Legit Security announced Legitify, an open-source security tool to secure GitHub implementations. Legitify is a GitHub misconfiguration scanner that helps security teams and DevOps engineers manage and enforce their GitHub configurations in a secure and scalable way.
Legitify is a cross-platform security tool that works with Windows, Mac, and Linux and represents a small subset of the capabilities found in the broader Legit Security platform.
GitHub is an extremely popular Source Code Management (SCM) system at the heart of many organizations’ software supply chains and is used by software developers globally. However, GitHub is a complex product where insecure default settings and misconfigurations can be overlooked by administrators and result in security vulnerabilities that can compromise an organization’s software supply chain.
Prior to the release of open-source Legitify, enforcing security across large GitHub implementations was difficult and time-consuming due to the unique configurations and protections required for each repository. Consistently enforcing security across a large GitHub organization required a manually intensive effort that was subject to human error.
Legitify addresses these challenges and helps automate GitHub security by allowing companies to securely and efficiently:
- Scan GitHub implementations from the command line to detect security issues in GitHub configurations and settings. Legitify can scan an entire GitHub organization or a single GitHub repository.
- Connect easily to GitHub via an access token and detect issues across four resource types: member, repository, actions, and organization.
- Scan a specific repository and/or resource type, or scan an entire GitHub organization across all resource types.
- Detect security issues and list them by the name of the issue, including a brief description and severity categorization. Remediation steps are also provided along with the entityID of the violation.
- Integrate with OSSF Scorecard, so Scorecard can be run from within Legitify to assess security posture using the Security Scorecard framework.
“Legitify will save time and reduce human error with benefits that increase as the GitHub implementation within an organization increases in size and complexity,” said Liav Caspi, Chief Technical Officer and co-founder of Legit Security. “We are committed to helping our customers reduce risk and protect their software supply chains. After listening to customers, an open-source tool like Legitify was a clear answer to address the acute challenge of securing GitHub configurations at scale.”
In addition to Legitify, Legit Security has contributed to the cybersecurity community through the responsible disclosure of other GitHub vulnerabilities discovered by its internal security research team. Legit Security is also an active member of organizations such as OpenSSL and the Linux Foundation, where the company contributes to the overall improvement of secure software development and software supply chain security.
Legitify's capabilities represent a small subset of the broader security capabilities available on the Legit Security platform. The Legit Security platform goes well beyond GitHub security by securing entire software supply chain environments, including other SCMs, build servers, artifact registries, end-to-end development pipelines, and more.