Question 1

How do I stop Allstar from creating issues in my repository?

Accepted Answer

Configure the repository's .allstar directory to opt out or adjust org-level settings using the opt-out strategies outlined in the README. You can also disable specific policies via YAML files.

Question 2

Allstar vs. GitHub's native branch protection rules – which is better?

Accepted Answer

Allstar provides org-wide automation, granular policy control, and remediation actions, while GitHub's native features are simpler but lack cross-repo enforcement and automated fixes. Allstar is ideal for scaling security across many repos.

Question 3

How to configure Allstar to fix branch protection automatically?

Accepted Answer

Enable the 'fix' action in the branch_protection.yaml policy file at the org or repo level. Allstar will then adjust GitHub settings to match the configured compliance rules when violations occur.

Question 4

Does Allstar support SARIF uploads for scorecard results?

Accepted Answer

Yes, the Scorecard policy can upload SARIF results to GitHub's Code Scanning tab if configured with 'upload: sarif: true' and proper permissions. However, the public Allstar app lacks this permission, requiring self-hosting.

Question 5

Can I run Allstar on a schedule instead of continuously?

Accepted Answer

Yes, when self-hosted as a GitHub Action, Allstar can be set up as a scheduled job using batch mode, as described in the GitHub Actions installation directions for periodic checks.

Question 6

What permissions does the Allstar GitHub App need?

Accepted Answer

It requests read access to settings and contents for detection, and write access to issues and checks for creating issues and enabling the block action, per the Installation Options section.

AllStar

What is AllStar?

Overview

Use Cases

Best For

Found a gem we're missing?

Not Ideal For

Pros & Cons

Pros

Cons

Frequently Asked Questions