Legit Security Blog

SCMs

Legitify adds support for GitLab and GitHub Enterprise Server

We encounter security incidents on a weekly basis with prospective customers that involve pipeline manipulation, code theft, and sensitive data...

Read More

Novel Pipeline Vulnerability Discovered; Rust  Found Vulnerable

The Legit Security Research Team discovered a new class of software supply chain vulnerabilities that leverages artifact poisoning and attacks the...

Read More

Introducing Legitify: A Better Way To Secure GitHub

We’re pleased to announce the launch of Legitify – an open-source security tool for GitHub users to automatically discover and remediate insecure...

Read More

GitHub Codespaces Security Best Practices

When GitHub released Codespaces last year it was touted as their best release since GitHub Actions. If you’re using Codespaces or thinking about it,...

Read More

Attackers Can Bypass GitHub Required Reviewers to Submit Malicious Code

Update: a few weeks after this publication, GitHub decided to fix the issue and employed the mitigation we recommended to them in our initial report....

Read More

Google & Apache Found Vulnerable to GitHub Environment Injection

In this blog post, we'll discuss a new type of GitHub Actions workflow vulnerability we called "GitHub Environment Injection". We've found a couple of

Read More

Breaking News: How a Massive Malware Attack Almost Occurred on GitHub

Earlier today, Stephen Lacy published a Twitter post about a massive attack attempt on GitHub. This attack attempt is a huge deal, but fortunately it...

Read More

Securing GitHub: How to Keep Your Code and Pipelines Safe from Hackers

GitHub is one of the most widely used software development platforms. You’d be hard-pressed to find a developer or a business that has never used or...

Read More

GitHub Security Best Practices Your Team Should Be Following

Configuring security in GitHub correctly can offer strong protection against breaches related to application vulnerabilities. The platform comes with...

Read More

Vulnerable GitHub Actions Workflows Part 2: Actions That Open the Door to CI/CD Pipeline Attacks

In this blog post, we’ll explore a bug we’ve found in a popular third-party action and how in some cases it could lead to your SDLC pipeline being...

Read More

Latest GitHub OAuth Tokens Attack Explained and How to Protect Yourself

On Friday April 15, GitHub Security announced it had detected the compromise of OAuth access tokens issued to Heroku and Travis-CI integrations to...

Read More

A Cautionary Tale: The Untold Story of the GitLab CVE Backdoor (CVE-2022-1162)

On April 1st, GitLab announced Critical Security Release CVE-2022-1162, disclosing a very bizarre vulnerability and illustrating some important...

Read More

Vulnerable GitHub Actions Workflows Part 1: Privilege Escalation Inside Your CI/CD Pipeline

At Legit Security, we’re focused on preventing software supply chain attacks and securing the SDLC for our customers and the broader cybersecurity...

Read More

Detecting Secrets in Your Source Code

Exposed secrets in source code pose a risk to you, your team and your entire organization. But what are secrets exactly? How do they become exposed?...

Read More

Stay Connected

 Please join our mailing list for future updates and announcements.