How scanning GitHub can help secure the open-source software supply chain

Provide chain safety assaults have modified cybersecurity perpetually. Ever since President Biden launched his Government Order on Enhancing the Nation’s Cybersecurity following the Log4j and SolarWinds breach debacles, open-source safety has been a high precedence for organizations.

In actual fact, analysis reveals that 73% of organizations have adopted measures to safe their software program provide chains.

Persevering with this development, SaaS safety supplier Legit Safety at present introduced the launch of Legitify, a brand new open-source safety software designed to assist enterprises safe their GitHub implementations. The answer will allow safety and devops groups to scan GitHub configurations at scale and make sure the integrity of open-source software program. 

GitHub helps over 1.5 million organizations and performs an integral position in lots of organizations’ software program provide chains as a source-code administration (SCM) answer for storing code updates and figuring out points. 

Securing GitHub in opposition to the open-source onslaught

It’s no secret that vulnerabilities in open-source tasks might be devastating. For example, the distant exploitation exploit Log4j was used as a part of over 840,000 assaults inside 72 hours of discovery. 

Legit Safety believes that securing GitHub is essential to securing the open-source software program provide chain, as exploits present a way to change supply code, harvest secrets and techniques and provoke a provide chain assault. 

For example, not too long ago the group disclosed assault vulnerabilities in open-source tasks from Google and Apache, together with a “GitHub atmosphere injection” inside the Google Firebase mission that permits an attacker to take management of a mission’s GitHub Actions CI/CD pipeline and modify the underlying supply code.

GitHub occupies a novel place within the open-source ecosystem as a result of, though it’s extensively used, it’s typically tough to safe GitHub implementations as a result of it’s time-consuming to find misconfigurations for every repository. 

“It’s tough and time-consuming to persistently implement safety throughout giant GitHub implementations, and GitHub misconfigurations are a quite common supply of vulnerabilities. Completely different people typically deploy GitHub situations with completely different configurations and settings,” stated Legit Safety cofounder and CTO Liav Caspi. 

“Nonetheless, manually imposing consistency throughout giant GitHub organizations may be very labor-intensive and susceptible to human error. Legitify addresses this by permitting safety groups and devops engineers to handle and implement their GitHub configurations in a safe and scalable manner,” Caspi stated. 

Legitify solutions these challenges by enabling customers to scan GitHub implementations by a selected occasion, useful resource kind or complete group through the command line to allow them to detect safety points, categorize their severity and assessment remediation steps.

Different GitHub scanning options 

It’s essential to notice that Legit Safety’s answer isn’t the one software able to scanning the safety of GitHub code. GitHub Code Scanning, launched in 2020, is a local answer that integrates with GitHub Actions to scan code because it’s developed and gives customers with safety critiques to establish vulnerabilities. 

One other software providing this functionality is SonarQube GitHub Motion, which permits the person to make use of a SonarQube scanner to detect bugs and vulnerabilities in code in over 20 programming languages. SonarQube’s dad or mum firm, SonarSource, raised $412 million in funding earlier this yr to scan codebases for vulnerabilities. 

“Legitify is a novel open-source safety software designed for giant enterprise deployments of GitHub. Legitify connects to GitHub through an entry token and detects points throughout 4 useful resource varieties: member, repository, actions and group,” Caspi stated.