登录 注册
开源 企业版 高校版 私有云 Gitee AI NEW
扫描微信二维码支付
取消
支付完成
Watch
不关注 关注所有动态 仅关注版本发行动态 关注但不提醒动态
3 Star 0 Fork 0

mirrors_ossf / allstar

代码 Wiki 统计 流水线
服务
加入 Gitee
与超过 1200万 开发者一起发现、参与优秀开源项目,私有仓库也完全免费 :)
免费加入
克隆/下载
分支 133
标签 3
贡献代码
同步代码
创建 Pull Request
了解更多
对比差异 通过 Pull Request 同步
同步更新到分支
通过 Pull Request 同步
将会在向当前分支创建一个 Pull
Request,合入后将完成同步
取消
提示: 由于 Git 不支持空文件夾,创建文件夹后会生成空的 .keep 文件
.github
artwork
cmd
pkg
.gitignore
CONTRIBUTING.md
LICENSE
README.md
SECURITY.md
app-prod.yaml
app-staging.yaml
cloudbuild.yaml
code-of-conduct.md
contributor-ladder.md
deploy
go.mod
go.sum
install-decision.jpg
manual-install.md
operator.md
opt-out.md
whats-new.md
Loading...
README
Apache-2.0

OpenSSF Scorecard

Allstar

Overview

What's new with Allstar

Disabling Unwanted Issues

Getting Started

Policies and Actions

Advanced

Contribute

Overview

What is Allstar?

Allstar is a GitHub App that continuously monitors GitHub organizations or repositories for adherence to security best practices. If Allstar detects a security policy violation, it creates an issue to alert the repository or organization owner. For some security policies, Allstar can also automatically change the project setting that caused the violation, reverting it to the expected state.

Allstar’s goal is to give you finely tuned control over the files and settings that affect the security of your projects. You can choose which security policies to monitor at both the organization and repository level, and how to handle policy violations. You can also develop or contribute new policies.

Allstar is developed under the OpenSSF organization, as a part of the Securing Critical Projects Working Group.

What's new with Allstar

Disabling Unwanted Issues

If you're getting unwanted issues created by Allstar, follow these directions to opt out.

Getting Started

Background

Allstar is highly configurable. There are three main levels of controls:

  • Org level: Organization administrators can choose to enable Allstar on:
    • all repositories in the org;
    • most repositories, except some that are opted out;
    • just a few repositories that are opted in.

These configurations are done in the organization's .allstar repository.

  • Repo level: Repository maintainers in an organization that uses Allstar can choose to opt their repository in or out of organization-level enforcements. Note: these repo-level controls are only functional when "repo override" is allowed in the org-level settings. These configurations are done in the repository's .allstar directory.

  • Policy level: Administrators or maintainers can choose which policies are enabled on specific repos and which actions Allstar takes when a policy is violated. These configurations are done in a policy yaml file in either the organization's .allstar repository (admins), or the repository's .allstar directory (maintainers).

Org-Level Options

Before installing Allstar at the org level, you should decide approximately how many repositories you want Allstar to run on. This will help you choose between the Opt-In and Opt-Out strategies.

  • The Opt In strategy allows you to manually add the repositories you'd like Allstar to run on. If you do not specify any repositories, Allstar will not run despite being installed. Choose the Opt In strategy if you want to enforce policies on only a small number of your total repositories, or want to try out Allstar on a single repository before enabling it on more.

  • The Opt Out strategy (recommended) enables Allstar on all repositories and allows you to manually select the repositories to opt out of Allstar enforcements. You can also choose to opt out all public repos, or all private repos. Choose this option if you want to run Allstar on all repositories in an organization, or want to opt out only a small number of repositories or specific type (i.e., public vs. private) of repository.

Opt Out (Recommended)
optOutStrategy = true 		Opt In
optOutStrategy = false
Default behavior All repos are enabled No repos are enabled
Manually adding repositories Manually adding repos disables Allstar on those repos Manually adding repos enables Allstar on those repos
Additional configurations optOutRepos: Allstar will be disabled on the listed repos

optOutPrivateRepos: if true, Allstar will be disabled on all private repos

optOutPublicRepos: if true, Allstar will be disabled on all public repos

(optInRepos: this setting will be ignored)		 optInRepos: Allstar will be enabled on the listed repos

(optOutRepos: this setting will be ignored)
Repo Override If true: Repos can opt out of their organization's Allstar enforcements using the settings in their own repo file. Org level opt-in settings that apply to that repository are ignored.

If false: repos cannot opt out of Allstar enforcements as configured at the org level. 		If true: Repos can opt in to their organization's Allstar enforcements even if they are not configured for the repo at the org level. Org level opt-out settings that apply to that repository are ignored.

If false: Repos cannot opt into Allstar enforcements if they are not configured at the org level.

Installation Options

Both the Quickstart and Manual Installation options involve installing the Allstar app. You may review the permissions requested. The app asks for read access to most settings and file contents to detect security compliance. It requests write access to issues and checks so that it can create issues and allow the block action.

Quickstart Installation

This installation option will enable Allstar using the Opt Out strategy on all repositories in your organization. All current policies will be enabled, and Allstar will alert you of policy violations by filing an issue. This is the quickest and easiest way to start using Allstar, and you can still change any configurations later.

Effort: very easy

Steps:

  1. Install the Allstar app
    1. Open the installation page and click Configure
    2. If you have multiple organizations, select the one you want to install Allstar on
    3. Select "All Repositories" under Repository Access, even if you plan to disable Allstar on some repositories later
  2. Fork the sample repository
    1. Open the sample repository and click the "Use this template" button
    2. In the field for Repository Name, type .allstar
    3. Click "Create repository from template"

That's it! All current Allstar policies are now enabled on all your repositories. Allstar will create an issue if a policy is violated.

To change any configurations, see the manual installation directions.

Manual Installation

This installation option will walk you through creating configuration files according to either the Opt In or Opt Out strategy. This option provides more granular control over configurations right from the start.

Effort: moderate

Steps:

  1. Install the Allstar app (choose "All Repositories" under Repository Access, even if you don't plan to use Allstar on all your repositories)
  2. Follow the manual installation directions to create org-level or repository-level Allstar config files and individual policy files.

Policies and Actions

Actions

Each policy can be configured with an action that Allstar will take when it detects a repository to be out of compliance.

  • log: This is the default action, and actually takes place for all actions. All policy run results and details are logged. Logs are currently only visible to the app operator, plans to expose these are under discussion.
  • issue: This action creates a GitHub issue. Only one issue is created per policy, and the text describes the details of the policy violation. If the issue is already open, it is pinged with a comment every 24 hours without updates (not currently user configurable). If the policy result changes, a new comment will be left on the issue and linked in the issue body. Once the violation is addressed, the issue will be automatically closed by Allstar within 5-10 minutes.
  • fix: This action is policy specific. The policy will make the changes to the GitHub settings to correct the policy violation. Not all policies will be able to support this (see below).

Proposed, but not yet implemented actions. Definitions will be added in the future.

  • block: Allstar can set a GitHub Status Check and block any PR in the repository from being merged if the check fails.
  • email: Allstar would send an email to the repository administrator(s).
  • rpc: Allstar would send an rpc to some organization-specific system.

Action configuration

Two settings are available to configure the issue action:

  • issueLabel is available at the organization and repository level. Setting it will override the default allstar label used by Allstar to identify its issues.

  • issueRepo is available at the organization level. Setting it will force all issues created in the organization to be created in the repository specified.

Policies

Similar to the Allstar app enable configuration, all policies are enabled and configured with a yaml file in either the organization's .allstar repository, or the repository's .allstar directory. As with the app, policies are opt-in by default, also the default log action won't produce visible results. A simple way to enable all policies is to create a yaml file for each policy with the contents:

optConfig:
  optOutStrategy: true
action: issue

The details of how the fix action works for each policy is detailed below. If omitted below, the fix action is not applicable.

Branch Protection

This policy's config file is named branch_protection.yaml, and the config definitions are here.

The branch protection policy checks that GitHub's branch protection settings are setup correctly according to the specified configuration. The issue text will describe which setting is incorrect. See GitHub's documentation for correcting settings.

The fix action will change the branch protection settings to be in compliance with the specified policy configuration.

Binary Artifacts

This policy's config file is named binary_artifacts.yaml, and the config definitions are here.

This policy incorporates the check from scorecard. Remove the binary artifact from the repository to achieve compliance. As the scorecard results can be verbose, you may need to run scorecard itself to see all the detailed information.

Outside Collaborators

This policy's config file is named outside.yaml, and the config definitions are here.

This policy checks if any Outside Collaborators have either administrator(default) or push(optional) access to the repository. Only organization members should have this access, as otherwise untrusted members can change admin level settings and commit malicious code.

SECURITY.md

This policy's config file is named security.yaml, and the config definitions are here.

This policy checks that the repository has a security policy file in SECURITY.md and that it is not empty. The created issue will have a link to the GitHub tab that helps you commit a security policy to your repository.

Dangerous Workflow

This policy's config file is named dangerous_workflow.yaml, and the config definitions are here.

This policy checks the GitHub Actions workflow configuration files (.github/workflows), for any patterns that match known dangerous behavior. See the Security Scorecards Documentation for more information on this check.

Generic Scorecard Check

This policy's config file is named scorecard.yaml, and the config definitions are here.

This policy runs any scorecard check listed in the checks configuration. All checks run must have a score equal or above the threshold setting. Please see the Security Scorecards Documentation for more information on each check.

GitHub Actions

This policy's config file is named actions.yaml, and the config definitions are here.

This policy checks the GitHub Actions workflow configuration files (.github/workflows) (and workflow runs in some cases) in each repo to ensure they are in line with rules (eg. require, deny) defined in the organization-level config for the policy.

Repository Administrators

This policy's config file is named admin.yaml, and the config definitions are here.

This policy checks that by default all repositories must have a user or group assigned as an Administrator. It allows you to optionally configure if users are allowed to be administrators (as opposed to teams).

Future Policies

  • Ensure dependabot is enabled.
  • Check that dependencies are pinned/frozen.

Example Config Repository

See this repo as an example of Allstar config being used. As the organization administrator, consider a README.md with some information on how Allstar is being used in your organization.

Advanced

Configuration Definitions

Secondary Org-Level configuration location

By default, org-level configuration files, such as the allstar.yaml file above, are expected to be in a .allstar repository. If this repository does not exist, then the .github repository allstar directory is used as a secondary location. To clarify, for allstar.yaml:

Precedence Repository Path
Primary .allstar allstar.yaml
Secondary .github allstar/allstar.yaml

This is also true for the org-level configuration files for the individual policies, as described below.

Repo policy configurations in the Org Repo

Allstar will also look for repo-level policy configurations in the organization's .allstar repository, under the directory with the same name as the repository. This configuration is used regardless of whether "repo override" is disabled.

For example, Allstar will lookup the policy configuration for a given repo myapp in the following order:

Repository Path Condition
myapp .allstar/branch_protection.yaml When "repo override" is allowed.
.allstar myapp/branch_protection.yaml All times.
.allstar branch_protection.yaml All times.
.github allstar/myapp/branch_protection.yaml If .allstar repo does not exist.
.github allstar/branch_protection.yaml If .allstar repo does not exist.

Org-level Base and Merge Configuration Location

For org-level Allstar and policy configuration files, you may specify the field baseConfig to specify another repository that contains base Allstar configuration. This is best explained with an example.

Suppose you have multiple GitHub organizations, but want to maintain a single Allstar configuration. Your main organization is "acme", and the repository acme/.allstar contains allstar.yaml:

optConfig:
  optOutStrategy: true
issueLabel: allstar-acme
issueFooter: Issue created by Acme security team.

You also have a satellite GitHub organization named "acme-sat". You want to re-use the main config, but apply some changes on top by disabling Allstar on certain repositories. The repository acme-sat/.allstar contains allstar.yaml:

baseConfig: acme/.allstar
optConfig:
  optOutRepos:
  - acmesat-one
  - acmesat-two

This will use all the config from acme/.allstar as the base config, but then apply any changes in the current file on top of the base configuration. The method this is applied is described as a JSON Merge Patch. The baseConfig must be a GitHub <org>/<repository>.

Contributing

See CONTRIBUTING.md

Apache License Version 2.0, January 2004 http://www.apache.org/licenses/ TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION 1. Definitions. "License" shall mean the terms and conditions for use, reproduction, and distribution as defined by Sections 1 through 9 of this document. "Licensor" shall mean the copyright owner or entity authorized by the copyright owner that is granting the License. "Legal Entity" shall mean the union of the acting entity and all other entities that control, are controlled by, or are under common control with that entity. For the purposes of this definition, "control" means (i) the power, direct or indirect, to cause the direction or management of such entity, whether by contract or otherwise, or (ii) ownership of fifty percent (50%) or more of the outstanding shares, or (iii) beneficial ownership of such entity. "You" (or "Your") shall mean an individual or Legal Entity exercising permissions granted by this License. "Source" form shall mean the preferred form for making modifications, including but not limited to software source code, documentation source, and configuration files. "Object" form shall mean any form resulting from mechanical transformation or translation of a Source form, including but not limited to compiled object code, generated documentation, and conversions to other media types. "Work" shall mean the work of authorship, whether in Source or Object form, made available under the License, as indicated by a copyright notice that is included in or attached to the work (an example is provided in the Appendix below). "Derivative Works" shall mean any work, whether in Source or Object form, that is based on (or derived from) the Work and for which the editorial revisions, annotations, elaborations, or other modifications represent, as a whole, an original work of authorship. For the purposes of this License, Derivative Works shall not include works that remain separable from, or merely link (or bind by name) to the interfaces of, the Work and Derivative Works thereof. "Contribution" shall mean any work of authorship, including the original version of the Work and any modifications or additions to that Work or Derivative Works thereof, that is intentionally submitted to Licensor for inclusion in the Work by the copyright owner or by an individual or Legal Entity authorized to submit on behalf of the copyright owner. For the purposes of this definition, "submitted" means any form of electronic, verbal, or written communication sent to the Licensor or its representatives, including but not limited to communication on electronic mailing lists, source code control systems, and issue tracking systems that are managed by, or on behalf of, the Licensor for the purpose of discussing and improving the Work, but excluding communication that is conspicuously marked or otherwise designated in writing by the copyright owner as "Not a Contribution." "Contributor" shall mean Licensor and any individual or Legal Entity on behalf of whom a Contribution has been received by Licensor and subsequently incorporated within the Work. 2. Grant of Copyright License. Subject to the terms and conditions of this License, each Contributor hereby grants to You a perpetual, worldwide, non-exclusive, no-charge, royalty-free, irrevocable copyright license to reproduce, prepare Derivative Works of, publicly display, publicly perform, sublicense, and distribute the Work and such Derivative Works in Source or Object form. 3. Grant of Patent License. Subject to the terms and conditions of this License, each Contributor hereby grants to You a perpetual, worldwide, non-exclusive, no-charge, royalty-free, irrevocable (except as stated in this section) patent license to make, have made, use, offer to sell, sell, import, and otherwise transfer the Work, where such license applies only to those patent claims licensable by such Contributor that are necessarily infringed by their Contribution(s) alone or by combination of their Contribution(s) with the Work to which such Contribution(s) was submitted. If You institute patent litigation against any entity (including a cross-claim or counterclaim in a lawsuit) alleging that the Work or a Contribution incorporated within the Work constitutes direct or contributory patent infringement, then any patent licenses granted to You under this License for that Work shall terminate as of the date such litigation is filed. 4. Redistribution. You may reproduce and distribute copies of the Work or Derivative Works thereof in any medium, with or without modifications, and in Source or Object form, provided that You meet the following conditions: (a) You must give any other recipients of the Work or Derivative Works a copy of this License; and (b) You must cause any modified files to carry prominent notices stating that You changed the files; and (c) You must retain, in the Source form of any Derivative Works that You distribute, all copyright, patent, trademark, and attribution notices from the Source form of the Work, excluding those notices that do not pertain to any part of the Derivative Works; and (d) If the Work includes a "NOTICE" text file as part of its distribution, then any Derivative Works that You distribute must include a readable copy of the attribution notices contained within such NOTICE file, excluding those notices that do not pertain to any part of the Derivative Works, in at least one of the following places: within a NOTICE text file distributed as part of the Derivative Works; within the Source form or documentation, if provided along with the Derivative Works; or, within a display generated by the Derivative Works, if and wherever such third-party notices normally appear. The contents of the NOTICE file are for informational purposes only and do not modify the License. You may add Your own attribution notices within Derivative Works that You distribute, alongside or as an addendum to the NOTICE text from the Work, provided that such additional attribution notices cannot be construed as modifying the License. You may add Your own copyright statement to Your modifications and may provide additional or different license terms and conditions for use, reproduction, or distribution of Your modifications, or for any such Derivative Works as a whole, provided Your use, reproduction, and distribution of the Work otherwise complies with the conditions stated in this License. 5. Submission of Contributions. Unless You explicitly state otherwise, any Contribution intentionally submitted for inclusion in the Work by You to the Licensor shall be under the terms and conditions of this License, without any additional terms or conditions. Notwithstanding the above, nothing herein shall supersede or modify the terms of any separate license agreement you may have executed with Licensor regarding such Contributions. 6. Trademarks. This License does not grant permission to use the trade names, trademarks, service marks, or product names of the Licensor, except as required for reasonable and customary use in describing the origin of the Work and reproducing the content of the NOTICE file. 7. Disclaimer of Warranty. Unless required by applicable law or agreed to in writing, Licensor provides the Work (and each Contributor provides its Contributions) on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied, including, without limitation, any warranties or conditions of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A PARTICULAR PURPOSE. You are solely responsible for determining the appropriateness of using or redistributing the Work and assume any risks associated with Your exercise of permissions under this License. 8. Limitation of Liability. In no event and under no legal theory, whether in tort (including negligence), contract, or otherwise, unless required by applicable law (such as deliberate and grossly negligent acts) or agreed to in writing, shall any Contributor be liable to You for damages, including any direct, indirect, special, incidental, or consequential damages of any character arising as a result of this License or out of the use or inability to use the Work (including but not limited to damages for loss of goodwill, work stoppage, computer failure or malfunction, or any and all other commercial damages or losses), even if such Contributor has been advised of the possibility of such damages. 9. Accepting Warranty or Additional Liability. While redistributing the Work or Derivative Works thereof, You may choose to offer, and charge a fee for, acceptance of support, warranty, indemnity, or other liability obligations and/or rights consistent with this License. However, in accepting such obligations, You may act only on Your own behalf and on Your sole responsibility, not on behalf of any other Contributor, and only if You agree to indemnify, defend, and hold each Contributor harmless for any liability incurred by, or claims asserted against, such Contributor by reason of your accepting any such warranty or additional liability. END OF TERMS AND CONDITIONS APPENDIX: How to apply the Apache License to your work. To apply the Apache License to your work, attach the following boilerplate notice, with the fields enclosed by brackets "[]" replaced with your own identifying information. (Don't include the brackets!) The text should be enclosed in the appropriate comment syntax for the file format. We also recommend that a file or class name and description of purpose be included on the same "printed page" as the copyright notice for easier identification within third-party archives. Copyright [yyyy] [name of copyright owner] Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the License. You may obtain a copy of the License at http://www.apache.org/licenses/LICENSE-2.0 Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the specific language governing permissions and limitations under the License.
Starred
0
Star
0
Fork
0

简介

暂无描述 展开 收起
暂无标签
/mirrors_ossf/allstar
Go 等 2 种语言
Go
99.9%
Shell
0.1%
Apache-2.0
使用 Apache-2.0 开源许可协议
取消

发行版

暂无发行版

贡献者

全部

近期动态

加载更多
不能加载更多了
1
https://gitee.com/mirrors_ossf/allstar.git
git@gitee.com:mirrors_ossf/allstar.git
mirrors_ossf
allstar
allstar
main
点此查找更多帮助

搜索帮助

Git 命令在线学习 如何在 Gitee 导入 GitHub 仓库
Git 仓库基础操作
企业版和社区版功能对比
SSH 公钥设置
如何处理代码冲突
仓库体积过大,如何减小?
如何找回被删除的仓库数据
Gitee 产品配额说明
GitHub仓库快速导入Gitee及同步更新
什么是 Release(发行版)
将 PHP 项目自动发布到 packagist.org
评论
仓库举报
回到顶部