Ecosyste.ms: Awesome
An open API service indexing awesome lists of open source software.
https://github.com/Checkmarx/chainalert-github-action
scans popular packages and alerts in cases there is suspicion of an account takeover
https://github.com/Checkmarx/chainalert-github-action
free-service github-action supply-chain-security
Last synced: 28 days ago
JSON representation
scans popular packages and alerts in cases there is suspicion of an account takeover
- Host: GitHub
- URL: https://github.com/Checkmarx/chainalert-github-action
- Owner: Checkmarx
- License: apache-2.0
- Created: 2021-11-29T22:46:56.000Z (about 3 years ago)
- Default Branch: master
- Last Pushed: 2022-02-20T07:20:09.000Z (almost 3 years ago)
- Last Synced: 2024-11-11T10:25:34.415Z (about 1 month ago)
- Topics: free-service, github-action, supply-chain-security
- Language: JavaScript
- Homepage: https://github.com/marketplace/actions/chainalert
- Size: 15.6 KB
- Stars: 41
- Watchers: 8
- Forks: 15
- Open Issues: 1
-
Metadata Files:
- Readme: README.md
- License: LICENSE.txt
Awesome Lists containing this project
- awesome-software-supply-chain-security - Checkmarx/chainalert-github-action: scans popular packages and alerts in cases there is suspicion of an account takeover
README
### ChainAlert
A free service by [Checkmarx](https://checkmarx.com/) for the Open Source community that scans popular packages and alerts in cases there is a suspicion those packages' accounts were hacked.
Add ChainAlert's GitHub action to your repository to be notified in case of a suspected takeover of one of your dependencies. Giving you the chance to rapidly respond and protect yourself and your users.
For further reading about ChainAlert check out our [blog](https://medium.com/checkmarx-security/chainalert-our-response-to-npm-account-takeover-attacks-aa1d10a4fdbe).
### The Need
Recent package takeover incidents such as [coa](https://checkmarx.com/blog/attackers-write-bugs-as-well/) and [ua-parser-js](https://checkmarx.com/blog/uaparser-js-attack-preparations/) have stressed the need for an alarm system to alert developers and users.
Learning the lessons of these supply chain incidents we've created **ChainAlert**, a monitoring service that will help minimize the damages from those attacks by closing the gap between takeover to detection and mitigation.
### What It Does?
ChainAlert cloud service continuously monitor and analyse new releases of packages:
- Detection of newly added auto install scripts such as `install`, `preinstall`, `postinstall`
- Checking the consistency of the version and if presented in the package's linked git repository tags
- Changes in package maintainers
If ChainAlert finds a suspicious activity of a package, it will automatically open GitHub issues on:
- The package's linked GitHub repo, to notify the maintainers of that activity
- Any package dependents' GitHub repo who's opted-in via [this GitHub action](https://github.com/marketplace/actions/chainalert)
### How Do I Opt In?
You need to add our [GitHub action](https://github.com/marketplace/actions/chainalert) to your project as a cron job.
Create a dedicated workflow file under `.github/workflows/chainalert.yml`
```yml
name: ChainAlert
on:
schedule:
- cron: '0 0 * * *'
push:
branches: [ master ]
jobs:
chainalert:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v2
- uses: checkmarx/chainalert-github-action@v1
```
- 💡 This action and service are only available for public GitHub projects
- 💡 If our service stops receiving for more than 2 days, we will automatically opt you out
### Features
- NPM packages support
#### WIP
- PyPi packages support
- Private repos support
- Automatic pull-requests
### Contact
For any further question please feel free to open an issue or contact us at [email protected]