{"id":13717658,"url":"https://github.com/Checkmarx/chainjacking","last_synced_at":"2025-05-07T07:31:51.478Z","repository":{"id":41219344,"uuid":"428590781","full_name":"Checkmarx/chainjacking","owner":"Checkmarx","description":"Find which of your direct GitHub dependencies is susceptible to RepoJacking attacks","archived":false,"fork":false,"pushed_at":"2022-05-29T07:05:00.000Z","size":17,"stargazers_count":56,"open_issues_count":0,"forks_count":15,"subscribers_count":7,"default_branch":"master","last_synced_at":"2024-10-14T03:06:16.577Z","etag":null,"topics":["go","golang","security","supply-chain"],"latest_commit_sha":null,"homepage":"https://pypi.org/project/chainjacking/","language":"Python","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"apache-2.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/Checkmarx.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE.txt","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null}},"created_at":"2021-11-16T09:22:09.000Z","updated_at":"2024-10-09T00:52:41.000Z","dependencies_parsed_at":"2022-07-21T21:47:28.903Z","dependency_job_id":null,"html_url":"https://github.com/Checkmarx/chainjacking","commit_stats":null,"previous_names":[],"tags_count":3,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/Checkmarx%2Fchainjacking","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/Checkmarx%2Fchainjacking/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/Checkmarx%2Fchainjacking/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/Checkmarx%2Fchainjacking/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/Checkmarx","download_url":"https://codeload.github.com/Checkmarx/chainjacking/tar.gz/refs/heads/master","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":224573507,"owners_count":17333804,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["go","golang","security","supply-chain"],"created_at":"2024-08-03T00:01:25.350Z","updated_at":"2024-11-14T05:32:19.137Z","avatar_url":"https://github.com/Checkmarx.png","language":"Python","funding_links":[],"categories":["Code Analysis","Point-of-use validations","Static Code Analysis","代码分析","Libraries for creating HTTP middlewares"],"sub_categories":["Routers","Vulnerability information exchange","路由器"],"readme":"![readme cover image](https://user-images.githubusercontent.com/1287098/142020269-af916c4d-7c66-4893-a030-daa4113e00f4.png)\n\nChainJacking is a tool that finds which of your Go project's direct GitHub dependencies are susceptible to RepoJacking attacks. Read more about it [here](https://checkmarx.com/blog/a-new-type-of-supply-chain-attack-could-put-popular-admin-tools-at-risk/).\n\n[![repojacking explained](https://img.youtube.com/vi/xrafnrkKfEg/0.jpg)](https://www.youtube.com/watch?v=xrafnrkKfEg)\n\n\n#### Requirements\n- Python 3.6+ and pip\n- Go and its binaries \u003e= 1.13\n- GitHub token (for API queries)\n  - 💡 This token is used for read-only purposes and does not require any permissions\n\n#### Installation\n```\npip install chainjacking\n```\n\n## Using in CI Workflows\nChainJacking can be easily integrated into modern CI workflows to test new code contributions.\n\n\n### GitHub Actions\n\nhttps://user-images.githubusercontent.com/1287098/142009618-5eb5d87c-a001-4536-abf3-c5d06216e1b6.mp4\n\nExample configuration:\n```yaml\nname: Pull Request\n\non:\n  pull_request\n\njobs:\n\n  build:\n    name: Run Tests\n    runs-on: ubuntu-latest\n    steps:\n      - name: Checkout code\n        uses: actions/checkout@v2\n      - uses: actions/setup-python@v2\n        with:\n          python-version: '3.9'\n\n      - name: ChainJacking tool test\n        env:\n          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}\n        run: |\n          python -m pip install -q chainjacking\n          python -m chainjacking -gt $GITHUB_TOKEN\n```\n\n\n## CLI\nThe ChainJacking module can be run as a CLI tool simply as\n```\npython -m chainjacking\n```\n\n### CLI Arguments\n- `-gt \u003ctoken\u003e` - GitHub access token, used to run queries on the GitHub API (required)\n- `-p \u003cpath\u003e` - Path to scan (default: current directory)\n- `-v` - Verbose output mode\n- `-url \u003curl\u003e` - Scan one or more GitHub URLs\n- `-f \u003cpath\u003e` - Scan one or more GitHub URLs from a newline-separated file\n\n\n#### Example: Scan a Go project\nNavigate your shell into a Go project's directory and run:\n```\npython -m chainjacking -gt $GH_TOKEN\n```\n\nhttps://user-images.githubusercontent.com/1287098/142020377-c873716d-c080-418b-8597-f9e08dba3e82.mp4\n\n\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2FCheckmarx%2Fchainjacking","html_url":"https://awesome.ecosyste.ms/projects/github.com%2FCheckmarx%2Fchainjacking","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2FCheckmarx%2Fchainjacking/lists"}