Google has open-sourced Allstar, a tool that helps secure GitHub projects by continuously enforcing a set of security policies and flagging misconfigurations.
“Allstar is a GitHub App installed on organizations or repositories to set and enforce security policies. Its goal is to be able to continuously monitor and detect any GitHub setting or repository file contents that may be risky or do not follow security best practices.” reads the project description. “If Allstar finds a repository to be out of compliance, it will take an action such as create an issue or restore security settings.”
The tool can be installed on organizations and user accounts to enforce specific, highly configurable policies, and the community is invited to contribute by proposing new policies. Allstar is developed under the OpenSSF (Open Source Security Foundation) as part of its Securing Critical Projects Working Group.
Upon installing Allstar, repository administrators can review the permissions it requests. The app needs read access to most settings and to file contents in order to analyze compliance; it also requests write access to issues (so that it can open an issue on a non-compliant repository) and to checks (so that it can perform the block action).
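What such a compliance pass looks like in code, as an added illustration: read a repository's settings, compare them to a policy configuration, and decide whether to log the result or open an issue. This is not Allstar's own code; the policy names, configuration keys, check logic and the sample repository data are this example's own constructions, loosely modelled on the shape of GitHub's REST API responses for branch protection and collaborators.

```python
"""Toy policy checker modelled on the kind of checks a GitHub App such as Allstar
performs. Added example, not Allstar's code; all data below is constructed."""
from dataclasses import dataclass

# Constructed sample repository. The keys loosely mirror GitHub's REST API
# responses for branch protection, collaborators and contents; not real data.
SAMPLE_REPO = {
    "name": "example-org/widget",
    "default_branch": "main",
    "branch_protection": {
        "required_pull_request_reviews": {
            "required_approving_review_count": 0,
            "dismiss_stale_reviews": False,
        },
        "allow_force_pushes": {"enabled": True},
    },
    "outside_collaborators": [
        {"login": "contractor1", "permissions": {"admin": True, "push": True}},
        {"login": "docs-helper", "permissions": {"admin": False, "push": False}},
    ],
    "files": ["README.md", "go.mod"],
}


@dataclass
class Finding:
    policy: str
    message: str


# Hypothetical policy configuration. "log" and "issue" are the two actions
# modelled here; the policy names and keys are this example's own.
POLICY_CONFIG = {
    "branch_protection": {"action": "issue", "approval_count": 1,
                          "dismiss_stale": True, "block_force": True},
    "outside_collaborators": {"action": "issue", "allow_push": False, "allow_admin": False},
    "security_policy": {"action": "log"},
}


def check_branch_protection(repo, cfg):
    """Compare default-branch protection against the policy; one Finding per gap."""
    findings = []
    branch = repo["default_branch"]
    bp = repo.get("branch_protection")
    if bp is None:
        return [Finding("branch_protection", f"{branch}: no branch protection configured")]
    reviews = bp.get("required_pull_request_reviews") or {}
    count = reviews.get("required_approving_review_count", 0)
    if count < cfg["approval_count"]:
        findings.append(Finding("branch_protection",
                                f"{branch}: requires {count} approving review(s), policy wants {cfg['approval_count']}"))
    if cfg["dismiss_stale"] and not reviews.get("dismiss_stale_reviews", False):
        findings.append(Finding("branch_protection", f"{branch}: stale reviews are not dismissed on new commits"))
    if cfg["block_force"] and bp.get("allow_force_pushes", {}).get("enabled", False):
        findings.append(Finding("branch_protection", f"{branch}: force pushes are allowed"))
    return findings


def check_outside_collaborators(repo, cfg):
    """Flag outside collaborators whose permissions exceed what the policy allows."""
    findings = []
    for collab in repo.get("outside_collaborators", []):
        perms = collab.get("permissions", {})
        if perms.get("admin") and not cfg["allow_admin"]:
            findings.append(Finding("outside_collaborators", f"{collab['login']} has admin access"))
        elif perms.get("push") and not cfg["allow_push"]:
            findings.append(Finding("outside_collaborators", f"{collab['login']} has push access"))
    return findings


def check_security_policy(repo, cfg):
    """Require a SECURITY.md in one of the locations GitHub recognises (simple name match)."""
    names = {f.lower() for f in repo.get("files", [])}
    if not any(n in names for n in ("security.md", ".github/security.md", "docs/security.md")):
        return [Finding("security_policy", "no SECURITY.md found")]
    return []


CHECKS = {
    "branch_protection": check_branch_protection,
    "outside_collaborators": check_outside_collaborators,
    "security_policy": check_security_policy,
}


def evaluate(repo, config):
    """Run every configured policy; return {policy: (action, findings)} for non-compliant ones."""
    results = {}
    for name, cfg in config.items():
        findings = CHECKS[name](repo, cfg)
        if findings:
            results[name] = (cfg["action"], findings)
    return results


def render_issue(repo, policy, findings):
    """Body of the tracking issue the 'issue' action would open (returned here, not posted)."""
    lines = [f"Repository {repo['name']} is out of compliance with policy '{policy}':"]
    lines += [f"- {f.message}" for f in findings]
    return "\n".join(lines)


if __name__ == "__main__":
    for policy, (action, findings) in evaluate(SAMPLE_REPO, POLICY_CONFIG).items():
        if action == "issue":
            print(render_issue(SAMPLE_REPO, policy, findings))
        else:
            for f in findings:
                print(f"[log] {policy}: {f.message}")
```

The point of separating the check (read-only, needs only the settings scopes) from the action (needs write access to issues) is exactly the permission split described above: an app that only ever logs needs no write scope at all, and the issue or block action is the only reason to grant one.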
Every time Allstar detects a repository that is not compliant, the tool may perform the following actions:
Google also proposed the following actions for future releases of the tool:
(SecurityAffairs – hacking, GitHub)