Checkmarx/chainjacking

Code Analysis Tools

Stars
55
Rank 537,381 (Top 11 %)
Language
Python
License
Apache License 2.0
Created almost 3 years ago
Updated over 2 years ago

Checkmarx/chainjacking

Checkmarx

There are no reviews yet. Be the first to send feedback to the community and the maintainers!

Find which of your direct GitHub dependencies is susceptible to RepoJacking attacks

ChainJacking is a tool to find which of your Go lang direct GitHub dependencies is susceptible to RepoJacking attack. Read more about it here

Requirements

Python 3.6+ and pip
Go and it's binaries >= 1.13
GitHub token (for API queries)
- 💡 This token is used for read only purposes and does not require any permissions

Installation

pip install chainjacking

Using in CI Workflows

ChainJacking can be easily integrated into modern CI workflows to test new code contributions.

GitHub Actions

ci-example.mp4

Example configuration:

name: Pull Request

on:
  pull_request

jobs:

  build:
    name: Run Tests
    runs-on: ubuntu-latest
    steps:
      - name: Checkout code
        uses: actions/checkout@v2
      - uses: actions/setup-python@v2
        with:
          python-version: '3.9'

      - name: ChainJacking tool test
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
        run: |
          python -m pip install -q chainjacking
          python -m chainjacking -gt $GITHUB_TOKEN

CLI

ChainJacking module can be run as a CLI tool simply as

python -m chainjacking

CLI Arguments

-gt <token> - GitHub access token, to run queries on GitHub API (required)
-p <path> - Path to scan. (default=current directory)
-v - Verbose output mode
-url <url> - Scan one or more GitHub URLs
-f <path> - Scan one or more GitHub URLs from a file separated by new-line

Example: Scan a Go project

navigate your shell into a Go project's directory, and run:

python -m chainjacking -gt $GH_TOKEN

cli-example.mp4

kics

Find security vulnerabilities, compliance issues, and infrastructure misconfigurations early in the development cycle of your infrastructure-as-code with KICS by Checkmarx.

Open Policy Agent

capital

A built-to-be-vulnerable API application based on the OWASP top 10 API vulnerabilities. Use c{api}tal to learn, train and exploit API Security vulnerabilities within your own API Security CTF.

JS-SCP

JavaScript Secure Coding Practices guide

2ms

Too many secrets (2MS) helps people protect their secrets on any file or on systems like CMS, chats and git

kics-github-action

GitHub actions of KICS scan - Keeping Infrastructure as Code Secure

chainalert-github-action

scans popular packages and alerts in cases there is suspicion of an account takeover

ast-cli

A CLI project wrapping application security testing (AST) APIs

dustilock

DustiLock is a tool to find which of your dependencies is susceptible to a Dependency Confusion attack.

Goatlin

(aka Kotlin Goat) - an intentionally vulnerable Kotlin application

cuteboi

This open-source project tracks CuteBoi's activity over time as there are evidence the actor is still active. All information provided here is intended for research purposes.

Kotlin-SCP

Kotlin Secure Coding Practices is a guide written for anyone using Kotlin for mobile development.

ast-github-action

Checkmarx application security testing (AST) GitHub action

WebViewGoat

A deliberately vulnerable Android application to demonstrate exfiltration scenarios

red-lili

This open-source project tracks RED-LILI's activity over time as there are evidence the actor is still active. All information provided here is intended for research purposes.

ast-vscode-extension

The Checkmarx One Visual Studio Code plugin (extension) enables you to import results from a Checkmarx One scan directly into your VS Code console. You can view the vulnerabilities that were identified in your source code and navigate directly to the vulnerable code in the editor.

kics-cdk-validator-plugin

A KICS plugin for AWS CDK

driffty

Cloud Infrastructure Security Drift Detection - for KICS

Open Policy Agent

ci-cd-integrations

If you are using a CI/CD platform that doesn’t yet have a dedicated Checkmarx plugin, please check this repository.

swag

ast-azure-plugin

The CxAST Azure DevOps plugin enables you to trigger SAST, SCA, and KICS scans directly from an Azure DevOps pipeline.

sast-to-ast-export

CLI tool to export data from CxSAST and import into Checkmarx Application Security Testing Platform

ast-teamcity-plugin

The CxAST TeamCity plugin enables you to trigger SAST, SCA, and KICS scans directly from a TeamCity project.

ast-eclipse-plugin

The CxAST Eclipse plugin enables you to import results from a CxAST scan directly into your IDE. You can view the vulnerabilities that were identified in your source code and navigate directly to the vulnerable code in the editor.

dast-github-action

API-Security-Top-10

ast-visual-studio-extension

The CxAST Visual Studio plugin enables you to import results from a CxAST scan directly into your IDE

JobDeCrypter

A decryption tool for the JobCrypter ransomware

homebrew-ast-cli

NFCdrip

solidity-ddenv

Containerized Solidity Decentralized App Development Environment

kics-codefresh-step

ast-jetbrains-plugin

The CxAST JetBrains plugin enables you to import results from a CxAST scan directly into your IDE.

nexus-security-plugin

SmartBulbExfil

kics-orb

vorpal-reviewdog-github-action

Run Vorpal with reviewdog 🐶