ChainJacking is a tool to find which of your Go lang direct GitHub dependencies is susceptible to ChainJacking attack.

Last update: Nov 02, 2022

Overview

ChainJacking is a tool to find which of your Go lang direct GitHub dependencies is susceptible to ChainJacking attack. Read more about it here

Requirements

Python 3.6+ and pip
Go and it's binaries >= 1.13
GitHub token (for API queries)
- 💡 This token is used for read only purposes and does not require any permissions

Installation

pip install chainjacking

Using in CI Workflows

ChainJacking can be easily integrated into modern CI workflows to test new code contributions.

GitHub Actions

ci-example.mp4

Example configuration:

name: Pull Request

on:
  pull_request

jobs:

  build:
    name: Run Tests
    runs-on: ubuntu-latest
    steps:
      - name: Checkout code
        uses: actions/[email protected]
      - uses: actions/[email protected]
        with:
          python-version: '3.9'

      - name: ChainJacking tool test
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
        run: |
          python -m pip install -q chainjacking
          python -m chainjacking -gt $GITHUB_TOKEN

CLI

ChainJacking module can be run as a CLI tool simply as

python -m chainjacking

CLI Arguments

-gt - GitHub access token, to run queries on GitHub API (required)
-p - Path to scan. (default=current directory)
-v - Verbose output mode
-url - Scan one or more GitHub URLs
-f - Scan one or more GitHub URLs from a file separated by new-line

Example: Scan a Go project

navigate your shell into a Go project's directory, and run:

python -m chainjacking -gt $GH_TOKEN

cli-example.mp4

You might also like...

Automated GitHub profile content using the USGS API, Plotly and GitHub Actions.

Top 20 Largest Earthquakes in the Past 24 Hours Location Mag Date and Time (UTC) 92 km SW of Sechura, Peru 5.2 11-05-2021 23:19:50 113 km NNE of Lobuj

28 Oct 31, 2022

Dicionario-git-github - Dictionary created to help train new users of Git and GitHub applications

Dicionário 📕 Dicionário criado com o objetivo de auxiliar no treinamento de nov

1 Feb 7, 2022

Script to use SysWhispers2 direct system calls from Cobalt Strike BOFs

SysWhispers2BOF Script to use SysWhispers2 direct system calls from Cobalt Strike BOFs. Introduction This script was initially created to fix specific

101 Dec 20, 2022

Direct Multi-view Multi-person 3D Human Pose Estimation

Implementation of NeurIPS-2021 paper: Direct Multi-view Multi-person 3D Human Pose Estimation [paper] [video-YouTube, video-Bilibili] [slides] This is

253 Jan 5, 2023

APRS Track Direct is a collection of tools that can be used to run an APRS website

APRS Track Direct APRS Track Direct is a collection of tools that can be used to run an APRS website. You can use data from APRS-IS, CWOP-IS, OGN, HUB

42 Dec 29, 2022

Bootstraparse is a personal project started with a specific goal in mind: creating static html pages for direct display from a markdown-like file

1 Jun 15, 2022

Add your recently blog and douban states in your GitHub Profile

4 Dec 12, 2022

tox-gh is a tox plugin which helps running tox on GitHub Actions with multiple different Python versions on multiple workers in parallel

tox-gh is a tox plugin which helps running tox on GitHub Actions with multiple different Python versions on multiple workers in parallel. This project is inspired by tox-travis.

19 Dec 26, 2022

Fetch PRs from GitHub and analyze which ones are unmergeable

Set up token Generate a personal access token on GitHub. Add repo permissions. export GH_TOKEN="abcdefg" Pull PR data make Usually, GitHub doesn't h

1 Nov 5, 2021

ChainJacking is a tool to find which of your Go lang direct GitHub dependencies is susceptible to ChainJacking attack.

Related tags

Overview

Requirements

Installation

Using in CI Workflows

GitHub Actions

CLI

CLI Arguments

Example: Scan a Go project

You might also like...

Automated GitHub profile content using the USGS API, Plotly and GitHub Actions.

Dicionario-git-github - Dictionary created to help train new users of Git and GitHub applications

Script to use SysWhispers2 direct system calls from Cobalt Strike BOFs

Direct Multi-view Multi-person 3D Human Pose Estimation

APRS Track Direct is a collection of tools that can be used to run an APRS website

Bootstraparse is a personal project started with a specific goal in mind: creating static html pages for direct display from a markdown-like file

Add your recently blog and douban states in your GitHub Profile

tox-gh is a tox plugin which helps running tox on GitHub Actions with multiple different Python versions on multiple workers in parallel

Fetch PRs from GitHub and analyze which ones are unmergeable

Releases(v1.1.2)

v1.1.2(Nov 16, 2021)

1.1.2 (2021-11-16)

Bug Fixes

v1.1.1(Nov 16, 2021)

1.1.1 (2021-11-16)

Bug Fixes

v1.1.0(Nov 16, 2021)

Owner

Checkmarx

Blender addon that simplifies access to useful operators and adds missing functionality

A Python version of Canvacord

Template (v0) do Sistema Chatbot - atividade síncrona - INE5404

🦕 Compile Deno executables and compress them for all platforms easily

LTGen provides classic algorithms used in Language Theory.

Python programs, usually short, of considerable difficulty, to perfect particular skills.

Insert a Spotify Playlist, Get a list of YouTube URLs from it.

Datamol is a python library to work with molecules.

dotfiles - Cristian Valero Abundio

A simple app that helps to train quick calculations.

Python 100daysofcode

WMIC Serial Checker For Python

pybind11 — Seamless operability between C++11 and Python

Glyph Metadata Palette

Webcash is an experimental e-cash (electronic cash)

Scientific color maps and standardization tools

Python API for HotBits random data generator

Zotero references script (and app)

A clipboard where a user can add and retrieve multiple items to and from (resp) from the clipboard cache.

An Advanced Wordlist Library Written In Python For Acm114