How scanning GitHub might help secure the open-source software supply chain



Supply chain security attacks have changed cybersecurity forever. Ever since President Biden issued his Executive Order on Improving the Nation's Cybersecurity following the Log4j and SolarWinds breach debacles, open-source security has been a top priority for organizations.

In fact, research shows that 73% of organizations have adopted measures to secure their software supply chains.

Continuing this trend, SaaS security provider Legit Security today announced the launch of Legitify, a new open-source security tool designed to help enterprises secure their GitHub implementations. The solution will enable security and devops teams to scan GitHub configurations at scale and ensure the integrity of open-source software.

GitHub supports over 1.5 million organizations and plays an integral role in many organizations' software supply chains as a source-code management (SCM) solution for storing code updates and identifying issues.


Securing GitHub against the open-source onslaught

It's no secret that vulnerabilities in open-source projects can be devastating. For instance, the Log4j remote exploitation vulnerability was used in over 840,000 attacks within 72 hours of its discovery.

Legit Security believes that securing GitHub is key to securing the open-source software supply chain, as exploits provide a way to modify source code, harvest secrets and initiate a supply chain attack.

For example, the team recently disclosed attack vulnerabilities in open-source projects from Google and Apache, including a "GitHub environment injection" within the Google Firebase project that enables an attacker to take control of a project's GitHub Actions CI/CD pipeline and modify the underlying source code.

GitHub occupies a unique place in the open-source ecosystem: although it is widely used, securing GitHub implementations is often difficult because discovering misconfigurations for every repository is time-consuming.

"It's difficult and time-consuming to consistently enforce security across large GitHub implementations, and GitHub misconfigurations are a very common source of vulnerabilities. Different individuals often deploy GitHub instances with different configurations and settings," said Legit Security cofounder and CTO Liav Caspi.

"However, manually enforcing consistency across large GitHub organizations is very labor-intensive and prone to human error. Legitify addresses this by allowing security teams and devops engineers to manage and enforce their GitHub configurations in a secure and scalable way," Caspi said.

Legitify answers these challenges by enabling users to scan GitHub implementations by a specific instance, resource type or entire organization via the command line, so they can detect security issues, categorize their severity and review remediation steps.

Other GitHub scanning solutions

It's important to note that Legit Security's solution isn't the only tool capable of scanning the security of GitHub code. GitHub Code Scanning, launched in 2020, is a native solution that integrates with GitHub Actions to scan code as it's developed and provides users with security reviews to identify vulnerabilities.

Another tool offering this capability is SonarQube GitHub Action, which allows the user to run a SonarQube scanner to detect bugs and vulnerabilities in code in over 20 programming languages. SonarQube's parent company, SonarSource, raised $412 million in funding earlier this year to scan codebases for vulnerabilities.

"Legitify is a unique open-source security tool designed for large enterprise deployments of GitHub. Legitify connects to GitHub via an access token and detects issues across four resource types: member, repository, actions and organization," Caspi said.
