Home

Awesome

readme cover image

ChainJacking is a tool to find which of your Go lang direct GitHub dependencies is susceptible to RepoJacking attack. Read more about it here

repojacking explained

Requirements

Installation

pip install chainjacking

Using in CI Workflows

ChainJacking can be easily integrated into modern CI workflows to test new code contributions.

GitHub Actions

https://user-images.githubusercontent.com/1287098/142009618-5eb5d87c-a001-4536-abf3-c5d06216e1b6.mp4

Example configuration:

name: Pull Request

on:
  pull_request

jobs:

  build:
    name: Run Tests
    runs-on: ubuntu-latest
    steps:
      - name: Checkout code
        uses: actions/checkout@v2
      - uses: actions/setup-python@v2
        with:
          python-version: '3.9'

      - name: ChainJacking tool test
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
        run: |
          python -m pip install -q chainjacking
          python -m chainjacking -gt $GITHUB_TOKEN

CLI

ChainJacking module can be run as a CLI tool simply as

python -m chainjacking

CLI Arguments

Example: Scan a Go project

navigate your shell into a Go project's directory, and run:

python -m chainjacking -gt $GH_TOKEN

https://user-images.githubusercontent.com/1287098/142020377-c873716d-c080-418b-8597-f9e08dba3e82.mp4