ChainJacking is a tool to find which of your direct Go GitHub dependencies are susceptible to a RepoJacking attack. Read more about it here.

Requirements:

- Python 3.6+ and pip
- Go and its binaries >= 1.13
- GitHub token (for API queries)
- 💡 This token is used for read-only purposes and does not require any permissions

Installation:

```bash
pip install chainjacking
```
ChainJacking can be easily integrated into modern CI workflows to test new code contributions.
Example configuration:

```yaml
name: Pull Request
on:
  pull_request
jobs:
  build:
    name: Run Tests
    runs-on: ubuntu-latest
    steps:
      - name: Checkout code
        uses: actions/checkout@v2
      - uses: actions/setup-python@v2
        with:
          python-version: '3.9'
      - name: ChainJacking tool test
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
        run: |
          python -m pip install -q chainjacking
          python -m chainjacking -gt $GITHUB_TOKEN
```
The ChainJacking module can be run as a CLI tool simply as:

```bash
python -m chainjacking
```

Options:

- `-gt <token>` - GitHub access token, used to run queries on the GitHub API (required)
- `-p <path>` - Path to scan (default: current directory)
- `-v` - Verbose output mode
- `-url <url>` - Scan one or more GitHub URLs
- `-f <path>` - Scan one or more GitHub URLs listed in a file, one per line

To scan a project, navigate your shell into the Go project's directory and run:

```bash
python -m chainjacking -gt $GH_TOKEN
```
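To illustrate what a scan like the one above decides, here is an added example (not ChainJacking's own code) that parses a constructed `go.mod` for direct `github.com` dependencies and flags those whose import path no longer resolves to the original owner while that owner name is no longer registered. The GitHub lookup is an offline stand-in with hypothetical names, and the susceptibility rule is a simplified assumption, not the tool's actual checks.

```python
import re
from typing import Callable, List, Optional, Tuple

# Constructed sample go.mod (not a real project's file).
SAMPLE_GO_MOD = """\
module example.com/myservice
go 1.17
require (
    github.com/old-owner/widgets v1.2.3
    github.com/active-owner/logger v0.4.0
    golang.org/x/crypto v0.0.0-20210711020723-a769d52b0f97
    github.com/helper-owner/util v1.0.0 // indirect
)
"""

# Matches a require line for a github.com module path; group 3 keeps any trailing comment.
GITHUB_DEP = re.compile(r"^\s*(?:require\s+)?github\.com/([\w.-]+)/([\w.-]+)\s+\S+(.*)$")


def direct_github_deps(go_mod_text: str) -> List[Tuple[str, str]]:
    """Return (owner, repo) for each direct (non-indirect) github.com require."""
    deps = []
    for line in go_mod_text.splitlines():
        m = GITHUB_DEP.match(line)
        if m and "// indirect" not in m.group(3):
            deps.append((m.group(1), m.group(2)))
    return deps


def susceptible_deps(deps: List[Tuple[str, str]],
                     lookup: Callable[[str, str], Tuple[Optional[str], bool]]) -> List[str]:
    """lookup(owner, repo) -> (owner the repo currently resolves to, or None if gone,
    whether the original owner account still exists). Assumed simplified rule:
    flag paths whose owner moved away and whose old account name is unregistered."""
    findings = []
    for owner, repo in deps:
        current_owner, owner_exists = lookup(owner, repo)
        # The import path still names `owner`; if that account no longer exists,
        # the path no longer points at code the original author controls.
        if current_owner != owner and not owner_exists:
            findings.append(f"github.com/{owner}/{repo}")
    return findings


# Constructed offline stand-in for GitHub API answers (hypothetical names).
FAKE_GITHUB = {
    ("old-owner", "widgets"): ("new-owner", False),      # repo moved, old account gone
    ("active-owner", "logger"): ("active-owner", True),  # unchanged
}


def fake_lookup(owner: str, repo: str) -> Tuple[Optional[str], bool]:
    return FAKE_GITHUB.get((owner, repo), (None, False))
```

Running `susceptible_deps(direct_github_deps(SAMPLE_GO_MOD), fake_lookup)` returns only `github.com/old-owner/widgets`; a real scan would replace `fake_lookup` with authenticated GitHub API queries and pin or vendor any flagged module until it is re-pointed at a controlled repository.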