{"id":39076493,"url":"https://github.com/cloud-gov/.allstar","last_synced_at":"2026-01-17T18:27:03.900Z","repository":{"id":137101961,"uuid":"499533542","full_name":"cloud-gov/.allstar","owner":"cloud-gov","description":"Allstar configuration files","archived":false,"fork":false,"pushed_at":"2025-01-16T17:11:20.000Z","size":45,"stargazers_count":1,"open_issues_count":1,"forks_count":0,"subscribers_count":2,"default_branch":"main","last_synced_at":"2025-01-16T18:31:56.251Z","etag":null,"topics":[],"latest_commit_sha":null,"homepage":null,"language":null,"has_issues":false,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":"jeffmendoza/dot-allstar-quickstart","license":null,"status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/cloud-gov.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":null,"code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":"codeowners.yaml","security":"security.yaml","support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2022-06-03T14:03:36.000Z","updated_at":"2024-11-08T19:17:00.000Z","dependencies_parsed_at":null,"dependency_job_id":"5b3a0136-3c36-42d1-8671-b08f6bf9bcf0","html_url":"https://github.com/cloud-gov/.allstar","commit_stats":null,"previous_names":[],"tags_count":0,"template":true,"template_full_name":null,"purl":"pkg:github/cloud-gov/.allstar","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/cloud-gov%2F.allstar","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/cloud-gov%2F.allstar/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/cloud-gov%2F.allstar/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/cloud-gov%2F.allstar/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/cloud-gov","download_u
rl":"https://codeload.github.com/cloud-gov/.allstar/tar.gz/refs/heads/main","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/cloud-gov%2F.allstar/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":28515479,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-01-17T17:57:59.192Z","status":"ssl_error","status_checked_at":"2026-01-17T17:57:52.527Z","response_time":85,"last_error":"SSL_connect returned=1 errno=0 peeraddr=140.82.121.5:443 state=error: unexpected eof while reading","robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":false,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":[],"created_at":"2026-01-17T18:27:03.221Z","updated_at":"2026-01-17T18:27:03.883Z","avatar_url":"https://github.com/cloud-gov.png","language":null,"funding_links":[],"categories":[],"sub_categories":[],"readme":"# Allstar configuration for cloud-gov\n\n[Allstar](https://github.com/cloud-gov/allstar) is a security-policy GitHub app. It is\ninstalled on this org, and this repo contains the configuration for that app. It\nis configured to create issues on repos that do not comply with the configured\npolicy.\n\n## Enabled Repos\n\nAllstar is configured to opt-out. 
Feel free to submit a PR to disable repos.\n\n### [AllStar Main Config](allstar.yaml)\n\nSets the issue repo for when AllStar creates issues.\n\n### [Admin Requirements](admin.yaml)\n\n|   |   |\n| - | - |\n| Owner-less repositories allowed | false |\n| Individual users allowed to be admins | true |\n| Teams allowed to be admins | true |\n| Maximum admin teams | 2 |\n\n**Compliance**: The repository admin/owner checks provide a partial implementation of:\n\n* AC-5 Separation of Duties\n* AC-6 Least Privilege\n\n**Remediation Hints**:\n\n* Make sure there are redundant owners for your repository.\n* Delegating administrative responsibilities to a team can be more sustainable than having individual admins.\n* If a repo is not in use, consider archiving it.\n\n
### [Binary Artifacts](binary_artifacts.yaml)\n\nNo binary files are currently ignored. You should override this policy\nin your repository and set `ignoreFiles` to a list of the expected in-repo\nbinaries you wish to allow.\n\n**Compliance**: By ensuring that all content in GitHub is reviewable, this provides a partial implementation of:\n\n* SI-3: Malicious Code Protection\n\n**Remediation Hints**:\n\n* Remove binaries if they can be generated from code\n* List exceptions in `(repository)/.allstar/binary_artifacts.yaml`, as in [this example](https://github.com/google/UIforETW/blob/main/.allstar/binary_artifacts.yaml)\n\n
### [Branch Protection](branch_protection.yaml)\n\nSets baseline controls to ensure the change control process is followed\nfor code to reach `main`.\n\n| | |\n| - | - |\n| Approvals required | 1 |\n| Dismiss stale reviews | yes |\n| Branches enforced | default |\n| Enforce settings for admins | yes |\n| OptOut on archived repos | yes |\n| Require approval | yes |\n| Require signed commits | yes |\n| Require up-to-date branch before merge | yes |\n| Require review from CODEOWNERS | yes |\n\n**Compliance**:\n\n* AC-2 Access Control: AllStar ensures branch protection is enforced and that changes to the production “main/master” branch receive peer review from at least one other team member. Scans, checks, and branch protection policies are enforced as configuration through the GSA-TTS GitHub Allstar implementation.\n* SI-7 Software, Firmware, and Information Integrity: Required commit signatures tie every change on the protected branch to a contributor's verified key, so that, together with required review, code updates come only from the approved set of contributors.\n\n**Remediation Hints**:\n\n* Follow GitHub's [Branch Protection](https://docs.github.com/en/repositories/configuring-branches-and-merges-in-your-repository/managing-protected-branches/about-protected-branches) guidance\n* If the org-wide settings aren't appropriate for your repository, override the settings in `(repository)/.allstar/branch_protection.yaml`\n\n
### [CODEOWNERS](codeowners.yaml)\n\nDetects whether a [CODEOWNERS](https://docs.github.com/en/repositories/managing-your-repositorys-settings-and-features/customizing-your-repository/about-code-owners) file is provided for a repository.\n\n**Remediation Hints**:\n\n* Add a [CODEOWNERS file](https://docs.github.com/en/repositories/managing-your-repositorys-settings-and-features/customizing-your-repository/about-code-owners#codeowners-file-location) to the repository\n\n### [Dangerous Action Workflows](dangerous_workflows.yaml)\n\nLeverages [Scorecard](#scorecard) to detect dangerous\nGitHub Action use.\n\n**Remediation Hints**:\n\n* The upstream [Scorecard](https://github.com/ossf/scorecard) program is extensively documented, so look there\n\n
### [Outside collaborators](outside.yaml)\n\nControls how users outside of the organization can interact with repositories.\n\n| | |\n| - | - |\n| Outside collaborators can have push access | false |\n| Repos with no admins allowed? | false |\n\n**Compliance**:\n\n* AC-3: Access Enforcement\n* AC-14: Permitted Actions Without Identification or Authentication\n\n**Remediation Hints**:\n\n* In addition to the in-issue advice, you can change the `pushAllowed` or `adminAllowed` settings; see [this repo](https://github.com/GSA-TTS/federal-platform-engineering-cop/blob/main/.allstar/outside.yaml) for an example\n\n
### [Scorecard](scorecard.yaml)\n\nRuns [Scorecard](https://github.com/ossf/scorecard/) to detect and report a\nwide variety of problems. See the [default checks.yaml](https://github.com/ossf/scorecard/blob/main/docs/checks/internal/checks.yaml)\nfor current settings.\n\nAs of July 2024, we have not enabled any default Scorecard checks across all repositories.\n\n**Remediation Hints**:\n\n* The upstream [Scorecard](https://github.com/ossf/scorecard) program is extensively documented, so look there\n\n
### [SECURITY.md check](security.yaml)\n\nEach repository is required to have a security policy published as `SECURITY.md`.\nGSA-developed open source software should be covered by the\n[GSA Vulnerability Disclosure Policy](https://gsa.gov/vulnerability-disclosure-policy).\n\n**Compliance**:\n\n* RA-5(11): Vulnerability Monitoring and Scanning -- Public Disclosure Program\n\n**Remediation Hints**:\n\n* In most cases you should be able to use [SECURITY.md](./SECURITY.md) from this\nrepo.\n\n## Unimplemented checks\n\nWe aren't using the policies for \"Github Actions\" (`actions.yaml`) or \"CODEOWNERS\" (`codeowners.yaml`) because they're not well-enough documented upstream for us to effectively deploy them.\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fcloud-gov%2F.allstar","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fcloud-gov%2F.allstar","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fcloud-gov%2F.allstar/lists"}
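Added example, not code from the cloud-gov/.allstar repository or from Allstar itself: the Branch Protection table in the README above lists the baseline Allstar enforces on the default branch. The script below evaluates the JSON that GitHub's REST API returns from `GET /repos/{owner}/{repo}/branches/{branch}/protection` against that baseline and lists the controls that would cause Allstar to open an issue, so a repo owner can check a branch before Allstar does. The two responses embedded in the block are constructed samples, not captured from any real repository; the field names are GitHub's branch-protection API fields, and the finding names mirror the table rows.

```python
"""Check a GitHub branch-protection API response against the Allstar baseline.

Added example (not part of cloud-gov/.allstar or Allstar). Input is the JSON body
of GET /repos/{owner}/{repo}/branches/{branch}/protection. The two sample
responses below are constructed for illustration, not captured from GitHub.
"""
from __future__ import annotations

import json
from typing import Any

# Baseline taken from the README's Branch Protection table.
BASELINE = {
    "approvals_required": 1,
    "dismiss_stale_reviews": True,
    "enforce_admins": True,
    "require_signed_commits": True,
    "require_up_to_date_branch": True,
    "require_code_owner_reviews": True,
}


def _get(obj: Any, *path: str, default: Any = None) -> Any:
    """Walk nested dicts; a missing or null level means the setting is off."""
    for key in path:
        if not isinstance(obj, dict) or key not in obj:
            return default
        obj = obj[key]
    return obj


def evaluate(protection: dict[str, Any]) -> list[str]:
    """Return the baseline controls this branch protection fails (empty = compliant)."""
    findings: list[str] = []
    reviews = protection.get("required_pull_request_reviews")
    if reviews is None:
        # No PR review requirement at all: the review-related rows cannot be met.
        findings.append("Require approval: no pull request review required")
    else:
        count = _get(reviews, "required_approving_review_count", default=0)
        if count < BASELINE["approvals_required"]:
            findings.append(f"Approvals required: {count} < {BASELINE['approvals_required']}")
        if not _get(reviews, "dismiss_stale_reviews", default=False):
            findings.append("Dismiss stale reviews: disabled")
        if not _get(reviews, "require_code_owner_reviews", default=False):
            findings.append("Require review from CODEOWNERS: disabled")
    if not _get(protection, "enforce_admins", "enabled", default=False):
        findings.append("Enforce settings for admins: disabled")
    if not _get(protection, "required_signatures", "enabled", default=False):
        findings.append("Require signed commits: disabled")
    # "Require branches to be up to date" is the strict flag on required status checks;
    # when required_status_checks is null the setting cannot be on.
    if not _get(protection, "required_status_checks", "strict", default=False):
        findings.append("Require up-to-date branch before merge: disabled")
    return findings


# Constructed sample: a branch with a nominal PR requirement but every control off.
WEAK_PROTECTION = json.loads("""{
  "required_pull_request_reviews": {
    "dismiss_stale_reviews": false,
    "require_code_owner_reviews": false,
    "required_approving_review_count": 0
  },
  "enforce_admins": {"enabled": false},
  "required_signatures": {"enabled": false},
  "required_status_checks": null
}""")

# Constructed sample: the same branch after applying the README's baseline.
COMPLIANT_PROTECTION = json.loads("""{
  "required_pull_request_reviews": {
    "dismiss_stale_reviews": true,
    "require_code_owner_reviews": true,
    "required_approving_review_count": 1
  },
  "enforce_admins": {"enabled": true},
  "required_signatures": {"enabled": true},
  "required_status_checks": {"strict": true, "contexts": []}
}""")


if __name__ == "__main__":
    for name, prot in (("weak", WEAK_PROTECTION), ("compliant", COMPLIANT_PROTECTION)):
        problems = evaluate(prot)
        print(f"{name}: {'OK' if not problems else f'{len(problems)} finding(s)'}")
        for problem in problems:
            print(f"  - {problem}")
```

Two caveats worth keeping in mind when reading the output. `required_status_checks.strict` is the only API field behind "Require up-to-date branch before merge", and it only exists once at least one status check is required, so a branch with no checks at all fails that row. The signed-commits check, here as in Allstar, confirms only that signatures are required; the API does not tell you whose keys are trusted, which is why the README pairs it with required review rather than relying on it alone.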