GitHub App to set and enforce security policies
Images:
ghcr.io/ossf/allstar:v3.0
Branch Protection policy is more complete, with support for requireSignedCommits, enforceOnAdmins and requireCodeOwnerReviews.
You may now opt-out repos that are forks with the optOutForkedRepos option.
GitHub Actions policy added to allow/require/deny configured actions in workflows.
Generic Scorecard policy added to run any Scorecard check with a score threshold.
Issue creation and pinging can be enabled or disabled based on a weekly schedule.
The Outside Collaborators policy now allows exemptions.
When the Allstar action is changed from issue to fix, existing issues will be closed.
Issue ping duration is configurable at the operator level with NOTICE_PING_DURATION_HOURS.
Org config may now point to a secondary repository for config and merge overrides.
Individual repo config files may now be placed in the central org config repository. Example: in the .allstar repo, you can have a
Binary Artifacts policy configuration updated to have an ignore list.
Dangerous Workflow policy added. This policy checks the GitHub Actions workflow configuration files (.github/workflows) for any patterns that match known dangerous behavior.
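As an added illustration (not a file from the Allstar project or this release), the following shows how the options named above fit together in an org's central .allstar config repository: the org-level allstar.yaml opting out forks, and a branch_protection.yaml that turns on the new signed-commit, admin-enforcement and code-owner-review checks with the action set to fix. The key names (optConfig, optOutStrategy, optOutForkedRepos, action, and the branch-protection settings) are assumed from Allstar's documented config layout; the values are constructed for this example.

```yaml
# File: .allstar/allstar.yaml  (org-level config; constructed example)
optConfig:
  optOutStrategy: true        # every repo is in scope unless it opts out
  optOutForkedRepos: true     # new in v3.0: skip repos that are forks
  optOutArchivedRepos: true
issueLabel: allstar           # label applied to issues Allstar opens

---
# File: .allstar/branch_protection.yaml  (policy config; constructed example)
optConfig:
  optOutStrategy: true
action: fix                   # switching issue -> fix closes existing issues
requireApproval: true
approvalCount: 1
dismissStale: true
blockForce: true
enforceDefault: true          # protect each repo's default branch
requireSignedCommits: true    # new in v3.0
enforceOnAdmins: true         # new in v3.0: admins cannot bypass protection
requireCodeOwnerReviews: true # new in v3.0
```

With action set to fix, Allstar applies the branch protection settings directly rather than only opening an issue; a repo that needs different settings can still carry its own .allstar/branch_protection.yaml, which merges over the org-level policy.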
ghcr.io/ossf/allstar:v2.0