ChainJacking is a tool to find which of your Go lang direct GitHub dependencies is susceptible to ChainJacking attack. Read more about it here
Requirements
- Python 3.6+ and pip
- Go and it's binaries >= 1.13
- GitHub token (for API queries)
-
💡 This token is used for read only purposes and does not require any permissions
-
Installation
pip install chainjacking
Using in CI Workflows
ChainJacking can be easily integrated into modern CI workflows to test new code contributions.
GitHub Actions
ci-example.mp4
Example configuration:
name: Pull Request
on:
pull_request
jobs:
build:
name: Run Tests
runs-on: ubuntu-latest
steps:
- name: Checkout code
uses: actions/[email protected]
- uses: actions/[email protected]
with:
python-version: '3.9'
- name: ChainJacking tool test
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
run: |
python -m pip install -q chainjacking
python -m chainjacking -gt $GITHUB_TOKEN
CLI
ChainJacking module can be run as a CLI tool simply as
python -m chainjacking
CLI Arguments
-gt- GitHub access token, to run queries on GitHub API (required)-p- Path to scan. (default=current directory)-v- Verbose output mode-url- Scan one or more GitHub URLs-f- Scan one or more GitHub URLs from a file separated by new-line
Example: Scan a Go project
navigate your shell into a Go project's directory, and run:
python -m chainjacking -gt $GH_TOKEN
28 Oct 31, 2022
1 Feb 7, 2022
101 Dec 20, 2022
253 Jan 5, 2023
42 Dec 29, 2022
1 Jun 15, 2022
4 Dec 12, 2022
19 Dec 26, 2022
1 Nov 5, 2021
0 Jan 03, 2022
4 Mar 19, 2022
73 Dec 26, 2022
1 Oct 26, 2021
0 Jul 18, 2022
1.5k Nov 16, 2022
17 Oct 18, 2022
53 Sep 25, 2022
8 Nov 10, 2021
1 Dec 20, 2021
1 Oct 26, 2021
35 Dec 19, 2022
6 Oct 15, 2022
1 Nov 18, 2021
8 Jan 30, 2022
7 Aug 21, 2022
1 Nov 24, 2021
0 Dec 13, 2022
1 Dec 12, 2021
71 Jan 09, 2023