Allstar is a GitHub app that provides automated continuous enforcement of security checks such as the OpenSSF Security Scorecards. With Allstar, owners can check for security policy adherence, set desired enforcement actions, and continuously implement those enforcement actions when triggered by a setting or file change in the org or repo.
Security Scorecards is an automated tool that assesses several key heuristics ("checks") associated with software security and assigns each check a score of 0-10. These scores can be used to evaluate the security posture of the project and help assess the risks introduced by dependencies.
Scorecards have been enabled on the following open source repositories, prioritized by their criticality score.
- Pinned Dependencies: The project should pin its dependencies. A "pinned dependency" is a dependency that is explicitly set to a specific hash instead of allowing a mutable version or range of versions. This reduces several security risks related to dependencies.
- Token Permissions: The project's automated workflow tokens should be set to read-only by default. This follows the principle of least privilege.
- Branch Protection: A GitHub project's default and release branches should be protected with GitHub's branch protection settings. Branch protection allows maintainers to define rules that enforce certain workflows for branches, such as requiring review or passing certain status checks.
- Code Review: The project should enforce a code review before pull requests (merge requests) are merged.
- Dependency Update Tool: The project should use a dependency update tool to identify and update outdated and insecure dependencies.
- Binary-Artifacts: The project should not have generated executable (binary) artifacts in the source repository. Embedded binary artifacts cannot be reviewed, so obsolete or maliciously subverted executables can sit in the source tree unnoticed.
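The Pinned Dependencies and Token Permissions checks above both read GitHub Actions workflow files. The following script is an added example, not code from the page, from Allstar or from the Scorecards project: it walks a workflow with simple line-oriented matching (an assumed simplification; the real checks parse the YAML fully) and flags `uses:` references that are not pinned to a full commit SHA as well as a missing or write-granting top-level `permissions:` block. Both sample workflows are constructed for the example, and the 40-hex values in the hardened version are placeholders standing in for real action commits.

```python
import re
from typing import Dict, List

# Constructed sample workflow (not from the page): actions referenced by a
# mutable tag or branch, and no top-level `permissions:` block.
WEAK_WORKFLOW = """\
name: ci
on: [push, pull_request]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v3
      - uses: actions/setup-go@main
      - run: go test ./...
"""

# Hardened form of the same workflow. The 40-hex values are placeholders
# standing in for the commit SHA you would pin to; they are not real commits.
HARDENED_WORKFLOW = """\
name: ci
on: [push, pull_request]
permissions:
  contents: read
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@0123456789abcdef0123456789abcdef01234567
      - uses: actions/setup-go@89abcdef0123456789abcdef0123456789abcdef
      - run: go test ./...
"""

USES_RE = re.compile(r"^\s*-?\s*uses:\s*['\"]?([^\s'\"]+)")
SHA_RE = re.compile(r"^[0-9a-f]{40}$")
TOP_PERMS_RE = re.compile(r"^permissions:\s*(.*)$")


def unpinned_actions(workflow: str) -> List[str]:
    """Return every `uses:` reference that is not pinned to a full commit SHA
    (or, for docker:// images, to a sha256 digest)."""
    findings = []
    for line in workflow.splitlines():
        m = USES_RE.match(line)
        if not m:
            continue
        ref = m.group(1)
        if ref.startswith("./"):
            continue  # action in this repository: no external ref to pin
        if ref.startswith("docker://"):
            if "@sha256:" not in ref:
                findings.append(ref)
            continue
        _, _, version = ref.partition("@")
        if not SHA_RE.match(version):
            findings.append(ref)
    return findings


def token_permission_findings(workflow: str) -> List[str]:
    """Check the top-level GITHUB_TOKEN permissions: absent or write-all is a
    finding, and so is any write scope in a block-form permissions map."""
    lines = workflow.splitlines()
    for i, line in enumerate(lines):
        m = TOP_PERMS_RE.match(line)
        if not m:
            continue
        value = m.group(1).strip()
        if value in ("read-all", "{}"):
            return []
        if value == "write-all":
            return ["top-level permissions: write-all"]
        findings = []
        for nxt in lines[i + 1:]:
            if not nxt.startswith(" "):
                break  # dedent: end of the permissions block
            scope, _, level = nxt.strip().partition(":")
            if level.strip() == "write":
                findings.append(f"top-level {scope}: write")
        return findings
    return ["no top-level permissions block; the token falls back to the "
            "repository or organization default"]


def audit_workflow(workflow: str) -> Dict[str, List[str]]:
    """Run both checks and return the findings keyed by check name."""
    return {
        "unpinned": unpinned_actions(workflow),
        "permissions": token_permission_findings(workflow),
    }


if __name__ == "__main__":
    for name, text in (("weak", WEAK_WORKFLOW), ("hardened", HARDENED_WORKFLOW)):
        print(name, audit_workflow(text))
```

Pinning to a commit SHA rather than a tag matters because a tag can be moved to point at different code after you reviewed it; a job-level `permissions:` block can still grant a single write scope where one job genuinely needs it, while the top-level default stays read-only.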
Learnings and Best Practices
- Allstar and Scorecards allowed Dart and Flutter to quickly identify areas of opportunity to improve security across hundreds of repositories, triggering the removal of binaries, standardizing branch protection and enforcing code reviews.
- Standardizing third-party dependency management and running vulnerability scanning were identified as the next milestones in the Dart and Flutter journey to improve their overall security posture.
- It is safer not to embed binary artifacts in your code. However, there are cases when this is unavoidable.
- It is important to track your dependencies and to keep them up to date using tools like Dependabot.
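To make the binary-artifact learning concrete, here is an added example (not code from the page, from Allstar or from Scorecards) of the kind of check a repository can run locally before a push: it walks a checkout, identifies files by their leading magic bytes, skips the `.git` object store, and honours an allowlist for the cases the text calls unavoidable. The magic-byte table is an assumed, deliberately short one, and the sample tree it scans is constructed in a temporary directory for the demonstration.

```python
import os
import tempfile
from typing import Iterator, Optional, Tuple

# Leading bytes of common native executable formats. Assumption: this short
# table is illustrative; the real Scorecards check uses a fuller file-type
# library, and ZIP-based containers (jar, apk) are deliberately left out here.
MAGIC = {
    b"\x7fELF": "ELF executable or shared object",
    b"MZ": "Windows PE executable (EXE/DLL)",
    b"\xcf\xfa\xed\xfe": "Mach-O 64-bit executable",
    b"\xce\xfa\xed\xfe": "Mach-O 32-bit executable",
    b"\xca\xfe\xba\xbe": "Mach-O fat binary or Java class file",
}


def classify(head: bytes) -> Optional[str]:
    """Return a description if the first bytes match a known executable
    format, else None (text files, scripts and images fall through)."""
    for magic, kind in MAGIC.items():
        if head.startswith(magic):
            return kind
    return None


def scan_tree(root: str, allowlist: frozenset = frozenset()) -> Iterator[Tuple[str, str]]:
    """Walk a checkout and yield (relative path, kind) for each embedded
    executable. `allowlist` holds paths a maintainer has accepted as
    unavoidable exceptions, so they are not reported."""
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames[:] = [d for d in dirnames if d != ".git"]  # never scan git's object store
        for name in filenames:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            if rel in allowlist:
                continue
            with open(full, "rb") as fh:
                kind = classify(fh.read(8))
            if kind:
                yield rel, kind


def build_sample_tree() -> str:
    """Create a constructed checkout in a temp dir: one text file, two files
    with executable magic bytes, and a blob inside .git that must be ignored."""
    root = tempfile.mkdtemp(prefix="binscan-")
    samples = {
        "README.md": b"# demo\n",
        "tool/helper": b"\x7fELF\x02\x01\x01\x00" + b"\x00" * 24,
        "bin/legacy.exe": b"MZ\x90\x00\x03\x00\x00\x00",
        ".git/objects/aa/blob": b"\x7fELF" + b"\x00" * 28,
    }
    for rel, data in samples.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(data)
    return root


if __name__ == "__main__":
    root = build_sample_tree()
    for rel, kind in scan_tree(root, allowlist=frozenset({"bin/legacy.exe"})):
        print(f"{rel}: {kind}")
```

Keeping the allowlist in the repository next to the check, with a short reason per entry, gives reviewers the same record that an Allstar or Scorecards exemption would, so an accepted binary is a documented decision rather than an unnoticed one.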
By Khyati Mehta, Technical Program Manager – Dart-Flutter