GitHub App to set and enforce security policies

Related tags

DevOps Tools allstar
Overview

Allstar

Allstar is a GitHub App installed on organizations or repositories to set and enforce security policies. Its goal is to be able to continuously monitor and detect any GitHub setting or repository file contents that may be risky or do not follow security best practices. If Allstar finds a repository to be out of compliance, it will take an action such as create an issue or restore security settings.

The specific policies are intended to be highly configurable, to try to meet the needs of different project communities and organizations. Also, developing and contributing new policies is intended to be easy.

Allstar is developed under the OpenSSF organization, as a part of the Securing Critical Projects Working Group. The OpenSSF runs an instance of Allstar here for anyone to install and use on their GitHub organizations. However, Allstar can be run by anyone if need be, see the operator docs for more details.

Quick start

Install Allstar GitHub App on your organizations and repositories. When installing Allstar, you may review the permissions requested. Allstar asks for read access to most settings and file contents to detect security compliance. It requests write access to issues to create issues, and to checks to allow the block action.

Follow the quick start instructions to setup the configuration files needed to enable Allstar on your repositories. For more details on advanced configuration, see below.

Help! I'm getting issues created by Allstar and I don't want them.

Enable Configuration

Allstar can be enabled on individual repositories at the app level, with the option of enabling or disabling each security policy individually. For organization-level configuration, create a repository named .allstar in your organization. Then create a file called allstar.yaml in that repository.

Allstar can either be set to an opt-in or opt-out strategy. In opt-in, only those repositories explicitly listed are enabled. In opt-out, all repositories are enabled, and repositories would need to be explicitly added to opt-out. Allstar is set to opt-in by default, and therefore is not enabled on any repository immediately after installation. To continue with the default opt-in strategy, list the repositories for Allstar to be enabled on in your organization like so:

optConfig:
  optInRepos:
  - repo-one
  - repo-two

To switch to the opt-out strategy (recommended), set that option to true:

optConfig:
  optOutStrategy: true

If you wish to enable Allstar on all but a few repositories, you may use opt-out and list the repositories to disable:

optConfig:
  optOutStrategy: true
  optOutRepos:
  - repo-one
  - repo-two

To opt-out all private/public repositories, add optOutPrivateRepos or optOutPublicRepos. ex:

optConfig:
  optOutStrategy: true
  optOutPrivateRepos: true
  optOutPublicRepos: false

Secondary Org-Level configuration location

By default, org-level configuration files, such as the allstar.yaml file above, are expected to be in a .allstar repository. If this repository does not exist, then the .github repository allstar directory is used as a secondary location. To clarify, for allstar.yaml:

Prescedence Repository Path
Primary .allstar allstar.yaml
Secondary .github allstar/allstar.yaml

This is also true for the org-level configuration files for the individual policies, as described below.

Repository Override

Individual repositories can also opt in or out using configuration files inside those repositories. For example, if the organization is configured with the opt-out strategy, a repository may opt itself out by including the file .allstar/allstar.yaml with the contents:

optConfig:
  optOut: true

Conversely, this allows repositories to opt-in and enable Allstar when the organization is configured with the opt-in strategy. Because opt-in is the default strategy, this is how Allstar works if the .allstar repository doesn't exist.

At the organization-level allstar.yaml, repository override may be disabled with the setting:

optConfig:
  disableRepoOverride: true

This allows an organization-owner to have a central point of approval for repositories to request an opt-out through a GitHub PR. Understandably, Allstar or individual policies may not make sense for all repositories.

Policy Enable

Each individual policy configuration file (see below) also contains the exact same optConfig configuration object. This allows granularity to enable policies on individual repositories. A policy will not take action unless it is enabled and Allstar is enabled as a whole.

Definition

Actions

Each policy can be configured with an action that Allstar will take when it detects a repository to be out of compliance.

  • log: This is the default action, and actually takes place for all actions. All policy run results and details are logged. Logs are currently only visible to the app operator, plans to expose these are under discussion.
  • issue: This action creates a GitHub issue. Only one issue is created per policy, and the text describes the details of the policy violation. If the issue is already open, it is pinged with a comment every 24 hours (not currently user configurable). Once the violation is addressed, the issue will be automatically closed by Allstar within 5-10 minutes.
  • fix: This action is policy specific. The policy will make the changes to the GitHub settings to correct the policy violation. Not all policies will be able to support this (see below).

Proposed, but not yet implemented actions. Definitions will be added in the future.

  • block: Allstar can set a GitHub Status Check and block any PR in the repository from being merged if the check fails.
  • email: Allstar would send an email to the repository administrator(s).
  • rpc: Allstar would send an rpc to some organization-specific system.

Policies

Similar to the Allstar app enable configuration, all policies are enabled and configured with a yaml file in either the organization's .allstar repository, or the repository's .allstar directory. As with the app, policies are opt-in by default, also the default log action won't produce visible results. A simple way to enable all policies is to create a yaml file for each policy with the contents:

optConfig:
  optOutStrategy: true
action: issue

The fix action is not implemented in any policy yet, but will be implemented in those policies where it is applicable soon.

Branch Protection

This policy's config file is named branch_protection.yaml, and the config definitions are here.

The branch protection policy checks that GitHub's branch protection settings are setup correctly according to the specified configuration. The issue text will describe which setting is incorrect. See GitHub's documentation for correcting settings.

Binary Artifacts

This policy's config file is named binary_artifacts.yaml, and the config definitions are here.

This policy incorporates the check from scorecard. Remove the binary artifact from the repository to achieve compliance. As the scorecard results can be verbose, you may need to run scorecard itself to see all the detailed information.

Outside Collaborators

This policy's config file is named outside.yaml, and the config definitions are here.

This policy checks if any Outside Collaborators have either administrator(default) or push(optional) access to the repository. Only organization members should have this access, as otherwise untrusted members can change admin level settings and commit malicious code.

SECURITY.md

This policy's config file is named security.yaml, and the config definitions are here.

This policy checks that the repository has a security policy file in SECURITY.md and that it is not empty. The created issue will have a link to the GitHub tab that helps you commit a security policy to your repository.

Future Policies

Example Config Repository

See this repo as an example of Allstar config being used. As the organization administrator, consider a README.md with some information on how Allstar is being used in your organization.

Contribute Policies

Interface definition.

Both the SECURITY.md and Outside Collaborators policies are quite simple to understand and good examples to copy.

Releases(v2.0)
Owner
Open Source Security Foundation (OpenSSF)
Open Source Security Foundation (OpenSSF)
jsPolicy - Easier & Faster Kubernetes Policies using JavaScript or TypeScript

Website • Getting Started Guide • Documentation • Blog • Twitter • Slack jsPolicy - Easier & Faster Kubernetes Policies using JavaScript or TypeScript

Loft Labs 237 Dec 2, 2022
Go-github-app - Template for building GitHub Apps in Go.

Template for GitHub Apps built with Golang Blog Posts - More Information About This Repo You can find more information about this project/repository a

Martin Heinz 53 Nov 1, 2022
Go-github-actions - `go-github-actions` is a package for developing GitHub Actions

go-github-actions go-github-actions is a package for developing GitHub Actions.

Ken’ichiro Oyama 1 Feb 6, 2022
A set of tools for managing projects in github

Github-pm-groomer The goal of this project is to have a CLI which runs a set of different grooming stuff on github. Some features Normalize labels à l

Charly Molter 0 Jan 5, 2022
GitOops is a tool to help attackers and defenders identify lateral movement and privilege escalation paths in GitHub organizations by abusing CI/CD pipelines and GitHub access controls.

GitOops is a tool to help attackers and defenders identify lateral movement and privilege escalation paths in GitHub organizations by abusing CI/CD pipelines and GitHub access controls.

OVO Technology 599 Nov 22, 2022
Vilicus is an open source tool that orchestrates security scans of container images(docker/oci) and centralizes all results into a database for further analysis and metrics.

Vilicus Table of Contents Overview How does it work? Architecture Development Run deployment manually Usage Example of analysis Overview Vilicus is an

Ederson Brilhante 79 Nov 17, 2022
How to get a Go / Golang app using the Gin web framework running natively on Windows Azure App Service WITHOUT using a Docker container

Go on Azure App Service View the running app -> https://go-azure-appservice.azurewebsites.net ?? This is an example repo of how to get a Go / Golang a

Ed Andersen 9 Nov 28, 2022
This is for managing Slack App Manifests, it is no use if you are not developing an App for Slack.

Terraform Provider Slack App This is for managing Slack App Manifests, it is no use if you are not developing an App for Slack. Requirements Terraform

ChangeEngine 2 May 23, 2022
GitHub Rate Limits Prometheus exporter. Works with both App and PAT credentials

Github Rate Limit Prometheus Exporter A prometheus exporter which scrapes GitHub API for the rate limits used by PAT/GitHub App. Helm Chart with value

Kostiantyn Kulbachnyi 7 Sep 19, 2022
Open Source runtime scanner for OpenShift cluster and perform security audit checks based on CIS RedHat OpenShift Benchmark specification

OpenShift-Ordeal Scan your Openshift cluster !! OpenShift-Ordeal is an open source audit scanner who perform audit check on OpenShift Cluster and outp

chenk 5 Sep 6, 2022
A golang CTF competition platform with high-performance, security and low hardware requirements.

CTFgo - CTF Platform written in Golang A golang CTF competition platform with high-performance, security and low hardware requirements. Live Demo • Di

CTFgo 2 Oct 20, 2022
🔥 🔥 Open source cloud native security observability platform. Linux, K8s, AWS Fargate and more. 🔥 🔥

CVE-2021-44228 Log4J Vulnerability can be detected at runtime and attack paths can be visualized by ThreatMapper. Live demo of Log4J Vulnerability her

null 2.4k Nov 30, 2022
APKrash is an Android APK security analysis toolkit focused on comparing APKs to detect tampering and repackaging.

APKrash APKrash is an Android APK security analysis toolkit focused on comparing APKs to detect tampering and repackaging. Features Able to analyze pu

Henrique Goncalves 11 Nov 8, 2022
Golang security checker

gosec - Golang Security Checker Inspects source code for security problems by scanning the Go AST. License Licensed under the Apache License, Version

Secure Go 6.5k Dec 4, 2022
Hubble - Network, Service & Security Observability for Kubernetes using eBPF

Network, Service & Security Observability for Kubernetes What is Hubble? Getting Started Features Service Dependency Graph Metrics & Monitoring Flow V

Cilium 2.3k Nov 29, 2022
Dynamic Application Security Testing (DAST) for Cloud

Dynamic Application Security Testing (DAST) for Cloud Probr analyzes the complex behaviours and interactions in your cloud resources to enable enginee

null 41 Aug 12, 2022
Open Source runtime scanner for Linux containers (LXD), It performs security audit checks based on CIS Linux containers Benchmark specification

lxd-probe Scan your Linux container runtime !! Lxd-Probe is an open source audit scanner who perform audit check on a linux container manager and outp

Chen Keinan 14 May 16, 2022
Kubernetes Pod Security Standards implementation

Pod Security Admission The Pod Security Standards are a set of best-practice profiles for running pods securely. This repository contains the codified

Kubernetes 70 Nov 25, 2022