{"id":13717205,"url":"https://github.com/Checkmarx/chainalert-github-action","last_synced_at":"2025-05-07T07:30:29.207Z","repository":{"id":43747139,"uuid":"433220217","full_name":"Checkmarx/chainalert-github-action","owner":"Checkmarx","description":"scans popular packages and alerts in cases there is suspicion of an account takeover","archived":false,"fork":false,"pushed_at":"2022-02-20T07:20:09.000Z","size":16,"stargazers_count":41,"open_issues_count":2,"forks_count":15,"subscribers_count":7,"default_branch":"master","last_synced_at":"2025-04-20T07:19:12.072Z","etag":null,"topics":["free-service","github-action","supply-chain-security"],"latest_commit_sha":null,"homepage":"https://github.com/marketplace/actions/chainalert","language":"JavaScript","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"apache-2.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/Checkmarx.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE.txt","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null}},"created_at":"2021-11-29T22:46:56.000Z","updated_at":"2024-10-17T08:18:26.000Z","dependencies_parsed_at":"2023-01-11T17:22:27.615Z","dependency_job_id":null,"html_url":"https://github.com/Checkmarx/chainalert-github-action","commit_stats":{"total_commits":10,"total_committers":4,"mean_commits":2.5,"dds":0.4,"last_synced_commit":"84a28df70741c9d82f87336bbe4b565fe0e57aba"},"previous_names":[],"tags_count":1,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/Checkmarx%2Fchainalert-github-action","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/Checkmarx%2Fchainalert-github-action/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/Checkmarx%2Fchainalert-github-action/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/Checkmarx%2Fchainalert-github-action/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/Checkmarx","download_url":"https://codeload.github.com/Checkmarx/chainalert-github-action/tar.gz/refs/heads/master","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":252833379,"owners_count":21811173,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["free-service","github-action","supply-chain-security"],"created_at":"2024-08-03T00:01:19.269Z","updated_at":"2025-05-07T07:30:28.882Z","avatar_url":"https://github.com/Checkmarx.png","language":"JavaScript","funding_links":[],"categories":["Dependency intelligence"],"sub_categories":[],"readme":"![cover](https://user-images.githubusercontent.com/1287098/144083262-2f90a537-eaa4-4be4-b451-e66661a113a6.png)\n\n### ChainAlert\nA free service by [Checkmarx](https://checkmarx.com/) for the Open Source community that scans popular packages and alerts in cases there is a suspicion those packages' accounts were hacked.\n\nAdd ChainAlert's GitHub action to your repository to be notified in case of a suspected takeover of one of your dependencies. Giving you the chance to rapidly respond and protect yourself and your users.\n\nFor further reading about ChainAlert check out our [blog](https://medium.com/checkmarx-security/chainalert-our-response-to-npm-account-takeover-attacks-aa1d10a4fdbe).\n### The Need\n\nRecent package takeover incidents such as [coa](https://checkmarx.com/blog/attackers-write-bugs-as-well/) and [ua-parser-js](https://checkmarx.com/blog/uaparser-js-attack-preparations/) have stressed the need for an alarm system to alert developers and users.\n\nLearning the lessons of these supply chain incidents we've created **ChainAlert**, a monitoring service that will help minimize the damages from those attacks by closing the gap between takeover to detection and mitigation.\n\n\n### What It Does?\n\nChainAlert cloud service continuously monitor and analyse new releases of packages:\n- Detection of newly added auto install scripts such as `install`, `preinstall`, `postinstall` \n- Checking the consistency of the version and if presented in the package's linked git repository tags\n- Changes in package maintainers \n\n![Group 468](https://user-images.githubusercontent.com/1287098/144894054-1ca132cf-e3f2-448a-bfdb-d04b00cbd02c.png)\n\n\nIf ChainAlert finds a suspicious activity of a package, it will automatically open GitHub issues on:\n- The package's linked GitHub repo, to notify the maintainers of that activity\n- Any package dependents' GitHub repo who's opted-in via [this GitHub action](https://github.com/marketplace/actions/chainalert)\n\n![111](https://user-images.githubusercontent.com/1287098/144894036-8b414468-8a93-464f-bbf9-6961043c91b8.png)\n![Frame 240](https://user-images.githubusercontent.com/1287098/144136718-200904ca-c01f-4bd8-825a-add9762e40dc.png)\n\n\n### How Do I Opt In?\n\nYou need to add our [GitHub action](https://github.com/marketplace/actions/chainalert) to your project as a cron job.\n\nCreate a dedicated workflow file under `.github/workflows/chainalert.yml`\n\n```yml\nname: ChainAlert\non:\n  schedule:\n    - cron:  '0 0 * * *'\n  push:\n    branches: [ master ]\njobs:\n  chainalert:\n    runs-on: ubuntu-latest\n    steps:\n      - uses: actions/checkout@v2\n      - uses: checkmarx/chainalert-github-action@v1\n```\n- 💡 This action and service are only available for public GitHub projects\n- 💡 If our service stops receiving for more than 2 days, we will automatically opt you out\n\n\n### Features\n- NPM packages support\n\n#### WIP \n- PyPi packages support\n- Private repos support\n- Automatic pull-requests\n\n\n### Contact\nFor any further question please feel free to open an issue or contact us at supplychainsecurity@checkmarx.com \n\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2FCheckmarx%2Fchainalert-github-action","html_url":"https://awesome.ecosyste.ms/projects/github.com%2FCheckmarx%2Fchainalert-github-action","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2FCheckmarx%2Fchainalert-github-action/lists"}