[TheRecord] Google open-sources Allstar, a tool to protect GitHub repos

Google has open-sourced today a project named Allstar that can be used to secure GitHub projects by constantly watching and enforcing a set of security policies with the hope of preventing basic security misconfigurations.

Available as a GitHub app, Allstar can be installed on organizations and user accounts and allow it access to desired repositories.

Under the hood, Allstar works by reading a configuration file containing a set of user-defined rules—called security policies— and then constantly scanning and checking a project’s settings and recent events to ensure that no modifications are made to a project’s sensitive areas.

If a recent project update breaks one of the security policies, Google says Allstar can:

Log the security policy violation;Open a GitHub issue to notify the administrators;Or take an automated action to fix or revert a project’s settings in order to have it comply with the original Allstar configuration.

Future Allstar development plans also include adding the ability to email an administrator when a policy check fails, block new code from being merged into a repository if a policy breaks, or notifying third-party apps via RPC calls for cross-platform updates.

Right now, Allstar supports configuration options for the following security policies, but Google said the project would soon receive more:

Check if the “branch protection” feature is still enabled for a repository.Check if a project’s automatic dependency updates option is active.Check if a project has frozen dependencies.Check if repo admins are part of a specific GitHub organization.Check if binary artifacts (files) have been uploaded to a project.Check if a SECURITY.md file is present in a repo to ensure bugs are reported responsibly.

While Google has initially developed Allstar, the project has been open-sourced today under the Open Source Security Foundation, a foundation created last year by today’s biggest tech firms in order to help steer, guide, and share open source security tools.

Besides Google, the OpenSSF also includes members like GitHub, Microsoft, Canonical, Cisco, Facebook, Intel, HP, Tencent, IBM, Red Hat, Samsung, and many more.

The post Google open-sources Allstar, a tool to protect GitHub repos appeared first on The Record by Recorded Future.

Source: Read More (The Record by Recorded Future)

You might be interested in …

[ThreatPost] Top 10 Cybersecurity Best Practices to Combat Ransomware

All posts, ThreatPost

Immutable storage and more: Sonya Duffin, data protection expert at Veritas Technologies, offers the Top 10 steps for building a multi-layer resilience profile. Source: Read More (Threatpost)

Read More

[ThreatPost] Mercedes-Benz Customer Data Flies Out the Window

All posts, ThreatPost

For over three years, a vendor was recklessly driving the cloud-stored data of luxury-car-owning customers and wannabe buyers. Source: Read More (Threatpost)

Read More

[BleepingComputer] SIM swap scammer pleads guilty to Instagram account hijacks, crypto theft

Declan Harrington, a Massachusetts man charged two years ago for his alleged involvement in a series of SIM swapping attacks, pleaded guilty to stealing cryptocurrency from multiple victims and hijacking the Instagram account of others.  […] Source: Read More (BleepingComputer)

Read More

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.