nova-8 / chainalert-github-action

This project forked from checkmarx/chainalert-github-action


Scans popular packages and alerts when there is a suspicion of an account takeover.

Home Page: https://github.com/marketplace/actions/chainalert

License: Apache License 2.0

JavaScript 100.00%

chainalert-github-action's Introduction


ChainAlert

A free service by Checkmarx for the Open Source community that scans popular packages and alerts when there is a suspicion that the accounts behind those packages were hacked.

Add ChainAlert's GitHub action to your repository to be notified of a suspected takeover of one of your dependencies, giving you the chance to respond rapidly and protect yourself and your users.

For further reading about ChainAlert check out our blog.

The Need

Recent package takeover incidents such as coa and ua-parser-js have stressed the need for an alarm system to alert developers and users.

Learning the lessons of these supply chain incidents, we've created ChainAlert, a monitoring service that helps minimize the damage from such attacks by shortening the window between a takeover and its detection and mitigation.

What Does It Do?

The ChainAlert cloud service continuously monitors and analyses new releases of packages, checking for:

  • Newly added auto-install scripts such as install, preinstall and postinstall
  • Whether the released version is consistent with, and present among, the tags of the package's linked git repository
  • Changes in the package's maintainers


If ChainAlert finds suspicious activity on a package, it automatically opens GitHub issues on:

  • The package's linked GitHub repo, to notify its maintainers of that activity
  • The GitHub repo of any dependent of the package that has opted in via this GitHub action
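The three checks above, and the issue they feed, can be sketched as release-to-release heuristics over registry metadata. The following is an added example written for this page, not ChainAlert's own code: it assumes npm-registry-style version records with `scripts` and `maintainers` fields, takes the linked repository's git tags as a plain array, and runs over constructed data for a hypothetical package `example-pkg` with hypothetical maintainers `alice` and `mallory`.

```javascript
// Added example, not ChainAlert's own code. Heuristics in the spirit of the
// README's three checks, run over constructed npm-style metadata.
// Assumptions (not from the page): a version record has `scripts` and
// `maintainers` as in a registry packument; git tags are a plain string array.

const INSTALL_HOOKS = ["preinstall", "install", "postinstall"];

// Rule 1: lifecycle scripts that run on `npm install` and did not exist in
// the previous release. A takeover commonly adds one to run a payload.
function newInstallScripts(prevScripts = {}, nextScripts = {}) {
  return INSTALL_HOOKS.filter(
    (hook) => hook in nextScripts && !(hook in prevScripts)
  );
}

// Rule 2: a published version with no matching tag in the linked repo.
// Accepts both "1.2.3" and "v1.2.3" tag styles.
function versionMissingFromTags(version, tags) {
  const accepted = new Set([version, `v${version}`]);
  return !tags.some((tag) => accepted.has(tag));
}

// Rule 3: maintainer-set differences between the two releases.
function maintainerChanges(prevMaintainers = [], nextMaintainers = []) {
  const prevNames = new Set(prevMaintainers.map((m) => m.name));
  const nextNames = new Set(nextMaintainers.map((m) => m.name));
  return {
    added: [...nextNames].filter((n) => !prevNames.has(n)),
    removed: [...prevNames].filter((n) => !nextNames.has(n)),
  };
}

// Run all rules over one (previous, new) release pair and build a report.
function analyseRelease({ name, prev, next, tags }) {
  const findings = [];

  const hooks = newInstallScripts(prev.scripts, next.scripts);
  if (hooks.length > 0) {
    findings.push({ rule: "new-install-script", detail: hooks });
  }
  if (versionMissingFromTags(next.version, tags)) {
    findings.push({ rule: "version-not-tagged", detail: next.version });
  }
  const delta = maintainerChanges(prev.maintainers, next.maintainers);
  if (delta.added.length > 0 || delta.removed.length > 0) {
    findings.push({ rule: "maintainer-change", detail: delta });
  }

  return { name, version: next.version, suspicious: findings.length > 0, findings };
}

// Render a report as the title and markdown body of a GitHub issue.
function renderIssue(report) {
  const title = `[ChainAlert] suspicious release ${report.name}@${report.version}`;
  const body = report.findings
    .map((f) => `- **${f.rule}**: ${JSON.stringify(f.detail)}`)
    .join("\n");
  return { title, body };
}

// Constructed sample data: hypothetical package, tags and maintainers.
const SAMPLE_TAGS = ["v1.0.0", "v1.0.1", "v1.0.2"];
const SAMPLE_PREV = {
  version: "1.0.1",
  scripts: { test: "jest" },
  maintainers: [{ name: "alice", email: "alice@example.com" }],
};
// Ordinary bump: same scripts, same maintainer, tagged in git.
const SAMPLE_BENIGN = {
  version: "1.0.2",
  scripts: { test: "jest" },
  maintainers: [{ name: "alice", email: "alice@example.com" }],
};
// Takeover-looking release: new postinstall, untagged version, new maintainer.
const SAMPLE_TAKEOVER = {
  version: "1.0.3",
  scripts: { test: "jest", postinstall: "node ./setup.js" },
  maintainers: [
    { name: "alice", email: "alice@example.com" },
    { name: "mallory", email: "mallory@example.com" },
  ],
};

const benignReport = analyseRelease({
  name: "example-pkg", prev: SAMPLE_PREV, next: SAMPLE_BENIGN, tags: SAMPLE_TAGS,
});
const takeoverReport = analyseRelease({
  name: "example-pkg", prev: SAMPLE_PREV, next: SAMPLE_TAKEOVER, tags: SAMPLE_TAGS,
});

console.log(JSON.stringify(benignReport));
console.log(renderIssue(takeoverReport).title);
console.log(renderIssue(takeoverReport).body);
```

On the constructed data the benign bump produces no findings, while the takeover-looking release trips all three rules; a real monitor would additionally need the previous release's metadata fetched from the registry and the tag list from the linked repository, which this example takes as given.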


How Do I Opt In?

You need to add our GitHub action to your project as a scheduled (cron) workflow.

Create a dedicated workflow file under .github/workflows/chainalert.yml

```yaml
name: ChainAlert
on:
  schedule:
    - cron:  '0 0 * * *'
  push:
    branches: [ master ]
jobs:
  chainalert:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v2
      - uses: checkmarx/chainalert-github-action@v1
```

  • 💡 This action and service are only available for public GitHub projects
  • 💡 If our service stops receiving runs from your workflow for more than 2 days, we will automatically opt you out

Features

  • NPM packages support

WIP

  • PyPi packages support
  • Private repos support
  • Automatic pull-requests

Contact

For any further question please feel free to open an issue or contact us at [email protected]

chainalert-github-action's People

Contributors

aviadg, baruchiro, jossef, kaplanlior
