From f2591bd446a27ab95c41c77bf7c3628b45017aa2 Mon Sep 17 00:00:00 2001 From: EjiroLaurelD Date: Thu, 5 Oct 2023 19:15:09 +0100 Subject: [PATCH] document recommendation for allstar, issue #12 --- allstar.md | 41 ++++++++++++++++++++++++++++------------- 1 file changed, 28 insertions(+), 13 deletions(-) diff --git a/allstar.md b/allstar.md index eda1dab..ad30842 100644 --- a/allstar.md +++ b/allstar.md 
@@ -1,20 +1,35 @@ I have investigated what Allstar is about, it's capabilities and how it aligns with the needs of this project as inidicated in the checklist in issue #12. -I found out that Allstar is a Security Policy for open source projects which canhelp to ensure that all repositories have a -1. Security policy -2. Scan all repos for common vulnerabilitie -3. Enforce best practices for code reviews and, -4. Require security testing for all releases. I am unsure how to proceed from here. +Allstar is a security policy engine that helps organizations automate and enforce security best practices. Allstar can be used to scan code, dependencies, andinfrastructure for vulnerabilities. Allstar can also be used to enforce best practices for code reviews, security testing, and vulnerability management. -## The items that needs to be configured manaully include; -1. Private vulnerability reporting +##Based on the checklist on issue #12, All star can cover everything on the checklist. -## The steps needed to enable allstar app includes, +- CodeQL enabled via GitHub Actions: Allstar can be integrated with GitHub Actions to automatically scan code for vulnerabilities using CodeQL. +- Static code analysis: Allstar can be integrated with govulncheck to automatically scan Go code for vulnerabilities. +- Repository security settings: Allstar can be used to enforce security settings for repositories, such as requiring a security policy and enabling security advisories. +- Dependabot alerts: Allstar can be integrated with Dependabot to automatically scan dependencies for vulnerabilities. +- Code scanning alerts: Allstar can be integrated with code scanning tools to automatically scan code for vulnerabilities. 
+ +## Items that still needs to be manually configured in individual repositories +- Security Policies +- Security advisories +- Private vulnerabilty reporting +- Dependabot alerts +- Code scanning alerts + +###Allstar can also configure the following that were not listed on the checklist +- Branch protection +- Security testing +- Code review requirements + +## The steps needed to enable Allstar app across organisation includes; 1. Install the Allstar GitHub app. - 2. Open the installation page and click Configure -If you have multiple organizations, select the one you want to install Allstar on + 2. Open the [installation page](https://github.com/apps/allstar-app) and click Configure. If you have multiple organizations, select the one you want to install Allstar on 3. Select "All Repositories" under Repository Access, even if you plan to disable Allstar on some repositories later -4. Fork the sample repository +4. Fork the [sample repository](https://github.com/jeffmendoza/dot-allstar-quickstart) 5. Open the sample repository and click the "Use this template" button -6. In the field for Repository Name, type .allstar +6. In the field for Repository Name, type `.allstar` 7. Click "Create repository from template" -https://github.com/ossf/allstar/blob/main/manual-install.md +That's it! All current Allstar [policies](https://github.com/ossf/allstar?installation_id=42556888&setup_action=install#policies) are now enabled on all your repositories. Allstar will create an issue if a policy is violated. +To change any configurations, see the [manual installation directions](https://github.com/ossf/allstar/blob/main/manual-install.md). + +
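Review bot: the new text contradicts itself in this hunk: the heading `##Based on the checklist on issue #12, All star can cover everything on the checklist.` is immediately followed by `## Items that still needs to be manually configured in individual repositories`, and that manual list repeats items the bullets above present as covered (Dependabot alerts, Code scanning alerts, and security advisories, which the "Repository security settings" bullet says Allstar enforces). Pick one answer per item: either Allstar enforces it (then cite the Allstar policy that does so) or it must be set up per repository (then drop it from the "can cover" list). Two of the new headings (`##Based on...` and `###Allstar can also configure...`) have no space after the hashes and will not render as headings; they are also full sentences, so consider making them short titles with the explanation as body text. The policies link carries `?installation_id=42556888&setup_action=install`, which is specific to the author's own installation and is not needed to reach the anchor; replace it with the plain `https://github.com/ossf/allstar#policies`. Minor: "andinfrastructure", "vulnerabilty", "still needs" (should be "still need"), and "organisation includes;" (a colon after "include" reads better).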