Ecosyste.ms: Awesome
An open API service indexing awesome lists of open source software.
https://github.com/Checkmarx/chainjacking
Find which of your direct GitHub dependencies is susceptible to RepoJacking attacks
https://github.com/Checkmarx/chainjacking
go golang security supply-chain
Last synced: 28 days ago
JSON representation
Find which of your direct GitHub dependencies is susceptible to RepoJacking attacks
- Host: GitHub
- URL: https://github.com/Checkmarx/chainjacking
- Owner: Checkmarx
- License: apache-2.0
- Created: 2021-11-16T09:22:09.000Z (about 3 years ago)
- Default Branch: master
- Last Pushed: 2022-05-29T07:05:00.000Z (over 2 years ago)
- Last Synced: 2024-10-14T03:06:16.577Z (about 2 months ago)
- Topics: go, golang, security, supply-chain
- Language: Python
- Homepage: https://pypi.org/project/chainjacking/
- Size: 16.6 KB
- Stars: 56
- Watchers: 7
- Forks: 15
- Open Issues: 0
-
Metadata Files:
- Readme: README.md
- License: LICENSE.txt
Awesome Lists containing this project
- awesome-software-supply-chain-security - Checkmarx/chainjacking: Find which of your go lang direct GitHub dependencies is susceptible to ChainJacking attack
- awesome-golang-security - ChainJacking - Find which of your Go lang direct GitHub dependencies is susceptible to ChainJacking attack. (Static Code Analysis)
- awesome-go-extra - chainjacking - 11-16T09:22:09Z|2022-05-29T07:05:00Z| (Code Analysis / Routers)
README
![readme cover image](https://user-images.githubusercontent.com/1287098/142020269-af916c4d-7c66-4893-a030-daa4113e00f4.png)
ChainJacking is a tool to find which of your Go lang direct GitHub dependencies is susceptible to RepoJacking attack. Read more about it [here](https://checkmarx.com/blog/a-new-type-of-supply-chain-attack-could-put-popular-admin-tools-at-risk/)
[![repojacking explained](https://img.youtube.com/vi/xrafnrkKfEg/0.jpg)](https://www.youtube.com/watch?v=xrafnrkKfEg)
#### Requirements
- Python 3.6+ and pip
- Go and it's binaries >= 1.13
- GitHub token (for API queries)
- 💡 This token is used for read only purposes and does not require any permissions#### Installation
```
pip install chainjacking
```## Using in CI Workflows
ChainJacking can be easily integrated into modern CI workflows to test new code contributions.### GitHub Actions
https://user-images.githubusercontent.com/1287098/142009618-5eb5d87c-a001-4536-abf3-c5d06216e1b6.mp4
Example configuration:
```yaml
name: Pull Requeston:
pull_requestjobs:
build:
name: Run Tests
runs-on: ubuntu-latest
steps:
- name: Checkout code
uses: actions/checkout@v2
- uses: actions/setup-python@v2
with:
python-version: '3.9'- name: ChainJacking tool test
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
run: |
python -m pip install -q chainjacking
python -m chainjacking -gt $GITHUB_TOKEN
```## CLI
ChainJacking module can be run as a CLI tool simply as
```
python -m chainjacking
```### CLI Arguments
- `-gt ` - GitHub access token, to run queries on GitHub API (required)
- `-p ` - Path to scan. (default=current directory)
- `-v` - Verbose output mode
- `-url ` - Scan one or more GitHub URLs
- `-f ` - Scan one or more GitHub URLs from a file separated by new-line#### Example: Scan a Go project
navigate your shell into a Go project's directory, and run:
```
python -m chainjacking -gt $GH_TOKEN
```https://user-images.githubusercontent.com/1287098/142020377-c873716d-c080-418b-8597-f9e08dba3e82.mp4