Allstar: Automatically enforce security rules in GitHub projects


The Open Source Security Foundation (OpenSSF), together with Google, has released Allstar, an application for enforcing security settings in open source projects. Allstar is meant to automatically and continuously check projects hosted on GitHub against their security policies, suggest measures that implement best practices and, where the configuration permits or where a repository setting has been changed, also carry out these actions itself.

The application complements Security Scorecards, a tool also developed by Google and other OpenSSF members that assesses the security risks of repositories and their dependencies. In contrast to Scorecards, Allstar lets maintainers enable (opt in to) a user-defined, automated execution of security checks. Scorecards focuses on heuristics, for example whether a project cryptographically signs its release artifacts, requires code review, or protects its branches. While Scorecards calculates risks according to defined parameters, Allstar is meant to help GitHub projects put best practices into effect for better security.

According to the release announcement on the OpenSSF blog, Allstar continuously compares the expected and actual GitHub API states with the security policies. In this way, potential weaknesses in the settings of repositories, branches, workflows and file contents should be detected early, and, according to the publisher, the application can take action to rectify the problems depending on the user's configuration. The continuous comparison against the specification is intended to protect against stealthy attacks that people would easily overlook. Among other things, Allstar should be able to automatically adjust project settings to the desired security requirements, and the tool should be able to intervene if someone, for example, temporarily disables the protection of a branch in order to make harmful changes. (How exactly Allstar is supposed to recognize that someone is up to no good is not clear from the announcement, but apparently reaction rules can be defined for known attack patterns.)


Figure: Allstar for the protection of GitHub projects: the principle of "Continuous Automated Enforcement" (Image: OpenSSF)

According to the blog entry, contributors can decide which enforcement actions make the most sense for their organization, the project and its repositories. The specific policies that Allstar should take into account can apparently also be selected. Three actions are available at the time of release, with further options planned for the future: logging violations of the security policy (pure logging without further measures), creating a GitHub issue, and reverting the changed GitHub setting so that it again matches the configuration defined in Allstar.

In the area of security policy enforcement, only branch protection is initially available. Among other things, the tool can require that pull requests receive a specified number of approvals, dismiss stale pull request approvals, and block force pushes. According to the description, Allstar can also stipulate that users with administrator rights must be members of the organization that owns the repository, which means that push access for outside collaborators can be prevented as well.
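The expected-versus-actual comparison and the three enforcement actions described above, as an added Python example that is not Allstar's own code: the policy keys are this example's own (not Allstar's configuration format), and the sample API response is constructed following the fields of the GitHub branch-protection REST response.

```python
"""Drift check in the spirit of Allstar: compare a branch's live protection
state (as returned by the GitHub API) with a desired policy, then map the
findings to an enforcement action: log, issue, or fix."""
import json

# Desired policy. Key names are constructed for this example.
POLICY = {
    "approval_count": 2,        # minimum number of approving reviews
    "dismiss_stale": True,      # dismiss approvals when new commits arrive
    "block_force_push": True,   # force pushes must be disallowed
    "enforce_admins": True,     # protection also applies to administrators
}

# Constructed sample of GET /repos/{owner}/{repo}/branches/{branch}/protection,
# reduced to the fields this check reads. Three settings drift from POLICY.
SAMPLE_PROTECTION = json.loads("""{
  "required_pull_request_reviews": {
    "dismiss_stale_reviews": false,
    "required_approving_review_count": 1
  },
  "enforce_admins": {"enabled": true},
  "allow_force_pushes": {"enabled": true}
}""")


def find_drift(protection, policy=POLICY):
    """Return one finding per policy setting that the live state violates."""
    reviews = protection.get("required_pull_request_reviews") or {}
    force = protection.get("allow_force_pushes") or {}
    admins = protection.get("enforce_admins") or {}
    actual = {
        "approval_count": reviews.get("required_approving_review_count", 0),
        "dismiss_stale": reviews.get("dismiss_stale_reviews", False),
        # GitHub reports "allow"; the policy expresses the inverse ("block").
        "block_force_push": not force.get("enabled", False),
        "enforce_admins": admins.get("enabled", False),
    }
    findings = []
    for key, want in policy.items():
        got = actual[key]
        ok = got >= want if key == "approval_count" else got == want
        if not ok:
            findings.append({"setting": key, "expected": want, "found": got})
    return findings


def plan_action(findings, action="log"):
    """Map findings to an enforcement action. 'fix' returns the settings to
    restore (the body a real enforcer would PUT back via the API)."""
    if not findings:
        return {"action": "none"}
    if action == "fix":
        return {"action": "fix",
                "restore": {f["setting"]: f["expected"] for f in findings}}
    return {"action": action, "findings": findings}
```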

For the future, the project plans an automated dependency update feature that keeps dependencies current on a regular schedule. New versions of dependencies should always be checked, since integrating them unchecked would open the door to attacks. According to the blog entry, language-specific pinning files should prevent compromised dependency updates from entering the project in the future.

Anyone interested in the project and its tool will find further information in the OpenSSF blog announcement. The source code is available in the Allstar repository on GitHub, where a more detailed project description and a quick start guide can be found.
