We encounter security incidents on a weekly basis with prospective customers that involve pipeline manipulation, code theft, and sensitive data exposure - many of which result from bad source code management (SCM) system configurations. Legitify, the open-source security tool we recently announced, is rapidly gaining popularity because it helps users analyze and remediate the security configuration of their SCM resources.
Adding Support for More SCMs
Legitify is a source-code management (SCM) misconfiguration scanner that helps security, DevOps, and engineering teams manage and enforce their SCM configurations in a secure and scalable way. Legitify's initial release supported only GitHub.com, with the aim of providing the open-source community with a tool that would help prevent software supply chain attacks originating in GitHub misconfigurations. After that release, multiple requests came in to support more SCM vendors and solutions, especially those used by enterprise organizations.
GitHub Enterprise Server and GitLab Server are popular on-premises SCM systems widely used in the software development industry. As with any SCM, misconfigurations in these systems can lead to serious security vulnerabilities and data breaches.
Legitify can identify and help remediate misconfigurations in real time for this expanded list of SCMs, ensuring that both cloud and on-prem SCM implementations are secure and compliant. It can also run periodically to validate these configurations continuously.
More Features to Keep Your SCMs Continually Secured
In addition to expanded SCM support, Legitify’s latest release includes important new features to keep your SCMs secure:
Dozens of new SCM security policies have been added, including a new policy category called “Runner Groups” that detects misconfigurations in GitHub’s runner groups. You can browse all of Legitify’s security policies at legitify.dev.
A new GitHub Action that runs Legitify as part of the organization’s CI/CD pipeline, giving users continuous protection and rapid alerts when a new misconfiguration is introduced.
To enhance the software supply chain security of Legitify's users, every Legitify release contains a SLSA Level 3 Provenance attestation that can be used to verify the authenticity of the tool.
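To make the “Runner Groups” policy category concrete, here is an added example (not Legitify’s own Rego policies, which live at legitify.dev) that applies three illustrative runner-group checks to a constructed sample of what GitHub’s `GET /orgs/{org}/actions/runner-groups` endpoint returns. The field names (`visibility`, `allows_public_repositories`, `restricted_to_workflows`, `selected_workflows`) are GitHub’s; the finding names and the sample organization data are constructed for this example.

```python
"""Illustrative self-hosted runner-group checks over constructed GitHub API output.

Not Legitify's own policies; this only shows the shape of such a check.
"""
import json

# Constructed sample response, mimicking GET /orgs/{org}/actions/runner-groups.
SAMPLE_RESPONSE = json.dumps({
    "total_count": 3,
    "runner_groups": [
        {"id": 1, "name": "Default", "visibility": "all", "default": True,
         "allows_public_repositories": True, "restricted_to_workflows": False,
         "selected_workflows": []},
        {"id": 2, "name": "prod-deploy", "visibility": "selected", "default": False,
         "allows_public_repositories": False, "restricted_to_workflows": True,
         "selected_workflows": ["example-org/infra/.github/workflows/deploy.yml@refs/heads/main"]},
        {"id": 3, "name": "build-pool", "visibility": "selected", "default": False,
         "allows_public_repositories": False, "restricted_to_workflows": False,
         "selected_workflows": []},
    ],
})


def check_runner_group(group: dict) -> list:
    """Return a list of finding names for one runner group (illustrative rules)."""
    findings = []
    # Public repositories can run workflows from untrusted pull requests on
    # self-hosted runners in this group, exposing the runner host and its secrets.
    if group.get("allows_public_repositories"):
        findings.append("public-repos-allowed")
    # Every repository in the organization may schedule jobs on these runners.
    if group.get("visibility") == "all":
        findings.append("visible-to-all-repos")
    # No allow-list of workflows: any workflow in an allowed repo can use the runners.
    if not group.get("restricted_to_workflows"):
        findings.append("no-workflow-restriction")
    return findings


def scan_runner_groups(response_json: str) -> dict:
    """Map each runner group name to its findings; groups with no findings are omitted."""
    data = json.loads(response_json)
    report = {}
    for group in data.get("runner_groups", []):
        findings = check_runner_group(group)
        if findings:
            report[group["name"]] = findings
    return report


if __name__ == "__main__":
    for name, findings in scan_runner_groups(SAMPLE_RESPONSE).items():
        print(f"{name}: {', '.join(findings)}")
```

In the constructed sample the default group is flagged on all three rules, `prod-deploy` is clean, and `build-pool` is flagged only for lacking a workflow allow-list, which is the kind of per-group detail a periodic scan surfaces before an untrusted workflow lands on a privileged runner.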
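The SLSA provenance attestation mentioned above is an in-toto statement whose `subject` lists each release artifact with its SHA-256 digest and whose `predicate` records the builder and the source repository. The added example below (not Legitify’s release tooling) performs the structural part of that verification on a constructed statement and constructed artifact bytes: the digest must match the downloaded file, the builder ID must be the expected SLSA GitHub generator workflow, and the source URI must be the expected repository. The builder and source values used here are assumptions for illustration; in practice the `slsa-verifier` tool should be used, since it additionally validates the Sigstore signature on the DSSE envelope that wraps this statement, which the example does not do.

```python
"""Structural checks on a SLSA v0.2 provenance statement (added example).

Constructed inputs only; real releases wrap the statement in a signed DSSE
envelope that slsa-verifier validates in addition to these checks.
"""
import hashlib

# Constructed stand-ins for a downloaded release file and its name.
ARTIFACT_BYTES = b"constructed stand-in for a legitify release binary\n"
ARTIFACT_NAME = "legitify_example_linux_amd64"  # hypothetical file name

# Assumed trusted values: the generic SLSA3 GitHub generator and the project repo.
EXPECTED_BUILDER = ("https://github.com/slsa-framework/slsa-github-generator"
                    "/.github/workflows/generator_generic_slsa3.yml")
EXPECTED_SOURCE = "git+https://github.com/legit-labs/legitify"
PROVENANCE_V02 = "https://slsa.dev/provenance/v0.2"

# Constructed provenance statement; the tag suffixes are placeholders.
SAMPLE_STATEMENT = {
    "_type": "https://in-toto.io/Statement/v0.1",
    "predicateType": PROVENANCE_V02,
    "subject": [{"name": ARTIFACT_NAME,
                 "digest": {"sha256": hashlib.sha256(ARTIFACT_BYTES).hexdigest()}}],
    "predicate": {
        "builder": {"id": EXPECTED_BUILDER + "@refs/tags/v0.0.0-placeholder"},
        "invocation": {"configSource": {"uri": EXPECTED_SOURCE + "@refs/tags/v0.0.0-placeholder"}},
    },
}


def verify_provenance(statement: dict, artifact: bytes, artifact_name: str,
                      expected_builder: str, expected_source: str) -> list:
    """Return a list of problems; an empty list means every structural check passed."""
    problems = []
    if statement.get("predicateType") != PROVENANCE_V02:
        problems.append("unexpected predicateType")

    # 1. The artifact we hold must be listed as a subject with a matching digest.
    digest = hashlib.sha256(artifact).hexdigest()
    matched = [s for s in statement.get("subject", []) if s.get("name") == artifact_name]
    if not matched:
        problems.append("artifact not listed as a subject")
    elif matched[0].get("digest", {}).get("sha256") != digest:
        problems.append("subject digest does not match artifact")

    predicate = statement.get("predicate", {})
    # 2. Only the expected builder workflow is trusted (compare without the @ref suffix).
    builder_id = predicate.get("builder", {}).get("id", "")
    if builder_id.split("@")[0] != expected_builder:
        problems.append("untrusted builder id")

    # 3. The build must have been triggered from the expected source repository.
    source_uri = predicate.get("invocation", {}).get("configSource", {}).get("uri", "")
    if source_uri.split("@")[0] != expected_source:
        problems.append("built from an unexpected source repository")
    return problems


if __name__ == "__main__":
    result = verify_provenance(SAMPLE_STATEMENT, ARTIFACT_BYTES, ARTIFACT_NAME,
                               EXPECTED_BUILDER, EXPECTED_SOURCE)
    print("provenance OK" if not result else "problems: " + "; ".join(result))
```

A tampered download changes the digest and fails check 1 even if the attacker ships the genuine provenance file alongside it; a provenance produced by a different workflow or repository fails checks 2 and 3, which is why the builder and source values must be pinned by the verifier rather than read from the statement.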
Join the community
Legitify's mission is to help security and development teams ensure that they have secure SCMs across their software delivery pipelines, and we have many more exciting capabilities planned in the future.
Download Legitify now and send us your feedback; we’d love to hear your thoughts and comments. We encourage and appreciate any kind of contribution!