How scanning GitHub can help secure the open-source software supply chain

Supply chain security attacks have changed cybersecurity forever. Ever since President Biden released his Executive Order on Improving the Nation’s Cybersecurity following the Log4j and SolarWinds breach debacles, open-source security has been a top priority for organizations.

In fact, research shows that 73% of organizations have adopted measures to secure their software supply chains.

Continuing this trend, SaaS security provider Legit Security today announced the launch of Legitify, a new open-source security tool designed to help enterprises secure their GitHub implementations. The solution will enable security and devops teams to scan GitHub configurations at scale and ensure the integrity of open-source software. 

GitHub supports over 1.5 million organizations and plays an integral role in many organizations’ software supply chains as a source-code management (SCM) solution for storing code updates and identifying issues. 

Securing GitHub against the open-source onslaught

It’s no secret that vulnerabilities in open-source projects can be devastating. For instance, the remote exploitation exploit Log4j was used as part of over 840,000 attacks within 72 hours of discovery. 

Legit Security believes that securing GitHub is key to securing the open-source software supply chain, as exploits provide a means to modify source code, harvest secrets and initiate a supply chain attack. 

For instance, recently the organization disclosed attack vulnerabilities in open-source projects from Google and Apache, including a “GitHub environment injection” within the Google Firebase project that enables an attacker to take control of a project’s GitHub Actions CI/CD pipeline and modify the underlying source code.

GitHub occupies a unique place in the open-source ecosystem because, although it’s widely used, it’s often difficult to secure GitHub implementations because it’s time-consuming to discover misconfigurations for each repository. 

“It’s difficult and time-consuming to consistently enforce security across large GitHub implementations, and GitHub misconfigurations are a very common source of vulnerabilities. Different individuals often deploy GitHub instances with different configurations and settings,” said Legit Security cofounder and CTO Liav Caspi. 

“However, manually enforcing consistency across large GitHub organizations is very labor-intensive and prone to human error. Legitify addresses this by allowing security teams and devops engineers to manage and enforce their GitHub configurations in a secure and scalable way,” Caspi said. 

Legitify answers these challenges by enabling users to scan GitHub implementations by a specific instance, resource type or entire organization via the command line so they can detect security issues, categorize their severity and review remediation steps.

Other GitHub scanning solutions 

It’s important to note that Legit Security’s solution isn’t the only tool capable of scanning the security of GitHub code. GitHub Code Scanning, released in 2020, is a native solution that integrates with GitHub Actions to scan code as it’s developed and provides users with security reviews to identify vulnerabilities. 

Another tool offering this capability is SonarQube GitHub Action, which allows the user to employ a SonarQube scanner to detect bugs and vulnerabilities in code in over 20 programming languages. SonarQube’s parent company, SonarSource, raised $412 million in funding earlier this year to scan codebases for vulnerabilities. 

“Legitify is a unique open-source security tool designed for large enterprise deployments of GitHub. Legitify connects to GitHub via an access token and detects issues across four resource types: member, repository, actions and organization,” Caspi said.