Blogs about SCMs

The Legit Security research team has found and reported a zero-click attack that allowed attackers to submit malicious code and access secrets.

Azure Devops Zero-Click CI/CD Vulnerability

January 31, 2024

The Legit Security research team has found and reported a zero-click attack that allowed attackers to submit malicious code and access secrets.

Legitify is an open-source GitHub and GitLab configuration scanner from Legit Security that helps manage & enforce SCM configuration best practices in a secure and scalable way

Legit SCMs

Legitify adds support for GitLab and GitHub Enterprise Server

January 25, 2023

Legitify is an open-source GitHub and GitLab configuration scanner from Legit Security that helps manage & enforce SCM configuration best practices in a secure and scalable way

New software supply chain vulnerabilities use artifact poisoning and attack the software development pipelines on projects using GitHub Actions.

Threats SCMs

Novel Pipeline Vulnerability Discovered; Rust Found Vulnerable

December 01, 2022

New software supply chain vulnerabilities use artifact poisoning and attack the software development pipelines on projects using GitHub Actions.

Legitify is an open-source GitHub configuration scanner from Legit Security that helps manage & enforce GitHub configurations in a secure and scalable way

Legit SCMs

Introducing Legitify: A Better Way To Secure GitHub

October 05, 2022

Legitify is an open-source GitHub configuration scanner from Legit Security that helps manage & enforce GitHub configurations in a secure and scalable way

GitHub configurations aren't secure out of the box. It's up to you to secure them. This blog discusses GitHub's new Codespaces product and how to secure it.

Best Practices SCMs

GitHub Codespaces Security Best Practices

September 28, 2022

GitHub configurations aren't secure out of the box. It's up to you to secure them. This blog discusses GitHub's new Codespaces product and how to secure it.

GitHub’s required reviewers capability can be bypassed if currently using this setting to require at least one code review before merging code.

Threats SCMs

Attackers Can Bypass GitHub Required Reviewers to Submit Malicious Code

September 08, 2022

GitHub’s required reviewers capability can be bypassed if currently using this setting to require at least one code review before merging code.

Learn how Legit Security discovered a vulnerable GitHub actions workflow that affected Google, Apache and potentially many more. Get details on the vulnerability and what you can do to mitigate it.

Legit Threats SCMs

Google & Apache Found Vulnerable to GitHub Environment Injection

September 01, 2022

Learn how Legit Security discovered a vulnerable GitHub actions workflow that affected Google, Apache and potentially many more. Get details on the vulnerability and what you can do to mitigate it.

Earlier today, Stephan Lacy published a Twitter post about a massive attack on GitHub. Even though later it was understood that none of the original GitHub repositories was infected, the attack attempt is a huge deal.

Threats SCMs

Breaking News: How a Massive Malware Attack Almost Occurred on GitHub

August 03, 2022

Earlier today, Stephan Lacy published a Twitter post about a massive attack on GitHub. Even though later it was understood that none of the original GitHub repositories was infected, the attack attempt is a huge deal.

GitHub makes it easy for developers to collaborate, but it’s also easy for bad actors to exploit misconfigurations and vulnerabilities.

Best Practices SCMs

Securing GitHub: How to Keep Your Code and Pipelines Safe from Hackers

June 20, 2022

GitHub makes it easy for developers to collaborate, but it’s also easy for bad actors to exploit misconfigurations and vulnerabilities.

This article will explain why security and GitHub should go hand in hand and describes a few best practices we believe any organization using GitHub should employ to reduce GitHub security risks.

Best Practices SCMs

GitHub Security Best Practices Your Team Should Be Following

May 31, 2022

This article will explain why security and GitHub should go hand in hand and describes a few best practices we believe any organization using GitHub should employ to reduce GitHub security risks.

We examine a bug we’ve found in a popular third-party GitHub action and how it could lead to your SDLC pipeline being attacked. Read more to improve GitHub security and secure your software supply chain.

Best Practices Legit Threats SCMs

Vulnerable GitHub Actions Workflows Part 2: Actions That Open the Door to CI/CD Pipeline Attacks

May 02, 2022

We examine a bug we’ve found in a popular third-party GitHub action and how it could lead to your SDLC pipeline being attacked. Read more to improve GitHub security and secure your software supply chain.

This GitHub OAuth access token attack was announced by GitHub Security and is a compromise of OAuth access tokens issued to Heroku and Travis-CI integrations.

Explainers Threats SCMs

Latest GitHub OAuth Tokens Attack Explained and How to Protect Yourself

April 18, 2022

This GitHub OAuth access token attack was announced by GitHub Security and is a compromise of OAuth access tokens issued to Heroku and Travis-CI integrations.

On April 1st, GitLab announced Critical Security Release CVE-2022-1162, disclosing a very bizarre vulnerability and illustrating some important lessons in securing a software supply chain.

Threats SCMs

A Cautionary Tale: The Untold Story of the GitLab CVE Backdoor (CVE-2022-1162)

April 06, 2022

On April 1st, GitLab announced Critical Security Release CVE-2022-1162, disclosing a very bizarre vulnerability and illustrating some important lessons in securing a software supply chain.