open-telemetry / sig-security

Apache License 2.0

Investigate Allstar for monitoring organization-wide policies #21

Open codeboten opened 9 months ago

codeboten commented 9 months ago
We should consider [Allstar](https://github.com/ossf/allstar) for monitoring [organization-wide policies](https://github.com/ossf/allstar#org-level-options). The [quickstart](https://github.com/ossf/allstar#quickstart-installation) may meet our needs.

Originally posted by @JonZeolla in https://github.com/open-telemetry/sig-security/issues/12#issuecomment-1699457358

codeboten commented 9 months ago

In issue #12, I proposed the following checklist to audit all the organization's repositories:

  • [ ] CodeQL enabled via GitHub Actions
  • [ ] Static code analysis: [govulncheck](https://pkg.go.dev/golang.org/x/vuln) enabled on every build
  • [ ] Repository security settings
    • [ ] Security Policy ✅
    • [ ] Security advisories ✅
    • [ ] Private vulnerability reporting ✅
    • [ ] Dependabot alerts ✅
    • [ ] Code scanning alerts ✅

Allstar was proposed as a way to achieve consistency across the repositories in the org with regards to security policy. This issue is to:

oly-baby commented 9 months ago

Good day,

Please, can I work on this?

jpkrohling commented 9 months ago

Hi @oly-baby, sure! Please take a look at a comment I left here: https://github.com/open-telemetry/sig-security/issues/12#issuecomment-1748630636

Davidlred commented 9 months ago

@codeboten could you please throw more light on the checklist you made? Is the job description just to check what can be done? Also, how complex should the documentation be?

jpkrohling commented 9 months ago

@Davidlred, the checklist is a simple "yes, the item is present in the repository" or "no, there's no usage of the proposed tool". No further documentation is needed other than checking whether the items are being used.
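The "present in the repository: yes or no" check described above can be automated for the checklist items that are visible in a checkout. The following is an added example, not part of the thread and not code from the sig-security or Allstar projects; the function names, the regular expressions and the sample repository are assumptions constructed for illustration, and the "Repository security settings" toggles are not covered because they live in GitHub settings rather than in files.

```python
import re
import tempfile
from pathlib import Path

# Checklist items that can be answered from a repository checkout alone.
# A match only shows the tool is referenced in some workflow, not that it
# runs on every build; that still needs a human look at the triggers.
WORKFLOW_CHECKS = {
    "CodeQL enabled via GitHub Actions": re.compile(r"uses:\s*github/codeql-action/"),
    "govulncheck enabled on every build": re.compile(r"\bgovulncheck\b"),
}
# Locations where GitHub recognizes a security policy file.
SECURITY_POLICY_PATHS = ("SECURITY.md", ".github/SECURITY.md", "docs/SECURITY.md")


def strip_comments(text: str) -> str:
    """Drop full-line YAML comments so a commented-out step does not count."""
    return "\n".join(l for l in text.splitlines() if not l.lstrip().startswith("#"))


def audit_checkout(repo: Path) -> dict[str, bool]:
    """Return {checklist item: present?} for one local checkout."""
    wf_dir = repo / ".github" / "workflows"
    workflows = ""
    if wf_dir.is_dir():
        files = sorted(wf_dir.glob("*.yml")) + sorted(wf_dir.glob("*.yaml"))
        workflows = "\n".join(strip_comments(f.read_text(errors="replace")) for f in files)
    result = {item: bool(rx.search(workflows)) for item, rx in WORKFLOW_CHECKS.items()}
    result["Security Policy"] = any((repo / p).is_file() for p in SECURITY_POLICY_PATHS)
    return result


def build_sample_checkout(root: Path) -> Path:
    """Constructed sample repo: CodeQL active, govulncheck only commented out."""
    wf = root / ".github" / "workflows"
    wf.mkdir(parents=True)
    (wf / "codeql.yml").write_text(
        "jobs:\n  analyze:\n    steps:\n"
        "      - uses: github/codeql-action/init@v3\n"
        "      - uses: github/codeql-action/analyze@v3\n")
    (wf / "build.yaml").write_text(
        "jobs:\n  build:\n    steps:\n      - run: go build ./...\n"
        "      # - run: govulncheck ./...\n")
    (root / "SECURITY.md").write_text("Report vulnerabilities privately.\n")
    return root


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        for item, present in audit_checkout(build_sample_checkout(Path(tmp))).items():
            print(f"[{'x' if present else ' '}] {item}")
```
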

Davidlred commented 9 months ago

Thank you for the clarification. I really appreciate it.


EjiroLaurelD commented 8 months ago

> In issue #12, I proposed the following checklist to audit all the organization's repositories:
>
>   • [ ] CodeQL enabled via GitHub Actions
>   • [ ] Static code analysis: [govulncheck](https://pkg.go.dev/golang.org/x/vuln) enabled on every build
>   • [ ] Repository security settings
>     • [ ] Security Policy ✅
>     • [ ] Security advisories ✅
>     • [ ] Private vulnerability reporting ✅
>     • [ ] Dependabot alerts ✅
>     • [ ] Code scanning alerts ✅
>
> Allstar was proposed as a way to achieve consistency across the repositories in the org with regards to security policy. This issue is to:
>
>   • determine how much of the checklist allstar can cover
>   • what items on the checklist above still need to be manually configured in individual repositories
>   • propose the steps needed to enable allstar across the organization and open issues in the appropriate repositories
>   • document the usage of allstar in the security sig repository

I have determined what Allstar can cover using the checklist that was provided; the steps to enable Allstar have also been proposed using the quick start (I did a test run on my GitHub to be sure how it works). I created issues on some repositories using the checklist, checking and confirming from maintainers what is enabled on the repo. I have gotten responses from these two repos so far: community and Helm-charts. The usage of Allstar in the security-sig repository has been documented here.

Twhite2 commented 8 months ago

In line with the requirements of this issue, and using the checklist provided, I've been able to gather information through simple testing along with studying the reviews of the different documentation. I've been able to compile a detailed report on the use of Allstar, including how to get started HERE.

sakshi-1505 commented 6 months ago

/assign

codeboten commented 6 months ago

Assigned, thanks @sakshi-1505!