OpenSSF’s Allstar aims to enforce security best practices in open source projects
GitHub and Google today announced the launch of Allstar, an app that provides automated continuous enforcement of security best practices for GitHub projects. Allstar, which was created by Google and the wider Open Source Security Foundation (OpenSSF), can check for security policy adherence, set enforcement actions, and enact those enforcements when triggered by a setting or file change in a repository.
Allstar is a companion to Security Scorecards, a tool released by Google and its co-members at the OpenSSF that assesses the risk of a repository and its dependencies. Where Scorecards only reports on heuristics such as whether the project uses branch protection, cryptographically signs release artifacts, or requires code review, Allstar lets maintainers opt into automated enforcement of specific checks.
Security gaps increasingly plague large open source projects. According to RiskSense, the number of open source software vulnerabilities more than doubled in 2019 compared with 2018, with the total count of CVEs in open source software reaching 968 in 2019, up from 421 in 2018. The implications are far-reaching, considering that an estimated 91% of commercial applications contain outdated or abandoned open source components.
Allstar works by continuously comparing the state it reads from the GitHub API, including repository settings, branch settings, workflow settings, and file contents, against defined security policies. If the app detects drift from a policy, it applies the configured enforcement action, such as filing an issue or changing the project settings back. For example, Allstar will spot and respond if a developer temporarily disables branch protections to commit a malicious change before re-enabling the protections, a window that a point-in-time scan would miss.
A limited number of security policy checks are currently enforced by Allstar, with additional policies, including frozen dependencies and automatic dependency updates, planned in the coming months. At launch, Allstar can enforce branch protection requirements that collaborators must satisfy before pushing changes to a branch; enforce the presence of a security policy (such as a SECURITY.md file); require that users with admin privileges on a repository be members of the owning organization; and detect binary artifacts checked into a repository, which cannot be reviewed as source and may conceal compromised code.
Allstar lets developers pick from several out-of-the-box enforcement actions including “Log the security policy adherence failure with no additional action,” “Open a GitHub issue,” and “Revert the modified GitHub policy setting to match the original Allstar configuration.” OpenSSF runs an Allstar instance that anyone can install and use, but developers can create and run their own instance for security or further customization.
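The detect-then-enforce loop described above, reduced to its essentials, as an added example. This is illustrative code written for this page, not Allstar’s own source or configuration schema: the repository snapshot is constructed inline rather than fetched from the GitHub API, the policy field names and check names are this example’s own, and the split between settings that can be reverted automatically and those that need a human (a missing security file, an outside collaborator with admin) is an assumption made to show how the “fix” action degrades to “issue” when a violation cannot be corrected by changing a setting.

```go
package main

import (
	"fmt"
	"sort"
)

// Action is one of the three enforcement levels the article lists.
type Action string

const (
	ActionLog   Action = "log"   // record the violation, do nothing else
	ActionIssue Action = "issue" // open a tracking issue
	ActionFix   Action = "fix"   // revert the setting to the configured state
)

// Branch is a constructed, simplified view of a branch's protection settings.
type Branch struct {
	Protected       bool
	RequiredReviews int
	AllowForcePush  bool
}

// Repo is a constructed snapshot of what an enforcer would read from the
// GitHub API; a real enforcer fetches it, here it is built inline.
type Repo struct {
	Name    string
	Default Branch
	Files   map[string]bool // paths present in the tree, e.g. "SECURITY.md"
	Admins  map[string]bool // admin login -> is a member of the owning org?
}

// Policy is the desired state. Field names are this example's own, not
// Allstar's configuration keys.
type Policy struct {
	MinReviews          int
	BlockForcePush      bool
	RequireSecurityFile bool
	AdminsMustBeMembers bool
	Action              Action
}

// Finding is one detected policy violation. Fixable marks violations that
// can be corrected by rewriting a repository setting (an assumption here).
type Finding struct {
	Check   string
	Detail  string
	Fixable bool
}

// Evaluate compares the observed repository state against the policy.
func Evaluate(r Repo, p Policy) []Finding {
	var out []Finding
	switch {
	case !r.Default.Protected:
		out = append(out, Finding{"branch_protection", "default branch is unprotected", true})
	default:
		if r.Default.RequiredReviews < p.MinReviews {
			out = append(out, Finding{"branch_protection",
				fmt.Sprintf("requires %d reviews, policy wants %d", r.Default.RequiredReviews, p.MinReviews), true})
		}
		if p.BlockForcePush && r.Default.AllowForcePush {
			out = append(out, Finding{"branch_protection", "force pushes allowed", true})
		}
	}
	if p.RequireSecurityFile && !r.Files["SECURITY.md"] {
		out = append(out, Finding{"security_policy", "SECURITY.md missing", false})
	}
	if p.AdminsMustBeMembers {
		var outside []string
		for login, member := range r.Admins {
			if !member {
				outside = append(outside, login)
			}
		}
		sort.Strings(outside) // map iteration order is random; keep output stable
		for _, login := range outside {
			out = append(out, Finding{"outside_admin", login + " has admin but is not an org member", false})
		}
	}
	return out
}

// Enforce applies the policy's action to each finding and returns the log
// lines produced. Under ActionFix, fixable settings are rewritten on the
// snapshot (a real enforcer would call the branch-protection API); findings
// that cannot be auto-corrected fall back to opening an issue.
func Enforce(r *Repo, p Policy, findings []Finding) []string {
	var log []string
	for _, f := range findings {
		switch {
		case p.Action == ActionFix && f.Fixable:
			r.Default.Protected = true
			if r.Default.RequiredReviews < p.MinReviews {
				r.Default.RequiredReviews = p.MinReviews
			}
			if p.BlockForcePush {
				r.Default.AllowForcePush = false
			}
			log = append(log, fmt.Sprintf("%s: FIXED %s (%s)", r.Name, f.Check, f.Detail))
		case p.Action == ActionIssue || p.Action == ActionFix:
			log = append(log, fmt.Sprintf("%s: ISSUE %s (%s)", r.Name, f.Check, f.Detail))
		default:
			log = append(log, fmt.Sprintf("%s: LOG %s (%s)", r.Name, f.Check, f.Detail))
		}
	}
	return log
}

// Reconcile is one pass of the continuous loop: detect drift, enforce,
// re-check. What remains after enforcement is what a human still owes.
func Reconcile(r *Repo, p Policy) (actions []string, remaining []Finding) {
	actions = Enforce(r, p, Evaluate(*r, p))
	return actions, Evaluate(*r, p)
}

func main() {
	// Constructed sample: protection was switched off on the default branch,
	// no SECURITY.md was ever added, and a contractor still holds admin.
	repo := Repo{
		Name:    "example-org/widget",
		Default: Branch{Protected: false},
		Files:   map[string]bool{"README.md": true},
		Admins:  map[string]bool{"alice": true, "contractor-bob": false},
	}
	policy := Policy{MinReviews: 1, BlockForcePush: true, RequireSecurityFile: true,
		AdminsMustBeMembers: true, Action: ActionFix}
	actions, remaining := Reconcile(&repo, policy)
	for _, a := range actions {
		fmt.Println(a)
	}
	fmt.Printf("remaining after enforcement: %d\n", len(remaining))
}
```

Run repeatedly (on a timer or on a repository settings webhook) this is the shape of “continuous enforcement”: a one-off scan that ran before the maintainer disabled branch protection and after they re-enabled it would report nothing, whereas each pass here re-reads the live state, so the window is closed by the next pass and the action is logged. Choosing `log` first and promoting to `issue` or `fix` once the noise is understood is the usual way to roll a policy out without surprising maintainers.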
“Allstar is still in the early stages of development, so we welcome adoption and community feedback,” Google senior program manager and contributor Mike Maraya wrote in a blog post. “We look forward to rolling out more enforcements; in the meanwhile, taking simple steps like enforcing code review and setting branch protections can make a significant difference in protecting against supply-chain attacks. Taking these fundamental actions together can help raise the bar for security standards in open source software.”
Since its founding last year, OpenSSF, which is spearheaded by the Linux Foundation, has made progress toward consolidating industry efforts to improve the security of open source projects. The list of governing board members has grown beyond Google and GitHub to include IBM, JPMorgan Chase, and Red Hat. GitLab, HackerOne, Intel, Okta, Purdue, Uber, WhiteSource, and VMware are among the initiative’s other members.