How to Use Legitify to Detect Misconfigurations

yayabobi - Aug 15 - - Dev Community

Are you sure your GitHub repository is the secure hub you think it is? Are you using branch protection properly? Do you have dormant users? You might have these misconfiguration issues and not even know it. Misconfigurations in GitHub and GitLab repositories are alarmingly common -- with at least 211 million public repositories hosted on GitHub, bad actors know they won't leave this platform empty-handed.

In 2023, 12.8 million authentication and sensitive secrets were exposed across 3 million public repositories. Even more shocking, only 1.8% of these users responded promptly to rectify the issue. These secrets included passwords, certificates, and API keys and remained viable for at least five days -- more than enough time for bad actors to get hold of them.

Robust security measures against such exposures are a must. Tools like Legitify are designed to help you detect and fix these misconfigurations, ensuring your repositories follow best security practices and become more resilient to cyber-attacks.  

What is Legitify?

Legitify is an open-source security tool designed to enforce and scale secure GitHub configurations. It scans your repositories and detects misconfigurations such as overly broad access permissions, lack of security policies, secrets exposure, or vulnerable dependencies in your repositories. 

With automated checks for common issues, Legitify fits into your continuous security plan and DevSecOps processes, helping you catch potential vulnerabilities in the early stages of the SDLC. Continuous monitoring enables you to manage your attack surface effectively, while policy enforcement ensures compliance across your organization, from enforcing two-factor authentication to managing external integrations.

a diagram of a gift configurary

Common GitHub Misconfigurations Legitify Can Discover

Unmaintained Dependencies 

Using outdated or unmaintained dependencies can introduce security vulnerabilities and stability issues to your project. Legitify scans your repositories to detect dependencies that are no longer maintained or have known vulnerabilities. For example, if your project has a dependency that has not been updated in two years, Legitify will flag it. You can then find a more secure dependency that is actively maintained.

a screenshot of a screen shot of a web page

Insecure Repository Permissions

If your permissions are too broad, there's a higher chance that users may abuse their powers (intentionally or not). External bad actors can also use an overly privileged account to enter your systems, access sensitive data, or insert malicious code. Legitify audits your settings to ensure only the right people can access your repositories, keeping your codebase secure.

Branch Protection Rule Violations 

Without enforced rules, unauthorized changes can slip into your main branches, compromising your project's integrity. Legitify helps enforce these rules so that only approved code gets merged. It checks for required status checks before merging, mandatory pull request reviews, and restrictions on who can push to the branch, thus safeguarding your codebase.

a diagram of a flow of water and a flow of water

Unrestricted Workflow Permissions 

Workflows with excessive permissions can lead to unauthorized access and code execution within your GitHub repositories and broader internal developer platform. Legitify checks and restrict workflow permissions---they are only provided the permissions they need to function---which prevents malicious actions that could compromise your project.

a screenshot of a web page with a question box highlighted

Security Risks of GitHub Misconfigurations

Unauthorized Access

Misconfigured repository permissions can allow unauthorized users to infiltrate your codebase. This access can lead to malicious actors stealing sensitive information, tampering with your code, or even deleting critical repositories, putting your entire project at risk.

Code Injection and Modification

Without proper branch protection and security policies, bad actors can make unauthorized changes to your codebase. They can then introduce malicious code, create backdoors, or install malware to compromise your applications. 

Data Leaks

Misconfigurations that expose sensitive information---such as personal data, proprietary code, or business secrets---can lead to significant data leaks. These leaks can damage your company's reputation and result in financial losses and legal ramifications.

Supply Chain Attacks

Attackers frequently target software supply chains by compromising dependencies or injecting malicious code into repositories. Misconfigured repositories make it easier for these threats to infiltrate and potentially affect your application, users, and partners. Without 360-degree asset visibility, spotting these gaps on your attack surface can be challenging.  

a diagram of supply chain attack anatomy

Regulatory Non-Compliance

Failure to adhere to security standards and regulations due to misconfigurations can lead to non-compliance with laws like GDPR, HIPAA, or PCI-DSS. This oversight can result in hefty fines, legal actions, and a loss of trust from customers and stakeholders.

How to Use Legitify to Detect Misconfigurations

As a complete DevOps toolchain, Jit allows for the seamless integration and management of Legitify to detect and remediate misconfigurations within your GitHub repositories. Its out-of-the-box Security Plans are simple to implement and encompass best practices and strategies to safeguard and manage the various components of your tech stack, including GitHub itself. Here's a step-by-step guide on how to use Legitify, both with and without Jit:

Step 1: Installing Legitify

You can install Legitify directly without any prerequisites using Homebrew for macOS or Linux. 

Alternatively, you can install Legitify for source or through a GitHub CLI extension. With these methods, you need to first check that you have Go installed on your system. If not, download and install it from the official Go website. 

For macOS (or Linux) using Homebrew:

brew install legitify
Enter fullscreen mode Exit fullscreen mode

From Source:

git clone
git@github.com
:Legit-Labs/legitify.git
cd legitify
go run main.go analyze ...
Enter fullscreen mode Exit fullscreen mode

As a GitHub CLI Extension:

gh extension install legit-labs/gh-legitify
gh legitify
Enter fullscreen mode Exit fullscreen mode

Step 2: Setting Up Authentication

Legitify needs to authenticate with your GitHub account to access your repositories. With Jit, this process is simplified through a Generate PAT button in the Integration window. This feature selects the required permissions for you automatically. You just need to select the expiry date for the token and click Create.

a screenshot of a computer screen with a text description

For manual setup through GitHub, go to your account and generate a Personal Access Token (PAT) with the required permissions:

 

- admin:org
- read:enterprise
- admin:org_hook
- read:org
- repo
- read:repo_hook
Enter fullscreen mode Exit fullscreen mode

Copy the generated PAT.

If your organization uses SSO, authorize the new token by clicking "Configure SSd then "Authorize" next to your organization's name.

To configure Legitify within Jit, locate the Legitify tile on the Integrations page. Then select Connect and provide the copied PAT. If you are not using Jit, you will use this token in the next step.

Step 3: Executing Legitify

Once Legitify has been connected as an integration through Jit, you can select the GitHub Security Plan and activate the following plan items:

  • Legitify Branch Protection
  • Legitify External Protection
  • Legitify Access Management

a screenshot of a dashboard showing the different settings

Jit then runs the GitHub Misconfiguration Scanner on a regular schedule. No additional scheduling, management, or configuration is required on your part.

If you are using Legitify without Jit, you will need to run the following command, subbing your PAT for every time you want Legitify to analyze your organization's repositories for misconfigurations:

SCM_TOKEN=<your_token> legitify analyze
Enter fullscreen mode Exit fullscreen mode

Step 4: Reviewing Findings

Legitify provides a comprehensive report of detected misconfigurations in a human-readable format. When integrated with Jit, these findings are automatically added to the Backlog page for your review. The Backlog is a collection of all your organization's security findings that can be easily searched.

a screenshot of a dashboard showing the different settings

Moving Towards a Secure Development Environment

Keeping your GitHub configurations secure is vital for a safe development environment, and security tools like Legitify make spotting and fixing harmful misconfigurations easier than ever. 

By automating regular scans with Legitify, you can reduce the risks of misconfigurations, guaranteeing that your development process stays strong and secure. And that's just the beginning. Jit offers a comprehensive and tailored security plan as well as integrations with various powerful security tools and controls to protect your entire environment, from development to post-deployment stages. Explore more here.

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .