UPDATED 08:00 EDT / AUGUST 11 2021

SECURITY

Google announces the Allstar GitHub app for continuous enforcement of best security practices

Google LLC debuted the Allstar GitHub application today, enabling what it calls automated continuous enforcement of security best practices in GitHub projects.

The new app lets project owners on GitHub check their repositories for adherence to a security policy, choose the enforcement action they want, and then have that policy enforced continuously whenever a trigger fires, for example a change to a repository setting or to a file in the project’s repository.

The Allstar app is a companion to another Google-backed, open-source tool called Scorecards, which automatically assesses risks to any GitHub repository and its dependencies.

As Mike Maraya, Google’s senior program manager for security, and Google scholar Jeff Mendoza wrote in a co-authored blog post, Scorecards is used to check key heuristics such as whether or not a project uses branch protection, cryptographically signs release artifacts or requires code review. It generates scores for each category to help users understand which areas might need improvement.

Maraya and Mendoza explained that Allstar can take over from that point, giving project maintainers an easier way to enable automated enforcement of specific security checks. So if a repository fails any check that’s enabled, Allstar will automatically intervene and make whatever changes it deems necessary to remediate the problem. The idea is to make life easier for developers, since they won’t need to dive in and fix every little issue by themselves.

“In short, Security Scorecards helps you measure your current security posture against where you want to be; Allstar helps you get there,” Maraya and Mendoza said.

Allstar currently enables enforcement actions in a limited range of areas around branch protection, which sets the requirements a collaborator must have before they can push changes to a specific branch in a project repository. It can also enforce some types of security policy files, including defined policies for responsible vulnerability disclosure to help maintainers fix any issues before they’re made public.
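As an added illustration (not from the article, and not Google’s or the Allstar project’s own files), this is what enabling the two enforcement areas the article names looks like from the maintainer’s side: a repository-level opt-in plus one policy file per check, kept in the repository’s `.allstar/` directory. The file names and keys follow the configuration schema described in the Allstar README; the values chosen here are assumptions, and the key names should be confirmed against the current Allstar documentation before use.

```yaml
# .allstar/allstar.yaml  (repository-level opt-in; keys assumed from the Allstar README)
optConfig:
  optIn: true
---
# .allstar/branch_protection.yaml
# Check: does the default branch require reviewed pull requests and block force-pushes?
# "action" decides what Allstar does when the check fails:
#   log   - record the finding only
#   issue - open a tracking issue in the repository
#   fix   - Allstar changes the branch protection settings itself
action: issue
requireApproval: true      # pushes to the protected branch must go through a reviewed PR
approvalCount: 1           # at least one approving review is required
dismissStale: true         # new commits invalidate earlier approvals
blockForce: true           # force-pushes to the protected branch are rejected
enforceDefault: true       # apply the policy to the repository's default branch
---
# .allstar/security.yaml
# Check: is a SECURITY.md vulnerability-disclosure policy present in the repository?
action: issue
```

Setting `action: fix` on the branch-protection policy is the mode the article describes, where Allstar intervenes and applies the missing settings itself; starting with `issue` lets maintainers see exactly which settings would change before granting the app that level of write access.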

Maraya and Mendoza said many more capabilities are on the way too, including automated dependency updates and enforcements that will protect against compromised dependency releases making their way into a project.

Image: Google
