This repository has been archived by the owner on Jan 20, 2025. It is now read-only.

[pull] main from ossf:main #104

Open
wants to merge 88 commits into
base: main
Choose a base branch
from
Open
Show file tree
Hide file tree
Changes from 76 commits
Commits
Show all changes
88 commits
Select commit Hold shift + click to select a range
eb99bd4
.github: Add initial CODEOWNERS
justaugustus Jul 1, 2024
c3b98e3
Bump github.com/hashicorp/go-retryablehttp in the go_modules group
dependabot[bot] Jun 24, 2024
4c1aa07
Bump github.com/bradleyfalzon/ghinstallation/v2 from 2.10.0 to 2.11.0
dependabot[bot] May 31, 2024
a23f50d
Bump ko-build/setup-ko from 0.6 to 0.7
dependabot[bot] Jun 18, 2024
398db45
Bump golangci/golangci-lint-action from 4 to 6
dependabot[bot] Jul 2, 2024
8172222
Bump ossf/scorecard-action from 2.1.3 to 2.3.3
dependabot[bot] May 10, 2024
ae7f629
Bump sigstore/cosign-installer from 3.4.0 to 3.5.0
dependabot[bot] May 3, 2024
7939932
Bump github.com/rs/zerolog from 1.32.0 to 1.33.0
dependabot[bot] May 23, 2024
9adcbec
Bump github.com/rhysd/actionlint from 1.6.27 to 1.7.1
dependabot[bot] Jul 2, 2024
a10a639
[StepSecurity] ci: Harden GitHub Actions
step-security-bot Jul 2, 2024
8751603
Bump actions/setup-go from 4.0.1 to 5.0.1
dependabot[bot] Jul 2, 2024
dd0a6d4
Bump actions/checkout from 4.1.1 to 4.1.7
dependabot[bot] Jul 2, 2024
5d71b29
go.mod: Update Scorecard to v5.0.0-rc2
justaugustus Jul 2, 2024
c66f943
.github: Create codeql.yml
justaugustus Jul 2, 2024
9bcc5c7
CodeQL: Dedupe post-merge configs, pin SHAs, strip add'l permissions
justaugustus Jul 2, 2024
e329fdf
docs: Correct instances of "Security Scorecards" to "OpenSSF Scorecard"
justaugustus Jul 2, 2024
3ff8fdf
README: Correct Scorecard API URL
justaugustus Jul 2, 2024
c6ddfbd
Bump actions/upload-artifact from 4.3.3 to 4.3.4
dependabot[bot] Jul 8, 2024
dfc5f57
Bump actions/setup-go from 5.0.1 to 5.0.2
dependabot[bot] Jul 11, 2024
a70d55b
Bump github/codeql-action from 3.25.11 to 3.25.12
dependabot[bot] Jul 12, 2024
3b9c886
Bump actions/dependency-review-action from 4.3.3 to 4.3.4
dependabot[bot] Jul 12, 2024
a89f5bc
Bump github/codeql-action from 3.25.12 to 3.25.13
dependabot[bot] Jul 22, 2024
e63e249
Bump github.com/ossf/scorecard/v5 from 5.0.0-rc2 to 5.0.0
dependabot[bot] Jul 22, 2024
38d990d
go.mod: Update `go` directive to go1.12.12
justaugustus Jul 22, 2024
e1316aa
Bump github/codeql-action from 3.25.13 to 3.25.14
dependabot[bot] Jul 25, 2024
434ff60
Bump gocloud.dev from 0.37.0 to 0.38.0
dependabot[bot] Jul 26, 2024
5d4062e
Bump github/codeql-action from 3.25.14 to 3.25.15
dependabot[bot] Jul 28, 2024
07cd81d
Bump ossf/scorecard-action from 2.3.3 to 2.4.0
dependabot[bot] Jul 28, 2024
df60525
Bump golangci/golangci-lint-action from 6.0.1 to 6.1.0
dependabot[bot] Jul 30, 2024
5e6dd6d
Bump actions/upload-artifact from 4.3.4 to 4.3.5
dependabot[bot] Aug 5, 2024
5c9ebc9
Bump golang.org/x/sync from 0.7.0 to 0.8.0
dependabot[bot] Aug 5, 2024
8c554f6
Bump sigstore/cosign-installer from 3.5.0 to 3.6.0
dependabot[bot] Aug 8, 2024
2a29177
Bump actions/upload-artifact from 4.3.5 to 4.3.6
dependabot[bot] Aug 7, 2024
904b98b
Bump github/codeql-action from 3.25.15 to 3.26.0
dependabot[bot] Aug 7, 2024
2876086
Bump gocloud.dev from 0.38.0 to 0.39.0
dependabot[bot] Aug 15, 2024
7a8bc67
Bump github.com/Masterminds/semver/v3 from 3.2.1 to 3.3.0
dependabot[bot] Aug 28, 2024
95b6e08
Bump actions/upload-artifact from 4.3.6 to 4.4.0
dependabot[bot] Sep 2, 2024
826fb08
Bump github/codeql-action from 3.26.0 to 3.26.7
dependabot[bot] Sep 16, 2024
05123ba
Bump github/codeql-action from 3.26.7 to 3.26.8
dependabot[bot] Sep 19, 2024
2ee59a2
Bump github.com/rhysd/actionlint from 1.7.1 to 1.7.2
dependabot[bot] Sep 24, 2024
4b1d421
Support globs for optOut/optInRepos
coheigea Sep 24, 2024
4599160
Bump github/codeql-action from 3.26.8 to 3.26.9
dependabot[bot] Sep 25, 2024
8649289
feat: add support for GitHub enterprise
SebastianBezold Aug 13, 2024
68d2f55
fix: ensure correct enterprise API URLs for GraphQL + http client
SebastianBezold Aug 15, 2024
3cc20f3
docs: add hints on GHE operating specifics
SebastianBezold Aug 15, 2024
ca25e17
chore: adapt GH_HOST env variable comment
SebastianBezold Sep 11, 2024
38c2e3b
fix: handle errors when creating gh client transport
SebastianBezold Sep 11, 2024
92def9f
Bump github.com/rhysd/actionlint from 1.7.2 to 1.7.3
dependabot[bot] Sep 30, 2024
b9b31db
Bump golangci/golangci-lint-action from 6.1.0 to 6.1.1
dependabot[bot] Oct 3, 2024
7b8f10b
Bump sigstore/cosign-installer from 3.6.0 to 3.7.0
dependabot[bot] Oct 4, 2024
a8b3a63
Bump actions/upload-artifact from 4.4.0 to 4.4.1
dependabot[bot] Oct 8, 2024
f3b33ce
Bump github/codeql-action from 3.26.9 to 3.26.12
dependabot[bot] Oct 8, 2024
fa99b6b
Bump actions/checkout from 4.1.7 to 4.2.1
dependabot[bot] Oct 8, 2024
7dc3b08
Bump actions/upload-artifact from 4.4.1 to 4.4.2
dependabot[bot] Oct 9, 2024
f3c9f4f
Bump actions/upload-artifact from 4.4.2 to 4.4.3
dependabot[bot] Oct 10, 2024
47b8cb1
Bump gocloud.dev from 0.39.0 to 0.40.0
dependabot[bot] Oct 11, 2024
6507a6c
Bump github/codeql-action from 3.26.12 to 3.26.13
dependabot[bot] Oct 14, 2024
9f5fb01
Update scorecard interface to use scorecard.Run()
jeffmendoza Oct 8, 2024
1710550
Bump actions/dependency-review-action from 4.3.4 to 4.3.5
dependabot[bot] Oct 22, 2024
df6cc16
Bump actions/setup-go from 5.0.2 to 5.1.0
dependabot[bot] Oct 25, 2024
2fd0ec5
Bump actions/dependency-review-action from 4.3.5 to 4.4.0
dependabot[bot] Oct 29, 2024
5525a93
Bump github/codeql-action from 3.26.13 to 3.27.0
dependabot[bot] Oct 23, 2024
107c973
Bump actions/checkout from 4.2.1 to 4.2.2
dependabot[bot] Nov 2, 2024
ff2ddb3
document CODEOWNERS policy in README
markdboyd Nov 8, 2024
b863d2b
Bump github.com/rhysd/actionlint from 1.7.3 to 1.7.4
dependabot[bot] Nov 4, 2024
a8c730f
Bump golang.org/x/sync from 0.8.0 to 0.9.0
dependabot[bot] Nov 8, 2024
d5800d3
Bump github.com/golang-jwt/jwt/v4 in the go_modules group
dependabot[bot] Nov 8, 2024
a4813b2
Bump github/codeql-action from 3.27.0 to 3.27.1
dependabot[bot] Nov 11, 2024
24c6ada
Bump github/codeql-action from 3.27.1 to 3.27.4
dependabot[bot] Nov 15, 2024
8a6fbdf
Bump github.com/bradleyfalzon/ghinstallation/v2 from 2.11.0 to 2.12.0
dependabot[bot] Nov 13, 2024
dd40517
Bump actions/dependency-review-action from 4.4.0 to 4.5.0
dependabot[bot] Nov 21, 2024
b5a8d4a
Bump github.com/Masterminds/semver/v3 from 3.3.0 to 3.3.1
dependabot[bot] Nov 20, 2024
81e9d7a
Bump github/codeql-action from 3.27.4 to 3.27.5
dependabot[bot] Nov 21, 2024
f92c72c
Bump golang.org/x/sync from 0.9.0 to 0.10.0
dependabot[bot] Dec 5, 2024
3f9627a
Bump github/codeql-action from 3.27.5 to 3.27.7
dependabot[bot] Dec 10, 2024
00e2013
build(deps): bump golang.org/x/crypto in the go_modules group
dependabot[bot] Dec 17, 2024
e775a1d
build(deps): bump actions/setup-go from 5.1.0 to 5.2.0
dependabot[bot] Dec 11, 2024
b00098d
build(deps): bump github/codeql-action from 3.27.7 to 3.27.9
dependabot[bot] Dec 13, 2024
b1e2230
Build container images for both amd64 and arm64 platforms
blockmar Dec 18, 2024
13447b7
build(deps): bump actions/upload-artifact from 4.4.3 to 4.5.0
dependabot[bot] Dec 18, 2024
5cb10d4
build(deps): bump the go_modules group with 2 updates
dependabot[bot] Jan 6, 2025
400285a
build(deps): bump github.com/bradleyfalzon/ghinstallation/v2
dependabot[bot] Jan 25, 2025
2d0c842
build(deps): bump github.com/rhysd/actionlint from 1.7.4 to 1.7.7
dependabot[bot] Jan 25, 2025
87bc292
build(deps): bump github/codeql-action from 3.27.9 to 3.28.5
dependabot[bot] Jan 25, 2025
369201c
build(deps): bump actions/setup-go from 5.2.0 to 5.3.0
dependabot[bot] Jan 21, 2025
5aa5340
build(deps): bump golangci/golangci-lint-action from 6.1.1 to 6.2.0
dependabot[bot] Jan 17, 2025
93304b3
build(deps): bump ko-build/setup-ko from 0.7 to 0.8
dependabot[bot] Jan 16, 2025
7f673ca
build(deps): bump actions/upload-artifact from 4.5.0 to 4.6.0
dependabot[bot] Jan 10, 2025
7 changes: 7 additions & 0 deletions .github/CODEOWNERS
@@ -0,0 +1,7 @@
# CODEOWNERS reference: https://docs.github.com/en/repositories/managing-your-repositorys-settings-and-features/customizing-your-repository/about-code-owners

# These owners will be the default owners for everything in
# the repo. Unless a later match takes precedence,
# the following users/teams will be requested for
# review when someone opens a pull request.
* @ossf/allstar-maintainers
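Review bot: the catch-all rule `* @ossf/allstar-maintainers` only takes effect if that team exists in the repository's organization and has write access; GitHub silently ignores owners it cannot resolve, so if this repository is a fork outside the `ossf` org the rule does nothing. Pair it with a branch protection rule on `main` that requires review from code owners; without that, CODEOWNERS only auto-requests reviewers and does not gate merges.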
75 changes: 75 additions & 0 deletions .github/workflows/codeql.yml
@@ -0,0 +1,75 @@
name: "CodeQL"

on:
push:
branches: [ "main" ]
pull_request:
branches: [ "main" ]
schedule:
- cron: '18 13 * * 6'

jobs:
analyze:
name: Analyze (${{ matrix.language }})
# Runner size impacts CodeQL analysis time. To learn more, please see:
# - https://gh.io/recommended-hardware-resources-for-running-codeql
# - https://gh.io/supported-runners-and-hardware-resources
# - https://gh.io/using-larger-runners (github.com only)
# Consider using larger runners or machines with greater resources for possible analysis time improvements.
runs-on: ${{ (matrix.language == 'swift' && 'macos-latest') || 'ubuntu-latest' }}
timeout-minutes: ${{ (matrix.language == 'swift' && 120) || 360 }}
permissions:
# required for all workflows
security-events: write

# required to fetch internal or private CodeQL packs
packages: read

strategy:
fail-fast: false
matrix:
include:
- language: go
build-mode: autobuild
# CodeQL supports the following values keywords for 'language': 'c-cpp', 'csharp', 'go', 'java-kotlin', 'javascript-typescript', 'python', 'ruby', 'swift'
# To learn more about changing the languages that are analyzed or customizing the build mode for your analysis,
# see https://docs.github.com/en/code-security/code-scanning/creating-an-advanced-setup-for-code-scanning/customizing-your-advanced-setup-for-code-scanning.
# If you are analyzing a compiled language, you can modify the 'build-mode' for that language to customize how
# your codebase is analyzed, see https://docs.github.com/en/code-security/code-scanning/creating-an-advanced-setup-for-code-scanning/codeql-code-scanning-for-compiled-languages
steps:
- name: Checkout repository
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2

# Initializes the CodeQL tools for scanning.
- name: Initialize CodeQL
uses: github/codeql-action/init@babb554ede22fd5605947329c4d04d8e7a0b8155 # v3.27.7
with:
languages: ${{ matrix.language }}
build-mode: ${{ matrix.build-mode }}
# If you wish to specify custom queries, you can do so here or in a config file.
# By default, queries listed here will override any specified in a config file.
# Prefix the list here with "+" to use these queries and those in the config file.

# For more details on CodeQL's query packs, refer to: https://docs.github.com/en/code-security/code-scanning/automatically-scanning-your-code-for-vulnerabilities-and-errors/configuring-code-scanning#using-queries-in-ql-packs
# queries: security-extended,security-and-quality

# If the analyze step fails for one of the languages you are analyzing with
# "We were unable to automatically build your code", modify the matrix above
# to set the build mode to "manual" for that language. Then modify this step
# to build your code.
# ℹ️ Command-line programs to run using the OS shell.
# 📚 See https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#jobsjob_idstepsrun
- if: matrix.build-mode == 'manual'
shell: bash
run: |
echo 'If you are using a "manual" build mode for one or more of the' \
'languages you are analyzing, replace this with the commands to build' \
'your code, for example:'
echo ' make bootstrap'
echo ' make release'
exit 1

- name: Perform CodeQL Analysis
uses: github/codeql-action/analyze@babb554ede22fd5605947329c4d04d8e7a0b8155 # v3.27.7
with:
category: "/language:${{matrix.language}}"
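Review bot: the matrix is Go-only, so the `swift` branches in `runs-on` and `timeout-minutes` and the manual-build placeholder step (`if: matrix.build-mode == 'manual'`, which only echoes and then `exit 1`) are dead template code; a plain `runs-on: ubuntu-latest` with a single timeout reads more clearly. The job-level `permissions` block lists only `security-events: write` and `packages: read`, so `contents` is implicitly `none`; that is fine for a public repository, where checkout needs no token, but checkout would fail if the repository were private (the upstream template adds `actions: read` and `contents: read` for that case). Both action references are SHA-pinned with version comments, which is the right pattern here.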
17 changes: 4 additions & 13 deletions .github/workflows/postmerge.yaml
@@ -7,28 +7,19 @@ permissions:
contents: read
security-events: write
jobs:
codeql:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
- uses: github/codeql-action/init@v3
with:
languages: go
- uses: github/codeql-action/autobuild@v3
- uses: github/codeql-action/analyze@v3
scorecard:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
- uses: ossf/scorecard-action@v2.1.3
- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
- uses: ossf/scorecard-action@62b2cac7ed8198b15735ed49ab1e5cf35480ba46 # v2.4.0
with:
results_file: results.sarif
results_format: sarif
- uses: actions/upload-artifact@v4
- uses: actions/upload-artifact@b4b15b8c7c6ac21ea08fcf65892d2ee8f75cf882 # v4.4.3
with:
name: SARIF file
path: results.sarif
retention-days: 5
- uses: github/codeql-action/upload-sarif@v3
- uses: github/codeql-action/upload-sarif@babb554ede22fd5605947329c4d04d8e7a0b8155 # v3.27.7
with:
sarif_file: results.sarif
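Review bot: removing the `codeql` job here is only safe because the new `.github/workflows/codeql.yml` in this PR covers the same Go analysis; it also widens coverage, since that workflow runs on `pull_request` and a weekly schedule rather than only after merge. `security-events: write` at the workflow level is still needed by the `upload-sarif` step, so it should stay. The SHA pins carry version comments (`# v4.4.3`, `# v3.27.7`); Dependabot updates hash and comment together, so avoid hand-editing one without the other.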
18 changes: 9 additions & 9 deletions .github/workflows/pr.yaml
@@ -6,28 +6,28 @@ jobs:
lint:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
- uses: actions/setup-go@v4
- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
- uses: actions/setup-go@41dfa10bad2bb2ae585af6ee5bb4d7d973ad74ed # v5.1.0
with:
go-version: '1.21'
check-latest: true
- uses: golangci/golangci-lint-action@v4
- uses: golangci/golangci-lint-action@971e284b6050e8a5849b72094c50ab08da042db8 # v6.1.1
with:
args: --timeout 3m --verbose
build:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
- uses: actions/setup-go@v4
- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
- uses: actions/setup-go@41dfa10bad2bb2ae585af6ee5bb4d7d973ad74ed # v5.1.0
with:
go-version: '1.21'
check-latest: true
- run: go build -v ./...
test:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
- uses: actions/setup-go@v4
- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
- uses: actions/setup-go@41dfa10bad2bb2ae585af6ee5bb4d7d973ad74ed # v5.1.0
with:
go-version: '1.21'
check-latest: true
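Review bot: `go-version: '1.21'` is hardcoded in all three jobs while the commit list shows the `go.mod` `go` directive being updated separately, so the two can drift. Replace the three `go-version: '1.21'` lines with `go-version-file: go.mod` (a supported setup-go input) so the workflow follows the module's directive. The SHA pins with trailing version comments are good; keep the comment in sync with the hash on future bumps.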
@@ -36,5 +36,5 @@ jobs:
dependency-review:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
- uses: actions/dependency-review-action@v4
- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
- uses: actions/dependency-review-action@3b139cfc5fae8b618d3eae3675e383bb1769c019 # v4.5.0
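Review bot: dependency-review-action runs without any `with:` block, so the severity threshold is whatever the action's default happens to be; set `fail-on-severity` explicitly so the policy is visible in the file and survives future defaults changes. The pin to `3b139cfc…` with the `# v4.5.0` comment matches the rest of the PR.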
8 changes: 4 additions & 4 deletions .github/workflows/release.yaml
@@ -14,16 +14,16 @@ jobs:
release:
runs-on: ubuntu-20.04
steps:
- uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2

- uses: actions/setup-go@fac708d6674e30b6ba41289acaab6d4b75aa0753 # v4.0.1
- uses: actions/setup-go@41dfa10bad2bb2ae585af6ee5bb4d7d973ad74ed # v5.1.0
with:
go-version: '1.21'
check-latest: true

- uses: sigstore/cosign-installer@e1523de7571e31dbe865fd2e80c5c7c23ae71eb4 # v3.4.0
- uses: sigstore/cosign-installer@dc72c7d5c4d10cd6bcb8cf6e3fd625a9e5e537da # v3.7.0

- uses: ko-build/setup-ko@ace48d793556083a76f1e3e6068850c1f4a369aa # v0.6
- uses: ko-build/setup-ko@3aebd0597dc1e9d1a26bcfdb7cbeb19c131d3037 # v0.7

- run: echo "${{ secrets.GITHUB_TOKEN }}" | docker login ghcr.io -u ${{ github.workflow }} --password-stdin

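Review bot: `runs-on: ubuntu-20.04` is left untouched while every action pin is bumped; GitHub has announced the retirement of the ubuntu-20.04 hosted runner image, so this release job will start failing once it is removed. Move it to `ubuntu-latest` (or a current pinned image) in the same change. The docker login piping `${{ secrets.GITHUB_TOKEN }}` through `--password-stdin` is fine; the username `${{ github.workflow }}` is unusual (ghcr.io accepts any username with a token, but `github.actor` is the conventional choice and keeps audit logs readable).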
1 change: 1 addition & 0 deletions .gitignore
@@ -2,3 +2,4 @@ cmd/allstar/allstar
*.pem
.vscode
allstar.ref
.idea/
60 changes: 36 additions & 24 deletions README.md
@@ -1,4 +1,4 @@
[![OpenSSF Scorecard](https://api.securityscorecards.dev/projects/github.com/ossf/allstar/badge)](https://api.securityscorecards.dev/projects/github.com/ossf/allstar)
[![OpenSSF Scorecard](https://api.scorecard.dev/projects/github.com/ossf/allstar/badge)](https://api.scorecard.dev/projects/github.com/ossf/allstar)

<img align="right" src="artwork/openssf_allstar_alt.png" width="300" height="400">

@@ -14,7 +14,7 @@

## Disabling Unwanted Issues

- [Help! I'm getting issues created by Allstar and I don't want them!](#disabling-unwanted-issues-1)
- [Help! I'm getting issues created by Allstar and I don't want them!](#disabling-unwanted-issues-1)

## Getting Started

@@ -59,18 +59,18 @@ Allstar is developed as a part of the [OpenSSF Scorecard](https://github.com/oss
## [What's new with Allstar](whats-new.md)

## Disabling Unwanted Issues
If you're getting unwanted issues created by Allstar, follow [these directions](opt-out.md) to opt out.
If you're getting unwanted issues created by Allstar, follow [these directions](opt-out.md) to opt out.

## Getting Started

### Background

Allstar is highly configurable. There are three main levels of controls:
Allstar is highly configurable. There are three main levels of controls:

- **Org level**: Organization administrators can choose to enable Allstar on:
- all repositories in the org;
- most repositories, except some that are opted out;
- just a few repositories that are opted in.
- **Org level**: Organization administrators can choose to enable Allstar on:
- all repositories in the org;
- most repositories, except some that are opted out;
- just a few repositories that are opted in.

These configurations are done in the organization's `.allstar` repository.

@@ -84,26 +84,30 @@ These configurations are done in the organization's `.allstar` repository.
are enabled on specific repos and which actions Allstar takes when a policy
is violated. These configurations are done in a policy yaml file in either
the organization's `.allstar` repository (admins), or the repository's
`.allstar` directory (maintainers).
`.allstar` directory (maintainers).

### Org-Level Options
### Org-Level Options

Before installing Allstar at the org level, you should decide approximately how many repositories
you want Allstar to run on. This will help you choose between the Opt-In and
Opt-Out strategies.
Opt-Out strategies.

- The Opt In strategy allows you to manually add the repositories you'd
like Allstar to run on. If you do not specify any repositories, Allstar will
not run despite being installed. Choose the Opt In strategy if you want to enforce
policies on only a small number of your total repositories, or want to try
out Allstar on a single repository before enabling it on more.
out Allstar on a single repository before enabling it on more. Since the
v4.3 release, globs are supported to easily add multiple repositories with
a similar name.

- The Opt Out strategy (recommended) enables Allstar on all repositories
and allows you to manually select the repositories to opt out of Allstar
enforcements. You can also choose to opt out all public repos, or all
private repos. Choose this option if you want to run Allstar on all
repositories in an organization, or want to opt out only a small number of
repositories or specific type (i.e., public vs. private) of repository.
Since the v4.3 release, globs are supported to easily add multiple
repositories with a similar name.

<table>
<thead>
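Review bot: the sentence "Since the v4.3 release, globs are supported to easily add multiple repositories with a similar name" is added almost verbatim to both the Opt In and Opt Out bullets; state it once after both bullets, and say which glob syntax is accepted (whether `*` matches the whole name, whether patterns are anchored), since readers will otherwise guess. It also helps to name the config keys the patterns go in (`optInRepos`/`optOutRepos`, per the commit title "Support globs for optOut/optInRepos").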
@@ -163,13 +167,13 @@ configured at the org level. </td>

Both the Quickstart and Manual Installation options involve installing the Allstar app. You may review the permissions requested. The app asks for read access to most settings and file contents to detect security compliance. It requests write access to issues and checks so that it can create issues and allow the `block` action.

#### Quickstart Installation
#### Quickstart Installation
This installation option will enable Allstar using the
Opt Out strategy on all repositories in your organization. All current policies
will be enabled, and Allstar will alert you of
policy violations by filing an issue. This is the quickest and easiest way to start using Allstar, and you can still change any configurations later.
policy violations by filing an issue. This is the quickest and easiest way to start using Allstar, and you can still change any configurations later.

Effort: very easy
Effort: very easy

Steps:

@@ -187,7 +191,7 @@ Steps:
1. Click "Create repository from template"

That's it! All current Allstar [policies](#policies) are now enabled on all
your repositories. Allstar will create an issue if a policy is violated.
your repositories. Allstar will create an issue if a policy is violated.

To change any configurations, see the [manual installation directions](manual-install.md).

@@ -198,12 +202,12 @@ option provides more granular control over configurations right from the start.

Effort: moderate

Steps:
Steps:
1) Install the [Allstar app](https://github.com/apps/allstar-app) (choose "All
Repositories" under Repository Access, even if you don't plan to use Allstar on
all your repositories)
2) Follow the [manual installation directions](manual-install.md) to create org-level or
repository-level Allstar config files and individual policy files.
all your repositories)
2) Follow the [manual installation directions](manual-install.md) to create org-level or
repository-level Allstar config files and individual policy files.

## Policies and Actions

@@ -289,6 +293,14 @@ binary artifact from the repository to achieve compliance. As the scorecard
results can be verbose, you may need to run [scorecard
itself](https://github.com/ossf/scorecard) to see all the detailed information.

### CODEOWNERS

This policy's config file is named `codeowners.yaml`, and the [config
definitions are
here](https://pkg.go.dev/github.com/ossf/allstar/pkg/policies/codeowners#OrgConfig).

This policy checks for the presence of a [`CODEOWNERS` file](https://docs.github.com/en/repositories/managing-your-repositorys-settings-and-features/customizing-your-repository/about-code-owners) on your repositories.

### Outside Collaborators

This policy's config file is named `outside.yaml`, and the [config definitions
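Review bot: the new CODEOWNERS policy section says only that it "checks for the presence" of the file, while the neighbouring policy sections describe what is checked and which remediation applies. Say whether an empty or malformed `CODEOWNERS` file passes, which locations are searched (the linked GitHub page lists the repository root, `.github/` and `docs/`), and which actions (such as `issue` and `block`) apply, so the section matches the format of the others. Worth a sentence too that this policy and the `.github/CODEOWNERS` file added in this PR are independent: one enforces the file on scanned repositories, the other assigns owners for this repository.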
@@ -321,8 +333,8 @@ here](https://pkg.go.dev/github.com/ossf/allstar/pkg/policies/workflow#OrgConfig

This policy checks the GitHub Actions workflow configuration files
(`.github/workflows`), for any patterns that match known dangerous
behavior. See the [Security Scorecards
Documentation](https://github.com/ossf/scorecard/blob/main/docs/checks.md#dangerous-workflow)
behavior. See the [OpenSSF Scorecard
documentation](https://github.com/ossf/scorecard/blob/main/docs/checks.md#dangerous-workflow)
for more information on this check.

### Generic Scorecard Check
@@ -333,8 +345,8 @@ here](https://pkg.go.dev/github.com/ossf/allstar/pkg/policies/scorecard#OrgConfi

This policy runs any scorecard check listed in the `checks` configuration. All
checks run must have a score equal or above the `threshold` setting. Please see
the [Security Scorecards
Documentation](https://github.com/ossf/scorecard/blob/main/docs/checks.md)
the [OpenSSF Scorecard
documentation](https://github.com/ossf/scorecard/blob/main/docs/checks.md)
for more information on each check.

### GitHub Actions