[pull] main from ossf:main

.github/CODEOWNERS

@@ -0,0 +1,7 @@
+# CODEOWNERS reference: https://docs.github.com/en/repositories/managing-your-repositorys-settings-and-features/customizing-your-repository/about-code-owners
+
+# These owners will be the default owners for everything in
+# the repo. Unless a later match takes precedence,
+# the following users/teams will be requested for
+# review when someone opens a pull request.
+* @ossf/allstar-maintainers

.github/workflows/codeql.yml

@@ -0,0 +1,75 @@
+name: "CodeQL"
+
+on:
+  push:
+    branches: [ "main" ]
+  pull_request:
+    branches: [ "main" ]
+  schedule:
+    - cron: '18 13 * * 6'
+
+jobs:
+  analyze:
+    name: Analyze (${{ matrix.language }})
+    # Runner size impacts CodeQL analysis time. To learn more, please see:
+    #   - https://gh.io/recommended-hardware-resources-for-running-codeql
+    #   - https://gh.io/supported-runners-and-hardware-resources
+    #   - https://gh.io/using-larger-runners (GitHub.com only)
+    # Consider using larger runners or machines with greater resources for possible analysis time improvements.
+    runs-on: ${{ (matrix.language == 'swift' && 'macos-latest') || 'ubuntu-latest' }}
+    timeout-minutes: ${{ (matrix.language == 'swift' && 120) || 360 }}
+    permissions:
+      # required for all workflows
+      security-events: write
+
+      # required to fetch internal or private CodeQL packs
+      packages: read
+
+    strategy:
+      fail-fast: false
+      matrix:
+        include:
+        - language: go
+          build-mode: autobuild
+        # CodeQL supports the following values keywords for 'language': 'c-cpp', 'csharp', 'go', 'java-kotlin', 'javascript-typescript', 'python', 'ruby', 'swift'
+        # To learn more about changing the languages that are analyzed or customizing the build mode for your analysis,
+        # see https://docs.github.com/en/code-security/code-scanning/creating-an-advanced-setup-for-code-scanning/customizing-your-advanced-setup-for-code-scanning.
+        # If you are analyzing a compiled language, you can modify the 'build-mode' for that language to customize how
+        # your codebase is analyzed, see https://docs.github.com/en/code-security/code-scanning/creating-an-advanced-setup-for-code-scanning/codeql-code-scanning-for-compiled-languages
+    steps:
+    - name: Checkout repository
+      uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+
+    # Initializes the CodeQL tools for scanning.
+    - name: Initialize CodeQL
+      uses: github/codeql-action/init@ea9e4e37992a54ee68a9622e985e60c8e8f12d9f # v3.27.4
+      with:
+        languages: ${{ matrix.language }}
+        build-mode: ${{ matrix.build-mode }}
+        # If you wish to specify custom queries, you can do so here or in a config file.
+        # By default, queries listed here will override any specified in a config file.
+        # Prefix the list here with "+" to use these queries and those in the config file.
+
+        # For more details on CodeQL's query packs, refer to: https://docs.github.com/en/code-security/code-scanning/automatically-scanning-your-code-for-vulnerabilities-and-errors/configuring-code-scanning#using-queries-in-ql-packs
+        # queries: security-extended,security-and-quality
+
+    # If the analyze step fails for one of the languages you are analyzing with
+    # "We were unable to automatically build your code", modify the matrix above
+    # to set the build mode to "manual" for that language. Then modify this step
+    # to build your code.
+    # ℹ️ Command-line programs to run using the OS shell.
+    # 📚 See https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#jobsjob_idstepsrun
+    - if: matrix.build-mode == 'manual'
+      shell: bash
+      run: |
+        echo 'If you are using a "manual" build mode for one or more of the' \
+          'languages you are analyzing, replace this with the commands to build' \
+          'your code, for example:'
+        echo '  make bootstrap'
+        echo '  make release'
+        exit 1
+
+    - name: Perform CodeQL Analysis
+      uses: github/codeql-action/analyze@ea9e4e37992a54ee68a9622e985e60c8e8f12d9f # v3.27.4
+      with:
+        category: "/language:${{matrix.language}}"

.github/workflows/postmerge.yaml

@@ -7,28 +7,19 @@ permissions:
   contents: read
   security-events: write
 jobs:
-  codeql:
-    runs-on: ubuntu-latest
-    steps:
-    - uses: actions/checkout@v4
-    - uses: github/codeql-action/init@v3
-      with:
-        languages: go
-    - uses: github/codeql-action/autobuild@v3
-    - uses: github/codeql-action/analyze@v3
   scorecard:
     runs-on: ubuntu-latest
     steps:
-    - uses: actions/checkout@v4
-    - uses: ossf/scorecard-action@v2.1.3
+    - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+    - uses: ossf/scorecard-action@62b2cac7ed8198b15735ed49ab1e5cf35480ba46 # v2.4.0
       with:
         results_file: results.sarif
         results_format: sarif
-    - uses: actions/upload-artifact@v4
+    - uses: actions/upload-artifact@b4b15b8c7c6ac21ea08fcf65892d2ee8f75cf882 # v4.4.3
       with:
         name: SARIF file
         path: results.sarif
         retention-days: 5
-    - uses: github/codeql-action/upload-sarif@v3
+    - uses: github/codeql-action/upload-sarif@ea9e4e37992a54ee68a9622e985e60c8e8f12d9f # v3.27.4
       with:
         sarif_file: results.sarif

.github/workflows/pr.yaml

@@ -6,28 +6,28 @@ jobs:
   lint:
     runs-on: ubuntu-latest
     steps:
-    - uses: actions/checkout@v4
-    - uses: actions/setup-go@v4
+    - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+    - uses: actions/setup-go@41dfa10bad2bb2ae585af6ee5bb4d7d973ad74ed # v5.1.0
       with:
         go-version: '1.21'
         check-latest: true
-    - uses: golangci/golangci-lint-action@v4
+    - uses: golangci/golangci-lint-action@971e284b6050e8a5849b72094c50ab08da042db8 # v6.1.1
       with:
         args: --timeout 3m --verbose
   build:
     runs-on: ubuntu-latest
     steps:
-    - uses: actions/checkout@v4
-    - uses: actions/setup-go@v4
+    - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+    - uses: actions/setup-go@41dfa10bad2bb2ae585af6ee5bb4d7d973ad74ed # v5.1.0
       with:
         go-version: '1.21'
         check-latest: true
     - run: go build -v ./...
   test:
     runs-on: ubuntu-latest
     steps:
-    - uses: actions/checkout@v4
-    - uses: actions/setup-go@v4
+    - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+    - uses: actions/setup-go@41dfa10bad2bb2ae585af6ee5bb4d7d973ad74ed # v5.1.0
       with:
         go-version: '1.21'
         check-latest: true
@@ -36,5 +36,5 @@ jobs:
   dependency-review:
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v4
-      - uses: actions/dependency-review-action@v4
+      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+      - uses: actions/dependency-review-action@3b139cfc5fae8b618d3eae3675e383bb1769c019 # v4.5.0

.github/workflows/release.yaml

@@ -14,16 +14,16 @@ jobs:
   release:
     runs-on: ubuntu-20.04
     steps:
-      - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
+      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
 
-      - uses: actions/setup-go@fac708d6674e30b6ba41289acaab6d4b75aa0753 # v4.0.1
+      - uses: actions/setup-go@41dfa10bad2bb2ae585af6ee5bb4d7d973ad74ed # v5.1.0
         with:
           go-version: '1.21'
           check-latest: true
 
-      - uses: sigstore/cosign-installer@e1523de7571e31dbe865fd2e80c5c7c23ae71eb4 # v3.4.0
+      - uses: sigstore/cosign-installer@dc72c7d5c4d10cd6bcb8cf6e3fd625a9e5e537da # v3.7.0
 
-      - uses: ko-build/setup-ko@ace48d793556083a76f1e3e6068850c1f4a369aa # v0.6
+      - uses: ko-build/setup-ko@3aebd0597dc1e9d1a26bcfdb7cbeb19c131d3037 # v0.7
 
       - run: echo "${{ secrets.GITHUB_TOKEN }}" | docker login ghcr.io -u ${{ github.workflow }} --password-stdin
 

.gitignore

@@ -2,3 +2,4 @@ cmd/allstar/allstar
 *.pem
 .vscode
 allstar.ref
+.idea/

README.md

@@ -1,4 +1,4 @@
-[![OpenSSF Scorecard](https://api.securityscorecards.dev/projects/github.com/ossf/allstar/badge)](https://api.securityscorecards.dev/projects/github.com/ossf/allstar)
+[![OpenSSF Scorecard](https://api.scorecard.dev/projects/github.com/ossf/allstar/badge)](https://api.scorecard.dev/projects/github.com/ossf/allstar)
 
 <img align="right" src="artwork/openssf_allstar_alt.png" width="300" height="400">
 
@@ -14,7 +14,7 @@
 
 ## Disabling Unwanted Issues
 
--  [Help! I'm getting issues created by Allstar and I don't want them!](#disabling-unwanted-issues-1) 
+-  [Help! I'm getting issues created by Allstar and I don't want them!](#disabling-unwanted-issues-1)
 
 ## Getting Started
 
@@ -59,18 +59,18 @@ Allstar is developed as a part of the [OpenSSF Scorecard](https://github.com/oss
 ## [What's new with Allstar](whats-new.md)
 
 ## Disabling Unwanted Issues
-If you're getting unwanted issues created by Allstar, follow [these directions](opt-out.md) to opt out. 
+If you're getting unwanted issues created by Allstar, follow [these directions](opt-out.md) to opt out.
 
 ## Getting Started
 
 ### Background
 
-Allstar is highly configurable. There are three main levels of controls: 
+Allstar is highly configurable. There are three main levels of controls:
 
-- **Org level**: Organization administrators can choose to enable Allstar on: 
-   -  all repositories in the org; 
-   -  most repositories, except some that are opted out; 
-   -  just a few repositories that are opted in. 
+- **Org level**: Organization administrators can choose to enable Allstar on:
+   -  all repositories in the org;
+   -  most repositories, except some that are opted out;
+   -  just a few repositories that are opted in.
 
 These configurations are done in the organization's `.allstar` repository.
 
@@ -84,26 +84,30 @@ These configurations are done in the organization's `.allstar` repository.
    are enabled on specific repos and which actions Allstar takes when a policy
    is violated. These configurations are done in a policy yaml file in either
    the organization's `.allstar` repository (admins), or the repository's
-   `.allstar` directory (maintainers). 
+   `.allstar` directory (maintainers).
 
-### Org-Level Options 
+### Org-Level Options
 
 Before installing Allstar at the org level, you should decide approximately how many repositories
 you want Allstar to run on. This will help you choose between the Opt-In and
-Opt-Out strategies. 
+Opt-Out strategies.
 
 -  The Opt In strategy allows you to manually add the repositories you'd
    like Allstar to run on. If you do not specify any repositories, Allstar will
    not run despite being installed. Choose the Opt In strategy if you want to enforce
    policies on only a small number of your total repositories, or want to try
-   out Allstar on a single repository before enabling it on more. 
+   out Allstar on a single repository before enabling it on more. Since the
+   v4.3 release, globs are supported to easily add multiple repositories with
+   a similar name.
 
 -  The Opt Out strategy (recommended) enables Allstar on all repositories
    and allows you to manually select the repositories to opt out of Allstar
    enforcements. You can also choose to opt out all public repos, or all
    private repos. Choose this option if you want to run Allstar on all
    repositories in an organization, or want to opt out only a small number of
    repositories or specific type (i.e., public vs. private) of repository.
+   Since the v4.3 release, globs are supported to easily add multiple
+   repositories with a similar name.
 
 <table>
 <thead>
@@ -163,13 +167,13 @@ configured at the org level. </td>
 
 Both the Quickstart and Manual Installation options involve installing the Allstar app. You may review the permissions requested. The app asks for read access to most settings and file contents to detect security compliance. It requests write access to issues and checks so that it can create issues and allow the `block` action.
 
-#### Quickstart Installation 
+#### Quickstart Installation
 This installation option will enable Allstar using the
 Opt Out strategy on all repositories in your  organization. All current policies
 will be enabled, and Allstar will alert you of
-policy violations by filing an issue. This is the quickest and easiest way to start using Allstar, and you can still change any configurations later. 
+policy violations by filing an issue. This is the quickest and easiest way to start using Allstar, and you can still change any configurations later.
 
-Effort: very easy 
+Effort: very easy
 
 Steps:
 
@@ -187,7 +191,7 @@ Steps:
     1.  Click "Create repository from template"
 
 That's it! All current Allstar [policies](#policies) are now enabled on all
-your repositories. Allstar will create an issue if a policy is violated. 
+your repositories. Allstar will create an issue if a policy is violated.
 
 To change any configurations, see the [manual installation directions](manual-install.md).
 
@@ -198,12 +202,12 @@ option provides more granular control over configurations right from the start.
 
 Effort: moderate
 
-Steps:   
+Steps:
 1) Install the [Allstar app](https://github.com/apps/allstar-app) (choose "All
 Repositories" under Repository Access,  even if you don't plan to use Allstar on
-all your repositories)  
-2) Follow the [manual installation directions](manual-install.md) to create org-level or 
-repository-level Allstar config files and individual policy files.  
+all your repositories)
+2) Follow the [manual installation directions](manual-install.md) to create org-level or
+repository-level Allstar config files and individual policy files.
 
 ## Policies and Actions
 
@@ -289,6 +293,14 @@ binary artifact from the repository to achieve compliance. As the scorecard
 results can be verbose, you may need to run [scorecard
 itself](https://github.com/ossf/scorecard) to see all the detailed information.
 
+### CODEOWNERS
+
+This policy's config file is named `codeowners.yaml`, and the [config
+definitions are
+here](https://pkg.go.dev/github.com/ossf/allstar/pkg/policies/codeowners#OrgConfig).
+
+This policy checks for the presence of a [`CODEOWNERS` file](https://docs.github.com/en/repositories/managing-your-repositorys-settings-and-features/customizing-your-repository/about-code-owners) on your repositories.
+
 ### Outside Collaborators
 
 This policy's config file is named `outside.yaml`, and the [config definitions
@@ -321,8 +333,8 @@ here](https://pkg.go.dev/github.com/ossf/allstar/pkg/policies/workflow#OrgConfig
 
 This policy checks the GitHub Actions workflow configuration files
 (`.github/workflows`), for any patterns that match known dangerous
-behavior. See the [Security Scorecards
-Documentation](https://github.com/ossf/scorecard/blob/main/docs/checks.md#dangerous-workflow)
+behavior. See the [OpenSSF Scorecard
+documentation](https://github.com/ossf/scorecard/blob/main/docs/checks.md#dangerous-workflow)
 for more information on this check.
 
 ### Generic Scorecard Check
@@ -333,8 +345,8 @@ here](https://pkg.go.dev/github.com/ossf/allstar/pkg/policies/scorecard#OrgConfi
 
 This policy runs any scorecard check listed in the `checks` configuration. All
 checks run must have a score equal or above the `threshold` setting. Please see
-the [Security Scorecards
-Documentation](https://github.com/ossf/scorecard/blob/main/docs/checks.md)
+the [OpenSSF Scorecard
+documentation](https://github.com/ossf/scorecard/blob/main/docs/checks.md)
 for more information on each check.
 
 ### GitHub Actions