{"id":26633492,"url":"https://github.com/chains-project/goleash","last_synced_at":"2025-03-24T15:15:08.219Z","repository":{"id":253418960,"uuid":"843333244","full_name":"chains-project/goleash","owner":"chains-project","description":"Runtime enforcement of software supply chain capabilities in Go","archived":false,"fork":false,"pushed_at":"2025-03-06T16:39:54.000Z","size":9279,"stargazers_count":0,"open_issues_count":1,"forks_count":0,"subscribers_count":6,"default_branch":"main","last_synced_at":"2025-03-06T17:39:16.337Z","etag":null,"topics":[],"latest_commit_sha":null,"homepage":null,"language":"C","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":null,"status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/chains-project.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":null,"code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2024-08-16T09:32:42.000Z","updated_at":"2025-03-06T16:39:57.000Z","dependencies_parsed_at":"2025-01-13T23:24:41.485Z","dependency_job_id":"fb29e811-527d-435b-ac57-fd604380e173","html_url":"https://github.com/chains-project/goleash","commit_stats":null,"previous_names":["chains-project/goleash"],"tags_count":1,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/chains-project%2Fgoleash","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/chains-project%2Fgoleash/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/chains-project%2Fgoleash/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/chains-project%2Fgoleash/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/chains-project","download_url":"https://codeload.github.com/chains-project/goleash/tar.gz/refs/heads/main","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":245294720,"owners_count":20591909,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":[],"created_at":"2025-03-24T15:15:07.657Z","updated_at":"2025-03-24T15:15:08.209Z","avatar_url":"https://github.com/chains-project.png","language":"C","funding_links":[],"categories":["Point-of-use validations"],"sub_categories":["Vulnerability information exchange"],"readme":"# GoLeash \u003cimg src=\"logo.jpg\" width=\"45\" height=\"30\" alt=\"Logo\" style=\"vertical-align: middle;\"\u003e\nRuntime enforcement of software supply chain capabilities in Go\n\n# Runnable example\nRun a Go program that invokes a denied capability, with GoLeash runtime enforcement attached.\n\n```bash\ncd examples/example_unrestrict\n```\n\nFirst, generate the hashes for the allowed capability invocations of the *trusted* initial version of the program.\n\n```bash\nmake all-hash\n```\n\nExecute the trusted version of the program:\n```bash\nmake all\n```\n\nThen, add a new denied capability invocation to the program (the command below uncomments the `TestReadFile()` call in `dependencyC/dep.go`):\n```bash\nsed -i '27,31s/^[[:space:]]*\\/\\/[[:space:]]*TestReadFile()/TestReadFile()/' dependencyC/dep.go\n```\n\nExecute the compromised version of the program with the same previously generated hashes:\n```bash\nmake all\n```\n\n# Syscall tracing\nThis tool tracks the syscalls made by a specified binary using eBPF.\n\n## Prerequisites\n-\n\n## Building the Tracer\n\n1. Navigate to the `track_syscalls` folder and build the tracer:\n```bash\ncd track_syscalls\nmake\n```\n\n## Testing with CoreDNS\n\nTo demonstrate the syscall tracking, we use CoreDNS as an example.\n\n### Compiling CoreDNS\n\n1. Navigate to the CoreDNS folder and compile CoreDNS using the provided script:\n```bash\n./build.sh\n```\nThis generates the CoreDNS binary to run later.\n\n### Generate an allowlist for the CoreDNS syscalls\n\n2. Navigate back to the `track_syscalls` folder and run the syscall tracker (with root privileges), pointing it to the CoreDNS binary:\n```bash\nsudo ./bpf_loader -binary /binary_path -mod-manifest /go.mod -mode build\n```\n\nReplace `/binary_path` and `/go.mod` with the actual paths to the binary and the `go.mod` manifest of the application you want to monitor.\n\n### Start CoreDNS and send a test request\n3. In a new terminal window, run CoreDNS:\n```bash\n./coredns/run.sh\n```\n\nCoreDNS starts with a default configuration.\n\n4. To trigger some operations to track, send a request to CoreDNS:\n\n```bash\n./make_request.sh\n```\n\nThis script sends a DNS query to the running CoreDNS instance.\n\n5. Observe the syscall tracking output in the terminal where you ran `bpf_loader`.\n\nYou should now see the syscalls triggered by CoreDNS in response to the DNS query. When you close the tracker with CTRL+C, the allowlist is saved.\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fchains-project%2Fgoleash","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fchains-project%2Fgoleash","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fchains-project%2Fgoleash/lists"}