Google’s new GitHub app provides automated enforcement of best security practices
Secure your GitHub projects with Google and OpenSSF’s new app
Google and OpenSSF have released a new app called Allstar which provides automated, continuous enforcement of security best practices for GitHub projects.
As a member of the open source software (OSS) community, the search giant is well aware of the growing threat posed by software supply chain attacks against open source projects, and Allstar is its latest effort to improve their security.
With Allstar, GitHub project owners can check for security policy adherence, set the desired enforcement actions and have those enforcements applied continuously whenever a setting or file change in the organization or project repository triggers a check, according to a new blog post from OpenSSF.
By using this new GitHub app, the open source community can proactively reduce security risk while adding as little friction as possible to their workflows.
Allstar app
Allstar is a companion to Google and the OpenSSF’s automated tool Scorecards, which assesses risks to a repository and its dependencies.
Security Scorecards checks a number of important heuristics and produces a score that helps users understand which specific areas to improve in order to strengthen the security posture of their projects. Allstar goes a step further by letting maintainers opt into automated enforcement of specific checks: if a repository fails an enabled check, Allstar intervenes to make the necessary changes to remediate the issue.
Allstar itself works by continuously checking expected GitHub API states and repository file contents such as repository settings, branch settings and workflow settings against defined security policies and applying enforcement actions (filing issues, changing settings) when expected states do not match the policies.
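The check-and-enforce loop described above, as an added example in Python that is not Allstar’s own code (Allstar is written in Go): a policy whose keys mirror the names Allstar documents for its branch_protection.yaml (assumed to be exact), constructed subsets of GitHub’s branch-protection API response, and a reconcile pass that reports every branch whose state drifts from the policy together with the configured enforcement action. The organisation snapshot, repository names and the payload shape for the “fix” action are all assumptions for illustration.

```python
"""Illustrative Allstar-style reconciliation (added example, not Allstar's code).

Compares GitHub branch-protection state against a policy whose keys mirror the
documented branch_protection.yaml (assumption on exact names) and records the
enforcement action to take wherever state and policy disagree.
"""
from typing import Optional

# Policy using the key names Allstar documents for branch_protection.yaml (assumed).
POLICY = {
    "action": "issue",        # Allstar actions: log, issue, email, fix
    "requireApproval": True,
    "approvalCount": 1,
    "dismissStale": True,
    "blockForce": True,
    "enforceDefault": True,   # always check each repository's default branch
    "enforceBranches": {"release-tools": ["release"]},  # extra branches per repo (assumed)
}

# Constructed subsets of GitHub's GET .../branches/{branch}/protection response.
COMPLIANT = {
    "required_pull_request_reviews": {
        "required_approving_review_count": 1,
        "dismiss_stale_reviews": True,
    },
    "allow_force_pushes": {"enabled": False},
}
WEAK = {
    "required_pull_request_reviews": {
        "required_approving_review_count": 0,
        "dismiss_stale_reviews": False,
    },
    "allow_force_pushes": {"enabled": True},
}

# Constructed organisation snapshot: repo -> default branch and per-branch protection.
# None stands for a 404 from the protection endpoint, i.e. no protection at all.
ORG_STATE = {
    "web-app": {"default_branch": "main", "protection": {"main": COMPLIANT}},
    "release-tools": {"default_branch": "main",
                      "protection": {"main": COMPLIANT, "release": WEAK}},
    "scratch": {"default_branch": "main", "protection": {"main": None}},
}


def evaluate_branch_protection(protection: Optional[dict], policy: dict) -> list:
    """Return the policy violations for one branch ([] when compliant)."""
    if protection is None:
        return ["branch protection is not enabled"]
    findings = []
    reviews = protection.get("required_pull_request_reviews")
    if policy.get("requireApproval"):
        if reviews is None:
            findings.append("pull request reviews are not required")
        else:
            want = policy.get("approvalCount", 1)
            have = reviews.get("required_approving_review_count", 0)
            if have < want:
                findings.append(f"{have} approving review(s) required, policy wants {want}")
            if policy.get("dismissStale") and not reviews.get("dismiss_stale_reviews"):
                findings.append("stale reviews are not dismissed on new commits")
    if policy.get("blockForce") and protection.get("allow_force_pushes", {}).get("enabled"):
        findings.append("force pushes are allowed")
    return findings


def desired_protection(policy: dict) -> dict:
    """Settings a 'fix' action would write back through the API (assumed shape)."""
    return {
        "required_pull_request_reviews": {
            "required_approving_review_count": policy.get("approvalCount", 1),
            "dismiss_stale_reviews": bool(policy.get("dismissStale")),
        },
        "allow_force_pushes": not policy.get("blockForce"),
    }


def branches_to_check(repo: str, state: dict, policy: dict) -> list:
    """Default branch (if enforceDefault) plus any enforceBranches entries for this repo."""
    branches = [state["default_branch"]] if policy.get("enforceDefault") else []
    for branch in policy.get("enforceBranches", {}).get(repo, []):
        if branch not in branches:
            branches.append(branch)
    return branches


def reconcile(org_state: dict, policy: dict) -> dict:
    """One pass: {(repo, branch): {"action", "findings", "fix"}} for every drifted branch."""
    action = policy.get("action", "log")
    results = {}
    for repo, state in org_state.items():
        for branch in branches_to_check(repo, state, policy):
            findings = evaluate_branch_protection(state["protection"].get(branch), policy)
            if findings:
                results[(repo, branch)] = {
                    "action": action,
                    "findings": findings,
                    "fix": desired_protection(policy) if action == "fix" else None,
                }
    return results


if __name__ == "__main__":
    for (repo, branch), result in reconcile(ORG_STATE, POLICY).items():
        print(f"{repo}@{branch}: {result['action']} -> {'; '.join(result['findings'])}")
```

In the real app the same pass is re-run whenever a relevant GitHub event (a settings change, a push to a config file) arrives, so drift is caught within minutes rather than at the next audit; the “issue” action files a tracking issue in the repository, while “fix” writes the desired settings back through the API.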
OpenSSF runs a public Allstar instance that anyone can install and use, but GitHub project owners can also build and run their own instance for security or customization reasons.
To get started with Allstar, GitHub project owners can install the Allstar app from GitHub and follow the project’s quick start instructions to configure it.
After working with the TechRadar Pro team for the last several years, Anthony is now the security and networking editor at Tom’s Guide where he covers everything from data breaches and ransomware gangs to the best way to cover your whole home or business with Wi-Fi. When not writing, you can find him tinkering with PCs and game consoles, managing cables and upgrading his smart home.