Ecosyste.ms: Awesome
An open API service indexing awesome lists of open source software.
https://github.com/Checkmarx/chainjacking
Find which of your direct GitHub dependencies is susceptible to RepoJacking attacks
go golang security supply-chain
Last synced: 3 months ago
- Host: GitHub
- URL: https://github.com/Checkmarx/chainjacking
- Owner: Checkmarx
- License: apache-2.0
- Created: 2021-11-16T09:22:09.000Z (almost 3 years ago)
- Default Branch: master
- Last Pushed: 2022-05-29T07:05:00.000Z (over 2 years ago)
- Last Synced: 2024-07-05T16:17:56.799Z (4 months ago)
- Topics: go, golang, security, supply-chain
- Language: Python
- Homepage: https://pypi.org/project/chainjacking/
- Size: 16.6 KB
- Stars: 55
- Watchers: 7
- Forks: 14
- Open Issues: 0
Metadata Files:
- Readme: README.md
- License: LICENSE.txt
Awesome Lists containing this project
- awesome-software-supply-chain-security - Checkmarx/chainjacking: Find which of your go lang direct GitHub dependencies is susceptible to ChainJacking attack
- awesome-golang-security - ChainJacking - Find which of your Go lang direct GitHub dependencies is susceptible to ChainJacking attack. (Static Code Analysis)
- awesome-go-extra - chainjacking - 11-16T09:22:09Z|2022-05-29T07:05:00Z| (Code Analysis / Routers)
README
![readme cover image](https://user-images.githubusercontent.com/1287098/142020269-af916c4d-7c66-4893-a030-daa4113e00f4.png)
ChainJacking is a tool to find which of your Go lang direct GitHub dependencies is susceptible to RepoJacking attack. Read more about it [here](https://checkmarx.com/blog/a-new-type-of-supply-chain-attack-could-put-popular-admin-tools-at-risk/)
[![repojacking explained](https://img.youtube.com/vi/xrafnrkKfEg/0.jpg)](https://www.youtube.com/watch?v=xrafnrkKfEg)
#### Requirements
- Python 3.6+ and pip
- Go and its binaries >= 1.13
- GitHub token (for API queries)
- 💡 This token is used for read-only purposes and does not require any permissions

#### Installation
```
pip install chainjacking
```

## Using in CI Workflows
ChainJacking can be easily integrated into modern CI workflows to test new code contributions.

### GitHub Actions
https://user-images.githubusercontent.com/1287098/142009618-5eb5d87c-a001-4536-abf3-c5d06216e1b6.mp4
Example configuration:
```yaml
name: Pull Request
on:
  pull_request
jobs:
  build:
    name: Run Tests
    runs-on: ubuntu-latest
    steps:
      - name: Checkout code
        uses: actions/checkout@v2
      - uses: actions/setup-python@v2
        with:
          python-version: '3.9'
      - name: ChainJacking tool test
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
        run: |
          python -m pip install -q chainjacking
          python -m chainjacking -gt $GITHUB_TOKEN
```

## CLI
The ChainJacking module can be run as a CLI tool simply as:
```
python -m chainjacking
```

### CLI Arguments
- `-gt` - GitHub access token, used to run queries against the GitHub API (required)
- `-p` - Path to scan (default: current directory)
- `-v` - Verbose output mode
- `-url` - Scan one or more GitHub URLs
- `-f` - Scan one or more GitHub URLs read from a file, one per line

#### Example: Scan a Go project
Navigate your shell into a Go project's directory, and run:
```
python -m chainjacking -gt $GH_TOKEN
```
https://user-images.githubusercontent.com/1287098/142020377-c873716d-c080-418b-8597-f9e08dba3e82.mp4
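To make the check the README describes concrete, here is an added example (not ChainJacking's own code) of the core logic such a tool performs: read a Go project's `go.mod`, keep only the direct (non-`// indirect`) requirements hosted on `github.com`, and ask GitHub whether each `owner/repo` still resolves. A module path that now 404s, or redirects because the owner or repository was renamed, is the condition RepoJacking relies on, since the old name may become claimable again. The `go.mod` content, the `FAKE_REPO_STATUS` table and the `fake_lookup` function are constructed so the example runs offline; `github_repo_status` is the corresponding live lookup against the GitHub REST `/repos/{owner}/{repo}` endpoint (it is an assumption that this mirrors what the tool itself queries, and it is not called in the offline run).

```python
"""Flag direct Go dependencies whose GitHub owner/repo no longer resolves cleanly.

Added example, not ChainJacking's own code. Lookups are injected so the
parsing and decision logic can run offline against a constructed go.mod.
"""
import re
import urllib.error
import urllib.request
from typing import Callable, Dict, List, Tuple

# Constructed sample go.mod (not taken from any real project).
SAMPLE_GO_MOD = """\
module example.com/myservice

go 1.18

require (
    github.com/gorilla/mux v1.8.0
    github.com/old-org/legacy-lib v0.3.1
    github.com/Some-User/tool v1.2.0 // indirect
    golang.org/x/net v0.0.0-20220127200216-cd36cc0744dd
)

require github.com/vanished-user/helper v2.0.0+incompatible
"""

# owner and repo segments of a GitHub-hosted module path (major-version suffixes like /v2 are ignored)
GITHUB_MODULE_RE = re.compile(r"^github\.com/([A-Za-z0-9-]+)/([A-Za-z0-9_.-]+)")

# lookup(owner, repo) -> "exists" | "redirected" | "missing" | "http <code>"
RepoLookup = Callable[[str, str], str]


def direct_requires(go_mod: str) -> List[str]:
    """Return module paths of direct requirements, skipping '// indirect' entries."""
    paths: List[str] = []
    in_block = False
    for raw in go_mod.splitlines():
        line = raw.strip()
        if not line or line.startswith("//"):
            continue
        if line.startswith("require ("):
            in_block = True
            continue
        if in_block and line == ")":
            in_block = False
            continue
        if in_block:
            parts = line.split()
        elif line.startswith("require "):
            parts = line.split()[1:]  # single-line form: require <path> <version>
        else:
            continue  # module, go, replace, exclude, retract ... are out of scope
        if "// indirect" in line:
            continue  # only direct dependencies are the tool's concern
        paths.append(parts[0])
    return paths


def find_susceptible(go_mod: str, lookup: RepoLookup) -> List[Tuple[str, str]]:
    """Return (module_path, status) for every direct GitHub dependency not intact."""
    flagged: List[Tuple[str, str]] = []
    for path in direct_requires(go_mod):
        m = GITHUB_MODULE_RE.match(path)
        if not m:
            continue  # non-GitHub hosts are not subject to this check
        status = lookup(m.group(1), m.group(2))
        if status != "exists":
            flagged.append((path, status))
    return sorted(flagged)


# Constructed stand-in for the GitHub API so the demo runs offline.
FAKE_REPO_STATUS: Dict[Tuple[str, str], str] = {
    ("gorilla", "mux"): "exists",
    ("old-org", "legacy-lib"): "redirected",  # owner renamed: old name may be re-registered
    ("vanished-user", "helper"): "missing",   # account deleted: go get would 404
}


def fake_lookup(owner: str, repo: str) -> str:
    # GitHub names are case-insensitive, so normalise before the lookup
    return FAKE_REPO_STATUS.get((owner.lower(), repo.lower()), "missing")


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    """Surface 3xx as an error instead of following it; the redirect itself is the signal."""

    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def github_repo_status(owner: str, repo: str, token: str) -> str:
    """Live lookup (not used offline): GET /repos/{owner}/{repo} without following redirects."""
    req = urllib.request.Request(
        f"https://api.github.com/repos/{owner}/{repo}",
        headers={"Authorization": f"token {token}", "Accept": "application/vnd.github+json"},
    )
    try:
        with urllib.request.build_opener(_NoRedirect).open(req, timeout=10) as resp:
            return "exists" if resp.status == 200 else f"http {resp.status}"
    except urllib.error.HTTPError as err:
        if err.code in (301, 302, 307, 308):
            return "redirected"
        if err.code == 404:
            return "missing"
        return f"http {err.code}"


if __name__ == "__main__":
    for module_path, why in find_susceptible(SAMPLE_GO_MOD, fake_lookup):
        print(f"{module_path}: {why}")
```

To run it against a real project, pass `lambda o, r: github_repo_status(o, r, token)` as the lookup with a read-only token, as the README's `-gt` argument does; a `redirected` result is the one to investigate first, since the module path still downloads today but no longer names the account that controls it.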