A Better Way To Secure GitHub/GitLab

Legitify is an open-source security tool for GitHub or GitLab users to automatically discover insecure configurations.

Are Your SCM Implementations Secure?
It’s difficult and time-consuming to consistently enforce security across large GitHub/GitLab source code management (SCM) systems, and misconfigurations are a very common source of vulnerabilities. Different individuals often deploy GitHub/GitLab instances with different configurations and settings. However, manually enforcing consistency across large GitHub/GitLab organizations is very labor-intensive and prone to human error.
Auto-Discover Insecure Configurations
Legitify is an open-source GitHub/GitLab configuration scanner from Legit Security that helps security teams and DevOps engineers manage and enforce their SCM configurations in a secure and scalable way. Legitify automatically detects security issues, provides remediation steps to address them, and represents a subset of capabilities in the commercially licensed Legit Security Platform.
Here's how Legitify works:

1. Connect Easily

Legitify connects to GitHub and GitLab via an access token and detects issues across various resource types: member, repository, actions, organization, and more. You can scan a specific GitHub/GitLab instance and/or a single resource type, or scan an entire GitHub organization or GitLab group across all resource types.


2. Scan Quickly

Legitify rapidly scans your GitHub implementations via the command line to detect a wide range of security issues associated with GitHub configurations and settings. Use Legitify across an entire GitHub organization of any size.


3. Detect Security Issues

Any security issue detected is listed in the results, including the name of the issue with a brief description and severity categorization. Threat examples and remediation steps are also provided along with the entityID of the violation.


4. Obtain Security Scores

Legitify is integrated with OSSF Scorecard, so you can run Scorecard from within Legitify to assess the security posture of repositories using the Security Scorecard framework.

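To make the connect / scan / detect loop in steps 1 to 4 concrete, here is an added example of the pattern a configuration scanner follows: load organization and repository configuration, evaluate each record against a set of policies, and emit findings carrying the fields the text describes (issue name, description, severity, remediation, entity ID). This is not Legitify's own code and says nothing about its actual policies. The field names follow GitHub's public REST API (`two_factor_requirement_enabled`, `allow_forking`, `private`, `required_pull_request_reviews`), but the policy names, the `default_branch_protection` nesting and the sample records are constructed for this example, standing in for what a real run would fetch with an access token.

```python
"""Minimal SCM configuration scanner (added example, not Legitify's code).

Workflow mirrored from the page: fetch configuration -> evaluate policies ->
report findings with name, description, severity, remediation, entity ID.
Field names follow GitHub's REST API; policy names and sample data are
constructed for illustration.
"""
from __future__ import annotations

import json
from dataclasses import asdict, dataclass
from typing import Callable, Optional

SEVERITY_ORDER = {"HIGH": 0, "MEDIUM": 1, "LOW": 2}


@dataclass(frozen=True)
class Policy:
    name: str
    resource: str          # "organization" or "repository"
    severity: str          # HIGH / MEDIUM / LOW
    description: str
    remediation: str
    violated: Callable[[dict], bool]   # returns True when the record is insecure


@dataclass(frozen=True)
class Finding:
    policy: str
    severity: str
    entity_id: str         # org login or repo full_name, like the page's entityID
    description: str
    remediation: str


def _missing_required_reviews(repo: dict) -> bool:
    """True when protection exists but no approving review is required."""
    protection = repo.get("default_branch_protection")
    if not protection:
        return False       # reported separately by repo_default_branch_not_protected
    reviews = protection.get("required_pull_request_reviews") or {}
    return reviews.get("required_approving_review_count", 0) < 1


# Constructed policy set; names are hypothetical.
POLICIES = [
    Policy("org_two_factor_not_required", "organization", "HIGH",
           "Members can authenticate to the organization without a second factor.",
           "Require two-factor authentication in the organization security settings.",
           lambda org: not org.get("two_factor_requirement_enabled", False)),
    Policy("repo_default_branch_not_protected", "repository", "HIGH",
           "The default branch has no branch protection rule.",
           "Add a branch protection rule for the default branch.",
           lambda repo: not repo.get("default_branch_protection")),
    Policy("repo_no_required_reviews", "repository", "MEDIUM",
           "Changes can reach the default branch without an approving review.",
           "Require at least one approving review in the branch protection rule.",
           _missing_required_reviews),
    Policy("repo_private_forking_allowed", "repository", "LOW",
           "A private repository can be forked outside the organization's controls.",
           "Disable forking for private repositories.",
           lambda repo: bool(repo.get("private")) and bool(repo.get("allow_forking"))),
]


def scan(org: dict, repos: list[dict],
         resource_types: Optional[set[str]] = None) -> list[Finding]:
    """Evaluate policies for the selected resource types (all when None),
    mirroring the 'scan one resource type or the whole organization' option."""
    findings: list[Finding] = []
    for policy in POLICIES:
        if resource_types and policy.resource not in resource_types:
            continue
        targets = [org] if policy.resource == "organization" else repos
        for entity in targets:
            if policy.violated(entity):
                entity_id = entity.get("full_name") or entity["login"]
                findings.append(Finding(policy.name, policy.severity, entity_id,
                                        policy.description, policy.remediation))
    # Highest severity first, then by entity so output is stable.
    return sorted(findings, key=lambda f: (SEVERITY_ORDER[f.severity], f.entity_id))


def summarize(findings: list[Finding]) -> dict[str, int]:
    """Count findings per severity for a quick posture overview."""
    counts = {level: 0 for level in SEVERITY_ORDER}
    for finding in findings:
        counts[finding.severity] += 1
    return counts


def render(findings: list[Finding]) -> str:
    """One JSON object per finding, easy to diff between periodic runs."""
    return "\n".join(json.dumps(asdict(f)) for f in findings)


# Constructed sample records standing in for API responses.
SAMPLE_ORG = {"login": "example-org", "two_factor_requirement_enabled": False}
SAMPLE_REPOS = [
    {"full_name": "example-org/payments", "private": True, "allow_forking": True,
     "default_branch_protection": {
         "required_pull_request_reviews": {"required_approving_review_count": 0}}},
    {"full_name": "example-org/website", "private": False, "allow_forking": True,
     "default_branch_protection": None},
    {"full_name": "example-org/infra", "private": True, "allow_forking": False,
     "default_branch_protection": {
         "required_pull_request_reviews": {"required_approving_review_count": 2}}},
]

if __name__ == "__main__":
    results = scan(SAMPLE_ORG, SAMPLE_REPOS)
    print(render(results))
    print(summarize(results))
```

Running the script on the constructed records reports four findings: the organization not requiring two-factor authentication, `example-org/website` with no default-branch protection, and `example-org/payments` both lacking required reviews and allowing forks of a private repository, while `example-org/infra` is clean. Passing `resource_types={"repository"}` drops the organization check, which is the scoped-scan option from step 1.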
Legitify vs. the Legit Security platform
If you liked Legitify, you will love the Legit Security Platform! Below is a feature comparison between Legitify and Legit:
| Capability | Legitify | Legit Security Platform |
|---|---|---|
| Supported platforms | GitHub, GitLab | All major SCMs (incl. Azure DevOps, Bitbucket and more); CI/CD systems (e.g. Jenkins); package registries (e.g. JFrog Artifactory); cloud providers (e.g. AWS) |
| Risk detection | SCM misconfigurations only | SCM misconfigurations; CI misconfigurations; CD misconfigurations; package registry misconfigurations; pipeline risks; secrets; IaC; security incidents; and more |
| Compliance report | | SSDF, SLSA, SOC2, ISO 27001, FedRAMP, and more |
| Policy drift detection | Can be detected periodically through Legitify's GitHub Action | Real-time alerts when a misconfiguration is introduced |
| SDLC assets management | - | Yes |
| Issue & policy management | - | Yes |
| Code To Cloud context | - | Yes (contextualized information enables smarter prioritization) |
| Workspaces & product groups | - | Yes |
| Ticketing & alerting | - | Jira, Slack, and more |
| Ingest risk | - | Import APIs and integrations with SAST, SCA and other testing solutions |
| REST APIs | - | Yes |
Cross-Platform Deployment
Legitify is an open source, cross-platform binary that works on Windows, Mac and Linux. Security and DevOps engineers run Legitify in the command line. Several improvements are planned for the future, including the ability to support periodic scanning schedules.
How to Download and Documentation
Get the latest version of Legitify by downloading below and read through the documentation for an in-depth look at how our tool works.


Request a demo including the option to analyze your own software supply chain.