/chainalert-github-action

Scans popular packages and alerts when there is a suspicion of an account takeover.

Primary language: JavaScript. License: Apache-2.0.


ChainAlert

A free service by Checkmarx for the Open Source community that scans popular packages and alerts when there is a suspicion that the accounts behind those packages were hacked.

Add ChainAlert's GitHub action to your repository to be notified in case of a suspected takeover of one of your dependencies, giving you the chance to respond rapidly and protect yourself and your users.

For further reading about ChainAlert check out our blog.

The Need

Recent package takeover incidents such as coa and ua-parser-js have stressed the need for an alarm system to alert developers and users.

Learning the lessons of these supply chain incidents, we've created ChainAlert, a monitoring service that helps minimize the damage from such attacks by closing the gap between takeover and its detection and mitigation.

What Does It Do?

The ChainAlert cloud service continuously monitors and analyses new releases of packages, checking for:

  • Newly added auto-install scripts such as install, preinstall and postinstall
  • Consistency of the released version with the package's linked git repository, and whether it is present among the repository's tags
  • Changes in the package's maintainers
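As an added illustration (not ChainAlert's own code, which this page does not publish), a simplified JavaScript version of the three checks above, run on two constructed package.json manifests and a constructed tag list:

```javascript
// Added example, not ChainAlert's own code: a simplified version of the three
// checks the README lists, run on two constructed package.json manifests.
const INSTALL_HOOKS = ['preinstall', 'install', 'postinstall'];

// Compare the previous and new release of a package and return findings.
// `repoTags` stands in for the tag list of the package's linked git repository.
function analyzeRelease(prev, next, repoTags) {
  const findings = [];
  // 1. Newly added auto-install scripts: these run on `npm install` with no
  //    user interaction, so one appearing between releases is worth a look.
  const prevScripts = prev.scripts || {};
  const nextScripts = next.scripts || {};
  for (const hook of INSTALL_HOOKS) {
    if (nextScripts[hook] && !prevScripts[hook]) {
      findings.push({ check: 'new-install-script', detail: `${hook}: ${nextScripts[hook]}` });
    }
  }

  // 2. Version consistency: the published version should exist as a tag
  //    (with or without a leading "v") in the linked repository.
  const tags = new Set(repoTags.map(t => t.replace(/^v/, '')));
  if (!tags.has(next.version)) {
    findings.push({ check: 'version-not-tagged', detail: next.version });
  }

  // 3. Maintainer changes in either direction.
  const prevMaint = new Set((prev.maintainers || []).map(m => m.name));
  const nextMaint = new Set((next.maintainers || []).map(m => m.name));
  for (const name of nextMaint) {
    if (!prevMaint.has(name)) findings.push({ check: 'maintainer-added', detail: name });
  }
  for (const name of prevMaint) {
    if (!nextMaint.has(name)) findings.push({ check: 'maintainer-removed', detail: name });
  }
  return findings;
}

// Constructed sample data for a hypothetical package.
const previousRelease = {
  name: 'example-pkg', version: '1.2.3',
  scripts: { test: 'node test.js' },
  maintainers: [{ name: 'alice' }],
};
const newRelease = {
  name: 'example-pkg', version: '1.2.4',
  scripts: { test: 'node test.js', postinstall: 'node setup.js' },
  maintainers: [{ name: 'alice' }, { name: 'new-account' }],
};
const repoTags = ['v1.2.2', 'v1.2.3']; // no tag was pushed for 1.2.4
console.log(analyzeRelease(previousRelease, newRelease, repoTags));
```

On the sample data the function reports the new postinstall script, the untagged version and the added maintainer; a real service would also need to fetch the manifests and tags from the registry and repository.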


If ChainAlert finds suspicious activity in a package, it will automatically open GitHub issues on:

  • The package's linked GitHub repo, to notify its maintainers of the activity
  • The GitHub repo of any dependent of the package that has opted in via this GitHub action


How Do I Opt In?

You need to add our GitHub action to your project as a cron job.

Create a dedicated workflow file under .github/workflows/chainalert.yml

name: ChainAlert
on:
  schedule:
    - cron:  '0 0 * * *'
  push:
    branches: [ master ]
jobs:
  chainalert:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v2
      - uses: checkmarx/chainalert-github-action@v1

  • 💡 This action and service are only available for public GitHub projects
  • 💡 If our service stops receiving runs from your action for more than 2 days, we will automatically opt you out

Features

  • NPM packages support

WIP

  • PyPI packages support
  • Private repos support
  • Automatic pull-requests

Contact

For any further questions, please feel free to open an issue or contact us at supplychainsecurity@checkmarx.com