Discover and Fix Security Misconfigurations with Open-Source Scanners on GitHub & GitLab
Misconfigured Source Code Management Platforms Remain Vulnerable Entry Points in Software Supply Chain Attacks
Software supply chain attacks often rely on misconfigured source code management platforms as a common entry point. Organizations frequently lack visibility into their specific settings, putting them at risk.
According to Legit Security, “Misconfigured source code management platforms provide a low-hanging fruit for attackers, who can exploit these vulnerabilities to gain unauthorized access to sensitive information.”
Legitify: An Open-Source Tool for Identifying Misconfigurations
Legitify is a tool designed to scan GitHub and GitLab environments and report policy violations across organizations, repositories, members, and CI/CD runner groups. It evaluates configurations across five namespaces: organization-level settings, GitHub Actions configurations, member accounts, repositories, and runner groups.
Organization-Level Settings:
- Ensuring two-factor authentication is enforced across an organization
- Restricting GitHub Actions runs to verified actions
- Identifying stale administrators
- Enforcing code review requirements for repositories
GitHub Actions Configurations:
- Scanning for unauthorized workflow executions
- Checking for unverified action usage
Member Accounts:
- Verifying account activity and potential security risks
Repositories:
- Scanning for outdated dependencies and vulnerable code
Runner Groups:
- Monitoring runner group access and configuration
Scan Results and Reporting
Scan results can be exported in human-readable text, JSON, or SARIF (Static Analysis Results Interchange Format) format. SARIF output enables seamless integration with code scanning tools and security dashboards that support the standard. Findings can be grouped by namespace, resource, or severity.
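As an added example (not code from the article or from the Legitify project), the following Python consumes a SARIF 2.1.0 report in the shape a scanner like Legitify emits, groups findings by severity and by the resource they apply to, and gates a pipeline on blocking findings. The embedded document is constructed for illustration; its rule ids and resource names are placeholders, not real Legitify policy names.

```python
import json
from collections import Counter, defaultdict

# Constructed sample in SARIF 2.1.0 shape; rule ids and resource URIs are
# placeholders and do not correspond to real Legitify policies.
SAMPLE_SARIF = json.dumps({
    "version": "2.1.0",
    "runs": [{
        "tool": {"driver": {"name": "legitify"}},
        "results": [
            {"ruleId": "example_org_2fa_not_enforced", "level": "error",
             "message": {"text": "Organization does not require 2FA"},
             "locations": [{"physicalLocation": {
                 "artifactLocation": {"uri": "example-org"}}}]},
            {"ruleId": "example_repo_no_code_review", "level": "warning",
             "message": {"text": "Branch protection does not require review"},
             "locations": [{"physicalLocation": {
                 "artifactLocation": {"uri": "example-org/app"}}}]},
            {"ruleId": "example_repo_no_code_review", "level": "warning",
             "message": {"text": "Branch protection does not require review"},
             "locations": [{"physicalLocation": {
                 "artifactLocation": {"uri": "example-org/infra"}}}]},
        ],
    }],
})

def load_results(sarif_text):
    """Flatten every result across all runs into (ruleId, level, resource) triples."""
    doc = json.loads(sarif_text)
    out = []
    for run in doc.get("runs", []):
        for r in run.get("results", []):
            locs = r.get("locations") or []
            # SARIF puts the affected artifact under physicalLocation.artifactLocation.uri
            uri = "<unknown>"
            if locs:
                uri = (locs[0].get("physicalLocation", {})
                              .get("artifactLocation", {}).get("uri", "<unknown>"))
            out.append((r.get("ruleId", "<no-rule>"), r.get("level", "note"), uri))
    return out

def summarize(results):
    """Count findings per SARIF level and list the rules hit per resource."""
    by_level = Counter(level for _, level, _ in results)
    by_resource = defaultdict(list)
    for rule, _, uri in results:
        by_resource[uri].append(rule)
    return by_level, dict(by_resource)

def gate(results, fail_on=("error",)):
    """Return False (fail the pipeline) when any finding is at a blocking level."""
    return not any(level in fail_on for _, level, _ in results)
```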
Integration with Scorecard Project
Legitify integrates with the Open Source Security Foundation’s Scorecard project for GitHub repositories. When enabled, it runs Scorecard checks against all repositories in an organization and flags any repository scoring below 7.0.
Requirements and Limitations
To run Legitify against a GitHub organization, the user needs owner-level administrative permissions on that organization. Users with admin access to individual repositories can run the tool against those repositories and receive repository-level results. The tool requires a GitHub personal access token with specific scopes, including admin:org, read:enterprise, admin:org_hook, read:org, repo, and read:repo_hook.
On GitLab, the tool functions against both cloud-based and self-managed instances. However, non-premium GitLab accounts may experience limitations, including skipped branch protection policies. Scans on GitLab require the --scm gitlab flag and a personal access token with read_api, read_user, read_repository, and read_registry scopes.
Availability
Legitify is freely available on GitHub.
