Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Investigate Allstar for monitoring organization-wide policies #21

Open
codeboten opened this issue Oct 4, 2023 · 10 comments
Open

Investigate Allstar for monitoring organization-wide policies #21

codeboten opened this issue Oct 4, 2023 · 10 comments
Assignees
@sakshi-1505

Comments

@codeboten
Copy link
Contributor 

          We should consider [Allstar](https://github.com/ossf/allstar) for monitoring [organization-wide policies](https://github.com/ossf/allstar#org-level-options). The [quickstart](https://github.com/ossf/allstar#quickstart-installation) may meet our needs

Originally posted by @JonZeolla in #12 (comment)
@codeboten
Copy link
Contributor Author

In issue #12, i proposed the following checklist to audit all the organization's repositories:

  • CodeQL enabled via GitHub Actions
  • Static code analysis: govulncheck [https://pkg.go.dev/golang.org/x/vuln] enabled on every build
  • Repository security settings
    • Security Policy ✅
    • Security advisories ✅
    • Private vulnerability reporting ✅
    • Dependabot alerts ✅
    • Code scanning alerts ✅

Allstar was proposed as a way to achieve consistency across the repositories in the org with regards to security policy. This issue is to:

  • determine how much of the checklist allstar can cover
  • what items on the checklist above still need to be manually configured in individual repositories
  • propose the steps needed to enable allstar across the organization and open issues in the appropriate repositories
  • document the usage of allstar in the security sig repository

@oly-baby
Copy link

oly-baby commented Oct 5, 2023

Good day,

pls can i work on this

@jpkrohling
Copy link
Member

Hi @oly-baby, sure! Please take a look at a comment I left here: #12 (comment)

@Davidlred
Copy link

@codeboten could you please throw more light on the checklist you made, is the job description just to check what can be done, also how complex should the documentation be?

@jpkrohling
Copy link
Member

@Davidlred, the checklist is a simple "yes, the item is present in the repository" or "no, there's no usage of the proposed tool". No further documentation is needed other than checking whether the items are being used.

@Davidlred
Copy link

Davidlred commented Oct 5, 2023 via email

EjiroLaurelD added a commit to EjiroLaurelD/sig-security that referenced this issue Oct 5, 2023
@EjiroLaurelD
document recommendation for allstar issue open-telemetry#21
2f219ec
EjiroLaurelD added a commit to EjiroLaurelD/sig-security that referenced this issue Oct 16, 2023
@EjiroLaurelD
allstar usecase(open-telemetry#21)
dcc4ef4
EjiroLaurelD added a commit to EjiroLaurelD/sig-security that referenced this issue Oct 17, 2023
@EjiroLaurelD
allstar usecase (openTelemetry open-telemetry#21)
b291149
EjiroLaurelD added a commit to EjiroLaurelD/sig-security that referenced this issue Oct 17, 2023
@EjiroLaurelD
fixed file name open-telemetry#21
a39de92
EjiroLaurelD added a commit to EjiroLaurelD/sig-security that referenced this issue Oct 17, 2023
@EjiroLaurelD
change file name (open-telemetry#21)
371b68b
This was referenced Oct 21, 2023
Closed
Closed
This was referenced Oct 23, 2023
Open
Closed
@EjiroLaurelD
Copy link
Contributor

In issue #12, i proposed the following checklist to audit all the organization's repositories:

  • CodeQL enabled via GitHub Actions

  • Static code analysis: govulncheck [https://pkg.go.dev/golang.org/x/vuln] enabled on every build

  • Repository security settings

    • Security Policy ✅
    • Security advisories ✅
    • Private vulnerability reporting ✅
    • Dependabot alerts ✅
    • Code scanning alerts ✅

Allstar was proposed as a way to achieve consistency across the repositories in the org with regards to security policy. This issue is to:

  • determine how much of the checklist allstar can cover
  • what items on the checklist above still need to be manually configured in individual repositories
  • propose the steps needed to enable allstar across the organization and open issues in the appropriate repositories
  • document the usage of allstar in the security sig repository

I have determined what Allstar can cover using the checklist that was provided, the steps to enable allstar has also been proposed using the quick start (I did a test run on my github to be sure how it works).
I created issues on some repositories using the checklist, checking and confirming from maintainers what is enabled on the repo. I have gotten responses from these two repos so far community and Helm-charts
The usage of allstar in the security-sig repository has been documented here

@Twhite2
Copy link

Twhite2 commented Oct 24, 2023

In line with the requirements of this issue, and using the checklist provided. I've been able to gather information through simple testing along with studying the reviews of the different documentation. I've been able to compile a detailed report on the use of Allstar, including how to get started HERE.

@sakshi-1505
Copy link

/assign

@sakshi-1505 sakshi-1505 mentioned this issue Dec 6, 2023
Closed
@codeboten
Copy link
Contributor Author

Assigned, thanks @sakshi-1505!

@sakshi-1505 sakshi-1505 mentioned this issue Jan 13, 2024
Closed
@sakshi-1505 sakshi-1505 mentioned this issue Jan 26, 2024
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@sakshi-1505 sakshi-1505

Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
7 participants
@jpkrohling @codeboten @Twhite2 @EjiroLaurelD @Davidlred @oly-baby @sakshi-1505