legitify by Legit-Labs

CLI tool for detecting SCM misconfigurations and security risks

created 3 years ago
813 stars

Top 44.4% on sourcepulse

Project Summary

Legitify is an open-source tool designed to detect and remediate misconfigurations and security risks across GitHub and GitLab assets. It targets developers, security engineers, and DevOps teams seeking to strengthen their software supply chain security and application security posture management (ASPM). The tool provides automated checks against a comprehensive set of policies, offering actionable insights for improving security configurations.

How It Works

Legitify operates by analyzing configurations of GitHub and GitLab organizations, repositories, members, and actions against a predefined set of security and compliance policies. It leverages the GitHub and GitLab APIs to fetch relevant data and then evaluates it against these policies. The tool supports custom policy definitions and integrates with Scorecard for additional security assessments, providing detailed reports in various formats like JSON and SARIF.

Quick Start & Requirements

  • Installation: brew install legitify (macOS/Linux), download releases from GitHub, or build from source. Can also be used as a GitHub CLI extension (gh extension install legit-labs/gh-legitify).
  • Requirements: GitHub or GitLab account with owner/admin privileges. A Personal Access Token (PAT) for the respective platform with specific scopes (e.g., admin:org, repo for GitHub; read_api, read_repository for GitLab). Fine-grained GitHub PATs are not supported.
  • Setup: Minimal setup if using Homebrew. Building from source requires Go. Running requires PATs.
  • Documentation: Comparison table

Highlighted Details

  • Detects misconfigurations and security risks across GitHub and GitLab.
  • Supports analysis of organizations, repositories, members, actions, and runner groups.
  • Offers multiple output formats (human-readable, JSON, SARIF) and output schemes (flattened, group-by-namespace, etc.).
  • Integrates with OSSF Scorecard for enhanced repository security assessment.
  • Provides SLSA Level 3 Provenance for releases to enhance supply chain security.

Maintenance & Community

The project is maintained by Legit Security. The README encourages contributions and provides links to a Contribution Guide, Code of Conduct, and issue/pull request processes. Support is available via the project's channels.

Licensing & Compatibility

The project appears to be licensed under the Apache License 2.0. The README does not mention specific restrictions for commercial use or closed-source linking.

Limitations & Caveats

For non-premium GitLab accounts, certain policies (like branch protection) may be skipped. The gpt-analysis command sends repository/organization metadata to OpenAI servers. Archived repositories are skipped by default unless explicitly targeted.

Health Check

Last commit: 4 months ago
Responsiveness: 1 week
Pull Requests (30d): 0
Issues (30d): 1
Star History: 14 stars in the last 90 days
