feat(security): add Allstar policy configuration #413

Merged: nullvariant merged 1 commit into main from feat/allstar-config on Mar 31, 2026

@nullvariant
Owner

Summary

  • Enable OpenSSF Allstar GitHub App with repository-level configuration
  • 5 policies enabled (all with issue action):
    • Branch protection: require approval, dismiss stale reviews, block force push
    • Binary artifacts: detect checked-in binaries
    • SECURITY.md: ensure security policy exists
    • Outside collaborators: monitor external access with admin-only push
    • Dangerous workflows: flag risky GitHub Actions patterns

Context

Part of OpenSSF Best Practices Silver criteria compliance. Scorecard badge is already in place; this adds Allstar as an additional policy enforcement layer.

Test plan

  • Verify Allstar GitHub App is installed on this repository
  • Confirm Allstar picks up .allstar/ configuration
  • Check no false-positive issues are created for existing compliant settings

🤖 Generated with Claude Code

Enable OpenSSF Allstar GitHub App with 5 policies:
branch protection, binary artifacts, SECURITY.md,
outside collaborators, and dangerous workflows.
All violations create GitHub issues for visibility.

🖥️ IDE: [Cursor](https://cursor.sh)
🔌 Extension: [Claude Code](https://claude.ai/download)

Co-authored-by: Claude Sonnet 4.5 <noreply@anthropic.com>
Model-Raw: claude-opus-4-6[1m]
@github-actions
Contributor

Dependency Review

✅ No vulnerabilities or license issues or OpenSSF Scorecard issues found.

Snapshot Warnings

⚠️: No snapshots were found for the head SHA 3755724.
Ensure that dependencies are being submitted on PR branches and consider enabling retry-on-snapshot-warnings. See the documentation for more information and troubleshooting advice.

Scanned Files

None

@nullvariant-mimi
Contributor

🐰 Mimi's Validation Report ✅

All checks are looking good! Great job! 🎉

⏳ Some checks are still running. I will keep watching!


Please run it through the validator, okay?

This report was carefully prepared by nullvariant-mimi[bot]

@nullvariant-ciel
Contributor

🕊️ Ciel's Mediation 💤

*~~ drifting lazily through still air ~~ The zoo is napping today...*

1 zoo member has reviewed this PR.

Zoo Member Status
🐰 Mimi Commented

😴 A quiet day at the zoo. Only one member peeked at this PR.


Now, now, everything in moderation.

This mediation was peacefully delivered by nullvariant-ciel[bot]

codecov Bot commented Mar 31, 2026

Codecov Report

✅ All modified and coverable lines are covered by tests.

@nullvariant nullvariant merged commit c9ca4b3 into main Mar 31, 2026
27 checks passed
@nullvariant nullvariant deleted the feat/allstar-config branch March 31, 2026 15:21