{"id":13645920,"url":"https://github.com/legit-labs/legitify","last_synced_at":"2025-05-15T02:07:35.538Z","repository":{"id":45666544,"uuid":"513947555","full_name":"Legit-Labs/legitify","owner":"Legit-Labs","description":"Detect and remediate misconfigurations and security risks across all your GitHub and GitLab assets","archived":false,"fork":false,"pushed_at":"2025-03-28T22:50:27.000Z","size":4494,"stargazers_count":802,"open_issues_count":16,"forks_count":64,"subscribers_count":15,"default_branch":"main","last_synced_at":"2025-05-08T20:44:13.859Z","etag":null,"topics":["ci","devops","devsecops","github","gitlab","golang","sdlc-security","security","security-scanner","supply-chain-security"],"latest_commit_sha":null,"homepage":"https://legitify.dev","language":"Go","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"apache-2.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/Legit-Labs.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":"CONTRIBUTING.md","funding":null,"license":"LICENSE","code_of_conduct":"CODE_OF_CONDUCT.md","threat_model":null,"audit":null,"citation":null,"codeowners":".github/CODEOWNERS","security":"SECURITY.md","support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null}},"created_at":"2022-07-14T15:10:54.000Z","updated_at":"2025-05-05T22:01:49.000Z","dependencies_parsed_at":"2023-09-26T16:57:06.744Z","dependency_job_id":"4ae4bf40-f7f8-4ca9-b565-fb021484fa86","html_url":"https://github.com/Legit-Labs/legitify","commit_stats":{"total_commits":238,"total_committers":30,"mean_commits":7.933333333333334,"dds":0.6596638655462185,"last_synced_commit":"038aa49473a6974a3ef79f6c76b949b689d23282"},"previous_names":[],"tags_count":34,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/Legit-Labs%2Flegitify","tags_u
rl":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/Legit-Labs%2Flegitify/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/Legit-Labs%2Flegitify/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/Legit-Labs%2Flegitify/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/Legit-Labs","download_url":"https://codeload.github.com/Legit-Labs/legitify/tar.gz/refs/heads/main","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":254259383,"owners_count":22040820,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["ci","devops","devsecops","github","gitlab","golang","sdlc-security","security","security-scanner","supply-chain-security"],"created_at":"2024-08-02T01:02:45.009Z","updated_at":"2025-05-15T02:07:30.530Z","avatar_url":"https://github.com/Legit-Labs.png","language":"Go","funding_links":[],"categories":["Others"],"sub_categories":[],"readme":"\u003cdiv align=\"center\"\u003e\n \n[![Build \u0026 Test](https://github.com/Legit-Labs/legitify/actions/workflows/build_and_test.yaml/badge.svg)](https://github.com/Legit-Labs/legitify/actions/workflows/build_and_test.yaml)\n[![Code Analysis](https://github.com/Legit-Labs/legitify/actions/workflows/code_analysis.yaml/badge.svg)](https://github.com/Legit-Labs/legitify/actions/workflows/code_analysis.yaml)\n[![Version Releaser](https://github.com/Legit-Labs/legitify/actions/workflows/release.yaml/badge.svg)](https://github.com/Legit-Labs/legitify/actions/workflows/release.yaml)\n[![Build 
Docs](https://github.com/Legit-Labs/legitify/actions/workflows/build_docs.yaml/badge.svg)](https://github.com/Legit-Labs/legitify/actions/workflows/build_docs.yaml)\n[![Go Report Card](https://goreportcard.com/badge/github.com/Legit-Labs/legitify)](https://goreportcard.com/report/github.com/Legit-Labs/legitify)\n\u003cimg referrerpolicy=\"no-referrer-when-downgrade\" src=\"https://static.scarf.sh/a.png?x-pxid=6f4cbb25-54f4-4c47-b611-9b741732bb86\" /\u003e\n\u003cbr/\u003e\n \u003cimg width=\"250\" alt=\"Legitify Logo\" src=\"https://user-images.githubusercontent.com/74864790/174815311-746a0c98-9a1f-44a9-808c-035788edfd4d.png\"\u003e\n\nStrengthen the security posture of your source-code management! \u003cbr/\u003e\nDetect and remediate misconfigurations, security and compliance issues across all your GitHub and GitLab assets with ease 🔥 \u003cbr/\u003e\nby [Legit Security](https://www.legitsecurity.com/).\n\n\u003cb\u003e\nWonder what Legit Security does?\n\u003c/b\u003e\n\nLegit Security is an application security posture management (ASPM) and software supply chain security solution.\u003cbr/\u003e\nFor more information check out the [comparison table](#legitify-vs-the-legit-security-platform)\n\n\u003c/div\u003e\n\n\nhttps://user-images.githubusercontent.com/107790206/210602039-2d022692-87ea-4005-b9c6-f091158de3ce.mov\n\n## Installation\n\nInstallation is possible in several ways:\n\n- For macOS (or linux) using homebrew:\n\n```\nbrew install legitify\n```\n\n- You can download the latest legitify release from https://github.com/Legit-Labs/legitify/releases, each archive contains:\n\n  - Legitify binary for the desired platform\n  - Built-in policies provided by Legit Security\n\n- From source with the following steps:\n\n```\ngit clone git@github.com:Legit-Labs/legitify.git\ngo run main.go analyze ...\n```\n\n- As a GitHub CLI extension (check out https://github.com/Legit-Labs/gh-legitify for more information)\n\n```\ngh extension install 
legit-labs/gh-legitify\ngh legitify\n```\n\n## CI - Legitify Custom GitHub Action\n\nYou can run legitify as part of a CI process with the legitify custom GitHub Action:\n\n```\nname: Legitify Analyze\non:\n    workflow_dispatch:\n    schedule:\n      - cron: '0 11 * * 1-5'\n\njobs:\n  analyze:\n    runs-on: ubuntu-latest\n    steps:\n      - name: Legitify Action\n        uses: Legit-Labs/legitify@main\n        with:\n          github_token: ${{ secrets.PAT_FOR_LEGITIFY }}\n          ignore-policies: |\n             non_admins_can_create_public_repositories\n             requires_status_checks\n```\n\nCheck out the [action file](https://github.com/Legit-Labs/legitify/blob/main/action.yml) for additional parameters\nand configuration.\n\n## Provenance\n\nTo enhance the software supply chain security of legitify's users, as of v0.1.6, every legitify release contains a [SLSA Level 3 Provenance](https://github.com/slsa-framework/slsa-github-generator/blob/main/internal/builders/generic/README.md) document.  \nThe provenance document refers to all artifacts in the release, as well as the generated docker image.  \nYou can use [SLSA framework's official verifier](https://github.com/slsa-framework/slsa-verifier) to verify the provenance.  \nExample of usage for the darwin_arm64 architecture for the v0.1.6 release:\n\n```\nVERSION=0.1.6\nARCH=darwin_arm64\n./slsa-verifier verify-artifact --source-branch main --builder-id 'https://github.com/slsa-framework/slsa-github-generator/.github/workflows/generator_generic_slsa3.yml@refs/tags/v1.2.2' --source-uri \"git+https://github.com/Legit-Labs/legitify\" --provenance-path multiple.intoto.jsonl ./legitify_${VERSION}_${ARCH}.tar.gz\n```\n\n## Commands\n\n### analyze\n\n```\nSCM_TOKEN=\u003cyour_token\u003e legitify analyze\n```\n\nBy default, legitify will check the policies against all your resources (organizations, repositories, members, actions). 
Archived repositories are skipped.\n\nYou can control which resources will be analyzed with command-line flags such as `--namespace` and `--org`:\n\n- `--namespace (-n)`: will analyze policies that relate to the specified resources\n- `--org`: will limit the analysis to the specified GitHub organizations or GitLab group, excluding archived repositories\n- `--repo`: will limit the analysis to the specified GitHub repositories or GitLab projects\n- `--scm`: specify the source code management platform. Possible values are: `github` or `gitlab`. Defaults to `github`. Please note: when running on GitLab, `--scm gitlab` is required.\n- `--enterprise`: will specify which enterprises should be analyzed. Please note: in order to analyze an enterprise, an enterprise slug must be provided.\n\n```\nSCM_TOKEN=\u003cyour_token\u003e legitify analyze --org org1,org2 --namespace organization,member\n```\n\nThe above command will test organization and member policies against org1 and org2.\n\n### gpt-analysis\n\n```\nSCM_TOKEN=\u003cyour_token\u003e OPENAI_TOKEN=\u003ctoken\u003e ./legitify gpt-analysis --repo org1/repo1 --org org1\n```\n\nGPT-3-based analysis of the security posture of the provided repository or organization.\n\n**NOTE: The repository/organization metadata is sent to OpenAI servers.**\n\nFlags:\n\n- `--org`: will limit the analysis to the specified GitHub organizations or GitLab group\n- `--repo`: will limit the analysis to the specified GitHub repositories or GitLab projects\n- `--scm`: specify the source code management platform. Possible values are: `github` or `gitlab`. Defaults to `github`.\n- `--token`: token for the SCM (or set the SCM_TOKEN environment variable)\n- `--openai-token`: token for the OpenAI API (or set the OPENAI_TOKEN environment variable)\n\nYou must provide `--org`, `--repo`, or both.\n\nGenerating an OpenAI token:\n\n1. Go to https://beta.openai.com/signup and create an OpenAI account\n2. 
Under https://platform.openai.com/account/api-keys press \"Create new secret key\"\n\n## GitHub Action Usage\n\nYou can also run legitify as a GitHub action in your workflows, see the **action_examples** directory for concrete examples.\n\n## Requirements\n\n### GitHub (Cloud and Enterprise Server)\n\n1. To get the most out of legitify, you need to be an owner of at least one GitHub organization. Otherwise, you can still use the tool if you're an admin of at least one repository inside an organization, in which case you'll be able to see only repository-related policies results.\n2. legitify requires a GitHub personal access token (PAT) to analyze your resources successfully, which can be either provided as an argument (`-t`) or as an environment variable (`SCM_TOKEN`).\n   The PAT needs the following scopes for full analysis:\n\n```\nadmin:org, read:enterprise, admin:org_hook, read:org, repo, read:repo_hook\n```\n\nSee [Creating a Personal Access Token](https://docs.github.com/en/authentication/keeping-your-account-and-data-secure/creating-a-personal-access-token) for more information.  \nFine-grained personal access tokens are currently not supported.\n\n### GitHub Enterprise Server\n\nYou can run legitify against a GitHub Enterprise Server instance if you set the endpoint URL in the environment variable `SERVER_URL`:\n\n```sh\nexport SERVER_URL=\"https://github.example.com/\"\nSCM_TOKEN=\u003cyour_token\u003e legitify analyze --org org1,org2 --namespace organization,member\n```\n\n### GitLab Cloud/Server\n\n1. As mentioned in the previous section, you need to be an owner of at least one GitLab group. Otherwise, you can still use the tool if you're an admin of at least one project inside a group, in which case you'll be able to see only project-related policies results.\n2. 
legitify requires a GitLab personal access token (PAT) to analyze your resources successfully, which can be either provided as an argument (`-t`) or as an environment variable (`SCM_TOKEN`).\n   The PAT needs the following scopes for full analysis:\n   `read_api, read_user, read_repository, read_registry`\n   See [Creating a Personal Access Token](https://docs.gitlab.com/ee/user/profile/personal_access_tokens.html) for more information.  \n   To run legitify against GitLab Cloud, set the scm flag to gitlab (`--scm gitlab`); to run against a GitLab Server instance you also need to provide a SERVER_URL:\n\n```sh\nexport SERVER_URL=\"https://gitlab.example.com/\"\nSCM_TOKEN=\u003cyour_token\u003e legitify analyze --namespace organization --scm gitlab\n```\n\n\u003e **_NOTE 1:_** To ignore an invalid server certificate, please pass the `ignore-invalid-certificate` flag\n\n\u003e **_NOTE 2:_** For non-premium GitLab accounts some policies (such as branch protection policies) will be skipped\n\n## Namespaces\n\nNamespaces in legitify are resources that are collected and run against the policies.\nCurrently, the following namespaces are supported:\n\n1. `organization` - GitHub organization (or GitLab group) level policies (e.g., \"Two-Factor Authentication Is Not Enforced for the Organization\")\n2. `actions` - organization GitHub Actions policies (e.g., \"GitHub Actions Runs Are Not Limited To Verified Actions\")\n3. `member` - contributor level policies (e.g., \"Stale Admin Found\")\n4. `repository` - GitHub repository (or GitLab Project) level policies (e.g., \"Code Review By At Least Two Reviewers Is Not Enforced\"). Note: Archived repositories are ignored unless specified directly via the `--repo` argument.\n5. `runner_group` - runner group policies (e.g., \"runner can be used by public repositories\")\n\nBy default, legitify will analyze all namespaces. 
You can limit only to selected ones with the `--namespace` flag, and then a comma separated list of the selected namespaces.\n\n## Output Options\n\nBy default, legitify will output the results in a human-readable format.\nThis includes the list of policy violations listed by severity,\nas well as a summary table that is sorted by namespace.\n\n### Output Formats\n\nUsing the `--output-format (-f)` flag, legitify supports outputting the results in the following formats:\n\n1. `human-readable` - Human-readable text (default).\n2. `json` - Standard JSON.\n3. `sarif` - SARIF format ([info](https://sarifweb.azurewebsites.net/)).\n\n### Output Schemes\n\nUsing the `--output-scheme` flag, legitify supports outputting the results in different grouping schemes.\nNote: `--output-format=json` must be specified to output non-default schemes.\n\n1. `flattened` - No grouping; A flat listing of the policies, each with its violations (default).\n2. `group-by-namespace` - Group the policies by their namespace.\n3. `group-by-resource` - Group the policies by their resource e.g. specific organization/repository.\n4. 
`group-by-severity` - Group the policies by their severity.\n\n### Output Destinations\n\n- `--output-file` - full path of the output file (default: no output file, prints to stdout).\n- `--error-file` - full path of the error logs (default: ./error.log).\n\n### Coloring\n\nWhen outputting in a human-readable format, legitify supports the conventional `--color[=when]` flag, which has the following options:\n\n- `auto` - colored output if stdout is a terminal, uncolored otherwise (default).\n- `always` - colored output regardless of the output destination.\n- `none` - uncolored output regardless of the output destination.\n\n### Misc\n\n- Use the `--failed-only` flag to filter out passed/skipped checks from the result.\n- Use the `--ignore-policies-path $PATH` and provide a file with the policies you want to ignore to skip specific policies.\n  One policy per line, e.g.\n\n  ```\n  no_conversation_resolution\n  requires_status_checks\n  ```\n\n## Scorecard Support - Only for GitHub server/cloud repositories\n\n[Scorecard](https://github.com/ossf/scorecard) is an OSSF open-source project:\n\n\u003e Scorecards is an automated tool that assesses a number of important heuristics (\"checks\") associated with software security and assigns each check a score of 0-10. You can use these scores to understand specific areas to improve in order to strengthen the security posture of your project. 
You can also assess the risks that dependencies introduce, and make informed decisions about accepting these risks, evaluating alternative solutions, or working with the maintainers to make improvements.\n\nlegitify supports running scorecard for all of the organization's repositories, enforcing score policies and showing the results using the `--scorecard` flag:\n\n- `no` - do not run scorecard (default).\n- `yes` - run scorecard and employ a policy that alerts on each repo score below 7.0.\n- `verbose` - run scorecard, employ a policy that alerts on each repo score below 7.0, and embed its output into legitify's output.\n\nlegitify runs the following scorecard checks:\n\n|Check|Public Repository|Private Repository|\n|--|--|--|\n|Security-Policy|V||\n|CII-Best-Practices|V||\n|Fuzzing|V||\n|License|V||\n|Signed-Releases|V||\n|Branch-Protection|V|V|\n|Code-Review|V|V|\n|Contributors|V|V|\n|Dangerous-Workflow|V|V|\n|Dependency-Update-Tool|V|V|\n|Maintained|V|V|\n|Pinned-Dependencies|V|V|\n|SAST|V|V|\n|Token-Permissions|V|V|\n|Vulnerabilities|V|V|\n|Webhooks|V|V|\n\n## Policies\n\nlegitify comes with a set of policies for each SCM in the `policies/` directory.\n\nThese policies are documented [here](https://legitify.dev).\n\n## Contribution\n\nThank you for considering contributing to Legitify! We encourage and appreciate any kind of contribution.\nHere are some resources to help you get started:\n\n- [Contribution Guide](https://github.com/Legit-Labs/legitify/blob/main/CONTRIBUTING.md)\n- [Code of Conduct](https://github.com/Legit-Labs/legitify/blob/main/CODE_OF_CONDUCT.md)\n- [Open an Issue](https://github.com/Legit-Labs/legitify/issues/new/choose)\n- [Open a Pull Request](https://github.com/Legit-Labs/legitify/compare)\n\n## Support\n\nIf you have questions about legitify or need any assistance with its operation, don't hesitate to [reach out](mailto:legitify@legitsecurity.com). 
Our team is committed to providing support and ensuring a smooth experience.\n\n## Legitify vs. the Legit Security platform\n\nIf you liked Legitify, you are going to love the Legit Security Platform!\n\n- It automates Legitify checks for entire environments, discovers more systems and shows all results in a simple web app to manage at scale.\n- Legit Security is a complete CI/CD security solution together with Application Security Posture Management (ASPM) that covers application security end-to-end.\n- It is a SaaS platform, built for engineering, DevOps and security teams and trusted by many leading organizations around the world.\n\nBelow is a feature comparison between Legitify and Legit:\n\n| **Capability** | **Legitify** | **Legit Security Platform** |\n|---|---|---|\n| Supported platforms | GitHub \u003cbr\u003e GitLab | ALL major SCMs (incl. Azure DevOps, Bitbucket and more)\u003cbr\u003e CI/CD systems (e.g. Jenkins) \u003cbr\u003e Package registries (e.g. JFrog Artifactory)\u003cbr\u003eCloud providers (e.g. AWS) |\n| Risk detection | SCM Misconfigurations only | SCM Misconfigurations \u003cbr\u003e CI Misconfigurations \u003cbr\u003e CD Misconfigurations \u003cbr\u003e Package Registry Misconfigurations \u003cbr\u003e Pipeline risks \u003cbr\u003e Secrets \u003cbr\u003e IaC \u003cbr\u003e Security Incidents \u003cbr\u003e And more... |\n| Compliance report | [OSSF SCM Best Practices](https://best.openssf.org/SCM-BestPractices/) | SSDF \u003cbr\u003e SLSA \u003cbr\u003e SOC2 \u003cbr\u003e ISO 27001 \u003cbr\u003e FedRAMP \u003cbr\u003e And more... 
|\n| Policy drift detection | Can be detected periodically through Legitify's GitHub Action | Get real-time alerts when a misconfiguration is introduced |\n| SDLC assets management | - | Yes |\n| Issue \u0026 policy management | - | Yes |\n| Code To Cloud context | - | Yes (contextualized information enables smarter prioritization) |\n| Workspaces \u0026 product groups | - | Yes |\n| Ticketing \u0026 alerting | - | Jira, Slack, and more |\n| Ingest risk | - | Import APIs and integrations with SAST, SCA and other testing solutions |\n| REST APIs | - | Yes |\n\nTo check out Legit, visit our [website](https://www.legitsecurity.com/) or directly [book a demo](https://info.legitsecurity.com/book-a-demo)\n\n\u003cdiv align=\"center\"\u003e\n \u003ca href=\"https://www.legitsecurity.com\"\u003e\n  \u003cimg width=\"250\" alt=\"Legitify Logo\" src=\"https://github.com/Legit-Labs/legitify/assets/74864790/c76dc765-e8fd-498e-ab92-1228eb5a1f2d\"\u003e\n \u003c/a\u003e\n\u003c/div\u003e\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Flegit-labs%2Flegitify","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Flegit-labs%2Flegitify","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Flegit-labs%2Flegitify/lists"}