Google open-sourced Allstar tool to secure GitHub repositories

Pierluigi Paganini August 13, 2021

Google has open-sourced the Allstar tool that can be used to secure GitHub projects and prevent security misconfigurations.

Google has open-sourced the Allstar tool that can be used to secure GitHub projects by enforcing a set of security policies to prevent misconfiguration.

“Allstar is a GitHub App installed on organizations or repositories to set and enforce security policies. Its goal is to be able to continuously monitor and detect any GitHub setting or repository file contents that may be risky or do not follow security best practices.” reads the project description. “If Allstar finds a repository to be out of compliance, it will take an action such as create an issue or restore security settings.”

The tool can be installed on organizations and user accounts to enforce specific policies that are highly configurable, it also gives the community to contribute by proposing new policies. The tool is developed under the OpenSSF organization, as a part of the Securing Critical Projects Working Group

Upon installing Allstar, administrators of the repository can review the permissions requested. The tool uses read access to most settings and file contents to analyze security compliance. It also requests the write access to issues to create issues, and to checks to allow the block action.

Every time Allstar detects a repository that is not compliant. the tool may perform the following actions:

  • log: The tool log the policy violation and makes it only visible to the app operator.
  • issue: The tool creates a single GitHub issue per policy..
  • fix:The tool changes to the GitHub settings in an attempt to address the policy violation.

Google also proposed the following actions for future releases of the tool:

  • block: Allstar can set a GitHub Status Check and block any PR in the repository from being merged if the check fails.
  • email: Allstar would send an email to the repository administrator(s).
  • rpc: Allstar would send an rpc to some organization-specific system.

Follow me on Twitter: @securityaffairs and Facebook

[adrotate banner=”9″][adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – hacking, GitHub)

[adrotate banner=”5″]

[adrotate banner=”13″]

you might also like

leave a comment