
Investigate Allstar for monitoring organization-wide policies #21

Open
codeboten opened this issue Oct 4, 2023 · 10 comments
Comments

@codeboten
Contributor

> We should consider [Allstar](https://github.com/ossf/allstar) for monitoring [organization-wide policies](https://github.com/ossf/allstar#org-level-options). The [quickstart](https://github.com/ossf/allstar#quickstart-installation) may meet our needs.

Originally posted by @JonZeolla in #12 (comment)

@codeboten
Contributor Author

In issue open-telemetry/community#12, I proposed the following checklist to audit all the organization's repositories:

  • CodeQL enabled via GitHub Actions
  • Static code analysis: govulncheck [https://pkg.go.dev/golang.org/x/vuln] enabled on every build
  • Repository security settings
    • Security Policy ✅
    • Security advisories ✅
    • Private vulnerability reporting ✅
    • Dependabot alerts ✅
    • Code scanning alerts ✅

Allstar was proposed as a way to achieve consistency across the repositories in the org with regards to security policy. This issue is to:

  • determine how much of the checklist allstar can cover
  • what items on the checklist above still need to be manually configured in individual repositories
  • propose the steps needed to enable allstar across the organization and open issues in the appropriate repositories
  • document the usage of allstar in the security sig repository
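The checklist above is a set of yes/no checks per repository. As an added example (not code from this issue, the security SIG, or Allstar), the script below evaluates those checks against a small constructed snapshot of a repository: the two tooling items are detected by scanning workflow YAML text for the CodeQL action and for a `govulncheck` invocation, and the five repository settings are taken from boolean fields that, in practice, would be filled from the GitHub API. The `RepoSnapshot` shape, the sample workflows and the repository names are all assumptions made for the example.

```python
"""Evaluate the security SIG checklist for a repository snapshot.

Added example, not part of the issue or of any project. The snapshot
fields and sample data are constructed assumptions.
"""
from dataclasses import dataclass, field
import re

# CodeQL "enabled via GitHub Actions": the official action is invoked in a workflow.
CODEQL_RE = re.compile(r"uses:\s*github/codeql-action/(init|analyze)@")
# govulncheck is normally run as a plain command in a workflow step.
GOVULNCHECK_RE = re.compile(r"\bgovulncheck\b")


@dataclass
class RepoSnapshot:
    """Constructed view of one repository (assumed shape, not a GitHub API object)."""
    name: str
    workflows: dict = field(default_factory=dict)  # workflow filename -> YAML text
    security_policy: bool = False        # SECURITY.md present
    security_advisories: bool = False
    private_vuln_reporting: bool = False
    dependabot_alerts: bool = False
    code_scanning_alerts: bool = False


def workflows_match(repo, pattern):
    """True if any workflow file in the snapshot matches the pattern."""
    return any(pattern.search(text) for text in repo.workflows.values())


def audit(repo):
    """Return the checklist as {item: bool}, i.e. the plain yes/no answer per item.

    Note: the govulncheck check only confirms the tool appears in some workflow;
    whether that workflow runs on every build still needs a look at its triggers.
    """
    return {
        "CodeQL enabled via GitHub Actions": workflows_match(repo, CODEQL_RE),
        "govulncheck enabled on every build": workflows_match(repo, GOVULNCHECK_RE),
        "Security Policy": repo.security_policy,
        "Security advisories": repo.security_advisories,
        "Private vulnerability reporting": repo.private_vuln_reporting,
        "Dependabot alerts": repo.dependabot_alerts,
        "Code scanning alerts": repo.code_scanning_alerts,
    }


def missing_items(repo):
    """Checklist items that still need to be configured in this repository."""
    return [item for item, ok in audit(repo).items() if not ok]


def report(repos):
    """Render a checkbox-style summary for a list of snapshots."""
    lines = []
    for repo in repos:
        lines.append(f"{repo.name}:")
        for item, ok in audit(repo).items():
            lines.append(f"  [{'x' if ok else ' '}] {item}")
    return "\n".join(lines)


# Constructed sample workflows (assumptions for the example).
CODEQL_WORKFLOW = """\
name: codeql
on: [push, pull_request]
jobs:
  analyze:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: github/codeql-action/init@v2
        with:
          languages: go
      - uses: github/codeql-action/analyze@v2
"""

BUILD_WORKFLOW = """\
name: build
on: [push, pull_request]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - run: go install golang.org/x/vuln/cmd/govulncheck@latest
      - run: govulncheck ./...
"""

# Constructed repositories: one fully configured, one with gaps.
SAMPLE_REPOS = [
    RepoSnapshot("example-collector",
                 workflows={"codeql.yml": CODEQL_WORKFLOW, "build.yml": BUILD_WORKFLOW},
                 security_policy=True, security_advisories=True,
                 private_vuln_reporting=True, dependabot_alerts=True,
                 code_scanning_alerts=True),
    RepoSnapshot("example-helm-charts",
                 workflows={"lint.yml": "name: lint\non: [push]\njobs: {}\n"},
                 security_policy=True, dependabot_alerts=True),
]

if __name__ == "__main__":
    print(report(SAMPLE_REPOS))
```

Running the script prints one checkbox block per repository; `missing_items` gives the list that would go into the per-repository issue the last bullet above asks for.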

@oly-baby

oly-baby commented Oct 5, 2023

Good day,

Please, can I work on this?

@jpkrohling
Member

Hi @oly-baby, sure! Please take a look at a comment I left here: #12 (comment)

@Davidlred

@codeboten, could you please throw more light on the checklist you made? Is the job description just to check what can be done, and also how complex should the documentation be?

@jpkrohling
Member

@Davidlred, the checklist is a simple "yes, the item is present in the repository" or "no, there's no usage of the proposed tool". No further documentation is needed other than checking whether the items are being used.

@Davidlred

Davidlred commented Oct 5, 2023 via email

EjiroLaurelD added a commit to EjiroLaurelD/sig-security that referenced this issue Oct 5, 2023
EjiroLaurelD added a commit to EjiroLaurelD/sig-security that referenced this issue Oct 16, 2023
EjiroLaurelD added a commit to EjiroLaurelD/sig-security that referenced this issue Oct 17, 2023
EjiroLaurelD added a commit to EjiroLaurelD/sig-security that referenced this issue Oct 17, 2023
EjiroLaurelD added a commit to EjiroLaurelD/sig-security that referenced this issue Oct 17, 2023
This was referenced Oct 23, 2023
@EjiroLaurelD
Contributor

In issue open-telemetry/community#12, I proposed the following checklist to audit all the organization's repositories:

  • CodeQL enabled via GitHub Actions

  • Static code analysis: govulncheck [https://pkg.go.dev/golang.org/x/vuln] enabled on every build

  • Repository security settings

    • Security Policy ✅
    • Security advisories ✅
    • Private vulnerability reporting ✅
    • Dependabot alerts ✅
    • Code scanning alerts ✅

Allstar was proposed as a way to achieve consistency across the repositories in the org with regards to security policy. This issue is to:

  • determine how much of the checklist allstar can cover
  • what items on the checklist above still need to be manually configured in individual repositories
  • propose the steps needed to enable allstar across the organization and open issues in the appropriate repositories
  • document the usage of allstar in the security sig repository

I have determined what Allstar can cover using the checklist that was provided; the steps to enable Allstar have also been proposed using the quickstart (I did a test run on my GitHub to be sure how it works).
I created issues on some repositories using the checklist, checking and confirming with maintainers what is enabled on the repo. I have gotten responses from these two repos so far: community and Helm-charts.
The usage of Allstar in the security-sig repository has been documented here.

@Twhite2

Twhite2 commented Oct 24, 2023

In line with the requirements of this issue, and using the checklist provided, I've been able to gather information through simple testing along with studying the reviews of the different documentation. I've been able to compile a detailed report on the use of Allstar, including how to get started, HERE.

@sakshi-1505

/assign

@codeboten
Contributor Author

Assigned, thanks @sakshi-1505!
