GitHub - Checkmarx/chainjacking: Find which of your direct GitHub dependencies is susceptible to RepoJacking attacks (original) (raw)

ChainJacking is a tool to find which of your Go lang direct GitHub dependencies is susceptible to RepoJacking attack. Read more about it here

Requirements

• Python 3.6+ and pip
• Go and it's binaries >= 1.13
• GitHub token (for API queries)
  • 💡 This token is used for read only purposes and does not require any permissions

Installation

Using in CI Workflows

ChainJacking can be easily integrated into modern CI workflows to test new code contributions.

GitHub Actions

ci-example.mp4

Example configuration:

name: Pull Request

on: pull_request

jobs:

build: name: Run Tests runs-on: ubuntu-latest steps: - name: Checkout code uses: actions/checkout@v2 - uses: actions/setup-python@v2 with: python-version: '3.9'

  - name: ChainJacking tool test
    env:
      GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
    run: |
      python -m pip install -q chainjacking
      python -m chainjacking -gt $GITHUB_TOKEN

CLI

ChainJacking module can be run as a CLI tool simply as

CLI Arguments

• -gt <token> - GitHub access token, to run queries on GitHub API (required)
• -p <path> - Path to scan. (default=current directory)
• -v - Verbose output mode
• -url <url> - Scan one or more GitHub URLs
• -f <path> - Scan one or more GitHub URLs from a file separated by new-line

Example: Scan a Go project

navigate your shell into a Go project's directory, and run:

python -m chainjacking -gt $GH_TOKEN

cli-example.mp4