-
Notifications
You must be signed in to change notification settings - Fork 7
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
- Loading branch information
Showing
1 changed file
with
30 additions
and
0 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,30 @@ | ||
| #Allstar was proposed as a way to achieve consistency across the repositories in the org with regards to security policy. This issue is to: | ||
| *CodeQL enabled via GitHub Actions: | ||
| "Allstar" can help automate CodeQL analysis as part of your GitHub Actions workflow. You would need to configure "Allstar" to include CodeQL checks in your repository's workflow file. | ||
|
|
||
| *Static code analysis: govulncheck enabled on every build: | ||
| "Allstar" may not directly provide Go vulnerability scanning like govulncheck. You may need to continue using govulncheck separately or look for alternative GitHub Actions or tools to cover this specific | ||
| need. | ||
|
|
||
| *Repository security settings: | ||
| The settings for Security Policy, Security advisories, Private vulnerability reporting, and Dependabot alerts are usually managed at the repository level through the GitHub user interface. "Allstar" does not have the capability to directly configure these settings, but it can be useful for monitoring and providing reports on their current status. | ||
|
|
||
| *Code scanning alerts: While "Allstar" can integrate with GitHub's code scanning feature and deliver alerts, it's important to note that the setup and management of code scanning workflows, as well as the handling of alerts, might necessitate manual configuration in each repository. | ||
|
|
||
| * let's propose steps to enable "Allstar" across your organization and open issues in the appropriate repositories: | ||
|
|
||
| Enable "Allstar" Across the Organization: | ||
| First, determine if "Allstar" is already set up in your organization. If not, you can set it up as a GitHub App with appropriate permissions. | ||
| Configure "Allstar" to integrate with the organization's repositories. | ||
|
|
||
| Configure "Allstar" for Security Checks: | ||
| Create or configure "Allstar" checks that align with your organization's security policies. | ||
| Ensure that "Allstar" runs as part of your GitHub Actions workflows for code scanning and security checks. | ||
|
|
||
| Open Issues in Repositories: | ||
| Use "Allstar" to scan and identify repositories that do not meet the security checklist requirements. | ||
| For repositories that need manual configuration, open issues with detailed instructions on what needs to be done to align with the security checklist items. | ||
|
|
||
| *Documentation in Security SIG Repository: | ||
| Document the usage of "Allstar" in your organization's Security SIG repository. | ||
| Include instructions on how to configure "Allstar" for security checks and provide guidance on interpreting its reports. |