How scanning GitHub will help safe the open-source software program provide chain

Provide chain safety assaults have modified cybersecurity ceaselessly. Ever since President Biden launched his Government Order on Enhancing the Nation’s Cybersecurity following the Log4j and SolarWinds breach debacles, open-source safety has been a high precedence for organizations.

In actual fact, analysis exhibits that 73% of organizations have adopted measures to safe their software program provide chains.

Persevering with this development, SaaS safety supplier Legit Safety in the present day introduced the launch of Legitify, a brand new open-source safety device designed to assist enterprises safe their GitHub implementations. The answer will allow safety and devops groups to scan GitHub configurations at scale and make sure the integrity of open-source software program. 

GitHub helps over 1.5 million organizations and performs an integral function in lots of organizations’ software program provide chains as a source-code administration (SCM) answer for storing code updates and figuring out points. 

Securing GitHub in opposition to the open-source onslaught

It’s no secret that vulnerabilities in open-source tasks could be devastating. As an illustration, the distant exploitation exploit Log4j was used as a part of over 840,000 assaults inside 72 hours of discovery. 

Legit Safety believes that securing GitHub is essential to securing the open-source software program provide chain, as exploits present a method to switch supply code, harvest secrets and techniques and provoke a provide chain assault. 

As an illustration, not too long ago the group disclosed assault vulnerabilities in open-source tasks from Google and Apache, together with a “GitHub setting injection” throughout the Google Firebase mission that allows an attacker to take management of a mission’s GitHub Actions CI/CD pipeline and modify the underlying supply code.

GitHub occupies a novel place within the open-source ecosystem as a result of, though it’s broadly used, it’s usually tough to safe GitHub implementations as a result of it’s time-consuming to find misconfigurations for every repository. 

“It’s tough and time-consuming to persistently implement safety throughout massive GitHub implementations, and GitHub misconfigurations are a quite common supply of vulnerabilities. Totally different people usually deploy GitHub situations with totally different configurations and settings,” stated Legit Safety cofounder and CTO Liav Caspi. 

“Nevertheless, manually imposing consistency throughout massive GitHub organizations may be very labor-intensive and susceptible to human error. Legitify addresses this by permitting safety groups and devops engineers to handle and implement their GitHub configurations in a safe and scalable means,” Caspi stated. 

Legitify solutions these challenges by enabling customers to scan GitHub implementations by a selected occasion, useful resource sort or complete group through the command line to allow them to detect safety points, categorize their severity and evaluate remediation steps.

Different GitHub scanning options 

It’s vital to notice that Legit Safety’s answer isn’t the one device able to scanning the safety of GitHub code. GitHub Code Scanning, launched in 2020, is a local answer that integrates with GitHub Actions to scan code because it’s developed and supplies customers with safety opinions to determine vulnerabilities. 

One other device providing this functionality is SonarQube GitHub Motion, which permits the consumer to make use of a SonarQube scanner to detect bugs and vulnerabilities in code in over 20 programming languages. SonarQube’s dad or mum firm, SonarSource, raised $412 million in funding earlier this yr to scan codebases for vulnerabilities. 

“Legitify is a novel open-source safety device designed for giant enterprise deployments of GitHub. Legitify connects to GitHub through an entry token and detects points throughout 4 useful resource sorts: member, repository, actions and group,” Caspi stated.