Skip to main content

ChainJacking

  • Free download
  • Supply Chain Security

Your Golang direct GitHub dependencies may be susceptible to ChainJacking attacks!

  • Credit: Checkmarx
  • License: MIT

ChainJacking is a tool to find which of your Go lang direct GitHub dependencies is susceptible to RepoJacking attack. Read more about it here

Requirements

  • Python 3.6+ and pip
  • Go and it’s binaries >= 1.13
  • GitHub token (for API queries)
    • 💡 This token is used for read only purposes and does not require any permissions

Installation

pip install chainjacking

Using in CI Workflows

ChainJacking can be easily integrated into modern CI workflows to test new code contributions.

GitHub Actions

Example configuration:

name: Pull Request

on:
  pull_request

jobs:

  build:
    name: Run Tests
    runs-on: ubuntu-latest
    steps:
      - name: Checkout code
        uses: actions/checkout@v2
      - uses: actions/setup-python@v2
        with:
          python-version: '3.9'

      - name: ChainJacking tool test
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
        run: |
          python -m pip install -q chainjacking
          python -m chainjacking -gt $GITHUB_TOKEN

CLI

ChainJacking module can be run as a CLI tool simply as

python -m chainjacking

CLI Arguments

  • -gt <token> – GitHub access token, to run queries on GitHub API (required)
  • -p <path> – Path to scan. (default=current directory)
  • -v – Verbose output mode
  • -url <url> – Scan one or more GitHub URLs
  • -f <path> – Scan one or more GitHub URLs from a file separated by new-line

Example: Scan a Go project

navigate your shell into a Go project’s directory, and run:

python -m chainjacking -gt $GH_TOKEN

Example