Supply Chain Council of European Union | Scceu.org

How scanning GitHub can help secure the open source software supply chain

Supply chain security attacks have changed cybersecurity forever. Ever since President Biden released his Executive Order on Improving the Nation’s Cybersecurity following the Log4j and SolarWinds breach debacles, open source security has remained a top priority for organizations.

In fact, research shows that 73% of organizations have adopted measures to secure their software supply chains.

Continuing with this trend, SaaS security provider Legit Security today announced the launch of Legitify, a new open-source security tool designed to help enterprises secure their GitHub implementations. The solution will enable security and DevOps teams to scan GitHub configurations at scale and ensure the integrity of open source software. 

GitHub supports over 1.5 million organizations and plays an integral role in many organizations’ software supply chains as a source code management (SCM) solution for storing code updates and identifying issues.


Securing GitHub against the open source onslaught

It’s no secret that vulnerabilities in open source projects can be devastating. For instance, the Log4j remote code execution vulnerability was exploited in over 840,000 attacks within 72 hours of its discovery.

Legit Security believes that securing GitHub is key to securing the open source software supply chain, since a compromised GitHub environment gives an attacker a means to modify source code, harvest secrets and initiate a supply chain attack.

For instance, the company recently disclosed vulnerabilities in open-source projects from Google and Apache, including a “GitHub Environment Injection” flaw in the Google Firebase project that enabled an attacker to take control of the project’s GitHub Actions CI/CD pipeline and modify the underlying source code.

GitHub occupies a unique place in the open source ecosystem: although it’s widely used, GitHub implementations are often difficult to secure, because discovering misconfigurations in each repository is time-consuming.

“It’s difficult and time-consuming to consistently enforce security across large GitHub implementations, and GitHub misconfigurations are a very common source of vulnerabilities. Different individuals often deploy GitHub instances with different configurations and settings,” said co-founder and CTO of Legit Security, Liav Carpi. 

“However, manually enforcing consistency across large GitHub organizations is very labor intensive and prone to human error. Legitify addresses this by allowing security teams and DevOps engineers to manage and enforce their GitHub configurations in a secure and scalable way,” Carpi said. 

Legitify answers these challenges by enabling users to scan GitHub implementations by a specific instance, resource type or entire organization via the command line, to detect security issues, categorize their severity and review remediation steps.

Other GitHub scanning solutions 

It’s important to note that Legit Security’s solution isn’t the only tool capable of scanning the security of GitHub code. GitHub Code Scanning, released in 2020, is a native solution that integrates with GitHub Actions to scan code as it’s developed and provides users with security reviews to identify vulnerabilities.

Another tool offering this capability is the SonarQube GitHub Action, which lets users run the SonarQube scanner to detect bugs and vulnerabilities in code in over 20 programming languages. SonarQube’s parent company, SonarSource, raised $412 million in funding earlier this year to scan codebases for vulnerabilities.

“Legitify is a unique open-source security tool designed for large enterprise deployments of GitHub. Legitify connects to GitHub via an access token and detects issues across four resource types: member, repository, actions, and organization,” Carpi said. 
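As an added illustration of the scanning approach described above (example code written for this page, not Legitify’s own code or policies), the following Python snippet walks constructed GitHub-style settings for the four resource types, emits findings with a severity and a remediation step, and can be limited to a single resource type as the command-line tool is said to allow. The field names, checks, severities and remediation text are assumptions for illustration only.

```python
# Added illustrative example (not Legitify's code): a minimal policy scan over
# GitHub-style settings; the checks, severities and remediation text are assumptions.
from dataclasses import dataclass

@dataclass(frozen=True)
class Finding:
    resource_type: str  # member, repository, actions or organization
    resource: str
    policy: str
    severity: str       # HIGH or MEDIUM
    remediation: str

# Constructed sample resembling what a GitHub API client could return; not real data.
SAMPLE_ORG = {
    "organization": {"login": "example-org", "two_factor_requirement_enabled": False},
    "members": [{"login": "alice", "role": "admin", "two_factor": True},
                {"login": "bob", "role": "member", "two_factor": False}],
    "repositories": [
        {"name": "payments", "protection": {"required_reviews": 0, "enforce_admins": False}},
        {"name": "docs", "protection": {"required_reviews": 2, "enforce_admins": True}}],
    "actions": {"allowed_actions": "all", "default_workflow_permissions": "write"},
}

def scan(org: dict, resource_type: str = "") -> list:
    """Findings for the whole org, or only for one resource type when given."""
    out = []
    o, a = org["organization"], org["actions"]
    if not o["two_factor_requirement_enabled"]:
        out.append(Finding("organization", o["login"], "require_2fa", "HIGH",
                           "Enable the organization-wide two-factor requirement."))
    for m in org["members"]:
        if not m["two_factor"]:  # an admin without 2FA is a higher-impact account
            out.append(Finding("member", m["login"], "member_2fa",
                               "HIGH" if m["role"] == "admin" else "MEDIUM",
                               "Enrol the member in two-factor authentication."))
    for r in org["repositories"]:
        p = r["protection"]
        if p["required_reviews"] < 1:
            out.append(Finding("repository", r["name"], "review_required", "HIGH",
                               "Require at least one approving review before merge."))
        if not p["enforce_admins"]:
            out.append(Finding("repository", r["name"], "enforce_admins", "MEDIUM",
                               "Apply branch protection to administrators too."))
    if a["allowed_actions"] == "all":
        out.append(Finding("actions", o["login"], "restrict_actions", "MEDIUM",
                           "Allow only selected or verified actions."))
    if a["default_workflow_permissions"] == "write":
        out.append(Finding("actions", o["login"], "token_write_default", "HIGH",
                           "Set the default workflow token permission to read-only."))
    return [f for f in out if not resource_type or f.resource_type == resource_type]
```

Running `scan(SAMPLE_ORG)` on the constructed sample yields six findings, three of them HIGH; `scan(SAMPLE_ORG, "repository")` returns only the two findings for the `payments` repository.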
