In the previous blog post, I looked at how to use OpenSSF Scorecard to improve the security posture of your open-source GitHub projects. This is a really useful tool when working at the level of individual repositories. However, what if you want to apply security policies to many repositories in a GitHub organization? This is where OpenSSF Allstar comes in.
Getting Started
Detailed installation instructions are available here. The easiest way of getting started is to install the OpenSSF AllStar GitHub app in your organization. However you may not wish to grant access to your internal/private repositories to this instance, in which case it's pretty easy to manually install it.
General Configuration
Allstar reads configuration from a GitHub repo called ".allstar" in your GitHub organization. Here an "allstar.yaml" file defines the general configuration for the tool, e.g.:
This configuration uses the "Opt out" strategy, meaning that all repositories are included in the organization unless you explicitly opt them out. Archived and forked repos are excluded as you may not care about applying security policies to these types of repositories. Finally the configuration blocks individual repositories overriding the allstar configuration.
Policies
Allstar policies are added by checking in the corresponding yaml file to the .allstar repository. Each policy allows you to define whether to just log the issue or whether to create a GitHub issue for it in the repository where a policy violation was found. GitHub issues are labelled with "allstar", making it easy to search for them across all repositories in your organization.
Here are some of the policies Allstar currently supports:
- binary_artifacts.yaml: Enforce that binary artifacts aren't checked in to source control.
- branch_protection.yaml: Enforce branch protection requirements on repos, for example:
- Default branches are covered by branch protection.
- Approval is required for pull requests
- Block force pushes
- Require the branch is up to date before merging
- dangerous_workflow.yaml: Flag dangerous things in github actions workflows.
- outside.yaml: Enforce that outside collaborators can't be an admin on a repository.
- security.yaml: Enforce that repositories have a security policy. I use it with "optOutPrivateRepos: true" to only apply this policy to public repos. This helps to let external users of your software know how to report security issues to the project.
Contributions
I've found allstar pretty useful and submitted a few contributions to it in the spirit of open-source, that were included in the recent v3.0 release:
- Fixed an issue with repo-level exemptions for the binary artifacts policy: https://github.com/ossf/allstar/pull/341
- Added support to opt out forked repositories: https://github.com/ossf/allstar/pull/342
- Added support to require code owner reviews for the branch protection policy: https://github.com/ossf/allstar/pull/343
- Skipped policy evaluation if the repository wasn't enabled: https://github.com/ossf/allstar/pull/355