v4.2

Highlights

• Updated Scorecard to v5
• Renamed Scorecard policy name to "OpenSSF Scorecard" (previously "Security Scorecards")
• Updated other dependencies

Images

• ghcr.io/ossf/allstar:v4.2
• ghcr.io/ossf/allstar:v4.2-busybox

Notes on policy name change

• If running Allstar with the -policy cli option, you must specify the new "OpenSSF Scorecard" name to run that policy.
• If interpreting structured logging, the area: value now uses the "OpenSSF Scorecard" name for logs in that policy.
• If interpreting the "EnforceAll complete." structured summary log, the results: value will use the new "OpenSSF Scorecard" name for that policy.

Detailed changelog

• docs: Adopt OpenSSF Scorecard contributor ladder by @justaugustus in #519
• docs: Allstar is now a part of the OpenSSF Scorecard project by @justaugustus in #517
• .github: Add initial CODEOWNERS by @justaugustus in #527
• Bump github.com/hashicorp/go-retryablehttp from 0.7.5 to 0.7.7 in the go_modules group by @dependabot in #526
• Bump github.com/bradleyfalzon/ghinstallation/v2 from 2.10.0 to 2.11.0 by @dependabot in #521
• Bump ko-build/setup-ko from 0.6 to 0.7 by @dependabot in #523
• Bump golangci/golangci-lint-action from 4 to 6 by @dependabot in #513
• Bump ossf/scorecard-action from 2.1.3 to 2.3.3 by @dependabot in #515
• Bump sigstore/cosign-installer from 3.4.0 to 3.5.0 by @dependabot in #509
• Bump github.com/rs/zerolog from 1.32.0 to 1.33.0 by @dependabot in #516
• Bump github.com/rhysd/actionlint from 1.6.27 to 1.7.1 by @dependabot in #518
• [StepSecurity] ci: Harden GitHub Actions by @step-security-bot in #529
• Bump actions/setup-go from 4.0.1 to 5.0.1 by @dependabot in #532
• Bump actions/checkout from 4.1.1 to 4.1.7 by @dependabot in #531
• go.mod: Update Scorecard to v5.0.0-rc2 by @justaugustus in #534
• .github: Create codeql.yml by @justaugustus in #533
• Correct references to OpenSSF Scorecard by @justaugustus in #536
• Bump actions/upload-artifact from 4.3.3 to 4.3.4 by @dependabot in #538
• Bump actions/setup-go from 5.0.1 to 5.0.2 by @dependabot in #539
• Bump github/codeql-action from 3.25.11 to 3.25.12 by @dependabot in #541
• Bump actions/dependency-review-action from 4.3.3 to 4.3.4 by @dependabot in #540
• Bump github/codeql-action from 3.25.12 to 3.25.13 by @dependabot in #543
• Bump github.com/ossf/scorecard/v5 from 5.0.0-rc2 to 5.0.0 by @dependabot in #544

New Contributors

• @step-security-bot made their first contribution in #529

Full Changelog: v4.1...v4.2

v4.1

Highlights:

• Parameterize number of concurrent workers
• Ignore Inconclusive results in dangerous workflow check
• Clear cache between installation runs
• Update dependencies including Scorecard

Images:

• ghcr.io/ossf/allstar:v4.1
• ghcr.io/ossf/allstar:v4.1-busybox

Full Changelog: v4.0...v4.1

v4.0

Highlights:

• Many updates to Admin policy
• Add Org/Repo allow list to operator parameters
• CODEOWNERS policy
• Avoid caching tarball downloads for Scorecard policy

Images:

• ghcr.io/ossf/allstar:v4.0
• ghcr.io/ossf/allstar:v4.0-busybox

Full Changelog: v3.0...v4.0

v3.0

ghcr.io/ossf/allstar:v3.0

• Branch Protection policy is more complete with support for requireSignedCommits, enforceOnAdmins, requireCodeOwnerReviews. Link

• You may now opt-out repos that are forks with the optOutForkedRepos option.

• GitHub Actions policy added to allow/require/deny configured actions in workflows. Docs

• Generic Scorecard policy added to run any Scorecard check with a score threshold. Docs

• Issue creation and pinging can be enabled / disabled based on a weekly schedule. Link

• The Outside Collaborators policy now allows exemptions. Link

• When the Allstar action is changed from issue to fix. Existing issues will be closed.

• Issue ping duration is configurable at the operator level with NOTICE_PING_DURATION_HOURS. Link

• Org config may now point to a secondary repository for config and merge overrides. Docs

• Individual repo config files are now allowed to be placed in the central org config repository. Example: in the .allstar repo, you can have a /branch_protection.yaml file with specific settings for that repo. Docs

• Binary Artifacts policy configuration updated to have an ignore list. Link

• Dangerous Workflow policy added. This policy checks the GitHub Actions workflow configuration files (.github/workflows), for any patterns that match known dangerous behavior. Docs

v2.0

ghcr.io/ossf/allstar:v2.0