It’s easy to talk a good security game. It’s another matter entirely to actually implement good security. Now, Google Open Source and the Linux Foundation‘s Open Source Security Foundation (OSSF) have joined forces to make it easier for you to secure your GitHub repositories.
This is being done with Allstar, a GitHub app that provides automated continuous enforcement of security best practices and policies for GitHub projects. This works with Google and OSSF’s newly released Security Scorecards. Scorecards use a set of automated pass/fail checks, currently 18, to provide a quick review of the security of open source software projects. Specifically, Scorecards checks security heuristics, such as whether it uses branch protection, cryptographically signs release artifacts and requires code review.
This produces a “risk score” for the open source code. It’s a quick, dirty, and practical way to see how trustworthy a given codebase is.
Allstar takes this data and advances it one step forward. With it, maintainers can automatically force specific check enforcement. Then, if your repository fails a check, Allstar intervenes to remediate the issue. This avoids the extra effort and annoyance of manual fixes. In other words, Security Scorecards helps you measure your current security posture against where you want to be and Allstar helps you get there.
Specifically, “Allstar works by continuously checking expected GitHub API states and repository file contents (repository settings, branch settings, workflow settings) against defined security policies and applying enforcement actions (filing issues, changing the settings) when expected states do not match the policies.”
There are several advantages to this approach. First, because it works constantly to enforce your security policy it can catch stealthy attacks that you might never notice. For example, if someone temporarily disables branch protections to commit a malicious change and then reenables the protections Allstar will detect the policy violation and block it. Second, people are, frankly, not good at spotting security issues. By automating the process, you take the human error element out of the security equation.
Today, Allstar can only run a few security policy checks Here’s what’s up and running to date:
- Require approval on pull requests, which helps meet the code review requirement for Supply-chain Levels for Software Artifacts (SLSA).
- Set a number of required pull request approvals.
- Dismiss stale pull request approvals.
- Block force pushes.
Other protections include:
- Require a Security Policy file, SECURITY.md, to be present in a project.
- Lockout outside collaborator administrators and block push access for outside collaborators. With this, you can require all admin and collaborators to be members of your organization before they work on your project.
- Spot and alert administrators and maintainers when a binary blob is found in the repository.
Looking ahead, Allstar will automatically update dependencies as open-source security patches are made. It will do this by making sure automatic dependency updates via Dependabot or Renovate are enabled.
At the same time, if you’re worried about bad code coming in from outside, Allstar can freeze dependency updates until you have a chance to review them. This will be done via a lock file or a similar language-specific pinning mechanism. This will protect you from compromised dependency releases.
Don’t want to check on a specific security policy that Scorecard can spot? No problem. Allstar lets you pick the enforcement actions that make sense for you, your repositories, and your enabled policies. The following enforcement actions are available today:
- Log the security policy adherence failure with no additional action
- Open a GitHub issue
- Revert the modified GitHub policy setting to match the original Allstar configuration
More enforcement actions will be available in future updates.
This open source tool is very much a work in progress. If you’d like to help, and you should because the combination of Allstars and Scorecards promises to be a security gamechanger, they’ll be happy for the help. Just start using Allstar and help improve it by submitting issues and/or pull requests for new additions. You, and the rest of the open-source programming community, will be glad you did.