How has the recent turmoil within the OpenAI offices changed your plans to use GPT in a business process or product in 2024?
Increased uncertainty means we are more likely to evaluate alternative AI chatbots and LLMs.
No change in plans, though we will keep an eye on the situation.
With Sam Altman back in charge, we are more likely to go all-in with GPT and LLMs.
What recent turmoil?
Linux / Open Source / Security

How to Secure GitHub/GitLab Servers with Legitify

Legitify detects security misconfigurations and provides detailed remediation steps and integration with GitHub Actions.
Apr 17th, 2023 10:21am by
Featued image for: How to Secure GitHub/GitLab Servers with Legitify

Legitify is an open source security tool from Legit Security that scans server configuration monitor (SCM) servers and detects security misconfigurations. It also provides detailed remediation steps and integration with GitHub Actions to use within continuous integration (CI) processes.

As more and more attacks target weakly configured and vulnerable SCMs, organizations should take special care to ensure they are protected. Yet SCMs have many features and settings, making it difficult for teams to keep them secure.

In this blog post, I’ll show how to use Legitify to secure a GitHub/GitLab server.

Let’s Begin

First, let’s install Legitify. There are multiple options to do so. Mac users can use brew:

Alternatively, you can compile from code:

Or download the latest release from here:

Next create a personal access token (PAT). For the GitHub platform, you can do it here. The required permissions are:

Let’s run the tool:

We get a summarization table with all the policies we ran and whether they passed, failed or skipped due to insufficient permissions.

Policies are grouped by namespace. Namespaces are the entity the policy applies on, such as repository, organization, member, etc.

(The full list can be found on the project website with detailed description and threat:

If we scroll up a bit, we can see detailed information on each policy:

  1. Description
  2. Severity
  3. Threat
  4. Remediation steps
  5. A list of violating entities

In this case, we can see that the “legit-sandbox” organization doesn’t require GitHub actions to be verified and provided with steps to fix the issue.

Running Scorecard

Scorecard is an Open Source Security Foundation (OpenSSF) project that assesses a repository’s security posture. It has gained popularity lately and is used in many prominent projects. Legitify allows running Scorecard on all your repositories with ease:

 GITHUB_TOKEN=your_token_here legitify analyze --org your_org_name --namespace repository --scorecard verbose

This command will run Scorecard on all your repositories and provide an alert on ones with a score under 7.0. The specific issues can be found under the detailed section of the output:

Running as Part of a CI Process

Another option is to run Legitify as a GitHub Action:

The above workflow will run Legitify periodically and produce output similar to the CLI, as shown in the following summarization table:

And the details:

And we’re done! Legitify has many more options that should allow you to use it in almost any use case. Check out the project’s readme for more information.

Group Created with Sketch.
TNS owner Insight Partners is an investor in: Pragma.
THE NEW STACK UPDATE A newsletter digest of the week’s most important stories & analyses.