
Releases: ossf/allstar

v4.2

23 Jul 18:07

Highlights

  • Updated Scorecard to v5
  • Renamed Scorecard policy name to "OpenSSF Scorecard" (previously "Security Scorecards")
  • Updated other dependencies

Images

  • ghcr.io/ossf/allstar:v4.2
  • ghcr.io/ossf/allstar:v4.2-busybox

Notes on policy name change

  • If running Allstar with the -policy CLI option, you must specify the new "OpenSSF Scorecard" name to run that policy.
  • If interpreting structured logging, the area: value now uses the "OpenSSF Scorecard" name for logs in that policy.
  • If interpreting the "EnforceAll complete." structured summary log, the results: value will use the new "OpenSSF Scorecard" name for that policy.

Full Changelog: v4.1...v4.2

v4.1

03 May 21:24

Highlights:

  • Parameterize number of concurrent workers
  • Ignore Inconclusive results in dangerous workflow check
  • Clear cache between installation runs
  • Update dependencies including Scorecard

Images:

  • ghcr.io/ossf/allstar:v4.1
  • ghcr.io/ossf/allstar:v4.1-busybox

Full Changelog: v4.0...v4.1

v4.0

31 Jul 22:08

Highlights:

  • Many updates to Admin policy
  • Add Org/Repo allow list to operator parameters
  • CODEOWNERS policy
  • Avoid caching tarball downloads for Scorecard policy

Images:

  • ghcr.io/ossf/allstar:v4.0
  • ghcr.io/ossf/allstar:v4.0-busybox

Full Changelog: v3.0...v4.0

v3.0

10 Feb 21:11

ghcr.io/ossf/allstar:v3.0

  • Branch Protection policy is more complete with support for requireSignedCommits, enforceOnAdmins, and requireCodeOwnerReviews.

  • You may now opt out repos that are forks with the optOutForkedRepos option.

  • GitHub Actions policy added to allow/require/deny configured actions in workflows.

  • Generic Scorecard policy added to run any Scorecard check with a score threshold.

  • Issue creation and pinging can be enabled or disabled based on a weekly schedule.

  • The Outside Collaborators policy now allows exemptions.

  • When the Allstar action is changed from issue to fix, existing issues will be closed.

  • Issue ping duration is configurable at the operator level with NOTICE_PING_DURATION_HOURS.

  • Org config may now point to a secondary repository for config and merge overrides.

  • Individual repo config files may now be placed in the central org config repository. Example: in the .allstar repo, you can have a /branch_protection.yaml file with specific settings for that repo.

  • Binary Artifacts policy configuration updated to have an ignore list.

  • Dangerous Workflow policy added. This policy checks the GitHub Actions workflow configuration files (.github/workflows) for any patterns that match known dangerous behavior.

v2.0

25 Mar 17:12

ghcr.io/ossf/allstar:v2.0