Monday, December 12, 2022
Detect And Remediate Misconfigurations And Security Risks Across All Your GitHub Assets

Strengthen the security posture of your GitHub organization!
Detect and remediate misconfigurations, security and compliance issues across all of your GitHub assets with ease

 

Installation

  1. You can download the latest legitify release from https://github.com/Legit-Labs/legitify/releases; each archive contains:
  • The legitify binary for the desired platform
  • The built-in policies provided by Legit Security
  2. From source with the following steps:

Provenance

To enhance the software supply chain security of legitify's users, as of v0.1.6 every legitify release contains a SLSA Level 3 provenance document.
The provenance document refers to all artifacts in the release, as well as the generated docker image.
You can use the SLSA framework's official verifier to verify the provenance. Run it on the downloaded archive before extracting or executing anything from it; a non-zero exit from slsa-verifier means the artifact could not be tied to the stated source repository and builder and should be discarded.
Example of usage for the darwin_arm64 architecture for the v0.1.6 release:

VERSION=0.1.6
ARCH=darwin_arm64
./slsa-verifier verify-artifact --source-branch main --builder-id 'https://github.com/slsa-framework/slsa-github-generator/.github/workflows/generator_generic_slsa3.yml@refs/tags/v1.2.2' --source-uri "git+https://github.com/Legit-Labs/legitify" --provenance-path multiple.intoto.jsonl ./legitify_${VERSION}_${ARCH}.tar.gz

Requirements

  1. To get the most out of legitify, you need to be an owner of at least one GitHub organization. Otherwise, you can still use the tool if you're an admin of at least one repository within an organization, in which case you will see only repository-related policy results.
  2. legitify requires a GitHub personal access token (PAT) to analyze your resources successfully, which can be provided either as an argument (-t) or as an environment variable (the examples below use LEGITIFY_TOKEN). The PAT needs the following scopes for full analysis:
admin:org, read:enterprise, admin:org_hook, read:org, repo, read:repo_hook

Note that admin:org and repo are broad, write-capable scopes: keep the token in a secret store, issue it from a dedicated account where possible, and revoke it once the scan is done.

See Creating a Personal Access Token for more information.
Fine-grained personal access tokens are currently not supported because they don't support GitHub's GraphQL API (https://github.blog/2022-10-18-introducing-fine-grained-personal-access-tokens-for-github/).
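A scan that runs with a token missing one of the scopes above quietly produces partial results, so it is worth checking the token before spending a full run on it. The following script is an added example and not part of legitify: it classifies the token by its prefix (classic PATs start with ghp_, fine-grained ones with github_pat_), reads the X-OAuth-Scopes header GitHub returns for classic tokens, expands parent scopes through a partial, assumed map of GitHub's scope hierarchy, and lists the required scopes that are still missing. The API base URL, the /user endpoint and the header name are GitHub's; everything else is this example's own.

```python
"""Pre-flight scope check for the classic PAT legitify needs.

Added example, not legitify code. Assumptions: classic PATs start with
"ghp_", fine-grained PATs with "github_pat_", and IMPLIED is a partial
approximation of GitHub's scope hierarchy (parent grants its children).
"""
import urllib.request

# The scopes listed in the Requirements section above.
REQUIRED_SCOPES = frozenset({
    "admin:org", "read:enterprise", "admin:org_hook",
    "read:org", "repo", "read:repo_hook",
})

# Parent scope -> scopes it implies (assumption: only the relations this check needs).
IMPLIED = {
    "admin:org": {"write:org", "read:org"},
    "admin:org_hook": {"write:org_hook", "read:org_hook"},
    "admin:repo_hook": {"write:repo_hook", "read:repo_hook"},
    "repo": {"repo:status", "repo_deployment", "public_repo",
             "repo:invite", "security_events"},
}


def token_kind(token: str) -> str:
    """Classify a token by prefix; fine-grained PATs cannot use GraphQL, which legitify needs."""
    if token.startswith("github_pat_"):
        return "fine-grained"
    if token.startswith("ghp_"):
        return "classic"
    return "unknown"


def parse_scopes(header_value: str) -> set:
    """Turn the comma-separated X-OAuth-Scopes header value into a set of scope names."""
    return {s.strip() for s in header_value.split(",") if s.strip()}


def expand_scopes(granted: set) -> set:
    """Add every scope implied by a granted parent scope."""
    expanded = set(granted)
    for scope in granted:
        expanded |= IMPLIED.get(scope, set())
    return expanded


def missing_scopes(granted: set) -> list:
    """Sorted list of required scopes the token carries neither directly nor via a parent."""
    return sorted(REQUIRED_SCOPES - expand_scopes(granted))


def fetch_scopes(token: str, api_base: str = "https://api.github.com") -> set:
    """Ask GitHub which scopes the token carries (network call).

    For GitHub Enterprise set api_base to https://github.example.com/api/v3.
    """
    req = urllib.request.Request(
        f"{api_base}/user",
        headers={"Authorization": f"Bearer {token}",
                 "User-Agent": "legitify-scope-check"},
    )
    with urllib.request.urlopen(req) as resp:
        return parse_scopes(resp.headers.get("X-OAuth-Scopes", ""))


def check_token(token: str) -> list:
    """Return a list of problems; an empty list means the token is usable for a full scan."""
    if token_kind(token) == "fine-grained":
        return ["fine-grained PATs are not supported (no GraphQL access)"]
    return [f"missing scope: {s}" for s in missing_scopes(fetch_scopes(token))]


if __name__ == "__main__":
    import os
    import sys
    problems = check_token(os.environ["LEGITIFY_TOKEN"])
    print("\n".join(problems) or "token OK")
    sys.exit(1 if problems else 0)
```

Run it with LEGITIFY_TOKEN exported, as in the Usage section; a non-zero exit means the scan would be incomplete.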

Usage

LEGITIFY_TOKEN=<your_token> legitify analyze

By default, legitify will check the policies against all of your resources (organizations, repositories, members, actions).

You can control which resources will be analyzed with the command-line flags namespace and org:

  • --namespace (-n): will analyze policies that relate to the specified resources
  • --org: will limit the analysis to the specified organizations
LEGITIFY_TOKEN=<your_token> legitify analyze --org org1,org2 --namespace organization,member

The above command will test organization and member policies against org1 and org2.

GitHub Enterprise Support

You can run legitify against a GitHub Enterprise instance if you set the endpoint URL in the environment variable SERVER_URL:

export SERVER_URL="https://github.example.com/"
LEGITIFY_TOKEN=<your_token> legitify analyze --org org1,org2 --namespace organization,member

GitLab Cloud/Server Support

To run legitify against GitLab Cloud, set the scm flag to gitlab (--scm gitlab); to run against GitLab Server you also need to provide SERVER_URL:

export SERVER_URL="https://gitlab.example.com/"
LEGITIFY_TOKEN=<your_token> legitify analyze --namespace organization --scm gitlab

Namespaces

Namespaces in legitify are the resources that are collected and run against the policies. Currently, the following namespaces are supported:

  1. organization – organization level policies (e.g., "Two-Factor Authentication Is Not Enforced for the Organization")
  2. actions – organization GitHub Actions policies (e.g., "GitHub Actions Runs Are Not Limited To Verified Actions")
  3. member – organization members policies (e.g., "Stale Admin Found")
  4. repository – repository level policies (e.g., "Code Review By At Least Two Reviewers Is Not Enforced")
  5. runner_group – runner group policies (e.g., "runner can be used by public repositories")

By default, legitify will analyze all namespaces. You can limit the analysis to selected ones with the --namespace flag, followed by a comma-separated list of the selected namespaces.

Output Options

By default, legitify will output the results in a human-readable format. This includes the list of policy violations listed by severity, as well as a summary table that is sorted by namespace.

Output Formats

Using the --output-format (-f) flag, legitify supports outputting the results in the following formats:

  1. human-readable – Human-readable text (default).
  2. json – Standard JSON.

Output Schemes

Using the --output-scheme flag, legitify supports outputting the results in different grouping schemes. Note: --output-format=json must be specified to output non-default schemes.

  1. flattened – No grouping; a flat listing of the policies, each with its violations (default).
  2. group-by-namespace – Group the policies by their namespace.
  3. group-by-resource – Group the policies by their resource, e.g. a specific organization/repository.
  4. group-by-severity – Group the policies by their severity.

Output Destinations

  • --output-file – full path of the output file (default: no output file, prints to stdout).
  • --error-file – full path of the error log (default: ./error.log).

Coloring

When outputting in the human-readable format, legitify supports the conventional --color[=when] flag, which has the following options:

  • auto – colored output if stdout is a terminal, uncolored otherwise (default).
  • always – colored output regardless of the output destination.
  • none – uncolored output regardless of the output destination.

Misc

  • Use the --failed-only flag to filter out passed/skipped checks from the result.
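The JSON format is what you feed into a pipeline, and the schemes and --failed-only flag above describe views over the same data. The script below is an added example, not legitify's own code: it reads the file written by `legitify analyze --output-format json --output-file legitify.json`, keeps only policies with FAILED violations (the programmatic counterpart of --failed-only), re-groups them by severity (what --output-scheme group-by-severity does inside the tool) and returns a non-zero exit code when a failed policy is at or above a chosen severity, so the scan can gate a CI job. The document shape (a "content" mapping of policy name to "policyInfo" and "violations", with a FAILED status and a CRITICAL/HIGH/MEDIUM/LOW ranking) is an assumption for this example and the embedded sample is constructed; check the field names against your own legitify output before relying on it.

```python
"""CI gate over legitify JSON output (added example, not legitify's own code).

Assumption: the flattened scheme is modelled as
  {"type": "flattened", "content": {policy_name: {"policyInfo": {...}, "violations": [...]}}}
with a "status" of "FAILED" on each violation. Verify against real output.
"""
import json
import sys

SEVERITY_ORDER = ["CRITICAL", "HIGH", "MEDIUM", "LOW"]   # assumed ranking, worst first

# Constructed sample in the assumed shape; not real legitify output.
SAMPLE_OUTPUT = json.dumps({
    "type": "flattened",
    "content": {
        "two_factor_authentication_not_required_for_org": {
            "policyInfo": {"title": "Two-Factor Authentication Is Not Enforced for the Organization",
                           "severity": "HIGH", "namespace": "organization",
                           "remediationSteps": ["Require 2FA in the organization's settings"]},
            "violations": [{"canonicalLink": "https://github.com/org1", "status": "FAILED"}],
        },
        "code_review_not_required": {
            "policyInfo": {"title": "Code Review By At Least Two Reviewers Is Not Enforced",
                           "severity": "LOW", "namespace": "repository",
                           "remediationSteps": ["Require two approving reviews in branch protection"]},
            "violations": [{"canonicalLink": "https://github.com/org1/repo-a", "status": "FAILED"},
                           {"canonicalLink": "https://github.com/org1/repo-b", "status": "FAILED"}],
        },
        "stale_admin_found": {
            "policyInfo": {"title": "Stale Admin Found", "severity": "MEDIUM",
                           "namespace": "member", "remediationSteps": []},
            "violations": [],   # passed: must not appear in the failed set
        },
    },
})


def rank(severity: str) -> int:
    """Position in SEVERITY_ORDER; lower is worse, unknown severities sort after LOW."""
    return SEVERITY_ORDER.index(severity) if severity in SEVERITY_ORDER else len(SEVERITY_ORDER)


def load_results(text: str) -> dict:
    """Parse the JSON document and return its policy mapping."""
    doc = json.loads(text)
    if doc.get("type") != "flattened":
        raise ValueError("expected --output-scheme flattened output")
    return doc["content"]


def failed_only(content: dict) -> dict:
    """Keep policies that have at least one FAILED violation (like --failed-only)."""
    return {name: rec for name, rec in content.items()
            if any(v.get("status") == "FAILED" for v in rec.get("violations", []))}


def group_by_severity(content: dict) -> dict:
    """Map severity -> sorted policy names, worst severity first (like group-by-severity)."""
    groups = {}
    for name, rec in content.items():
        groups.setdefault(rec["policyInfo"]["severity"], []).append(name)
    return {sev: sorted(groups[sev]) for sev in sorted(groups, key=rank)}


def exit_code(content: dict, fail_at: str = "HIGH") -> int:
    """1 if any failed policy is at least as severe as fail_at, else 0."""
    worst = min((rank(r["policyInfo"]["severity"]) for r in failed_only(content).values()),
                default=len(SEVERITY_ORDER))
    return int(worst <= rank(fail_at))


def report(content: dict) -> str:
    """Human-readable summary of failed policies, their resources and remediation steps."""
    lines = []
    failed = failed_only(content)
    for sev, names in group_by_severity(failed).items():
        for name in names:
            info = failed[name]["policyInfo"]
            lines.append(f"[{sev}] {info['title']} ({info['namespace']}/{name})")
            for v in failed[name]["violations"]:
                lines.append(f"    {v.get('canonicalLink', '?')}")
            for step in info.get("remediationSteps", []):
                lines.append(f"    fix: {step}")
    return "\n".join(lines)


if __name__ == "__main__":
    # Usage: python gate.py legitify.json  (falls back to the constructed sample)
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_OUTPUT
    content = load_results(text)
    print(report(content) or "no failed policies")
    sys.exit(exit_code(content, fail_at="HIGH"))
```

Pick fail_at to match your tolerance: HIGH fails the build on the 2FA finding in the sample but lets the LOW code-review finding through as a warning, while LOW makes any failed policy block.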

Scorecard Support

scorecard is an OSSF open-source project:

Scorecards is an automated tool that assesses a number of important heuristics ("checks") associated with software security and assigns each check a score of 0-10. You can use these scores to understand specific areas to improve in order to strengthen the security posture of your project. You can also assess the risks that dependencies introduce, and make informed decisions about accepting these risks, evaluating alternative solutions, or working with the maintainers to make improvements.

legitify supports running scorecard for all of the organization's repositories, enforcing score policies and showing the results using the --scorecard flag:

  • no – don't run scorecard (default).
  • yes – run scorecard and employ a policy that alerts on each repo score below 7.0.
  • verbose – run scorecard, employ a policy that alerts on each repo score below 7.0, and embed its output in legitify's output.

legitify runs the following scorecard checks (V = the check runs for that repository type):

Check                   Public Repository   Private Repository
Security-Policy         V
CII-Best-Practices      V
Fuzzing                 V
License                 V
Signed-Releases         V
Branch-Protection       V                   V
Code-Review             V                   V
Contributors            V                   V
Dangerous-Workflow      V                   V
Dependency-Update-Tool  V                   V
Maintained              V                   V
Pinned-Dependencies     V                   V
SAST                    V                   V
Token-Permissions       V                   V
Vulnerabilities         V                   V
Webhooks                V                   V

Policies

legitify comes with a set of policies in the policies/github directory. These policies are documented here.

In addition, you can use the --policies-path (-p) flag to specify a custom directory for OPA policies.

Contribution

Thank you for considering contributing to Legitify! We encourage and appreciate any kind of contribution. Here are some resources to help you get started:
