By Noam Dotan, Legit Security
A few weeks ago, the OpenSSF Best Practices Working Group published the Source Code Management (SCM) Best Practices Guide. This guide is the result of a collaboration of multiple leading security community members under the OpenSSF umbrella.
The SCM Best Practices Guide provides a comprehensive set of recommendations for securing SCM platforms like GitHub and GitLab. It also includes a list of tools that can assist in reviewing source code repositories. One example is Legitify, which helps detect all misconfigurations and security issues described throughout the project’s document. Other tools that provide help in this context are Allstar and Scorecard from OpenSSF. These tools can help detect misconfigurations, security issues, and unfollowed best practices, with a goal to provide more secure development environments.
In this blog, I’ll show how you can use Legitify to secure your GitHub/GitLab server and comply with the SCM Best Practices Guide.
As more and more attacks are targeting weakly configured and vulnerable SCMs, organizations should take special care to make sure they are protected. Unfortunately, SCMs have very broad features and settings, making it very hard for teams to keep them secure. Legitify simplifies SCM security by scanning and detecting security misconfigurations.
Let’s Begin
There are multiple ways to install Legitify. On Mac you can use brew:
brew tap legit-labs/legit-labs
brew install legitify
Alternatively, you can compile it from code:
git clone git@github.com:Legit-Labs/legitify.git && cd legitify
make build
Or, download the latest release from here:
The next thing to do is to create a personal access token (PAT). For the GitHub platform, you can do it here. The required permissions are:
admin:org, read:enterprise, admin:org_hook, read:org, repo, read:repo_hook
Run the tool with the following command:
SCM_TOKEN=the_token_you_created legitify analyze --org your_org_name
First, you’ll get a summarization table with all the policies you ran and whether they passed, failed, or skipped due to insufficient permissions. Policies are grouped by namespace. Namespaces are the entities the policy applies on, e.g., repository, organization, member, etc. (You can find the full list on the project website with detailed description and threat: legitify.dev)
If you scroll up a bit, you can see detailed information on each policy:
For each policy, you get a description, the severity, the threat, a list of suggested remediation steps, and a list of violating entities.
In this case, you can see that the “legit-sandbox” organization doesn’t require GitHub actions to be verified and provides the user with steps to fix the issue.
Running Scorecard
Scorecard is an OpenSSF project that assesses repositories’ security posture. It was created to help open source maintainers improve their security and to help open source consumers judge whether their dependencies are safe. It has gained much popularity lately, and many prominent projects have been using it.
Scorecard with Legitify on all your repositories with ease:
SCM_TOKEN=your_token_here legitify analyze --org your_org_name --namespace repository --scorecard verbose
This command will run Scorecard on all of your repositories and alert ones with a score under 7.0, and you can find the specific issues under the detailed section of the output:
Running as part of a CI process
You can run Legitify as a GitHub Action:
name: Legitify Analyze
on:
workflow_dispatch:
schedule:
- cron: '0 11 * * 1-5'
jobs:
analyze:
runs-on: ubuntu-latest
steps:
- name: Checkout
uses: actions/checkout@v2
- name: Legitify Action
uses: Legit-Labs/legitify@main
with:
github_token: ${{ secrets.LEGITIFY_PAT }}The above workflow will run Legitify periodically and produce output similar to the CLI, as shown in the following summarization table:
And the details:
And that’s the end of this quick tutorial!
Conclusion
Source Code Management (SCM) is a critical component of software development, allowing teams to efficiently collaborate on code and track changes over time.
As code is the foundation of software, it is essential to ensure its security throughout the development lifecycle. SCM security plays a crucial role in protecting the source code from unauthorized access, modification, and theft. By implementing robust security measures and best practices, teams can effectively safeguard their sensitive code and prevent potential breaches.
Legitify offers a comprehensive set of features that can be tailored to meet varying SCM security needs. Check out the project’s readme for more information. Also check out the Source Code Management Platform Configuration Best Practices Guide that explores user authentication, access control, permissions, monitoring, and logging.
About the Author
Noam Dotan is a Security Researcher at Legit Security. Noam is passionate about security topics related to the software supply chain and application security posture management.