Open melba-lopez opened 2 years ago
Allstar can be configured to enforce branch protection with 2+ reviews, and also the security policy check.
For anything that can be programmatically detected, we would like to add to Allstar as a policy. Especially the first three, if there is an expected config file/workflow that we can look for, we can check that it is there and alert if not.
Dependabot can be set up at the org level like so: https://docs.github.com/en/code-security/getting-started/securing-your-organization#managing-dependabot-security-updates
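To make the two Allstar settings mentioned above concrete, here is an added example of what a repository opting in to Allstar would carry (this is illustrative, not configuration from the SLSA repositories or from this thread). It assumes the Allstar GitHub App is installed on the org and reads per-repo policy files from `.allstar/`; the key names follow Allstar's documented `branch_protection` and `security` policies, and the third document is a standard `.github/dependabot.yml`, which is what a "check that the expected file is there" policy would look for.

```yaml
# .allstar/branch_protection.yaml  (example, not the project's own file)
# Require at least two approving reviews on protected branches and
# file an issue in the repo when the live settings drift from this.
optConfig:
  optOutStrategy: true        # assumption: org-level default is opt-out
action: issue                 # Allstar opens/updates a tracking issue on violation
enforceDefault: true          # apply to the default branch
requireApproval: true
approvalCount: 2              # the "2+ reviews" requirement from the comment above
dismissStale: true            # new commits invalidate earlier approvals
blockForce: true              # no force-pushes to the protected branch
---
# .allstar/security.yaml  (example)
# Alert if the repo has no SECURITY.md / security policy published.
optConfig:
  optOutStrategy: true
action: issue
---
# .github/dependabot.yml  (example)
# A minimal Dependabot config whose presence a file-existence policy can verify;
# the ecosystems listed here are placeholders and would be set per repo.
version: 2
updates:
  - package-ecosystem: "github-actions"
    directory: "/"
    schedule:
      interval: "weekly"
  - package-ecosystem: "gomod"
    directory: "/"
    schedule:
      interval: "weekly"
```

The `action: issue` setting is the low-friction starting point: Allstar reports drift instead of changing repo settings itself, which is usually what an org wants while it is still agreeing on a standard.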
@jeffmendoza thanks for this!! I lost track of this issue (and now it is on my radar again) :)
As a subgroup of OpenSSF, we must think about security first and foremost. I am recommending creating a standard for all of SLSA repositories, builds, and scanning. I know we won't get here overnight, but would be good to get started on some low hanging fruit! @slsa-framework @slsa-steering-committee
Proposal:
Several of our working group members are part of these OpenSSF projects and can help guide/lead implementation if there are issues. The important part is to get started where we can.