ChainJacking is a tool to find which of your Go lang direct GitHub dependencies is susceptible to ChainJacking attack. Read more about it here
Requirements
- Python 3.6+ and pip
- Go and it's binaries >= 1.13
- GitHub token (for API queries)
-
💡 This token is used for read only purposes and does not require any permissions
-
Installation
pip install chainjacking
Using in CI Workflows
ChainJacking can be easily integrated into modern CI workflows to test new code contributions.
GitHub Actions
ci-example.mp4
Example configuration:
name: Pull Request
on:
pull_request
jobs:
build:
name: Run Tests
runs-on: ubuntu-latest
steps:
- name: Checkout code
uses: actions/[email protected]
- uses: actions/[email protected]
with:
python-version: '3.9'
- name: ChainJacking tool test
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
run: |
python -m pip install -q chainjacking
python -m chainjacking -gt $GITHUB_TOKEN
CLI
ChainJacking module can be run as a CLI tool simply as
python -m chainjacking
CLI Arguments
-gt- GitHub access token, to run queries on GitHub API (required)-p- Path to scan. (default=current directory)-v- Verbose output mode-url- Scan one or more GitHub URLs-f- Scan one or more GitHub URLs from a file separated by new-line
Example: Scan a Go project
navigate your shell into a Go project's directory, and run:
python -m chainjacking -gt $GH_TOKEN
28 Oct 31, 2022
1 Feb 7, 2022
101 Dec 20, 2022
253 Jan 5, 2023
42 Dec 29, 2022
1 Jun 15, 2022
4 Dec 12, 2022
19 Dec 26, 2022
1 Nov 5, 2021
6 Nov 28, 2022
10 Nov 26, 2022
10 Dec 28, 2022
12 Dec 15, 2022
1 Feb 27, 2022
2 May 29, 2022
![Fw[a]rd](https://avatars.githubusercontent.com/u/18005538?v=4&s=60)
3 Jun 27, 2021
1 Nov 02, 2021
8 Aug 15, 2022
0 Oct 21, 2021
14 Oct 14, 2022
1 Jan 08, 2022
1 Nov 12, 2021
1 Nov 09, 2021
95 Feb 15, 2021
15 Oct 19, 2022
9 Jan 06, 2023
0 Feb 07, 2022
1.6k Dec 25, 2022
2 Oct 13, 2022