
Open-Source Security Scanner for GitHub & GitLab

Originally published on: April 16, 2026
Summary

– Legitify is an open-source tool that scans GitHub and GitLab for security misconfigurations across organizations, repositories, members, and CI/CD runners.
– It checks configurations in five areas, including organization settings and GitHub Actions, for issues like missing two-factor authentication or code review requirements.
– The tool outputs results in multiple formats, can be integrated into CI/CD workflows, and runs as a command-line tool or a GitHub Action.
– It integrates with the OpenSSF Scorecard to flag GitHub repositories with security scores below 7.0, checking for specific risks like dangerous workflows.
– Effective use requires specific permissions and access tokens, with some policy checks skipped for non-premium GitLab accounts.

Organizations frequently struggle to identify the security misconfigurations in their source code management platforms that attackers exploit in software supply chain attacks. A new open-source scanner called Legitify, developed by Legit Security, aims to provide that critical visibility. It systematically audits GitHub and GitLab environments, reporting on policy violations across entire organizations, individual repositories, member accounts, and CI/CD runner groups.

The tool performs evaluations across five key areas: organization settings, GitHub Actions configurations, member accounts, repositories, and runner groups. Its checks are comprehensive, verifying if two-factor authentication is enforced organization-wide, if GitHub Actions executions are limited to verified sources, whether outdated administrator accounts persist, and if mandatory code review rules are active for repositories. By default, Legitify scans all these areas, but users can focus on specific organizations, repositories, or namespace types using command-line flags. Archived repositories are typically excluded from scans unless explicitly included.

Results from a scan are highly flexible. They can be exported in human-readable text, JSON, or the SARIF format for integration with other security dashboards and code scanning tools that support this standard. Findings can be organized by namespace, specific resource, or severity level for easier analysis. The scanner operates as a standalone command-line utility or directly as a GitHub Action, enabling teams to incorporate scheduled security assessments into their existing continuous integration pipelines.
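One way to act on the SARIF export inside a pipeline is to parse the report and fail the job when findings reach a chosen severity. The script below is an added illustration, not Legitify's own code; the embedded SARIF document, its rule ids and messages are constructed sample data, not real scanner output.

```python
import json
import sys
from collections import Counter

# Constructed SARIF 2.1.0 document standing in for a scanner report.
# Rule ids and messages are illustrative only (hypothetical names).
SAMPLE_SARIF = json.dumps({
    "version": "2.1.0",
    "runs": [{
        "tool": {"driver": {"name": "example-scm-scanner"}},
        "results": [
            {"ruleId": "org_two_factor_auth_not_enforced", "level": "error",
             "message": {"text": "Two-factor authentication is not enforced"}},
            {"ruleId": "repo_code_review_not_required", "level": "warning",
             "message": {"text": "Code review is not required before merge"}},
            {"ruleId": "repo_scorecard_low_score", "level": "note",
             "message": {"text": "OpenSSF Scorecard score below 7.0"}},
        ],
    }],
})

# SARIF result levels, most severe first. A result without an explicit
# level defaults to "warning" under the SARIF 2.1.0 specification.
SEVERITY_ORDER = ["error", "warning", "note", "none"]


def count_by_level(sarif_text: str) -> Counter:
    """Tally results across all runs by their SARIF level."""
    counts = Counter()
    for run in json.loads(sarif_text).get("runs", []):
        for result in run.get("results", []):
            counts[result.get("level", "warning")] += 1
    return counts


def findings_at_or_above(sarif_text: str, threshold: str) -> list:
    """Return (ruleId, level, message) for findings at least as severe as threshold."""
    cutoff = SEVERITY_ORDER.index(threshold)
    hits = []
    for run in json.loads(sarif_text).get("runs", []):
        for result in run.get("results", []):
            level = result.get("level", "warning")
            if SEVERITY_ORDER.index(level) <= cutoff:
                hits.append((result.get("ruleId"), level, result["message"]["text"]))
    return hits


def should_fail_pipeline(sarif_text: str, threshold: str = "error") -> bool:
    """CI gate: True when any finding meets or exceeds the threshold."""
    return bool(findings_at_or_above(sarif_text, threshold))


if __name__ == "__main__":
    # Pass a real SARIF file as the first argument; otherwise use the sample.
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_SARIF
    for rule, level, msg in findings_at_or_above(text, "warning"):
        print(f"[{level}] {rule}: {msg}")
    sys.exit(1 if should_fail_pipeline(text) else 0)
```

A non-zero exit status is what most CI systems use to mark the step failed, so the threshold decides which severities block a merge.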

A significant feature is Legitify’s integration with the Open Source Security Foundation’s Scorecard project. When activated for GitHub repositories, it executes Scorecard’s battery of tests against all repositories in an organization. Any repository scoring below 7.0 is flagged. A verbose mode includes the full Scorecard output within Legitify’s own report. This integration covers numerous critical security aspects such as branch protection rules, code review requirements, dependency update tools, pinned dependencies, dangerous workflows, static application security testing (SAST), token permissions, and vulnerability detection. Note that several of these checks are relevant only for public repositories.

Effective use of the tool requires appropriate permissions. On GitHub, organization owner-level access is needed for a full assessment. Users with administrative rights to specific repositories can still run the tool against those to get repository-level findings. Execution requires a GitHub personal access token with specific scopes, including admin:org, read:enterprise, and repo; fine-grained tokens are not currently supported. For GitLab, the scanner works with both cloud-based and self-managed instances. However, scans on non-premium GitLab accounts will skip some policies, such as those related to branch protection. GitLab scans require using the `--scm gitlab` flag and a personal access token with scopes like read_api and read_repository.

Legitify is publicly available on GitHub for security teams and developers to implement proactive configuration management.

(Source: Help Net Security)
