Legitify detects and remediates misconfigurations and security risks across GitHub and GitLab assets to strengthen source-code management security posture.
Detect and remediate misconfigurations and security risks across all your GitHub and GitLab assets
Legitify is used by security teams and DevOps engineers to continuously audit and assess compliance and security risks in their GitHub and GitLab repositories. It automates detection of misconfigurations and policy violations, enabling organizations to enforce governance and reduce risk in their software supply chain.
Legitify includes SLSA Level 3 provenance documents from version 0.1.6 onwards to enhance supply chain security verification. It is recommended to use a personal access token with appropriate permissions when integrating with GitHub Actions. The tool supports multiple installation methods, allowing flexible integration into existing CI/CD pipelines.
Install on macOS or Linux using Homebrew: brew install legitify
Download the latest release from https://github.com/Legit-Labs/legitify/releases
Clone the repository and run from source: git clone git@github.com:Legit-Labs/legitify.git, then run the analysis with: go run main.go analyze ...
Install as a GitHub CLI extension: gh extension install legit-labs/gh-legitify, then run it with: gh legitify
Use legitify as a custom GitHub Action in CI workflows: uses: Legit-Labs/legitify@main
Configure the GitHub Action to ignore specific policies during analysis with the ignore-policies input, one policy name per line:
  ignore-policies: |
    non_admins_can_create_public_repositories
    requires_status_checks
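The following workflow is an added example, not a file from the Legitify project or from this page, showing how the GitHub Action usage above fits into a complete scheduled audit job. Only the step reference Legit-Labs/legitify@main and the ignore-policies input (with the two policy names listed above) come from the page; the input name github_token, the secret name LEGITIFY_PAT, the workflow name and the schedule are assumptions made for the example.

```yaml
# Added example (not from the Legitify project or this page): a GitHub Actions
# workflow that runs Legitify on a schedule. The step input "github_token" and
# the secret name LEGITIFY_PAT are assumptions; only "uses: Legit-Labs/legitify@main"
# and the "ignore-policies" input with its two policy names appear on the page.
name: legitify-audit

on:
  schedule:
    - cron: "0 6 * * 1"   # weekly, Monday 06:00 UTC (assumed cadence)
  workflow_dispatch:       # allow an on-demand run as well

# The workflow itself needs only read access; the audit scope comes from the PAT.
permissions:
  contents: read

jobs:
  audit:
    runs-on: ubuntu-latest
    steps:
      - uses: Legit-Labs/legitify@main
        with:
          # Assumed input name. The page recommends a personal access token with
          # appropriate permissions when integrating with GitHub Actions, stored
          # here as a repository secret rather than written into the workflow.
          github_token: ${{ secrets.LEGITIFY_PAT }}
          # Policies excluded from the findings, one per line. These two names
          # are the ones the page lists; every entry here is a suppressed check.
          ignore-policies: |
            non_admins_can_create_public_repositories
            requires_status_checks
```

Treat the ignore-policies list as an exception register: each line silences a control that Legitify would otherwise flag, so keep it short, record why each policy is excluded, and revisit it when the organization's branch-protection or repository-creation settings change.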