badj/repoguard
GitHub: badj/repoguard
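A lightweight Bash script that scans third-party npm repositories for malicious code patterns before you install them, to help guard against software supply-chain attacks.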
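# RepoGuard: Pre-Install Security Scanner
## Why use it?
In modern supply-chain attacks, malware often hides in plain sight: appended to the end of config files such as tailwind.config.js, or tucked into post-install scripts. This tool scans for:
- **Data exfiltration:** attempts to send data to unknown external URLs.
- **Credential theft:** access to the .ssh folder or to secrets in process.env.
- **Obfuscation:** unusually long config files (over 100 lines) containing hex/Base64 strings.
- **Remote execution:** use of eval(), exec(), or child_process.
## Table of Contents
- [Getting Started](#getting-started)
- [Prerequisites](#prerequisites)
- [Installation](#installation)
- [Project Structure](#project-structure)
- [How to Use](#how-to-use)
- [Output Sample – No Backdoors Found](#output-sample--no-backdoors-found)
- [Output Sample – Backdoors Found](#output-sample--backdoors-found)
- [What It Checks](#what-it-checks)
- [Safety Best Practices](#safety-best-practices)
- [To Do](#to-do)
- [Contributing](#contributing)
- [License](#license)
## Getting Started
### Prerequisites
1. A Unix-based environment (Linux, macOS, WSL).
2. grep and wc installed _(standard on most systems)_.
[_⇡ Back to Table of Contents_](#table-of-contents)
### Installation
Clone this repository or download the check-repo.sh file, then make the script executable: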
```
git clone https://github.com/badj/repoguard.git
cd repoguard
chmod +x check-repo.sh
```
[_⇡ Back to Table of Contents_](#table-of-contents)
### Project Structure
```
repoguard
├── Article // local copy of article
│ └── Real-world-malware-analysis-by-Ryan-Oberholzer.pdf
├── LICENSE
├── README.md
├── babel.config.js // Test Sample File
├── backend // Test Sample Folder
│ └── package.json // Test Sample File
├── check-repo.sh // RepoGuard Bash Script
├── decoder-catch.js // Test Sample File
├── package.json // Test Sample File
├── postcss.config.js // Test Sample File
├── tailwind.config.js // Test Sample File
├── vulnerable_test.ts // Test Sample File
└── webpack.config.js // Test Sample File
3 directories, 12 files
```
[_⇡ Back to Table of Contents_](#table-of-contents)
### How to Use
Move the [script - check-repo.sh](check-repo.sh) into the root directory of the project you want to check, then run:
```
./check-repo.sh
```
[_⇡ Back to Table of Contents_](#table-of-contents)
### Output Sample – No Backdoors Found
```
jjbadenhorst:repoguard (main) % chmod +x check-repo.sh
jjbadenhorst:repoguard (main) % ./check-repo.sh
--- 1. Dangerous patterns (eval, exec, private keys) ---
(none found)
--- 2. Base64 / encoded strings ---
(none found)
--- 3. Config file lengths (obfuscation = very long) ---
(none found)
--- 4. Post install / preinstall scripts ---
(none found)
--- 5. Suspicious dependencies (0.0.0, 0.0.1) ---
(none found)
=== DONE ===
Review the output above. If you see:
- Unknown external URLs (not Infura, Alchemy, your backend)
- process.env.Wallet* or process.env.*Private* sent anywhere
- Config files with 100+ lines (scroll to end and look for hex/obfuscation)
- post install scripts from unknown packages
-> DO NOT RUN npm install or npm start. Investigate further or run in Docker only!
```
### Output Sample – Backdoors Found
```
jjbadenhorst:repoguard (main) % ./check-repo.sh
--- 1. Dangerous patterns (eval, exec, private keys) ---
./vulnerable_test.ts:8: eval(input); // Should be caught
./vulnerable_test.ts:13:child_process.exec(command); // Should be caught
./vulnerable_test.ts:16:const dynamicFunction = new Function('a', 'b', 'return a + b'); // Should be caught
./vulnerable_test.ts:20: apiKey: process.env.PrivateKey, // Should be caught
./vulnerable_test.ts:21: walletId: process.env.WalletAddress, // Should be caught
./vulnerable_test.ts:22: token: process.env.SecretToken, // Should be caught
./vulnerable_test.ts:23: encryption: process.env.EKEY_VALUE, // Should be caught
--- 2. Base64 / encoded strings ---
./decoder-catch.js:8: Buffer[at(0x66)](s1, r)[aw(0x68)+au(0x4c)](t) // Buffer.from(s1, 'base64').toString('utf8') // Should be caught
--- 3. Config file lengths (obfuscation = very long) ---
tailwind.config.js: 126 lines
^ WARNING: Config > 100 lines - scroll to end and check for obfuscated code
webpack.config.js: 126 lines
^ WARNING: Config > 100 lines - scroll to end and check for obfuscated code
babel.config.js: 126 lines
^ WARNING: Config > 100 lines - scroll to end and check for obfuscated code
postcss.config.js: 126 lines
^ WARNING: Config > 100 lines - scroll to end and check for obfuscated code
--- 4. Post install / preinstall scripts ---
package.json: "postinstall": "npx ShouldBeCaught test 1",
package.json: "preinstall": "npx ShouldBeCaught test 2",
package.json: "prepare": "npx ShouldBeCaught test 3"
backend/package.json: "postinstall": "npx ShouldBeCaught test 1",
backend/package.json: "preinstall": "npx ShouldBeCaught test 2",
backend/package.json: "prepare": "npx ShouldBeCaught test 3"
--- 5. Suspicious dependencies (0.0.0, 0.0.1) ---
package.json: "@catchMe/test4ShouldBeCaught": "0.0.0",
package.json: "@catchMe/test5ShouldBeCaught": "0.0.1",
backend/package.json: "@catchMe/test4ShouldBeCaught": "0.0.0",
backend/package.json: "@catchMe/test5ShouldBeCaught": "0.0.1",
=== DONE ===
Review the output above. If you see:
- Unknown external URLs (not Infura, Alchemy, your backend)
- process.env.Wallet* or process.env.*Private* sent anywhere
- Config files with 100+ lines (scroll to end and look for hex/obfuscation)
- post install scripts from unknown packages
-> DO NOT RUN npm install or npm start. Investigate further or run in Docker only!
```
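[_⇡ Back to Table of Contents_](#table-of-contents)
### What It Checks
1. **Dangerous code:** looks for eval, exec, and references to private keys.
2. **Encoding:** detects Base64 or Buffer calls used to hide malicious payloads.
3. **Config integrity:** flags unusually long config files (Tailwind, Webpack, etc.).
4. **Lifecycle hooks:** scans package.json for pre-install or post-install scripts that run code automatically.
5. **Suspicious dependencies:** flags packages that use placeholder versions such as 0.0.0.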
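One way to implement checks 4 and 5 with only find and grep, as an added example (this is not the project's check-repo.sh). The sample package.json files and the package names in them are constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not RepoGuard's check-repo.sh. Uses only find and grep.

# Lifecycle hooks that npm runs automatically during `npm install`.
scan_hooks() {
  find "$1" -name node_modules -prune -o -type f -name package.json \
    -exec grep -HnE '"(preinstall|install|postinstall|prepare)"[[:space:]]*:' {} + || true
}

# Dependencies pinned to placeholder versions. The package's own "version"
# field is excluded so a fresh 0.0.1 project does not flag itself.
scan_placeholder_versions() {
  find "$1" -name node_modules -prune -o -type f -name package.json \
    -exec grep -HnE '"[^"]+"[[:space:]]*:[[:space:]]*"0\.0\.[01]"' {} + |
    grep -v '"version"[[:space:]]*:' || true
}

# Constructed sample tree (hypothetical package names).
demo=$(mktemp -d)
trap 'rm -rf "$demo"' EXIT
mkdir -p "$demo/backend"
cat > "$demo/package.json" <<'EOF'
{
  "name": "sample-app",
  "version": "0.0.1",
  "scripts": {
    "start": "node index.js",
    "postinstall": "node ./scripts/setup.js"
  },
  "dependencies": {
    "left-helper-example": "0.0.0",
    "express": "^4.18.2"
  }
}
EOF
cat > "$demo/backend/package.json" <<'EOF'
{
  "name": "sample-backend",
  "version": "1.2.0",
  "scripts": { "test": "node test.js" }
}
EOF

echo "--- lifecycle hooks ---";      scan_hooks "$demo"
echo "--- placeholder versions ---"; scan_placeholder_versions "$demo"
```

Because this is a line-based grep, a hook name used as a key outside the "scripts" object is also reported; treat each hit as a prompt to open the file.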
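[_⇡ Back to Table of Contents_](#table-of-contents)
## Safety Best Practices
- Never blindly trust a "technical assessment". If a recruiter pressures you to run code immediately, be wary.
- Use Docker. If you must run the code, run it in a container that does not have your home directory mounted.
- Review the output. This script is only an aid and offers no absolute guarantee.
- If it flags a 500-line tailwind.config.js, open the file and scroll to the bottom!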
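The "scroll to the bottom" step can be partly automated. The following added example (not the project's check-repo.sh) lists config files over 100 lines and prints lines near the end that look encoded; the tail length and the three regex heuristics are assumptions, and the sample file is constructed.

```shell
#!/bin/sh
# Added example, not RepoGuard's check-repo.sh.
MAX_LINES=100   # the README's threshold for a suspiciously long config
TAIL_LINES=20   # assumption: how many trailing lines to inspect
# Assumed heuristics: very long line, run of \xNN escapes, Base64-like run.
OBF_RE='.{200,}|(\\x[0-9a-fA-F]{2}){8,}|[A-Za-z0-9+/]{80,}'

# Print "line_count path" for every *.config.js/ts longer than MAX_LINES.
long_configs() {
  find "$1" -name node_modules -prune -o -type f \
    \( -name '*.config.js' -o -name '*.config.ts' \) -print |
    while IFS= read -r f; do
      n=$(wc -l < "$f" | tr -d ' ')
      if [ "$n" -gt "$MAX_LINES" ]; then printf '%s %s\n' "$n" "$f"; fi
    done
}

# Print "line_no: excerpt" for suspicious lines in the last TAIL_LINES of a file.
suspicious_tail() {
  total=$(wc -l < "$1" | tr -d ' ')
  grep -nE "$OBF_RE" "$1" |
    awk -F: -v min="$((total - TAIL_LINES))" \
      '$1 > min { print $1 ": " substr($0, length($1) + 2, 60) }'
}

# Constructed sample: 125 ordinary lines, then one appended line of hex
# escapes that decode to the harmless string "constructed".
demo=$(mktemp -d)
trap 'rm -rf "$demo"' EXIT
{
  echo 'module.exports = {'
  awk 'BEGIN { for (i = 1; i <= 123; i++) print "  // theme option " i }'
  echo '};'
  cat <<'EOF'
var _s = "\x63\x6f\x6e\x73\x74\x72\x75\x63\x74\x65\x64";
EOF
} > "$demo/tailwind.config.js"
printf 'module.exports = {};\n' > "$demo/postcss.config.js"

long_configs "$demo" | while read -r lines path; do
  echo "$path: $lines lines"
  suspicious_tail "$path"
done
```

A clean result here only means none of the three heuristics matched; a payload split across short lines would still need a manual read of the file end.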
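[_⇡ Back to Table of Contents_](#table-of-contents)
## To Do
1. [Create test coverage with BATS-CORE, and create GitHub Actions/workflows to run CI/CD tests](https://github.com/badj/repoguard/issues/1)
2. [Create a RepoGuard npm package, install it, and publish it to the npm registry](https://github.com/badj/repoguard/issues/2)
[_⇡ Back to Table of Contents_](#table-of-contents)
## Contributing
Found a new malware pattern? Please open an Issue or Pull Request to update the grep patterns.
[_⇡ Back to Table of Contents_](#table-of-contents)
## License
Distributed under the MIT License. See LICENSE for more information.
**Disclaimer:** This tool is for educational and auditing purposes only. It cannot detect 100% of all threats. Always use your best judgment when running untrusted code.
[_⇡ Back to Table of Contents_](#table-of-contents)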