ChainAlert
ChainAlert
A free service by Checkmarx for the Open Source community that scans popular packages and alerts in cases there is a suspicion those packages’ accounts were hacked.
Add ChainAlert’s GitHub action to your repository to be notified in case of a suspected takeover of one of your dependencies. Giving you the chance to rapidly respond and protect yourself and your users.
For further reading about ChainAlert check out our blog.
The Need
Recent package takeover incidents such as coa and ua-parser-js have stressed the need for an alarm system to alert developers and users.
Learning the lessons of these supply chain incidents we’ve created ChainAlert, a monitoring service that will help minimize the damages from those attacks by closing the gap between takeover to detection and mitigation.
What Does it Do?
ChainAlert cloud service continuously monitor and analyse new releases of packages:
- Detection of newly added auto install scripts such as
install,preinstall,postinstall - Checking the consistency of the version and if presented in the package’s linked git repository tags
- Changes in package maintainers
If ChainAlert finds a suspicious activity of a package, it will automatically open GitHub issues on:
- The package’s linked GitHub repo, to notify the maintainers of that activity
- Any package dependents’ GitHub repo who’s opted-in via this GitHub action
How Do I Opt In?
You need to add our GitHub action to your project as a cron job.
Create a dedicated workflow file under .github/workflows/chainalert.yml
For an example click here
- 💡 This action and service are only available for public GitHub projects
- 💡 If our service stops receiving for more than 2 days, we will automatically opt you out
Features
- NPM packages support
WIP
- PyPi packages support
- Private repos support
- Automatic pull-requests
Contact
For any further question please feel free to open an issue or contact us at [email protected]