Research
Security News
Kill Switch Hidden in npm Packages Typosquatting Chalk and Chokidar
Socket researchers found several malicious npm packages typosquatting Chalk and Chokidar, targeting Node.js developers with kill switches and data theft.
hawkeye-scanner
Advanced tools
Hawkeye is a project security, vulnerability and general risk highlighting tool. It has a few goals:
Hi! I don't have time to support hawkeye moving forward, so I am actively looking for maintainers. I you've got an interest in this project and fancy helping out - please reach out to me!
1.0.0
many of the modules have had their identifiers changed and prefixed for langues added to them, for example npmaudit
is now node-npmaudit
. This means you will need to udpate your .hawkeyerc
files, and any commands where you explicitly specify modules eg hawkeye scan -m thing
.Modules are basically little bits of code that either implement their own logic, or wrap a third party tool and standardise the output. They only run if the required criteria are met, for example; the npm outdated
module would only run if a package.json
is detected in the scan target - as a result, you don't need to tell Hawkeye what type of project you are scanning. The modules implemented so far are:
id_rsa
, things that end in pem
, etc.mvn package
or gradle stage
.mvn package
or gradle stage
.I really, really do welcome people writing new modules so please check out lib/modules/example-shell/index.js as an example of how simple it is, and send me a pull request.
-m entropy
switch. Personally I use this manually checking over code bases I have inherited.I wanted Hawkeye to be as flexible as possible, as a result it supports numerous methods of execution.
As Hawkeye wraps a lot of other dependencies, the easiest way to run it is using docker. Simply type docker run --rm -v $PWD:/target stono/hawkeye
.
Lets say you have project which has a Dockerfile
, with lines like this in:
COPY . /app
VOLUME /app
You could add hawkeye to your compose file like this:
services:
app:
build: .
hawkeye:
image: stono/hawkeye
command: scan -t /app
volumes_from:
- app
You can simply do docker-compose run --rm --no-deps hawkeye
. Woo hoo.
If you want, you can do npm install -g hawkeye-scanner
, and type hawkeye scan
instead. However, this will require you to have all of the other dependencies installed on your host for the modules that you're wanting to scan with.
This is an example of running Hawkeye against one of your projects in GoCD:
<pipeline name="security-scan">
<stage name="Hawkeye" cleanWorkingDir="true">
<jobs>
<job name="scan">
<tasks>
<exec command="docker">
<arg>pull</arg>
<arg>stono/hawkeye</arg>
<runif status="passed" />
</exec>
<exec command="bash">
<arg>-c</arg>
<arg>docker run --rm -v $PWD:/target stono/hawkeye</arg>
<runif status="passed" />
</exec>
</tasks>
</job>
</jobs>
</stage>
</pipeline>
This is an example of running Hawkeye from an npm package.json against a local repository before commit, failing the commit if high or critical issues are found:
{
"name": "demoproj",
"version": "1.0.0",
"description": "demo",
"main": "app.js",
"dependencies": {
"express": "4.16.2"
},
"devDependencies": {
"pre-commit": "^1.2.2"
},
"scripts": {
"hawkeye:pre-commit": "hawkeye scan -t ./src -m contents -m files -f high"
},
"pre-commit": [
"hawkeye:pre-commit"
],
"author": "",
"license": "ISC"
}
As of version 0.9.0
, you can use the familiar .hawkeyerc
and .hawkeyeignore
pattern in your project root.
This file takes all the same options as hawkeye scan --help
. In this example, we'll run the contents
, entropy
, files
, npm outdated
and npm audit
{
"modules": ["contents", "entropy", "files", "node-npmoutdated", "node-npmaudit"],
"failOn": "medium"
}
This file should be a collection of patterns to exclude from the scan, and is equivalent to running --exclude
.
^test/
README.md
hawkeye scan
There are a few options available:
Hawkeye by default will attempt to detect a .git folder in your target, if it is there it will only scan git tracked files. Further to that, if a .git-crypt folder is detected, we will also exclude files which are GPG encrypted. If there is no .git in the target directory, then all files will be scanned.
You can override this behaviour with the --all
flag, which will scan all files regardless.
From a pipeline perspective, the --fail-on
command is useful, you might not wish for low
items to break your build, so you could use --fail-on medium
.
By default Hawkeye will look in your current working directory. You can override this behaviour though by specifying a --target
If you want to run specific modules only, you can use the --module
flag, which can be specified multiple times. For example hawkeye scan -m node-npmaudit -m node-npmoutdated
would run just the npm audit
and npm outdated
modules.
The --json
paramter allows you to write a much more detailed report to a file. See the Json section below for more information
This will post the results to a SumoLogic HTTP collector. See the SumoLogic section below for more information.
This parameter (which can be specified multiple times) allows you to specify patterns you wish to be excluded from the scan. For example hawkeye scan -e "^test/"
would exclude all your test files. All paths are relative to the --target
.
There are some global exclusions in place, and those are "^.git", "^.git-crypt" and "^node_modules".
The --file-limit
allows you to set a higher file limit thab the default (1000). This is useful when the target directory includes more files.
hawkeye modules
You can view the module status with hawkeye modules
. As previously mentioned you can see that entropy is disabled by default. If you want to run it, use the -m entropy
flag.
$ hawkeye modules
[info] Welcome to Hawkeye v0.11.0!
[info] Bundler Scan dynamically loaded
[info] File Contents dynamically loaded
[info] Entropy dynamically loaded
[info] Example Module dynamically loaded
[info] Secret Files dynamically loaded
[info] Node Check Updates dynamically loaded
[info] Node Security Project dynamically loaded
Module Status
[info] Enabled: Credit Card Numbers (ccnumber)
Scans files for potential credit card numbers
[info] Enabled: File Contents (contents)
Scans files for dangerous content
[info] Disabled: Entropy (entropy)
Scans files for strings with high entropy
[info] Disabled: Example Module (example-shell)
Example of how to write a module and shell out a command
[info] Enabled: Secret Files (files)
Scans for known secret files
[info] Enabled: FindSecBugs Scan (java-find-secbugs)
FindSecBugs find common security issues in Java code.
[info] Enabled: Owasp Dependency Check Scan (java-owasp)
Scan the dependencies of a Java project.
[info] Disabled: Node Constant Hashtable Seed check (node-chs)
Scans a package.json to check for CHS issues.
[info] Enabled: Node CrossEnv malware check (node-crossenv)
Scans a package.json for known malicious crossenv packages
[info] Enabled: npm audit (node-npmaudit)
Checks for known security vulnerabilities in your npm dependencies
[info] Enabled: npm outdated (node-npmoutdated)
Checks for outdated npm modules
[info] Enabled: Bandit Scan (python-bandit)
Bandit find common security issues in Python code.
[info] Enabled: Python Outdated Dependencies Scan (python-piprot)
Scans a requirements.txt for out of date packages
[info] Enabled: Safety Scan (python-safety)
Safety checks your installed dependencies for known security vulnerabilities.
[info] Enabled: Brakeman Scan (ruby-brakeman)
Brakeman statically analyzes Rails application code to find security issues.
[info] Enabled: Bundler Scan (ruby-bundler-scan)
Scan for Ruby gems with known vulnerabilities
At the moment, Hawkeye supports three output writers.
The default summary output to your console looks something like this. The log information is written to stdout
and the errors found to stderr
in a console parsable tablular output
$ hawkeye scan
[info] Welcome to Hawkeye v0.11.0!
[info] File Contents dynamically loaded
[info] Entropy dynamically loaded
[info] Example Module dynamically loaded
[info] Secret Files dynamically loaded
[info] Node Check Updates dynamically loaded
[info] Node Security Project dynamically loaded
[info] git repo detected, will only use git tracked files
[info] git-crypt detected, excluding files covered by GPG encryption
[info] -> git-crypt status -e
[info] Files excluded by git-crypt: 0
[info] -> git ls-tree --full-tree --name-only -r HEAD
[info] Files included in scan: 62
[info] Target for scan: /Users/kstoney/git/stono/hawkeye
[info] Fail at level: low
[info] Running module File Contents
[info] Running module Secret Files
[info] Running module npm audit
[info] -> npm audit --json
[info] Running module npm outdated
[info] -> npm outdated --json
[info] scan complete, 16 issues found
[info] Doing writer: console
level description offender mitigation
-------- ----------------------------------------------------------------- -------------------------------- -------------------------------------------------
critical Incorrect Handling of Non-Boolean Comparisons During Minification uglify-js https://nodesecurity.io/advisories/39
critical Private SSH key regex_rsa Check contents of the file
critical Private SSH key id_rsa Check contents of the file
critical Potential cryptographic private key cert.pem Check contents of the file
critical Private key in file some_file_with_private_key_in.md Check line number: 1
critical Found 1 dependencies with critical-severity vulnerabilities Vulnerable npm dependency Run npm audit for further information
high Regular Expression Denial of Service negotiator https://nodesecurity.io/advisories/106
high Module is one or more major versions out of date nodemailer Update to 4.0.1
high GNOME Keyring database file keyring Check contents of the file
high Found 5 dependencies with high-severity vulnerabilities Vulnerable npm dependency Run npm audit for further information
medium Regular Expression Denial of Service uglify-js https://nodesecurity.io/advisories/48
medium Module is one or more minor versions out of date express Update to 4.15.2
medium Rubygems credentials file gem/credentials Might contain API key for a rubygems.org account.
medium Module is one or more minor versions out of date morgan Update to 1.8.1
medium Module is one or more minor versions out of date serve-favicon Update to 2.4.2
medium Module is one or more minor versions out of date body-parser Update to 1.17.1
medium Module is one or more minor versions out of date debug Update to 2.6.3
low Contains words: private, key some_file_with_private_key_in.md Check contents of the file
I plan to add options to supress log outputs etc in the future, but for now if you want to parse this output, you can supress the logs and just output the table like this:
$ (hawkeye scan >/dev/null) 2>&1 | tail -n +3
critical Incorrect Handling of Non-Boolean Comparisons During Minification uglify-js https://nodesecurity.io/advisories/39
critical Private SSH key regex_rsa Check contents of the file
critical Private SSH key id_rsa Check contents of the file
critical Potential cryptographic private key cert.pem Check contents of the file
critical Private key in file some_file_with_private_key_in.md Check line number: 1
high Regular Expression Denial of Service negotiator https://nodesecurity.io/advisories/106
high Module is one or more major versions out of date nodemailer Update to 4.0.1
high GNOME Keyring database file keyring Check contents of the file
medium Regular Expression Denial of Service uglify-js https://nodesecurity.io/advisories/48
medium Module is one or more minor versions out of date express Update to 4.15.2
medium Rubygems credentials file gem/credentials Might contain API key for a rubygems.org account.
medium Module is one or more minor versions out of date morgan Update to 1.8.1
medium Module is one or more minor versions out of date serve-favicon Update to 2.4.2
medium Module is one or more minor versions out of date body-parser Update to 1.17.1
medium Module is one or more minor versions out of date debug Update to 2.6.3
low Contains words: private, key some_file_with_private_key_in.md Check contents of the file
Here are some other handy examples:
(hawkeye scan >/dev/null) 2>&1 | tail -n +3 | grep critical
- output just critical itemsAnother option is for you to use a different output writer, for example...
You can output much more information in the form of a JSON artefact that groups by executed module.
Check out a sample here
The output of Hawkeye can be sent to a SumoLogic HTTP collector of your choice. In this example, I have a collector of hawkeye
, with a single HTTP source.
hawkeye scan --sumo https://collectors.us2.sumologic.com/receiver/v1/http/your-http-collector-url
...
[info] Doing writer: sumologic
[info] sending 16 results to SumoLogic
And in sumo logic, search for _collector="hawkeye" | json auto
:
The idea is that this project should be super extensible, I want people to write new handlers with ease. Simply create a handler in lib/modules
which exposes the following signature:
--module
The first argument passed is results
, this is where the module should send its results to, it exposes four methods for each 'level' of issue found, critical
, high
, medium
and low
. Those methods expect you to pass something like this:
results.critial('offender', 'description', 'extra', { additional: 'data' });
FAQs
A container that runs some scans on your app
We found that hawkeye-scanner demonstrated a not healthy version release cadence and project activity because the last version was released a year ago. It has 1 open source maintainer collaborating on the project.
Did you know?
Socket for GitHub automatically highlights issues in each pull request and monitors the health of all your open source dependencies. Discover the contents of your packages and block harmful activity before you install or update your dependencies.
Research
Security News
Socket researchers found several malicious npm packages typosquatting Chalk and Chokidar, targeting Node.js developers with kill switches and data theft.
Security News
pnpm 10 blocks lifecycle scripts by default to improve security, addressing supply chain attack risks but sparking debate over compatibility and workflow changes.
Product
Socket now supports uv.lock files to ensure consistent, secure dependency resolution for Python projects and enhance supply chain security.