Skip to main content

How to Use Open Source to Help Comply with SCM Best Practices: A Tutorial on Combining OpenSSF Scorecard and Legitify

By November 9, 2023Blog, Guest Blog
How to Use Open Source to Help Comply with SCM Best Practices

By Noam Dotan, Legit Security

A few weeks ago, the OpenSSF Best Practices Working Group published the Source Code Management (SCM) Best Practices Guide. This guide is the result of a collaboration of multiple leading security community members under the OpenSSF umbrella. 

The SCM Best Practices Guide provides a comprehensive set of recommendations for securing SCM platforms like GitHub and GitLab. It also includes a list of tools that can assist in reviewing source code repositories. One example is Legitify, which helps detect all misconfigurations and security issues described throughout the project’s document. Other tools that provide help in this context are Allstar and Scorecard from OpenSSF. These tools can help detect misconfigurations, security issues, and unfollowed best practices, with a goal to provide more secure development environments.

In this blog, I’ll show how you can use Legitify to secure your GitHub/GitLab server and comply with the SCM Best Practices Guide.

As more and more attacks are targeting weakly configured and vulnerable SCMs, organizations should take special care to make sure they are protected. Unfortunately, SCMs have very broad features and settings, making it very hard for teams to keep them secure. Legitify simplifies SCM security by scanning and detecting security misconfigurations. 

Let’s Begin

There are multiple ways to install Legitify. On Mac you can use brew:

brew tap legit-labs/legit-labs

brew install legitify

Alternatively, you can compile it from code:

git clone git@github.com:Legit-Labs/legitify.git && cd legitify

make build

Or, download the latest release from here:

The next thing to do is to create a personal access token (PAT). For the GitHub platform, you can do it here. The required permissions are:

admin:org, read:enterprise, admin:org_hook, read:org, repo, read:repo_hook

Run the tool with the following command:

 SCM_TOKEN=the_token_you_created legitify analyze --org your_org_name

First, you’ll get a summarization table with all the policies you ran and whether they passed, failed, or skipped due to insufficient permissions. Policies are grouped by namespace. Namespaces are the entities the policy applies on, e.g., repository, organization, member, etc. (You can find the full list on the project website with detailed description and threat: legitify.dev)

If you scroll up a bit, you can see detailed information on each policy:

For each policy, you get a description, the severity, the threat, a list of suggested remediation steps, and a list of violating entities.

In this case, you can see that the “legit-sandbox” organization doesn’t require GitHub actions to be verified and provides the user with steps to fix the issue.

Running Scorecard

Scorecard is an OpenSSF project that assesses repositories’ security posture. It was created to help open source maintainers improve their security and to help open source consumers judge whether their dependencies are safe. It has gained much popularity lately, and many prominent projects have been using it.

 Scorecard with Legitify on all your repositories with ease:

 SCM_TOKEN=your_token_here legitify analyze --org your_org_name --namespace repository --scorecard verbose

This command will run Scorecard on all of your repositories and alert ones with a score under 7.0, and you can find the specific issues under the detailed section of the output:

Running as part of a CI process

You can run Legitify as a GitHub Action:

name: Legitify Analyze
on:
  workflow_dispatch:
  schedule:
	- cron: '0 11 * * 1-5'
 
jobs:
  analyze:
	runs-on: ubuntu-latest
	steps:
  	- name: Checkout
    	uses: actions/checkout@v2
  	- name: Legitify Action
    	uses: Legit-Labs/legitify@main
    	with:
      	github_token: ${{ secrets.LEGITIFY_PAT }}

The above workflow will run Legitify periodically and produce output similar to the CLI, as shown in the following summarization table:

And the details:

And that’s the end of this quick tutorial!

Conclusion

Source Code Management (SCM) is a critical component of software development, allowing teams to efficiently collaborate on code and track changes over time.

As code is the foundation of software, it is essential to ensure its security throughout the development lifecycle. SCM security plays a crucial role in protecting the source code from unauthorized access, modification, and theft. By implementing robust security measures and best practices, teams can effectively safeguard their sensitive code and prevent potential breaches.

Legitify offers a comprehensive set of features that can be tailored to meet varying SCM security needs. Check out the project’s readme for more information. Also check out the Source Code Management Platform Configuration Best Practices Guide that explores user authentication, access control, permissions, monitoring, and logging.

About the Author

noam dotanNoam Dotan is a Security Researcher at Legit Security. Noam is passionate about security topics related to the software supply chain and application security posture management.