How to Secure GitHub/GitLab Servers with Legitify
Legitify is an open source security tool from Legit Security that scans server configuration monitor (SCM) servers and detects security misconfigurations. It also provides detailed remediation steps and integration with GitHub Actions to use within continuous integration (CI) processes.
As more and more attacks target weakly configured and vulnerable SCMs, organizations should take special care to ensure they are protected. Yet SCMs have many features and settings, making it difficult for teams to keep them secure.
In this blog post, I’ll show how to use Legitify to secure a GitHub/GitLab server.
Let’s Begin
First, let’s install Legitify. There are multiple options to do so. Mac users can use brew:
|
1 2 |
brew tap legit-labs/legit-labs brew install legitify |
Alternatively, you can compile from code:
|
1 2 |
git clone git@github.com:Legit-Labs/legitify.git && cd legitify make build |
Or download the latest release from here:
Next create a personal access token (PAT). For the GitHub platform, you can do it here. The required permissions are:
|
1 |
admin:org, read:enterprise, admin:org_hook, read:org, repo, read:repo_hook |
Let’s run the tool:
|
1 |
GITHUB_TOKEN=the_token_you_created legitify analyze --org your_org_name |
We get a summarization table with all the policies we ran and whether they passed, failed or skipped due to insufficient permissions.
Policies are grouped by namespace. Namespaces are the entity the policy applies on, such as repository, organization, member, etc.
(The full list can be found on the project website with detailed description and threat: legitify.dev.)
If we scroll up a bit, we can see detailed information on each policy:
- Description
- Severity
- Threat
- Remediation steps
- A list of violating entities
In this case, we can see that the “legit-sandbox” organization doesn’t require GitHub actions to be verified and provided with steps to fix the issue.
Running Scorecard
Scorecard is an Open Source Security Foundation (OpenSSF) project that assesses a repository’s security posture. It has gained popularity lately and is used in many prominent projects. Legitify allows running Scorecard on all your repositories with ease:
GITHUB_TOKEN=your_token_here legitify analyze --org your_org_name --namespace repository --scorecard verbose
This command will run Scorecard on all your repositories and provide an alert on ones with a score under 7.0. The specific issues can be found under the detailed section of the output:
Running as Part of a CI Process
Another option is to run Legitify as a GitHub Action:
|
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 |
name: Legitify Analyze on: workflow_dispatch: schedule: - cron: '0 11 * * 1-5' jobs: analyze: runs-on: ubuntu-latest steps: - name: Checkout uses: actions/checkout@v2 - name: Legitify Action uses: Legit-Labs/legitify@main with: github_token: ${{ secrets.LEGITIFY_PAT }} |
The above workflow will run Legitify periodically and produce output similar to the CLI, as shown in the following summarization table:
And the details:
And we’re done! Legitify has many more options that should allow you to use it in almost any use case. Check out the project’s readme for more information.
