ChainJacking is a tool to find which of your Go lang direct GitHub dependencies is susceptible to ChainJacking attack. Read more about it here
Requirements
- Python 3.6+ and pip
- Go and it's binaries >= 1.13
- GitHub token (for API queries)
-
💡 This token is used for read only purposes and does not require any permissions
-
Installation
pip install chainjacking
Using in CI Workflows
ChainJacking can be easily integrated into modern CI workflows to test new code contributions.
GitHub Actions
ci-example.mp4
Example configuration:
name: Pull Request
on:
pull_request
jobs:
build:
name: Run Tests
runs-on: ubuntu-latest
steps:
- name: Checkout code
uses: actions/[email protected]
- uses: actions/[email protected]
with:
python-version: '3.9'
- name: ChainJacking tool test
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
run: |
python -m pip install -q chainjacking
python -m chainjacking -gt $GITHUB_TOKEN
CLI
ChainJacking module can be run as a CLI tool simply as
python -m chainjacking
CLI Arguments
-gt- GitHub access token, to run queries on GitHub API (required)-p- Path to scan. (default=current directory)-v- Verbose output mode-url- Scan one or more GitHub URLs-f- Scan one or more GitHub URLs from a file separated by new-line
Example: Scan a Go project
navigate your shell into a Go project's directory, and run:
python -m chainjacking -gt $GH_TOKEN
28 Oct 31, 2022
1 Feb 7, 2022
101 Dec 20, 2022
253 Jan 5, 2023
42 Dec 29, 2022
1 Jun 15, 2022
4 Dec 12, 2022
19 Dec 26, 2022
1 Nov 5, 2021
49 Jul 10, 2022
0 Jun 30, 2022
3 Oct 27, 2022
96 Jan 02, 2023
1 Feb 08, 2022
1 Nov 22, 2022
1 Nov 18, 2021
7 Mar 20, 2022
51 Dec 22, 2022
1 Jul 16, 2021
2 Dec 16, 2021
2 Sep 28, 2022
108 Dec 08, 2022
5 Feb 23, 2022
1 Mar 05, 2022
3 Oct 04, 2022
4 Oct 13, 2022
408 Dec 20, 2022
4 Feb 18, 2022
3 Nov 17, 2022