Today, security vulnerabilities are increasingly plaguing large open source projects. According to RiskSense statistics, the number of open source software vulnerabilities more than doubled in 2019 compared to 2018. Considering that nearly 91 percent of commercial applications contain outdated or deprecated open source components, the impact of security vulnerabilities is far-reaching.
As a member of the open source software community, Google is well aware of the growing threat to open source projects posed by software supply chain attacks, and Allstar is its latest tool to improve security.
Allstar is an application that provides automatic and continuous enforcement of security best practices for GitHub projects. This new app works by allowing project owners in the GitHub repository to check for compliance with security policies, set the required enforcement actions, and then continuously enforce those actions when settings or files in the project repository change。
Allstar is a companion product to Scorecards, another open source tool also maintained by Google, which automatically assesses the risk of any GitHub repository and its dependencies. scorecards checks for heuristics such as whether the project uses branch protection, cryptographically signed release artifacts, or requires code review, and generates a score for each category, and generates an evaluated score for each category to help users understand what areas might need improvement.
Allstar, on the other hand, can take over on this basis, giving project maintainers an easier way to automate the execution of specific security checks. Thus, if any repository fails a security check, Allstar automatically steps in and makes the fixes it deems necessary to resolve the issue. With this program it is possible to free developers from the daily repetition of checking and fixing.
Allstar Initial Security Policy Check/Implementation includes.
- Branch protection (for unauthorized pull requests, forced pushes, etc.).
- The existence of a SECURITY.md file that contains defined policies for responsible vulnerability disclosure.
- Enforcement of specific requirements for external collaborators (for example, users with warehouse administrator privileges must be members of the organization).
- Detection and alerting if binary artifacts are found in the repository.
The number of security policy checks that Allstar can perform is currently limited, and Google plans to roll out more policies over the next few months – including freezing dependencies and automatically updating dependencies.
Mike Maraya, Senior Program Manager at Google, said.
“In short, Scorecards help developers measure the current security status of their projects against the ultimate goals they want to achieve, and Allstar helps you get there. allstar is still in the early stages of development, so we welcome active use and feedback in the community.”
Interested developers can visit Allstat’s GitHub page for more details.