Google LLC debuted the Allstar GitHub application today, enabling what it calls automated continuous enforcement of security best practices in GitHub projects.

The new app works by enabling project owners on the GitHub code repository to check for security policy adherence, set desired enforcement actions and then continuously enforce those policies when they’re triggered, for example by a setting or a file change in the project’s repository.

The Allstar app is a companion to another Google-backed, open-source tool called Scorecards, which automatically assesses risks to any GitHub repository and its dependencies.

As Mike Maraya, Google’s senior program manager for security, and Google scholar Jeff Mendoza wrote in a co-authored blog post, Scorecards is used to check key heuristics such as whether or not a project uses branch protection, cryptographically signs release artifacts or requires code review. It generates scores for each category to help users understand which areas might need improvement.

Maraya and Mendoza explained that Allstar can take over from that point, giving project maintainers an easier way to enable automated enforcement of specific security checks. So if a repository fails any check that’s enabled, Allstar will automatically intervene and make whatever changes it deems necessary to remediate the problem. The idea is to make life easier for developers, since they won’t need to dive in and fix every little issue by themselves.

“In short, Security Scorecards helps you measure your current security posture against where you want to be; Allstar helps you get there,” Maraya and Mendoza said.

Allstar currently enables enforcement actions in a limited range of areas around branch protection, which sets the requirements a collaborator must have before they can push changes to a specific branch in a project repository. It can also enforce some types of security policy files, including defined policies for responsible vulnerability disclosure to help maintainers fix any issues before they’re made public.

Maraya and Mendoza said many more capabilities are on the way too, including automated dependency updates and enforcements that will protect against compromised dependency releases making their way into a project.

Image: Google