Introducing Legitify: A Better Way To Secure GitHub
We encounter security incidents on a weekly basis with prospective customers that involve pipeline manipulation, code theft, and sensitive data exposure - many of which result from bad source code management (SCM) system configurations. Legitify, the open-source security tool we recently announced, is rapidly gaining popularity because it helps users analyze and remediate the security configuration of their SCM resources.
Legitify is a source-code management (SCM) misconfiguration scanner that helps security, DevOps, and engineering teams manage and enforce their SCM configurations in a secure and scalable way. Legitify's initial release only supported GitHub.com, with the aim to provide the open-source community with a tool that would help them prevent software supply chain attacks that originate in GitHub misconfigurations. After its initial release, multiple requests were submitted to support more SCM vendors and solutions, especially those used by enterprise organizations.
GitHub Enterprise Server and GitLab Server are popular on-premises SCM systems widely used in the software development industry. Like all SCMs, misconfigurations in these systems can also lead to serious security vulnerabilities and data breaches.
With Legitify’s latest release, we're now proud to support this broader range of popular SCMs:
Legitify can identify and help remediate misconfigurations in real time for this expanded list of SCMs, ensuring that both cloud and on-prem SCM implementations are secure and compliant. It can also run periodically to validate these configurations continuously.
In addition to expanded SCM support, Legitify’s latest release includes important new features to keep your SCMs secure:
Dozens of new SCM security policies have been added, including a new security policy category called “Runner Groups” that can detect misconfigurations in GitHub’s runner groups. You can browse all of Legitify’s security policies at legitify.dev.
A new GitHub action that can be used to run Legitify as part of the organization’s CI/CD pipeline, allowing users to gain continuous protection and get alerted rapidly when a new misconfiguration is introduced.
To enhance the software supply chain security of Legitify's users, every Legitify release contains a SLSA Level 3 Provenance attestation that can be used to verify the authenticity of the tool.
Legitify's mission is to help security and development teams ensure that they have secure SCMs across their software delivery pipelines, and we have many more exciting capabilities planned in the future.
Download Legitify now and send us your feedback; we’d love to hear your thoughts and comments. We encourage and appreciate any kind of contribution!