A free service by Checkmarx for the Open Source community that scans popular packages and alerts in cases there is a suspicion those packages' accounts were hacked.
Add ChainAlert's GitHub action to your repository to be notified in case of a suspected takeover of one of your dependencies. Giving you the chance to rapidly respond and protect yourself and your users.
For further reading about ChainAlert check out our blog.
Recent package takeover incidents such as coa and ua-parser-js have stressed the need for an alarm system to alert developers and users.
Learning the lessons of these supply chain incidents we've created ChainAlert, a monitoring service that will help minimize the damages from those attacks by closing the gap between takeover to detection and mitigation.
ChainAlert cloud service continuously monitor and analyse new releases of packages:
- Detection of newly added auto install scripts such as
install
,preinstall
,postinstall
- Checking the consistency of the version and if presented in the package's linked git repository tags
- Changes in package maintainers
If ChainAlert finds a suspicious activity of a package, it will automatically open GitHub issues on:
- The package's linked GitHub repo, to notify the maintainers of that activity
- Any package dependents' GitHub repo who's opted-in via this GitHub action
You need to add our GitHub action to your project as a cron job.
Create a dedicated workflow file under .github/workflows/chainalert.yml
name: ChainAlert
on:
schedule:
- cron: '0 0 * * *'
push:
branches: [ master ]
jobs:
chainalert:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v2
- uses: checkmarx/chainalert-github-action@v1
- 💡 This action and service are only available for public GitHub projects
- 💡 If our service stops receiving for more than 2 days, we will automatically opt you out
- NPM packages support
- PyPi packages support
- Private repos support
- Automatic pull-requests
For any further question please feel free to open an issue or contact us at [email protected]