A Better Way to Secure GitHub/GitLab
Legitify is an open-source security tool for GitHub or GitLab users to automatically discover insecure configurations.
Are Your SCM Implementations Secure?
Consistently enforcing security across large GitHub/GitLab source code management (SCM) systems is difficult and time-consuming, and misconfigurations are a very common source of vulnerabilities. Different individuals often deploy GitHub/GitLab instances with different configurations and settings, and manually enforcing consistency across large GitHub/GitLab organizations is labor-intensive and prone to human error.


Auto-Discover Insecure Configurations
Legitify is an open-source GitHub/GitLab configuration scanner from Legit Security that helps security teams and DevOps engineers manage and enforce their SCM configurations in a secure and scalable way. Legitify automatically detects security issues, provides remediation steps to address them, and represents a subset of capabilities in the commercially licensed Legit Security Platform. Here's how Legitify works:
1. Connect Easily
Legitify connects to GitHub and GitLab via an access token and detects issues across various resource types: member, repository, actions, organization, and more. Legitify provides the option to scan by specific GitHub/GitLab instance and/or resource type, or to scan an entire GitHub organization, or GitLab group, across all resource types.
2. Scan Quickly
Legitify rapidly scans your GitHub implementations via the command line to detect a wide range of security issues associated with GitHub configurations and settings. Use Legitify across an entire GitHub organization of any size.
3. Detect Security Issues
Any security issue detected is listed in the results, including the name of the issue with a brief description and severity categorization. Threat examples and remediation steps are also provided along with the entityID of the violation.
4. Obtain Security Scores
Legitify is integrated with OSSF Scorecard so you can run Scorecard within Legitify to assess the security posture of repositories using the Security Scorecard framework.
Cross-Platform Deployment
Legitify is an open source, cross-platform binary that works on Windows, Mac and Linux. Security and DevOps engineers run Legitify in the command line. Several improvements are planned for the future, including the ability to support periodic scanning schedules.
FAQs
- What is Legitify?
Legitify is an open-source security tool for GitHub/GitLab users to automatically discover insecure configurations.
- What are examples of security issues that Legitify detects?
Legitify can help you identify security risks that relate to misconfigurations of different SCM resource types. For instance, organization-level misconfigurations such as “Two-Factor Authentication Is Not Enforced For The Organization”, or repository-level misconfigurations such as “Code Review By At Least Two Reviewers Is Not Enforced”.
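As an added illustration (not Legitify's own code), the sketch below evaluates the two policies named above against responses shaped like GitHub's REST API: the `two_factor_requirement_enabled` field of `GET /orgs/{org}` and `required_approving_review_count` under a branch protection rule. The organization and repository data are constructed samples, and the severity labels and remediation text are assumptions for the example.

```python
import json
# Constructed sample responses shaped like GitHub's REST API objects
# (GET /orgs/{org} and GET /repos/{owner}/{repo}/branches/{branch}/protection).
# Illustrative samples only, not data captured from a real organization.
SAMPLE_ORG = json.loads('{"login": "example-org", "two_factor_requirement_enabled": false}')
SAMPLE_PROTECTIONS = {
    "example-org/payments": json.loads(
        '{"required_pull_request_reviews": {"required_approving_review_count": 1}}'),
    "example-org/docs": None,  # API returned 404: no protection rule on the default branch
    "example-org/infra": json.loads(
        '{"required_pull_request_reviews": {"required_approving_review_count": 2}}'),
    "example-org/tools": json.loads('{"enforce_admins": {"enabled": true}}'),  # no review rule
}

def check_org_2fa(org):
    """Organization-level policy: 2FA must be required for every member."""
    if org.get("two_factor_requirement_enabled") is True:
        return None
    return {"policy": "Two-Factor Authentication Is Not Enforced For The Organization",
            "severity": "HIGH", "entity": org["login"],
            "remediation": "Require 2FA in the organization's authentication security settings"}

def check_repo_reviewers(full_name, protection, minimum=2):
    """Repository-level policy: default branch must require >= `minimum` approving reviews."""
    # No protection rule (None) and a rule without required_pull_request_reviews both mean
    # zero required approvals, so both are reported rather than skipped.
    reviews = (protection or {}).get("required_pull_request_reviews") or {}
    count = reviews.get("required_approving_review_count", 0)
    if count >= minimum:
        return None
    return {"policy": "Code Review By At Least Two Reviewers Is Not Enforced",
            "severity": "MEDIUM", "entity": full_name,
            "remediation": f"Set required approving reviews to {minimum} in branch protection"}

def scan(org, protections):
    """Evaluate both policies; returns the list of findings (empty when compliant)."""
    findings = []
    org_finding = check_org_2fa(org)
    if org_finding:
        findings.append(org_finding)
    for full_name, protection in protections.items():
        repo_finding = check_repo_reviewers(full_name, protection)
        if repo_finding:
            findings.append(repo_finding)
    return findings

if __name__ == "__main__":
    for f in scan(SAMPLE_ORG, SAMPLE_PROTECTIONS):
        print(f"[{f['severity']}] {f['entity']}: {f['policy']}")
```

With the sample data, the scan reports the organization for missing 2FA enforcement and three of the four repositories; only `example-org/infra`, which requires two approving reviews, passes.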
- How can I fix the issues that Legitify raised?
All policies in Legitify are documented here, and the last section of each policy is a description of the remediation steps required for the fix. In the future, we plan to add automatic remediation.
- What is Legitify's open source licensing model?
Legitify is licensed under the Apache License 2.0.
- What type of support is provided?
Legitify’s maintainers are devoted to the project and are happy to receive issues from users and pull requests from contributors. All issues / PR contributions will be addressed as soon as possible.
- How can I contribute to improve Legitify?
We happily welcome the contribution of code to all the components in the project! Please follow these guidelines if you wish to become a contributor.
- Which SCMs are currently supported by Legitify?
  - GitHub Cloud
  - GitHub Enterprise Server
  - GitLab Cloud
  - GitLab Server
- How can I run Legitify as part of a CI/CD pipeline?
GitHub users can call the Legitify GitHub Action as part of a workflow that will run an analysis periodically or upon triggers of interest. Examples can be found here.
Download / Documentation
Get the latest version of Legitify by downloading below and read through the documentation for an in-depth look at how our tool works.