Legitify: Open-source scanner for security misconfigurations on GitHub and GitLab

Misconfigured source code management platforms remain a common entry point in software supply chain attacks, and organizations often lack visibility into which settings put them at risk. Legitify, an open-source tool from Legit Security, addresses that gap by scanning GitHub and GitLab environments and reporting policy violations across organizations, repositories, members, and CI/CD runner groups.

What it checks

Legitify evaluates configurations across five namespaces: organization-level settings, GitHub Actions configurations, member accounts, repositories, and runner groups. Example checks include whether two-factor authentication is enforced across an organization, whether GitHub Actions runs are restricted to verified actions, whether stale admins exist, and whether code review requirements are in place for repositories.

By default the tool scans all namespaces, and users can narrow the scope using command-line flags to target specific organizations, repositories, or namespace types. Archived repositories are skipped unless specified directly.

Output and integration

Scan results can be exported in human-readable text, JSON, or SARIF format. SARIF output allows findings to feed into code scanning tools and security dashboards that support the standard. Results can also be grouped by namespace, resource, or severity.

Legitify runs as a standalone command-line tool or as a GitHub Action, making scheduled scanning possible within existing CI workflows.
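The SARIF output described above is what makes Legitify useful as a CI gate: a job can run the scan, read the report, and fail the pipeline when blocking findings are present. The following script is an added example, not code from the original article or from the Legitify project, that loads a SARIF 2.1.0 document, summarizes findings by severity and by namespace (the same groupings the article mentions), and returns a pass/fail verdict. The embedded report is a constructed sample in SARIF shape; its rule ids and messages are placeholders, not Legitify's real policy names, and the "namespace/policy" rule-id convention is an assumption of this sample used to recover the namespace.

```python
import json
import sys
from collections import Counter

# Constructed sample in SARIF 2.1.0 shape. Rule ids, levels and messages are
# hypothetical placeholders; the "namespace/policy" id convention is assumed here
# so the namespace can be recovered from the rule id.
SAMPLE_SARIF = json.dumps({
    "version": "2.1.0",
    "runs": [{
        "tool": {"driver": {"name": "legitify", "rules": [
            {"id": "organization/two_factor_not_required"},
            {"id": "repository/code_review_not_required"},
            {"id": "member/stale_admin"},
            {"id": "actions/unverified_actions_allowed"},
        ]}},
        "results": [
            {"ruleId": "organization/two_factor_not_required", "level": "error",
             "message": {"text": "2FA is not enforced for the organization"}},
            {"ruleId": "repository/code_review_not_required", "level": "error",
             "message": {"text": "Default branch does not require code review"}},
            {"ruleId": "member/stale_admin", "level": "warning",
             "message": {"text": "Admin account has been inactive"}},
            {"ruleId": "actions/unverified_actions_allowed", "level": "note",
             "message": {"text": "Workflows may use unverified actions"}},
        ],
    }],
})

# SARIF result levels, most to least severe.
SARIF_LEVELS = ("error", "warning", "note", "none")


def load_results(sarif_text):
    """Return the flat list of result objects from every run in a SARIF document."""
    doc = json.loads(sarif_text)
    if doc.get("version") != "2.1.0":
        raise ValueError("expected a SARIF 2.1.0 document")
    results = []
    for run in doc.get("runs", []):
        results.extend(run.get("results", []))
    return results


def level_of(result):
    """SARIF treats a missing 'level' as 'warning'; apply that default explicitly."""
    return result.get("level", "warning")


def namespace_of(result):
    """Namespace is the prefix before '/' under the constructed rule-id convention."""
    rule_id = result.get("ruleId", "")
    return rule_id.split("/", 1)[0] if "/" in rule_id else "unknown"


def summarize(results):
    """Count findings by level and by namespace, mirroring the tool's group-by modes."""
    by_severity = Counter(level_of(r) for r in results)
    by_namespace = Counter(namespace_of(r) for r in results)
    return {"by_severity": dict(by_severity), "by_namespace": dict(by_namespace)}


def gate(results, fail_on=("error",)):
    """Return True when no finding is at a blocking level (the CI job may proceed)."""
    return not any(level_of(r) in fail_on for r in results)


if __name__ == "__main__":
    # Usage: python gate.py report.sarif   (falls back to the constructed sample)
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_SARIF
    found = load_results(text)
    summary = summarize(found)
    for level in SARIF_LEVELS:
        print(f"{level:8s} {summary['by_severity'].get(level, 0)}")
    for ns, count in sorted(summary["by_namespace"].items()):
        print(f"namespace {ns}: {count}")
    sys.exit(0 if gate(found) else 1)
```

In a pipeline the script runs after the scan step and its exit status decides whether the job fails; the `fail_on` tuple is where a team decides whether warnings also block merges.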

Scorecard integration

Legitify integrates with the Open Source Security Foundation’s Scorecard project for GitHub repositories. When enabled, it runs Scorecard checks against all repositories in an organization and flags any repository scoring below 7.0. A verbose mode embeds Scorecard output directly into Legitify’s own output. The integration covers checks including branch protection, code review, dependency update tooling, pinned dependencies, dangerous workflows, SAST, token permissions, and vulnerability detection, among others. Several checks apply only to public repositories.

Platform requirements and limitations

On GitHub, effective use of Legitify requires organization owner permissions. Users with admin access to individual repositories can run the tool against those repositories and receive repository-level results. The tool requires a GitHub personal access token with scopes including admin:org, read:enterprise, admin:org_hook, read:org, repo, and read:repo_hook. Fine-grained personal access tokens are not supported.
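A scan run with an under-scoped token silently yields incomplete results, so it is worth checking the token before the first run. GitHub reports a classic personal access token's granted scopes in the X-OAuth-Scopes header of any authenticated API response (fine-grained tokens do not return it, consistent with their not being supported). The following is an added example, not code from the article or the Legitify project: it compares that header value against the scopes the article lists. The parent-to-child scope map (admin:org implying write:org and read:org, and so on) is an assumption drawn from GitHub's scope hierarchy, because the header names only the broadest scope granted.

```python
# Scopes the article lists as required for a classic GitHub PAT.
REQUIRED_SCOPES = frozenset({
    "admin:org", "read:enterprise", "admin:org_hook",
    "read:org", "repo", "read:repo_hook",
})

# Assumed parent -> children relationships from GitHub's scope hierarchy. A token
# granted the parent satisfies the children even though the header lists only the parent.
IMPLIED_SCOPES = {
    "admin:org": {"write:org", "read:org"},
    "write:org": {"read:org"},
    "admin:repo_hook": {"write:repo_hook", "read:repo_hook"},
    "write:repo_hook": {"read:repo_hook"},
    "repo": {"repo:status", "repo_deployment", "public_repo", "repo:invite", "security_events"},
}


def parse_scope_header(value):
    """Parse an X-OAuth-Scopes header value ('a, b, c') into a set of scope names."""
    return {part.strip() for part in value.split(",") if part.strip()}


def expand_scopes(granted):
    """Close the granted set over IMPLIED_SCOPES so child scopes count as present."""
    expanded = set(granted)
    pending = list(granted)
    while pending:
        scope = pending.pop()
        for child in IMPLIED_SCOPES.get(scope, ()):
            if child not in expanded:
                expanded.add(child)
                pending.append(child)
    return expanded


def missing_scopes(granted, required=REQUIRED_SCOPES):
    """Return the sorted list of required scopes the token does not cover."""
    return sorted(set(required) - expand_scopes(granted))


if __name__ == "__main__":
    # Constructed header value for illustration; a real one comes from e.g.
    #   curl -sI -H "Authorization: token $PAT" https://api.github.com/user | grep -i x-oauth-scopes
    header = "read:org, repo, read:repo_hook"
    gaps = missing_scopes(parse_scope_header(header))
    if gaps:
        print("token is missing scopes:", ", ".join(gaps))
    else:
        print("token covers all required scopes")
```

Run it against the real header value before scheduling the scan; an empty list means the token at least has the scopes the article calls for, which is necessary but not a substitute for the organization-owner role the article says is needed for full results.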

On GitLab, the tool works against both GitLab Cloud and self-managed GitLab Server instances. Non-premium GitLab accounts will have some policies skipped, including branch protection policies. GitLab scans require the --scm gitlab flag and a personal access token with read_api, read_user, read_repository, and read_registry scopes.

Legitify is available on GitHub.
