protect the users of your project, ensuring that you have a chance to provide a remediation before public disclosure. Allstar can enforce the presence of a security policy file (SECURITY.md).
Outside Collaborator Administrators
Allstar can alert when there are users with administrator privileges on a repository that are not members of the owning organization. Also, via settings, push access can be disallowed for outside collaborators as well.
Binary artifacts in a repository is a threat vector that cannot be accurately reviewed by a human. Allstar will detect these and alert if found.