A Better Way To Secure GitHub/GitLab
Legitify is an open-source security tool for GitHub or GitLab users to automatically discover insecure configurations.
Here's how Legitify works:
1. Connect Easily
Legitify connects to GitHub and GitLab via an access token and detects issues across various resource types: member, repository, actions, organization, and more. Legitify provides the option to scan by specific GitHub/GitLab instance and/or resource type, or to scan an entire GitHub organization, or GitLab group, across all resource types.
2. Scan Quickly
Legitify rapidly scans your GitHub implementations via the command line to detect a wide range of security issues associated with GitHub configurations and settings. Use Legitify across an entire GitHub organization of any size.
3. Detect Security Issues
Any security issue detected is listed in the results, including the name of the issue with a brief description and severity categorization. Threat examples and remediation steps are also provided along with the entityID of the violation.
4. Obtain Security Scores
Legitify is integrated with OSSF Scorecard so you can run Scorecard within Legitify to assess the security posture of repositories using the Security Scorecard framework.
Capability | Legitify | Legit Security Platform |
---|---|---|
Supported platforms |
GitHub GitLab |
ALL major SCMs (incl. Azure DevOps, Bitbucket and more) CI/CD systems (e.g. Jenkins) Package registries (e.g. JFrog Artifactory) Cloud providers (e.g. AWS) |
Risk detection |
SCM Misconfigurations only |
SCMs Misconfigurations CI Misconfigurations CD Misconfigurations Package Registries Misconfigurations Pipeline risks Secrets IaC Security Incidents And more... |
Compliance report |
SSDF SLSA SOC2 ISO 27001 FedRAMP And more... |
|
Policy drifts detection |
Can be detected periodically though Legitify's GitHub Action |
Get real-time alerts when a misconfiguration is introduced |
SDLC assets management |
- |
Yes |
Issue & policy management |
- |
Yes |
Code To Cloud context |
- |
Yes (contextualized information enables smarter prioritization) |
Workspaces & product groups |
- |
Yes |
Ticketing & alerting |
- |
Jira, Slack, and more |
Ingest risk |
- |
Import APIs and integrations with SAST, SCA and other testing solutions |
Rest APIs |
- |
Yes |
in-depth look at how our tool works.
FAQs
Request a Demo
Request a demo including the option to analyze your own software supply chain.