Strengthen the security posture of your GitHub organization!
Detect and remediate misconfigurations, security and compliance issues across all your GitHub assets with ease
Installation
- You can download the latest legitify release from https://github.com/Legit-Labs/legitify/releases, each archive contains:
- Legitify binary for the desired platform
- Built-in policies provided by Legit Security
- From source with the following steps:
Provenance
To enhance the software supply chain security of legitify’s users, as of v0.1.6, every legitify release contains a SLSA Level 3 Provenance document.
The provenance document refers to all artifacts in the release, as well as the generated docker image.
You can use SLSA framework’s official verifier to verify the provenance.
Example of usage for the darwin_arm64 architecture for the v0.1.6 release:
VERSION=0.1.6
ARCH=darwin_arm64
./slsa-verifier verify-artifact --source-branch main --builder-id 'https://github.com/slsa-framework/slsa-github-generator/.github/workflows/generator_generic_slsa3.yml@refs/tags/v1.2.2' --source-uri "git+https://github.com/Legit-Labs/legitify" --provenance-path multiple.intoto.jsonl ./legitify_${VERSION}_${ARCH}.tar.gz
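slsa-verifier checks the signature on the provenance and the builder identity; what it is checking underneath is that the SHA-256 of the archive you downloaded appears as a subject of the signed in-toto statement inside multiple.intoto.jsonl. The following added example (not part of legitify or the slsa-verifier project) parses a DSSE envelope line in that format and performs that subject-digest comparison, so you can see which artifacts a provenance file covers. It assumes the envelope layout used by slsa-github-generator (base64 payload holding an in-toto statement with a subject list); the sample archive bytes, subject name and signature value are constructed placeholders, and no signature is verified here.

```python
import base64
import hashlib
import json

# Constructed sample artifact: stands in for legitify_0.1.6_darwin_arm64.tar.gz.
ARCHIVE_NAME = "legitify_0.1.6_darwin_arm64.tar.gz"
ARCHIVE_BYTES = b"constructed tarball contents, not a real release"


def make_sample_provenance_line(name, data):
    """Build one DSSE envelope line (constructed sample) the way
    multiple.intoto.jsonl carries it: base64(in-toto statement) plus signatures.
    The signature value is a placeholder; only the subject list matters here."""
    statement = {
        "_type": "https://in-toto.io/Statement/v0.1",
        "predicateType": "https://slsa.dev/provenance/v0.2",
        "subject": [
            {"name": name, "digest": {"sha256": hashlib.sha256(data).hexdigest()}}
        ],
        "predicate": {
            "builder": {
                "id": "https://github.com/slsa-framework/slsa-github-generator/"
                      ".github/workflows/generator_generic_slsa3.yml@refs/tags/v1.2.2"
            }
        },
    }
    envelope = {
        "payloadType": "application/vnd.in-toto+json",
        "payload": base64.b64encode(json.dumps(statement).encode()).decode(),
        "signatures": [{"keyid": "", "sig": "placeholder-not-a-real-signature"}],
    }
    return json.dumps(envelope)


SAMPLE_JSONL = make_sample_provenance_line(ARCHIVE_NAME, ARCHIVE_BYTES)


def covered_subjects(jsonl_text):
    """Return {subject name: sha256 hex} for every envelope line in the file.
    Lines that are not in-toto payloads are skipped rather than trusted."""
    subjects = {}
    for line in jsonl_text.splitlines():
        if not line.strip():
            continue
        envelope = json.loads(line)
        if envelope.get("payloadType") != "application/vnd.in-toto+json":
            continue
        statement = json.loads(base64.b64decode(envelope["payload"]))
        for subject in statement.get("subject", []):
            digest = subject.get("digest", {}).get("sha256")
            if digest:
                subjects[subject["name"]] = digest.lower()
    return subjects


def provenance_covers(jsonl_text, artifact_name, artifact_bytes):
    """True only if the provenance lists this artifact name with a sha256 that
    matches the bytes on disk. A renamed or tampered archive fails this check."""
    expected = covered_subjects(jsonl_text).get(artifact_name)
    if expected is None:
        return False
    return hashlib.sha256(artifact_bytes).hexdigest() == expected


if __name__ == "__main__":
    print("subjects:", covered_subjects(SAMPLE_JSONL))
    print("covers archive:", provenance_covers(SAMPLE_JSONL, ARCHIVE_NAME, ARCHIVE_BYTES))
```

With a real release, read multiple.intoto.jsonl and the downloaded archive from disk and pass them to `provenance_covers`; a `False` result means the archive is not the one the build attested, regardless of whether the signature on the envelope is valid. Keep running slsa-verifier as well, since only it ties the statement to the GitHub-hosted builder.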
Requirements
- To get the most out of legitify, you need to be an owner of at least one GitHub organization. Otherwise, you can still use the tool if you’re an admin of at least one repository inside an organization, in which case you’ll be able to see only repository-related policies results.
- legitify requires a GitHub personal access token (PAT) to analyze your resources successfully, which can be either provided as an argument (-t) or as an environment variable ($GITHUB_ENV). The PAT needs the following scopes for full analysis:
admin:org, read:enterprise, admin:org_hook, read:org, repo, read:repo_hook
See Creating a Personal Access Token for more information.
Fine-grained personal access tokens are currently not supported because they do not support GitHub’s GraphQL API (https://github.blog/2022-10-18-introducing-fine-grained-personal-access-tokens-for-github/).
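Before running an analysis it is worth confirming that the PAT carries exactly the scopes listed above and nothing broader, since a token with admin:org and repo is a high-value credential. GitHub reports a classic PAT's scopes in the X-OAuth-Scopes response header of any authenticated request to api.github.com. The added example below (not part of legitify) parses that header value and reports which required scopes are missing, expanding parent scopes such as admin:org to the read:org they include. The scope hierarchy table is an assumption written from GitHub's documented scope groups; the header values are constructed samples.

```python
# Scopes legitify needs for a full analysis, as listed in the README.
REQUIRED_SCOPES = {
    "admin:org", "read:enterprise", "admin:org_hook",
    "read:org", "repo", "read:repo_hook",
}

# Assumed parent -> children relationships between classic PAT scopes.
# Holding the parent grants everything under it, so it satisfies a child
# requirement. Only the groups relevant to legitify's list are modelled.
IMPLIED_SCOPES = {
    "admin:org": {"write:org", "read:org"},
    "write:org": {"read:org"},
    "admin:repo_hook": {"write:repo_hook", "read:repo_hook"},
    "write:repo_hook": {"read:repo_hook"},
    "admin:enterprise": {"manage_billing:enterprise", "read:enterprise"},
}


def parse_scopes_header(header_value):
    """X-OAuth-Scopes is a comma-separated list; empty header means no scopes."""
    return {s.strip() for s in header_value.split(",") if s.strip()}


def expand_scopes(scopes):
    """Transitive closure over IMPLIED_SCOPES: the full set a token effectively holds."""
    effective = set(scopes)
    frontier = list(scopes)
    while frontier:
        for child in IMPLIED_SCOPES.get(frontier.pop(), ()):
            if child not in effective:
                effective.add(child)
                frontier.append(child)
    return effective


def missing_scopes(header_value, required=REQUIRED_SCOPES):
    """Required scopes that the token does not hold directly or via a parent."""
    return sorted(required - expand_scopes(parse_scopes_header(header_value)))


def excess_scopes(header_value, required=REQUIRED_SCOPES):
    """Granted scopes beyond what the required set itself implies (least-privilege check)."""
    needed = expand_scopes(required)
    return sorted(parse_scopes_header(header_value) - needed)


if __name__ == "__main__":
    # Constructed header values; obtain the real one with e.g.
    #   curl -sI -H "Authorization: token $LEGITIFY_TOKEN" https://api.github.com/user
    full = "admin:org, read:enterprise, admin:org_hook, repo, read:repo_hook"
    print("missing:", missing_scopes(full))
    print("missing:", missing_scopes("read:org, repo"))
    print("excess :", excess_scopes(full + ", delete_repo"))
```

A token that yields an empty `missing_scopes` list will run every policy namespace; one that reports missing admin:org or read:enterprise will still work but only return repository-level results, matching the behaviour described in the first requirement above. `excess_scopes` flags grants such as delete_repo that legitify never uses and that should be removed from the token.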
Usage
LEGITIFY_TOKEN=<your_token> legitify analyze
By default, legitify will check the policies against all your resources (organizations, repositories, members, actions).
You can control which resources will be analyzed with the command-line flags --namespace and --org:
- --namespace (-n): will analyze policies that relate to the specified resources
- --org: will limit the analysis to the specified organizations
LEGITIFY_TOKEN=<your_token> legitify analyze --org org1,org2 --namespace organization,member
The above command will test organization and member policies against org1 and org2.
GitHub Enterprise Support
You can run legitify against a GitHub Enterprise instance if you set the endpoint URL in the environment variable SERVER_URL:
export SERVER_URL="https://github.example.com/"
LEGITIFY_TOKEN=<your_token> legitify analyze --org org1,org2 --namespace organization,member