legit-labs / legitify
Detect and remediate misconfigurations and security risks across all your GitHub and GitLab assets
Home Page: https://legitify.dev
License: Apache License 2.0
First off, fantastic tool. It's fast and I love to see something of this quality in the open source world.
However, I ran into an odd thing that could be a "bug", but is more likely a feature enhancement? Specifically, the policy title language used is not consistent and that leads to confusion when looking at the results in tabular form.
Examples:
I would suggest changing the policy titles to be affirmative or negative, and then make the test results clearly align to them throughout all your policy titles. This would greatly aid in clarity.
Example:
Also note, in my previous language there is a case to be made that "should" be changed to "must" if you want to conform with policy and standards language like RFC 2119 / 8174 / etc
Again, I love the idea of this tool and am really impressed with what you have done already. It's very useful. Just noticed this oddity and it made me and a few other folks on my team go "huh?", so I thought I would share. Thanks again for a great tool, and I look forward to seeing where it goes. :)
No response
Yes, this is pedantic. I do think it's important, though. I'm happy to help with suggested edits, but didn't want to do so unless there was appetite for it.
Need to fix GitLab support for different use cases
Always list everything that is possible
Some use cases aren't covered
v0.0.23
Linux
No response
Need to cover the following matrix:
Need to make sure to list:
I used the GitHub action and it only reported issues for 50 repos.
I expected a report for all the 100+ repositories in the organization.
No response
0.2.0
Linux
No response
No response
If the provided token isn't authorized for an organization, the entire command fails.
It should indicate that the specific organization is not processable and not fail the command.
No response
v0.2.1
Linux
Using Github Cloud
Error: Token is not SAML authorized for organization: ORGANIZATION_NAME.
Please go to https://github.com/settings/tokens and authorize.
No response
I don't see a way to pass arguments to the legitify executable when we use the GitHub Action. Can that be enabled? e.g. --scorecard
No response
No response
Following #122, remove the last leftovers of app-level caching from the GitLab client.
Nothing should change (transport layer takes care of the caching).
Skipping policies due to missing permissions is incomplete, and its output is messy.
We need to implement a unified solution to handle these and output them in a meaningful way.
The link here does not work correctly:
Goes to https://legitify.dev/policies.html
.
Links should work 😉
Error
README
Other (please elaborate in the description)
GitHub UI
No response
Modify the repository.rego file, commenting out or removing some lines to disable some rules.
Error at run time
see if we can deactivate some rules according to team policies
No response
0.2.7
Linux
Error: compiler: 11 errors occurred:
../gitlab/repository.rego:11: rego_type_error: multiple default rules data.repository.project_not_maintained found
../gitlab/repository.rego:150: rego_type_error: multiple default rules data.repository.no_conversation_resolution found
../gitlab/repository.rego:180: rego_type_error: multiple default rules data.repository.code_review_not_required found
../gitlab/repository.rego:102: rego_type_error: multiple default rules data.repository.repository_require_code_owner_reviews_policy found
../gitlab/repository.rego:195: rego_type_error: multiple default rules data.repository.code_review_by_two_members_not_required found
../gitlab/repository.rego:240: rego_type_error: multiple default rules data.repository.repository_allows_committer_approvals_policy found
../gitlab/repository.rego:254: rego_type_error: multiple default rules data.repository.repository_dismiss_stale_reviews found
../gitlab/repository.rego:50: rego_type_error: multiple default rules data.repository.forking_allowed_for_repository found
../gitlab/repository.rego:121: rego_type_error: multiple default rules data.repository.project_webhook_doesnt_require_ssl found
../gitlab/repository.rego:210: rego_type_error: multiple default rules data.repository.repository_allows_review_requester_to_approve_their_own_request found
rego_compile_error: error limit reached
No response
GitHub is now supporting org level branch policies. This means that we no longer need to define it at repo levels.
With org level branch policies, the actual branch policies will be a combination of the stricter policy at org and repo. Legitify should take both into consideration for the compliance run.
No response
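The stricter-wins combination described above, as an added example in Go (example code, not legitify's own): an organization-level and a repository-level policy are merged setting by setting, and a few checks named after policies that appear in the compiler output elsewhere on this page are run against the repository view alone and against the effective view. The struct fields, the merge rules and the thresholds (two approving reviews) are this example's assumptions, not GitHub API fields.

```go
package main

import "fmt"

// BranchPolicy holds the branch-protection settings this example compares.
// The field names are this example's own shorthand, not GitHub API field names.
type BranchPolicy struct {
	Defined                bool // false when no policy exists at this level
	RequiredApprovals      int
	RequireCodeOwnerReview bool
	DismissStaleReviews    bool
	AllowForcePush         bool
	AllowDeletion          bool
}

func maxInt(a, b int) int {
	if a > b {
		return a
	}
	return b
}

// Effective returns the policy a branch actually gets when an organization
// level policy and a repository level policy both apply: the stricter value
// wins per setting. "Require ..." flags combine with OR, "Allow ..." flags
// with AND, and review counts take the maximum.
func Effective(org, repo BranchPolicy) BranchPolicy {
	if !org.Defined {
		return repo
	}
	if !repo.Defined {
		return org
	}
	return BranchPolicy{
		Defined:                true,
		RequiredApprovals:      maxInt(org.RequiredApprovals, repo.RequiredApprovals),
		RequireCodeOwnerReview: org.RequireCodeOwnerReview || repo.RequireCodeOwnerReview,
		DismissStaleReviews:    org.DismissStaleReviews || repo.DismissStaleReviews,
		AllowForcePush:         org.AllowForcePush && repo.AllowForcePush,
		AllowDeletion:          org.AllowDeletion && repo.AllowDeletion,
	}
}

// Violations evaluates a policy against checks named after entries in the
// compiler output elsewhere on this page; the thresholds are this example's.
func Violations(p BranchPolicy) []string {
	if !p.Defined {
		return []string{"missing_default_branch_protection"}
	}
	var out []string
	if p.AllowForcePush {
		out = append(out, "missing_default_branch_protection_force_push")
	}
	if p.RequiredApprovals < 2 {
		out = append(out, "code_review_by_two_members_not_required")
	}
	if !p.RequireCodeOwnerReview {
		out = append(out, "repository_require_code_owner_reviews_policy")
	}
	if !p.DismissStaleReviews {
		out = append(out, "repository_dismiss_stale_reviews")
	}
	return out
}

func main() {
	// Constructed sample: the org ruleset forbids force pushes and demands two
	// reviews; the repo protection is weaker on those but adds code-owner review.
	org := BranchPolicy{Defined: true, RequiredApprovals: 2, DismissStaleReviews: true}
	repo := BranchPolicy{Defined: true, RequiredApprovals: 1, AllowForcePush: true, RequireCodeOwnerReview: true}

	fmt.Println("repo only:", Violations(repo))                 // three false positives
	fmt.Println("org only: ", Violations(org))                  // misses the repo's code-owner rule
	fmt.Println("effective:", Violations(Effective(org, repo))) // []
}
```

Looking at either level alone produces wrong findings in both directions; only the merged view reflects what a push to the branch actually meets.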
As @carltonmason commented in #10, PATs generated for GHES instances might have a different pattern.
Remove the user-friendly checks (length & the ghp_ prefix) for GHES.
edit:
The issue is not with GHES but with old-style PATs (see comments for more info).
Instead of removing the check, we will just support the older pattern too.
accept the custom PAT
No response
v0.1.5
Linux
No response
No response
Add nightly that checks both the CLI and the container release, see that real data returns successfully.
A nightly scheduled github workflow that runs the CLI and the Container image with a real PAT (github secret), and assert the data returns as expected.
No response
Use staticcheck
The static check utility (and actions) catches many potential bugs and bad practices.
Enforce a higher standard by running it in PR checks.
No response
As the remediation steps suggest, many policies can be fixed automatically.
Introduce a new command to apply these fixes.
- Support for receiving the output of the analyze command as input.
- Add a standalone remediate command.
- Support for an auto-remediation flag for the analyze command.
No response
GitHub recently announced that fine-grained PATs can now be used to call the GitHub GraphQL API.
As a result, it should be possible to use these with Legitify.
It may be as simple as removing the check in validateToken to enable support for fine-grained PATs. I'll test this and get a better idea if that's the case.
No response
Add SARIF as an additional output format
No response
No response
When Legitify was run, after scanning some of the repositories, it waited for the rate limit for 60 seconds. But it returned the result without continuing to scan the remaining repositories.
I was expecting all repositories to be scanned.
No response
0.2.5
Mac OS
No response
No response
With the release of version 0.2.0, you officially added support for GitHub Actions to Legitify.
I've been experimenting with the examples at https://github.com/Legit-Labs/legitify/tree/main/action_examples and I think it would be beneficial for our use case to also have support for GitHub Actions Job Summaries.
Thanks for creating such a promising product!
Add yet another `--output-format` to the `legitify analyze`
Possible names `job-summary` or `markdown`
No response
We have 2 admin users in our GitHub organization but legitify alerts on that as if we have too many admins.
I would expect that 3 admins and above will be considered too many.
No response
0.2.6
Mac OS
No response
No response
A simple GHA crashes with panic: runtime error: invalid memory address or nil pointer dereference.
The latter point is why I am not using v0.2.6, since it appears that is not supported there. I tried, I got no report.
The GHA stops with this error message:
Error: The process '/home/runner/work/_actions/Legit-Labs/legitify/main/legitify' failed with exit code 2 | stderr: panic: runtime error: invalid memory address or nil pointer dereference
[signal SIGSEGV: segmentation violation code=0x1 addr=0x0 pc=0x103d61c]
main
Linux
Legit-Labs/legitify@main
with:
github_token: ***
scorecard: true
upload_code_scanning: true
analyze_self_only: false
legitify_base_version: 0.2
compile_legitify: false
Run actions/setup-node@v3
with:
node-version: 16
always-auth: false
check-latest: false
token: ***
Found in cache @ /opt/hostedtoolcache/node/16.20.0/x64
Environment details
Run cd "$GITHUB_ACTION_PATH"
downloading legitify binary from the following release URL: https://github.com/Legit-Labs/legitify/releases/download/v0.2.6/legitify_0.2.6_linux_amd64.tar.gz
execute legitify analyze: [
'analyze',
'--org',
'worldr',
'--output-format',
'json',
'--output-file',
'legitify-output.json'
]
execute legitify convert sarif: [
'convert',
'--input-file',
'legitify-output.json',
'--output-format',
'sarif',
'--output-file',
'legitify-output.sarif'
]
Error: The process '/home/runner/work/_actions/Legit-Labs/legitify/main/legitify' failed with exit code 2 | stderr: panic: runtime error: invalid memory address or nil pointer dereference
[signal SIGSEGV: segmentation violation code=0x1 addr=0x0 pc=0x103d61c]
goroutine 1 [running]:
github.com/Legit-Labs/legitify/internal/outputer/formatter.ValidateOutputFormat({0x7ffc97ca1f5b, 0x5}, {0x152d50a, 0x9})
/home/runner/work/legitify/legitify/internal/outputer/formatter/output_format.go:38 +0x5c
github.com/Legit-Labs/legitify/cmd.(*args).validateSchemeOutputOptions(0x211b460)
/home/runner/work/legitify/legitify/cmd/common_args.go:140 +0xc5
github.com/Legit-Labs/legitify/cmd.(*args).applySchemeOutputOptions(0x0?)
/home/runner/work/legitify/legitify/cmd/common_args.go:124 +0x1e
github.com/Legit-Labs/legitify/cmd.executeConvertCommand(0xc0004dc780?, {0x1526f55?, 0x6?, 0x6?})
/home/runner/work/legitify/legitify/cmd/convert.go:55 +0x75
github.com/spf13/cobra.(*Command).execute(0xc0004dc780, {0xc000089620, 0x6, 0x6})
/home/runner/go/pkg/mod/github.com/spf13/[email protected]/command.go:872 +0x694
github.com/spf13/cobra.(*Command).ExecuteC(0x2109160)
/home/runner/go/pkg/mod/github.com/spf13/[email protected]/command.go:990 +0x3bd
github.com/spf13/cobra.(*Command).Execute(...)
/home/runner/go/pkg/mod/github.com/spf13/[email protected]/command.go:918
github.com/Legit-Labs/legitify/cmd.Execute()
/home/runner/work/legitify/legitify/cmd/root.go:35 +0x198
main.main()
/home/runner/work/legitify/legitify/main.go:6 +0x17
Error: Error: The process '/home/runner/work/_actions/Legit-Labs/legitify/main/legitify' failed with exit code 2
Error: Process completed with exit code 1.
The GHA I am using:
--
name: "Run Legitify to check GH org settings."
on: # yamllint disable-line rule:truthy
  push:
    branches: ['main']
  pull_request:
    # The branches below must be a subset of the branches above
    branches: ['main']
  schedule:
    # ┌───────────── minute (0 - 59)
    # │ ┌───────────── hour (0 - 23)
    # │ │ ┌───────────── day of the month (1 - 31)
    # │ │ │ ┌───────────── month (1 - 12 or JAN-DEC)
    # │ │ │ │ ┌───────────── day of the week (0 - 6 or SUN-SAT)
    # │ │ │ │ │
    # │ │ │ │ │
    # │ │ │ │ │
    # * * * * *
    - cron: '0 7 * * 1-5'
jobs:
  legitify-analyze:
    runs-on: ubuntu-latest
    steps:
      - name: Checkout
        uses: actions/checkout@v3
      - name: Legitify Action
        uses: Legit-Labs/legitify@main
        with:
          github_token: ${{ secrets.LEGITIFY_PAT }}
          scorecard: true
          upload_code_scanning: true
Running the CLI through the Docker release returns an error: "x509: certificate signed by unknown authority"
Expecting to get results or at least not have this error.
getting an error: "x509: certificate signed by unknown authority"
v10.1.5
Mac OS
“x509: certificate signed by unknown authority”
Reproduce via: docker run -e GITHUB_TOKEN= ghcr.io/legit-labs/legitify:0.1.5 list-orgs
Currently, when using the new SARIF action, Legitify crashes due to a nil pointer dereference. This crash occurs when calling the action as Legit-Labs/legitify@36a5bc20c2fc38b31f1288af9fced03fb254a7d3.
Ideally, the conversion would run.
Legitify crashes 😢
Linux
legitify failed with:
panic: runtime error: invalid memory address or nil pointer dereference
[signal SIGSEGV: segmentation violation code=0x1 addr=0x0 pc=0x103d61c]
goroutine 1 [running]:
github.com/Legit-Labs/legitify/internal/outputer/formatter.ValidateOutputFormat({0x7ffe3169bf37, 0x5}, {0x152d50a, 0x9})
/home/runner/work/legitify/legitify/internal/outputer/formatter/output_format.go:38 +0x5c
github.com/Legit-Labs/legitify/cmd.(*args).validateSchemeOutputOptions(0x211b460)
/home/runner/work/legitify/legitify/cmd/common_args.go:140 +0xc5
github.com/Legit-Labs/legitify/cmd.(*args).applySchemeOutputOptions(0x0?)
/home/runner/work/legitify/legitify/cmd/common_args.go:124 +0x1e
github.com/Legit-Labs/legitify/cmd.executeConvertCommand(0xc00032b180?, {0x1526f55?, 0x6?, 0x6?})
/home/runner/work/legitify/legitify/cmd/convert.go:55 +0x75
github.com/spf13/cobra.(*Command).execute(0xc00032b180, {0xc00007ad80, 0x6, 0x6})
/home/runner/go/pkg/mod/github.com/spf13/[email protected]/command.go:872 +0x694
github.com/spf13/cobra.(*Command).ExecuteC(0x2109160)
/home/runner/go/pkg/mod/github.com/spf13/[email protected]/command.go:990 +0x3bd
github.com/spf13/cobra.(*Command).Execute(...)
/home/runner/go/pkg/mod/github.com/spf13/[email protected]/command.go:918
github.com/Legit-Labs/legitify/cmd.Execute()
/home/runner/work/legitify/legitify/cmd/root.go:35 +0x198
main.main()
/home/runner/work/legitify/legitify/main.go:6 +0x17
Here's an excerpt of the Actions workflow calling Legitify:
jobs:
  audit_log:
    runs-on: ubuntu-latest
    name: Organization Security Audit
    steps:
      - name: Legitify
        uses: Legit-Labs/legitify@36a5bc20c2fc38b31f1288af9fced03fb254a7d3
        with:
          github_token: ${{ secrets.AUDIT_GITHUB_TOKEN }}
          upload_code_scanning: true
Add a policy that alerts if the GitHub Actions default permission is not read-only.
Applies for repository & organization
No response
No response
test
test
test
1
Mac OS
No response
No response
Support listing & scanning of a specific repo inside the organization account.
No response
No response
Would you consider adding support for installation by Homebrew?
goreleaser has built-in support for creating taps
No response
No response
'./legitify version' is returning 'na' instead of actual version
expected 'version' command to return the actual cli version
returned 'na'
v0.1.3
Mac OS
No response
No response
I received a panic when running on an Org.
LEGITIFY_TOKEN=XXXXXX ./legitify analyze --org ORG
panic: interface conversion: interface {} is *github.ListMembersOptions, not *github.ListOptions
goroutine 133 [running]:
github.com/Legit-Labs/legitify/internal/clients/github/pagination.(*ghOptioner).Advance(0xc0005b6000?, {0x2025e00?, 0xc0002a8160?}, {0x1db9ae0?, 0xc00050c040?})
/home/runner/work/legitify/legitify/internal/clients/github/pagination/pagination.go:19 +0x65
github.com/Legit-Labs/legitify/internal/clients/pagination.(*MappedPager[...]).Async.func1()
/home/runner/work/legitify/legitify/internal/clients/pagination/mapper.go:51 +0xb1
created by github.com/Legit-Labs/legitify/internal/clients/pagination.(*MappedPager[...]).Async
/home/runner/work/legitify/legitify/internal/clients/pagination/mapper.go:41 +0xee
Dunno, first time I used this
No response
legitify version 0.2.3 commit 66094d7
Mac OS
~/legitify_0.2.3_darwin_amd64.tar ❯❯❯ cat error.log
2023/03/06 14:21:41 2023/03/06 14:21:41 Error collecting runner groups for ORG - GET https://api.github.com/orgs/ORG/actions/runner-groups: 404 Not Found []
2023/03/06 14:21:41 2023/03/06 14:21:41 Error collecting runner groups for ORG - GET https://api.github.com/orgs/ORG/actions/runner-groups: 404 Not Found []
2023/03/06 14:21:41 2023/03/06 14:21:41 Error collecting runner groups for ORG - GET https://api.github.com/orgs/ORG/actions/runner-groups: 404 Not Found []
2023/03/06 14:21:41 2023/03/06 14:21:41 BUG: closing bar actions although it is not completed. please report this issue to legitify repository.
No response
When `legitify analyze`-ing across a large number of repos (in my organization, there are ~290), rate limit errors are encountered, and there is no way to slow the rate and mitigate the errors (other than reducing the number of repos in scope for analyze).
Exponential backoff by default and/or allow the caller to specify a value for wait between requests
Errors like this:
2023/01/12 11:09:25 2023/01/12 11:09:25 error getting branch protection info for the_repo: GET https://api.github.com/repos/TheOrg/the_repo/branches/master/protection: 403 You have exceeded a secondary rate limit. Please wait a few minutes before you try again.
which results in incomplete results in output.
legitify version 0.2.1 commit a5a45e1
Linux
2023/01/12 11:09:25 2023/01/12 11:09:25 error getting branch protection info for the_repo: GET https://api.github.com/repos/TheOrg/the_repo/branches/master/protection: 403 You have exceeded a secondary rate limit. Please wait a few minutes before you try again.
No response
See the example on https://goreleaser.com/customization/homebrew/ (halfway down that page).
A more detailed example is given in the section beneath "Detailed design".
# typed: false
# frozen_string_literal: true
# This file was generated by GoReleaser. DO NOT EDIT.
class Legitify < Formula
  desc "Legitify - open source scm scanning tool by Legit Security"
  homepage "https://github.com/Legit-Labs/legitify"
  version "v0.2.5"

  # One release tarball per OS/architecture; each sha256 pins that asset so
  # Homebrew refuses a download that does not match the published release.
  on_macos do
    if Hardware::CPU.intel?
      url "https://github.com/Legit-Labs/legitify/releases/download/v0.2.5/legitify_0.2.5_darwin_amd64.tar.gz"
      sha256 "`sha-code`"
    end
    # Apple Silicon is 64-bit ARM, so the arm64 asset is selected on arm? alone.
    if Hardware::CPU.arm?
      url "https://github.com/Legit-Labs/legitify/releases/download/v0.2.5/legitify_0.2.5_darwin_arm64.tar.gz"
      sha256 "`sha-code`"
    end
  end

  on_linux do
    if Hardware::CPU.intel?
      url "https://github.com/Legit-Labs/legitify/releases/download/v0.2.5/legitify_0.2.5_linux_amd64.tar.gz"
      sha256 "f99114ec8500ad3d27410fa54c0e1d5b8d8eb9c7a57f76223254ee98916af22f"
    end
    # 64-bit ARM Linux hosts (aarch64).
    if Hardware::CPU.arm?
      url "https://github.com/Legit-Labs/legitify/releases/download/v0.2.5/legitify_0.2.5_linux_arm64.tar.gz"
      sha256 "`sha-code`"
    end
  end

  def install
    bin.install "legitify"
  end
end
I've tested it successfully on Ubuntu 22.04.2 LTS (GNU/Linux 5.15.0-67-generic x86_64) with the above file altered.
Currently, policies are not violated by default, and we mark them as violated only if certain conditions are met. This makes our policies more complex and prone to errors.
For example:
default missing_default_branch_protection_force_push = false
missing_default_branch_protection_force_push {
    missing_default_branch_protection
}
missing_default_branch_protection_force_push {
    ....
    count(rules_allow_force_push) > 0
}
The missing_default_branch_protection_force_push policy needs to be defined as a partial policy that first checks if branch protection exists and then the specific condition.
Instead of the above, define the policy like this:
default missing_default_branch_protection_force_push = true
missing_default_branch_protection_force_push = false {
    ....
    count(rules_allow_force_push) == 0
}
This way, the policy needs to check only for the good case and not for all of the bad options.
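The fail-closed point above, shown in Go rather than Rego as an added example (example code, not legitify's policy code): the same force-push check is evaluated in both forms over constructed inputs shaped like a decoded API response, including one partial response that an enumerate-the-bad-cases policy silently passes. The input layout, the function names and the samples are this example's assumptions; note that the "good case" must positively establish that the data it relies on was present, which is what the `known` flag does here.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// Input is the decoded JSON a policy sees, in the shape Rego's `input` has.
type Input map[string]any

// Constructed sample inputs (not real API responses). The last one stands for
// a partial or unexpected response, e.g. a field left null after an API error.
var Samples = map[string]string{
	"protected":        `{"branch_protection":{"rules":[{"name":"main","allows_force_pushes":false}]}}`,
	"force_push":       `{"branch_protection":{"rules":[{"name":"main","allows_force_pushes":true}]}}`,
	"no_protection":    `{}`,
	"partial_response": `{"branch_protection":{"rules":null}}`,
}

// Parse decodes one sample document.
func Parse(doc string) Input {
	var in Input
	if err := json.Unmarshal([]byte(doc), &in); err != nil {
		panic(err)
	}
	return in
}

// forcePushRules lists the rules that allow force pushes. known is false when
// the data needed to decide is absent or malformed.
func forcePushRules(in Input) (allowing []string, known bool) {
	prot, ok := in["branch_protection"].(map[string]any)
	if !ok {
		return nil, false
	}
	rules, ok := prot["rules"].([]any)
	if !ok {
		return nil, false
	}
	for _, r := range rules {
		rule, ok := r.(map[string]any)
		if !ok {
			return nil, false
		}
		if allow, _ := rule["allows_force_pushes"].(bool); allow {
			name, _ := rule["name"].(string)
			allowing = append(allowing, name)
		}
	}
	return allowing, true
}

// EnumerateBad mirrors the first form: not violated by default, violated only
// when one of the listed bad cases matches. A shape the author did not list
// (rules present but null) matches nothing and therefore passes.
func EnumerateBad(in Input) bool {
	if _, present := in["branch_protection"]; !present {
		return true // missing_default_branch_protection
	}
	allowing, _ := forcePushRules(in)
	return len(allowing) > 0
}

// DefaultViolated mirrors the second form: violated by default, cleared only
// when the good case is positively established, i.e. the rules were readable
// and none of them allows force pushes.
func DefaultViolated(in Input) bool {
	allowing, known := forcePushRules(in)
	return !(known && len(allowing) == 0)
}

// Verdicts evaluates every sample with both forms: [enumerate-bad, default-violated].
func Verdicts() map[string][2]bool {
	out := map[string][2]bool{}
	for name, doc := range Samples {
		in := Parse(doc)
		out[name] = [2]bool{EnumerateBad(in), DefaultViolated(in)}
	}
	return out
}

func main() {
	for name, v := range Verdicts() {
		fmt.Printf("%-17s enumerate-bad=%-5v default-violated=%v\n", name, v[0], v[1])
	}
}
```

The two forms agree on the three cases the author thought of and disagree on the partial response: the first reports it as compliant, the second as violated until the collector proves otherwise.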
When you `make clean`, it only cleans the built binary. It does not clean the autogenerated docs directories.
Further, the generated docs are not in the .gitignore file.
This is a bad combo. Ask me how I know... 🤣
`make clean` should clean anything that is generated by other make commands.
The .gitignore should include the transient items that are generated via other make commands, like generated docs.
No response
latest
Mac OS
No response
No response
The documentation and flag names only document GitHub
Use general terms
Only GitHub is mentioned
v0.0.23
Linux
No response
___ _______ _______ ___ _______ ___ _______ __ __
| | | || || | | || | | || | | |
| | | ___|| ___|| | |_ _|| | | ___|| |_| |
| | | |___ | | __ | | | | | | | |___ | |
| |___ | ___|| || || | | | | | | ___||_ _|
| || |___ | |_| || | | | | | | | | |
|_______||_______||_______||___| |___| |___| |___| |___|
By Legit Security
Analyze GitHub organizations associated with a PAT to find security issues
Usage:
legitify analyze [flags]
Flags:
--color string when to use coloring [auto/always/none] (default "auto")
-e, --error-file string error log path (default "error.log")
--failed-only Only show violated policies (do not show succeeded/skipped)
-t, --github-token string token to authenticate with github (required unless environment variable LEGITIFY_AUTH_TOKEN is set)
-h, --help help for analyze
-n, --namespace strings which namespace to run (default [organization,repository,member,actions,runner_group])
--org strings specific organizations to collect
-o, --output-file string output file, defaults to stdout
-f, --output-format string output format [human/json/markdown] (default "human")
--output-scheme string output scheme [flattened/group-by-namespace/group-by-resource/group-by-severity] (default "flattened")
-p, --policies-path strings directory containing opa policies
--repo strings specific repositories to collect (--repo owner/repo_name (e.g. ossf/scorecard)
--scm string server type (GitHub, GitLab), defaults to GitHub (default "github")
--scorecard string Whether to run additional scorecard checks [no/yes/verbose] (default "no")
--server-url string github/gitlab endpoint to use instead of the Cloud API (can be set via the environment variable SERVER_URL)
issues:
`Analyze GitHub organizations associated with a PAT to find security issues` --> GitHub/GitLab organizations
`--github-token` --> `--token`
`token to authenticate with github (required unless environment variable LEGITIFY_AUTH_TOKEN is set)` --> `with github/gitlab`
Randomly getting “Error: token doesn’t have access to any organization" - re-attempt of using the same token a few seconds later works just fine.
Either get results, or the actual error that happened.
The error returned is masked as “Error: token doesn’t have access to any organization" but the actual error returned from github is likely different.
v0.1.5
Mac OS
No response
Suspecting that this “Error: token doesn’t have access to any organization" error returns when a rate limit error is returned from github.
RE: ID Numbers: When referencing, it is much easier to reference a number, like GH-1, than a name. It also allows the policy name to change without breaking other references (see CIS benchmark example in previous comment). Like database primary/foreign keys; you want to reference the key so names and other things can change easily. When looking at most standards out there, like NIST, CIS, CSA, etc, they all reference each-other by specific numbers and not titles. See this link for one example of such a mapping. I would suggest doing the same here for both consistency and ease of reference.
Originally posted by @derekmurawsky in #139 (comment)
The rule non_admins_can_create_public_repositories only checks if members can outright create a public repository. By default, however, they can achieve the same thing by creating a private repository and changing its visibility to public, as that is not restricted by that permission. Even worse, they can change the visibility of any repository that they are an admin of.
Thus, only prohibiting all visibility changes via the option "Repository visibility change" actually stops creation of public repositories. The current rule gives a very wrong impression of security while not giving the whole picture.
Legitify should check that the member privileges have two settings:
- Repository Creation only allows private, internal, or none
- Repository visibility change is not allowed
It only checks for one setting:
- Repository Creation only allows private, internal, or none
v0.2.5
Linux
No response
See the GitHub Documentation page on Restricting repository creation in your organization, which specifically points this out:
Warning: This setting only restricts the visibility options available when repositories are created and does not restrict the ability to change repository visibility at a later time. For more information about restricting changes to existing repositories' visibilities, see "Restricting repository visibility changes in your organization."
Support scanning GHES for misconfigurations
No response
No response
Generate SLSA provenance documents for Legitify releases.
Preferably, implement it by using https://github.com/slsa-framework/slsa-github-generator.
Ideally, use the go-builder provided by this package to provide a highly-trusted builder.
No response
Using the same GitLab token in different versions of legitify, skip rule revisions:
version 0.2.6: does not perform the skip
version 0.2.8: performs the skip
0.2.8
Mac OS
No response
The command that was executed is ./legitify analyze --scm gitlab --namespace repository --org <name org>
When using a GitHub or GitLab server, many organizations have internal certificate issues that may prevent Legitify from protecting them.
Add a flag to ignore invalid certificates.
No response
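A worked Go example (added here, not legitify's code) for the certificate problem in this issue and in the earlier "x509: certificate signed by unknown authority" report: trusting a private CA explicitly, next to what an "ignore invalid certificate" flag actually does. The server is an httptest stand-in with a self-signed certificate; the function names and the sample endpoint body are this example's own.

```go
package main

import (
	"crypto/tls"
	"crypto/x509"
	"encoding/pem"
	"errors"
	"fmt"
	"io"
	"net/http"
	"net/http/httptest"
	"time"
)

// NewClientWithCA returns a client that trusts the system roots plus the PEM
// encoded CA certificates in caPEM, e.g. the private CA in front of a GHES or
// self-hosted GitLab instance. Verification stays on.
func NewClientWithCA(caPEM []byte) (*http.Client, error) {
	pool, err := x509.SystemCertPool()
	if err != nil || pool == nil {
		pool = x509.NewCertPool() // e.g. minimal containers without a root store
	}
	if len(caPEM) > 0 && !pool.AppendCertsFromPEM(caPEM) {
		return nil, errors.New("no CA certificates found in the provided PEM")
	}
	tr := http.DefaultTransport.(*http.Transport).Clone()
	tr.TLSClientConfig = &tls.Config{RootCAs: pool, MinVersion: tls.VersionTLS12}
	return &http.Client{Transport: tr, Timeout: 30 * time.Second}, nil
}

// NewInsecureClient is what an "ignore invalid certificate" flag would build.
// Verification is off, so anyone on the path can present their own certificate
// and read the token the scanner sends. A last resort, never a default.
func NewInsecureClient() *http.Client {
	tr := http.DefaultTransport.(*http.Transport).Clone()
	tr.TLSClientConfig = &tls.Config{InsecureSkipVerify: true}
	return &http.Client{Transport: tr, Timeout: 30 * time.Second}
}

// IsUnknownAuthority reports whether err is the verification failure quoted in
// the issues ("x509: certificate signed by unknown authority").
func IsUnknownAuthority(err error) bool {
	var ua x509.UnknownAuthorityError
	return errors.As(err, &ua)
}

// Probe performs a GET and returns the status code.
func Probe(c *http.Client, url string) (int, error) {
	resp, err := c.Get(url)
	if err != nil {
		return 0, err
	}
	defer resp.Body.Close()
	io.Copy(io.Discard, resp.Body)
	return resp.StatusCode, nil
}

// NewPrivateCAServer stands in for a server whose certificate no public root
// signed: httptest issues its own self-signed test certificate.
func NewPrivateCAServer() *httptest.Server {
	return httptest.NewTLSServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		fmt.Fprint(w, `{"login":"octo-org"}`) // constructed body
	}))
}

// ServerCAPEM exports the server's certificate as PEM, the same form an admin
// would hand you for a corporate CA.
func ServerCAPEM(srv *httptest.Server) []byte {
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: srv.Certificate().Raw})
}

func main() {
	srv := NewPrivateCAServer()
	defer srv.Close()

	_, err := Probe(http.DefaultClient, srv.URL)
	fmt.Println("default client:", err, "| unknown authority:", IsUnknownAuthority(err))

	trusted, err := NewClientWithCA(ServerCAPEM(srv))
	if err != nil {
		panic(err)
	}
	status, err := Probe(trusted, srv.URL)
	fmt.Println("client with private CA:", status, err)

	status, err = Probe(NewInsecureClient(), srv.URL)
	fmt.Println("insecure client:", status, err)
}
```

A flag that takes a CA bundle path and feeds it to NewClientWithCA solves the reported problem without giving up verification; an insecure flag, if offered at all, should be loud in its help text and never the default.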
Running Legitify against our GitHub organisation with 800 repositories fails with an error message saying "panic: send on closed channel" and a stack trace (pasted below).
The bottom progress bar shows "secondary rate limit" and a counter going up to 60 seconds beforehand.
I would expect to see some output from Legitify showing the analysis of our GitHub organisation
The error output shown below
0.2.5
Mac OS
panic: send on closed channel
goroutine 817 [running]:
github.com/Legit-Labs/legitify/internal/collectors.(*BaseCollector).CollectDataWithContext(...)
/home/runner/work/legitify/legitify/internal/collectors/collector_utils.go:58
github.com/Legit-Labs/legitify/internal/collectors/github.(*repositoryCollector).collectRepository(0xc0005487d0, 0x2f6d6f632e627568?, {0xc000332360, 0xc}, 0xc000314200)
/home/runner/work/legitify/legitify/internal/collectors/github/repository_collector.go:233 +0x413
github.com/Legit-Labs/legitify/internal/collectors/github.(*repositoryCollector).collectRepositories.func1.1()
/home/runner/work/legitify/legitify/internal/collectors/github/repository_collector.go:210 +0x271
github.com/Legit-Labs/legitify/internal/common/group_waiter.(*GroupWaiter).Do.func1()
/home/runner/work/legitify/legitify/internal/common/group_waiter/group_waiter.go:25 +0x5b
created by github.com/Legit-Labs/legitify/internal/common/group_waiter.(*GroupWaiter).Do
/home/runner/work/legitify/legitify/internal/common/group_waiter/group_waiter.go:23 +0x8a
No response
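An added Go example (not legitify's client code) for the three rate-limit reports on this page (the 60-second wait that returned early, the secondary-rate-limit 403s with no way to slow down, and the panic above that starts on the rate-limit path): a GET wrapper that honours retry-after, then the x-ratelimit-reset timestamp, then falls back to exponential backoff with jitter, and refuses to retry a 403 that is not a rate limit. The fake server, the endpoint path and the type names are this example's own; the 403 message is the one quoted in the issue.

```go
package main

import (
	"bytes"
	"fmt"
	"io"
	"math/rand"
	"net/http"
	"net/http/httptest"
	"strconv"
	"strings"
	"sync/atomic"
	"time"
)

// RetryingClient wraps an http.Client and retries requests that GitHub
// rejected because of a primary or secondary rate limit.
type RetryingClient struct {
	HTTP       *http.Client
	MaxRetries int
	BaseDelay  time.Duration       // first backoff step when no header says how long to wait
	Sleep      func(time.Duration) // injectable so tests do not really sleep
}

// Do sends req and, while the answer is a rate-limit rejection, sleeps and
// retries. Only GET/HEAD requests are retried. Returns the final response and
// the number of attempts made.
func (c *RetryingClient) Do(req *http.Request) (*http.Response, int, error) {
	for attempt := 0; ; attempt++ {
		resp, err := c.HTTP.Do(req)
		if err != nil {
			return nil, attempt + 1, err
		}
		delay, limited := rateLimitDelay(resp, attempt, c.BaseDelay)
		retryable := req.Method == http.MethodGet || req.Method == http.MethodHead
		if !limited || !retryable || attempt >= c.MaxRetries {
			return resp, attempt + 1, nil
		}
		resp.Body.Close()
		c.Sleep(delay)
	}
}

type readCloser struct {
	io.Reader
	io.Closer
}

// rateLimitDelay reports whether resp is a rate-limit rejection and how long to
// wait: retry-after first, then the x-ratelimit-reset timestamp, then
// exponential backoff with jitter.
func rateLimitDelay(resp *http.Response, attempt int, base time.Duration) (time.Duration, bool) {
	if resp.StatusCode != http.StatusForbidden && resp.StatusCode != http.StatusTooManyRequests {
		return 0, false
	}
	if secs, err := strconv.Atoi(resp.Header.Get("Retry-After")); err == nil {
		return time.Duration(secs) * time.Second, true
	}
	if resp.Header.Get("X-RateLimit-Remaining") == "0" {
		if reset, err := strconv.ParseInt(resp.Header.Get("X-RateLimit-Reset"), 10, 64); err == nil {
			if d := time.Until(time.Unix(reset, 0)); d > 0 {
				return d, true
			}
			return 0, true
		}
	}
	// A 403 without rate-limit headers is usually a permissions problem, which
	// retrying cannot fix. Only back off when the body says it is a rate limit,
	// and put the bytes back so the caller can still read the response.
	body, _ := io.ReadAll(io.LimitReader(resp.Body, 4096))
	resp.Body = readCloser{io.MultiReader(bytes.NewReader(body), resp.Body), resp.Body}
	if !strings.Contains(strings.ToLower(string(body)), "rate limit") {
		return 0, false
	}
	d := base << uint(attempt)
	if d > time.Minute {
		d = time.Minute
	}
	return d + time.Duration(rand.Intn(250))*time.Millisecond, true
}

// NewFakeGitHub answers the first `rejects` requests with the secondary
// rate-limit 403 quoted in the issue and every later one with 200.
func NewFakeGitHub(rejects int32) (*httptest.Server, *int32) {
	hits := new(int32)
	srv := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if atomic.AddInt32(hits, 1) <= rejects {
			w.Header().Set("Retry-After", "2")
			w.WriteHeader(http.StatusForbidden)
			fmt.Fprint(w, `{"message":"You have exceeded a secondary rate limit. Please wait a few minutes before you try again."}`)
			return
		}
		fmt.Fprint(w, `{"enabled":true}`) // constructed body
	}))
	return srv, hits
}

// FetchWithBackoff GETs url through a RetryingClient and reports the final
// status, the attempts made and the delays it would have slept.
func FetchWithBackoff(url string) (status, attempts int, slept []time.Duration, err error) {
	c := &RetryingClient{
		HTTP: http.DefaultClient, MaxRetries: 5, BaseDelay: time.Second,
		Sleep: func(d time.Duration) { slept = append(slept, d) },
	}
	req, err := http.NewRequest(http.MethodGet, url, nil)
	if err != nil {
		return 0, 0, nil, err
	}
	resp, attempts, err := c.Do(req)
	if err != nil {
		return 0, attempts, slept, err
	}
	defer resp.Body.Close()
	io.Copy(io.Discard, resp.Body)
	return resp.StatusCode, attempts, slept, nil
}

func main() {
	srv, _ := NewFakeGitHub(2)
	defer srv.Close()
	fmt.Println(FetchWithBackoff(srv.URL + "/repos/TheOrg/the_repo/branches/master/protection"))
}
```

The MaxRetries cap and the base delay are the two knobs a `--rate-limit-wait` style flag would expose; the jitter keeps a fan-out of collectors from all waking up in the same second and hitting the secondary limit again.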
First of all, thanks for building this tool.
I think that many organizations are using GitLab Free, which comes without the push_rules API endpoint or MR approval rules.
So, are there plans to support GitLab Free? Or in other words, to ignore or disable non-existent features like push rules?
Actually, it fails with 404 errors during repository / GitLab project analysis and stops:
2023/06/15 14:22:13 2023/06/15 14:22:13 failed to query group hooks: 194 - legitify
2023/06/15 14:22:14 2023/06/15 14:22:14 failed to get project push rule GET [MASKED]api/v4/projects/145/push_rule: 404 {error: 404 Not Found}
2023/06/15 14:22:14 2023/06/15 14:22:14 project 'legitify-demo' collection failed with error: GET [MASKED]api/v4/projects/145/push_rule: 404 {error: 404 Not Found}
2023/06/15 14:22:14 2023/06/15 14:22:14 failed to get project push rule GET [MASKED]api/v4/projects/146/push_rule: 404 {error: 404 Not Found}
2023/06/15 14:22:14 2023/06/15 14:22:14 project 'unprotected-main-branch' collection failed with error: GET [MASKED]api/v4/projects/146/push_rule: 404 {error: 404 Not Found}
No response
No response
Prepare a GitHub action for easy integration of legitify as a periodic scanner to keep organizations/repositories secure.
This could be implemented as:
1. Workflow template
2. Preferably - An action that wraps legitify and runs it with the relevant parameters.
No response
Running analyze --org some_org shows all results as skipped, except for one policy "Non-Admins Can Create Public Repositories" which shows as failed, even though I'm not an owner on some_org.
In the results, show "Non-Admins Can Create Public Repositories" as skipped
In the results, "Non-Admins Can Create Public Repositories" appears as failed
0.1
Mac OS
No response
No response
Update Go to 1.19 everywhere.
Now that the Go linter supports 1.19 (https://github.com/golangci/golangci-lint/pull/3037), there's nothing blocking us.
No response
No response
Install tool on Mac
No response
latest
Mac OS
Error: legitify: Failed to download resource "legitify"
Failure while executing; `/usr/bin/env /usr/local/Homebrew/Library/Homebrew/shims/shared/curl --disable --cookie /dev/null --globoff --show-error --user-agent Homebrew/4.0.28\ \(Macintosh\;\ Intel\ Mac\ OS\ X\ 13.4.1\)\ curl/7.88.1 --header Accept-Language:\ en --retry 3 --fail --location --silent --head --request GET https://legitify.legitsecurity.com/0.2.6/darwin/amd64` exited with 22. Here's the output:
curl: (22) The requested URL returned error: 404
HTTP/2 302
date: Wed, 12 Jul 2023 20:46:52 GMT
location: https://github.com/Legit-Labs/legitify/releases/download/v0.2.6/legitify_0.2.6_darwin_amd64
strict-transport-security: max-age=15724800; includeSubDomains
HTTP/2 404
server: GitHub.com
date: Wed, 12 Jul 2023 20:46:07 GMT
content-type: text/plain; charset=utf-8
vary: X-PJAX, X-PJAX-Container, Turbo-Visit, Turbo-Frame, Accept-Encoding, Accept, X-Requested-With
cache-control: no-cache
strict-transport-security: max-age=31536000; includeSubdomains; preload
x-frame-options: deny
x-content-type-options: nosniff
x-xss-protection: 0
referrer-policy: no-referrer-when-downgrade
content-security-policy: default-src 'none'; base-uri 'self'; connect-src 'self'; form-action 'self'; img-src 'self' data:; script-src 'self'; style-src 'unsafe-inline'
content-length: 9
x-github-request-id: EBF7:500C:62D7E8:6A0A1E:64AF113C
No response
The README refers to GitHub's new fine-grained personal access tokens but if you use one you get an error:
Error: GitHub token seems invalid (should have 40 characters)
Accept fine grained access token
No response
0.1.5
Linux
No response
No response
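An added Go example (not legitify's validateToken) covering the three token-shape issues on this page: old-style 40-hex tokens, ghp_ classic tokens and github_pat_ fine-grained tokens are accepted by a single pre-check, and tokens are redacted before they can reach a log or an error message. The regular expressions, in particular the lengths allowed after each prefix, are this example's assumptions; the check says nothing about whether the token is authorised, which only an API call can tell.

```go
package main

import (
	"errors"
	"fmt"
	"regexp"
)

// TokenKind labels the token formats this example recognises.
type TokenKind string

const (
	KindOldStyle    TokenKind = "classic (40 hex chars, pre-prefix era and some GHES)"
	KindClassic     TokenKind = "classic (ghp_ prefix)"
	KindFineGrained TokenKind = "fine-grained (github_pat_ prefix)"
)

// Patterns: the 40-character and ghp_ shapes are the ones discussed in the
// issues; github_pat_ is GitHub's published prefix for fine-grained tokens.
// The lengths allowed after each prefix are this example's assumptions and are
// deliberately loose, since the exact token format is not a contract.
var (
	oldStylePAT    = regexp.MustCompile(`^[0-9a-f]{40}$`)
	classicPAT     = regexp.MustCompile(`^ghp_[A-Za-z0-9]{36}$`)
	fineGrainedPAT = regexp.MustCompile(`^github_pat_[A-Za-z0-9_]{22,}$`)
)

var ErrInvalidToken = errors.New("GitHub token seems invalid: expected a ghp_, github_pat_ or 40-hex-character token")

// ClassifyToken is the user-friendly pre-check: it rejects obvious junk before
// any network call but cannot tell whether the token is authorised.
func ClassifyToken(tok string) (TokenKind, error) {
	switch {
	case classicPAT.MatchString(tok):
		return KindClassic, nil
	case fineGrainedPAT.MatchString(tok):
		return KindFineGrained, nil
	case oldStylePAT.MatchString(tok):
		return KindOldStyle, nil
	}
	return "", ErrInvalidToken
}

// Redact is the only form of a token that should ever reach a log or error message.
func Redact(tok string) string {
	if len(tok) < 12 {
		return "****"
	}
	return tok[:4] + "..." + tok[len(tok)-4:]
}

func main() {
	// Constructed sample values, not real credentials.
	for _, tok := range []string{
		"ghp_abcdefghijklmnopqrstuvwxyz0123456789",
		"0123456789abcdef0123456789abcdef01234567",
		"github_pat_11AAAAAAA0bbbbbbbbbbbbbbbbbbbb_cccccccccccccccccccc",
		"ghp_tooshort",
	} {
		kind, err := ClassifyToken(tok)
		fmt.Printf("%-16s %-52s %v\n", Redact(tok), kind, err)
	}
}
```

Because the fine-grained branch matches on prefix rather than total length, the "should have 40 characters" rejection quoted in the issue cannot recur for those tokens; the classification can also drive behaviour that differs per kind, such as knowing that a fine-grained token needs an explicit resource owner rather than SAML authorisation.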