Autonomous AI Supply Chain Attack Simulator by Breachline Labs
Project description
ChainReaper
Autonomous AI Supply Chain Attack Simulator by Breachline Labs
The world's first fully LLM-driven supply chain security tool. Zero hardcoded rules -- an autonomous AI agent reasons about attack paths, simulates real supply chain attacks across 7 ecosystems, and generates interactive attack graph visualizations.
Why ChainReaper?
| Feature | Traditional Scanners | ChainReaper |
|---|---|---|
| Analysis | Hardcoded rules + CVE matching | LLM reasons about attacks autonomously |
| Coverage | Known CVEs only | 13 attack vectors including zero-day patterns |
| Attack Chains | Individual alerts | Chains findings into multi-step exploitation paths |
| Verification | None | LLM validates every finding, scores exploitability |
| Code Inspection | Metadata only | Downloads and AST-parses actual package source |
| Confidence | Binary yes/no | Calibrated against CVE data + threat intel |
| Visualization | Text lists | Interactive D3.js attack graph (zoom, click, search) |
| SBOM | No | CycloneDX 1.5 with linked vulnerabilities |
| CI/CD | Basic | GitHub Action, GitLab CI, PR comments, SARIF upload |
13 Attack Vectors
| # | Vector | What It Detects | CWE |
|---|---|---|---|
| 1 | Dependency Confusion | Internal package names available on public registries | CWE-427 |
| 2 | Typosquatting | Package names suspiciously similar to popular packages | CWE-349 |
| 3 | Compromised Maintainer | Weak maintainer trust signals (no 2FA, inactive accounts) | CWE-522 |
| 4 | Build System Attacks | CI/CD pipeline poisoning (unpinned actions, secret exposure) | CWE-829 |
| 5 | Malicious Package | Suspicious metadata patterns (bot inflation, obfuscation) | CWE-506 |
| 6 | Install Script Attacks | Suspicious pre/post install hooks executing code | CWE-829 |
| 7 | Shadow Dependencies | Hidden risks in transitive dependency trees | CWE-1357 |
| 8 | Lockfile Manipulation | Manifest vs lockfile tampering, phantom dependencies | CWE-345 |
| 9 | Registry Spoofing | Misconfigured private/public registry mixing | CWE-346 |
| 10 | Abandoned Takeover | Dormant packages vulnerable to maintainer takeover | CWE-1104 |
| 11 | Source-Binary Mismatch | Published artifacts diverging from source code | CWE-345 |
| 12 | Protestware/Wiper | Conditional destructive behavior patterns | CWE-912 |
| 13 | Code Inspection | AST-parsed suspicious calls (eval, exec, subprocess, env access) | CWE-506 |
7 Ecosystems
| Ecosystem | Manifest Files | Lockfiles | Registry |
|---|---|---|---|
| npm | package.json | package-lock.json, yarn.lock | npmjs.com |
| PyPI | requirements.txt, pyproject.toml, setup.cfg | poetry.lock, Pipfile.lock | pypi.org |
| Maven | pom.xml, build.gradle | -- | search.maven.org |
| Go | go.mod | go.sum | proxy.golang.org |
| Cargo | Cargo.toml | Cargo.lock | crates.io |
| RubyGems | Gemfile | Gemfile.lock | rubygems.org |
| NuGet | *.csproj, packages.config | -- | nuget.org |
Quick Start
Install
pip install chainreaper
Or from source:
git clone https://github.com/BreachLine/chainreaper.git
cd chainreaper
pip install -e .
Set LLM API Key
export GEMINI_API_KEY="your-key" # Google (cheapest ~$0.01/scan)
export ANTHROPIC_API_KEY="your-key" # Anthropic Claude
export OPENAI_API_KEY="your-key" # OpenAI GPT
Scan
# Scan any project (auto-detects ecosystems)
chainreaper scan ./my-project
# Full output: JSON + SARIF + CycloneDX SBOM + HTML attack graph
chainreaper scan ./my-project --format json --format sarif --format cyclonedx --format html
# Choose LLM model + cost limit
chainreaper scan ./project --model gemini/gemini-2.5-flash --cost-limit 1.0
# Filter to specific ecosystems
chainreaper scan ./project --ecosystem npm --ecosystem pypi
# CI mode with policy enforcement
chainreaper scan . --ci --fail-on high --policy policy.yml --quiet
# Incremental scan (only changed deps since last scan)
chainreaper scan . --diff-only --baseline ./previous-results.json
# Scan a GitHub repo directly
chainreaper scan https://github.com/org/repo
# Scan a single package
chainreaper scan express@4.17.1
chainreaper scan requests==2.31.0
How It Works
Target -> Discovery -> CVE Scan -> Threat Intel -> Source Check
-> LLM Plan -> ReAct Analysis -> LLM Verify -> Calibrate
-> Attack Graph -> Report
Phase 1: DISCOVERY Auto-detect ecosystems, parse manifests + lockfiles
Phase 1b: CVE SCAN Query OSV.dev for every dependency (known vulnerabilities)
Phase 1b: THREAT INTEL Check OpenSSF malicious packages database (MAL- advisories)
Phase 1c: SOURCE CHECK Verify provenance (repo link, integrity hash, Sigstore)
Phase 2: LLM PLANNING AI plans attack strategy based on what it found so far
Phase 3: ReAct LOOP AI autonomously selects + runs 13 analyzers
Thought -> Action -> Observation -> Thought -> ...
Phase 4: LLM VERIFY AI validates each finding, scores exploitability, filters FPs
Phase 4b: CALIBRATE Ground LLM confidence against CVE/threat intel data
Phase 5: ATTACK GRAPH AI chains findings into multi-step attack paths
Phase 6: OUTPUT JSON, SARIF, CycloneDX SBOM, interactive HTML
Zero hardcoded rules. The LLM makes ALL decisions -- which analyzers to run, in what order, when to stop, how findings chain together, and which are real vs false positives.
Output Formats
| Format | Flag | Use Case |
|---|---|---|
| JSON | --format json |
Machine-readable results |
| SARIF | --format sarif |
GitHub Security tab integration |
| CycloneDX | --format cyclonedx |
SBOM for compliance (EO 14028) |
| HTML | --format html |
Interactive D3.js attack graph |
CI/CD Integration
GitHub Actions
# .github/workflows/security.yml
- uses: BreachLine/chainreaper@main
with:
target: "."
format: "sarif,json,cyclonedx"
fail-on: "high"
api-key: ${{ secrets.GEMINI_API_KEY }}
SARIF results automatically appear in the Security tab. PR comments summarize findings.
GitLab CI
include:
- remote: 'https://raw.githubusercontent.com/BreachLine/chainreaper/main/ci-templates/gitlab-ci.yml'
Policy Engine
Create .chainreaper-policy.yml:
fail_on: high
block_rules:
- name: block-critical-cves
severity: [critical]
- name: block-malicious
attack_vectors: [malicious_package]
allow_rules:
- name: accept-lodash-cves
packages: ["lodash"]
cve_ids: ["CVE-2020-28500"]
warn_rules:
- name: warn-medium
severity: [medium]
chainreaper scan . --ci --policy .chainreaper-policy.yml
CLI Reference
chainreaper scan <target> [OPTIONS] # Run supply chain security scan
chainreaper list [--all|--analyzers|--ecosystems|--formats]
chainreaper config [--init|--show|--validate|--path|--set KEY=VALUE]
chainreaper version
Scan Options
| Option | Description |
|---|---|
--format, -f |
Output: json, sarif, cyclonedx, html (repeatable) |
--output, -o |
Output directory |
--model, -m |
LLM model override |
--cost-limit |
Max LLM cost per scan ($) |
--ecosystem, -e |
Filter ecosystems (repeatable) |
--no-verify |
Skip LLM findings verification |
--ci |
CI mode (exit non-zero on findings) |
--fail-on |
Min severity to fail: critical/high/medium/low |
--policy |
Path to policy YAML file |
--baseline, -b |
Previous scan result for incremental diff |
--diff-only |
Only scan changed dependencies |
--max-iterations |
Max LLM reasoning iterations |
--verbose, -v |
Debug logging |
--quiet, -q |
Minimal output for CI |
Security
ChainReaper is a read-only analysis tool with defense-in-depth:
- All registry calls are GET-only with SSRF protection
- Package name validation per ecosystem before any API call
- Domain allowlists for package downloads (registry.npmjs.org, files.pythonhosted.org)
- Rate limiting (10 concurrent) on all registry requests
- LLM cost limits enforced per-scan with pre+post call checks
- Prompt injection defense (XML data tags + input sanitizer)
- Target path validation prevents directory traversal
- Registry tokens excluded from serialization
- HTTP redirects disabled on all clients
- Confidence calibration catches LLM hallucinations
Report vulnerabilities: security@breachline.io
Development
pip install -e ".[dev]"
pytest tests/ -v # 299 tests
ruff check src/ tests/ # Lint
ruff format src/ tests/ # Format
mypy src/ --ignore-missing-imports # Type check
Supported LLM Providers
Direct SDK integration (no LiteLLM dependency):
| Provider | Models | Env Variable |
|---|---|---|
| Google Gemini | gemini-2.5-flash, gemini-2.5-pro | GEMINI_API_KEY |
| Anthropic | claude-sonnet-4, claude-opus-4 | ANTHROPIC_API_KEY |
| OpenAI | gpt-4o, gpt-4o-mini | OPENAI_API_KEY |
Cheapest option: Gemini 2.5 Flash at ~$0.01/scan.
License
Apache License 2.0 -- see LICENSE
Built by Breachline Labs -- Autonomous AI Security
Release history Release notifications | RSS feed
Download files
Download the file for your platform. If you're not sure which to choose, learn more about installing packages.
Source Distribution
chainreaper-0.4.1.tar.gz
(128.2 kB
view details)
Built Distribution
Filter files by name, interpreter, ABI, and platform.
If you're not sure about the file name format, learn more about wheel file names.
Copy a direct link to the current filters
chainreaper-0.4.1-py3-none-any.whl
(169.8 kB
view details)
File details
Details for the file chainreaper-0.4.1.tar.gz.
File metadata
- Download URL: chainreaper-0.4.1.tar.gz
- Upload date:
- Size: 128.2 kB
- Tags: Source
- Uploaded using Trusted Publishing? No
- Uploaded via: twine/6.2.0 CPython/3.13.0
File hashes
| Algorithm | Hash digest | |
|---|---|---|
| SHA256 |
af1df9366f0ed93b0d01d72c8ba843da0c7cf7be5e9180a7e06b5644571e8c68
|
|
| MD5 |
bf3742e2e86a6cab9c600dc647e02257
|
|
| BLAKE2b-256 |
f6a36db49e651663369d558375cd0596f2c133d0b413afbbee930d8252a8649b
|
File details
Details for the file chainreaper-0.4.1-py3-none-any.whl.
File metadata
- Download URL: chainreaper-0.4.1-py3-none-any.whl
- Upload date:
- Size: 169.8 kB
- Tags: Python 3
- Uploaded using Trusted Publishing? No
- Uploaded via: twine/6.2.0 CPython/3.13.0
File hashes
| Algorithm | Hash digest | |
|---|---|---|
| SHA256 |
9137788033985e8ba40b2e2fd53c9011fe9c320cf64669b3c5788ea1eba0b23f
|
|
| MD5 |
d4744c4205caba5afbe96ed1d0fc2f45
|
|
| BLAKE2b-256 |
3990d104a6019bec1ed0a2a5227d0261c59e7fdfea5841c3b93daa3556d4c5c0
|
