
Release v2.4.0 (#292)

This commit is contained in:
Varun Sharma 2023-05-04 13:39:03 -07:00 committed by GitHub
commit 128a63446a
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
6 changed files with 15 additions and 14 deletions


@ -15,11 +15,11 @@
---
Harden-Runner GitHub Action installs a security agent on the GitHub-hosted runner (Ubuntu VM) to
🔒 Harden-Runner GitHub Action installs a security agent on the GitHub-hosted runner (Ubuntu VM) to
1. Prevent exfiltration of credentials
2. Detect tampering of source code during build
3. Detect compromised dependencies and build tools
1. Prevent exfiltration of credentials 🔑
2. Detect tampering of source code during build 🕵️
3. Detect compromised dependencies and build tools 🚨
<p align="center">
@ -77,19 +77,20 @@ For details, check out the documentation at https://docs.stepsecurity.io
<img src="images/main-screenshot1.png" alt="Policy recommended by harden-runner">
</p>
### Restrict egress traffic to allowed endpoints
### 🚦 Restrict egress traffic to allowed endpoints
Once allowed endpoints are set in the policy in the workflow file, or in the [Policy Store](https://docs.stepsecurity.io/harden-runner/how-tos/block-egress-traffic#2-add-the-policy-using-the-policy-store)
- Harden-Runner blocks egress traffic at the DNS (Layer 7) and network layers (Layers 3 and 4).
- It blocks DNS exfiltration, where attacker tries to send data out using DNS resolution
- Blocks outbound traffic using IP tables
- Wildcard domains are supported, e.g. you can add `*.data.mcr.microsoft.com:443` to the allowed list, and egress traffic will be allowed to `eastus.data.mcr.microsoft.com:443` and `westus.data.mcr.microsoft.com:443`.
<p align="left">
<img src="images/block-outbound-call.png" alt="Policy recommended by harden-runner" >
</p>
### Detect tampering of source code during build
### 🕵️ Detect tampering of source code during build
Harden-Runner monitors file writes and can detect if a file is overwritten.
@ -101,7 +102,7 @@ Harden-Runner monitors file writes and can detect if a file is overwritten.
<img src="images/fileoverwrite.png" alt="Policy recommended by harden-runner" >
</p>
### Run your job without sudo access
### 🚫 Run your job without sudo access
GitHub-hosted runner uses passwordless sudo for running jobs.
@ -110,7 +111,7 @@ GitHub-hosted runner uses passwordless sudo for running jobs.
recommendation to disable sudo in the insights page
- When you set `disable-sudo` to `true`, the job steps run without sudo access to the Ubuntu VM
### Get security alerts
### 🔔 Get security alerts
Install the [Harden Runner App](https://github.com/marketplace/harden-runner-app) to get security alerts.

4
dist/pre/index.js vendored

@ -69036,7 +69036,7 @@ function verifyChecksum(downloadPath) {
const checksum = external_crypto_.createHash("sha256")
.update(fileBuffer)
.digest("hex"); // checksum of downloaded file
const expectedChecksum = "10fd5587cfeba6aac4125be78ee32f60d5e780de10929f454525670c4c16935d"; // checksum for v0.12.2
const expectedChecksum = "a1e79e4d7323a63a845c446b9a964a772b0ab7dff9fc94f8a1d10e901f2acde1"; // checksum for v0.13.2
if (checksum !== expectedChecksum) {
lib_core.setFailed(`Checksum verification failed, expected ${expectedChecksum} instead got ${checksum}`);
}
@ -69288,7 +69288,7 @@ var setup_awaiter = (undefined && undefined.__awaiter) || function (thisArg, _ar
// Note: to avoid github rate limiting
let token = lib_core.getInput("token");
let auth = `token ${token}`;
const downloadPath = yield tool_cache.downloadTool("https://github.com/step-security/agent/releases/download/v0.12.2/agent_0.12.2_linux_amd64.tar.gz", undefined, auth);
const downloadPath = yield tool_cache.downloadTool("https://github.com/step-security/agent/releases/download/v0.13.2/agent_0.13.2_linux_amd64.tar.gz", undefined, auth);
verifyChecksum(downloadPath); // NOTE: verifying agent's checksum, before extracting
const extractPath = yield tool_cache.extractTar(downloadPath);
if (!confg.disable_telemetry || confg.egress_policy === "audit") {



@ -1,6 +1,6 @@
{
"name": "step-security-harden-runner",
"version": "2.3.1",
"version": "2.4.0",
"description": "Security agent for GitHub-hosted runner to monitor the build process",
"main": "index.js",
"scripts": {


@ -10,7 +10,7 @@ export function verifyChecksum(downloadPath: string) {
.digest("hex"); // checksum of downloaded file
const expectedChecksum: string =
"10fd5587cfeba6aac4125be78ee32f60d5e780de10929f454525670c4c16935d"; // checksum for v0.12.2
"a1e79e4d7323a63a845c446b9a964a772b0ab7dff9fc94f8a1d10e901f2acde1"; // checksum for v0.13.2
if (checksum !== expectedChecksum) {
core.setFailed(
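Review bot: A checksum mismatch in the `if (checksum !== expectedChecksum)` branch only calls `core.setFailed(...)`, which marks the step failed but does not stop execution; in the vendored dist/pre/index.js hunk above the same block holds nothing else and the caller proceeds directly from `verifyChecksum(downloadPath)` to `extractTar(downloadPath)`, so an archive that fails verification is still extracted (assuming the compiled output matches this source, as the if block here is cut off by the hunk). Following the `core.setFailed(...)` call with `return;` is not enough on its own since the caller ignores the result; `throw new Error(\`Checksum verification failed, expected ${expectedChecksum} instead got ${checksum}\`);` in place of (or after) setFailed halts the step before extraction. Separately, the expected checksum is tied to agent v0.13.2 only by its trailing comment, while the same version is spelled out again in the download URL in the src/setup.ts hunk below (and twice more in dist); a single exported constant such as `export const AGENT_VERSION = "0.13.2";` used to build the URL and to label the checksum would keep the next bump in lockstep. verifyChecksum's body starts and ends outside this hunk.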


@ -145,7 +145,7 @@ import * as utils from '@actions/cache/lib/internal/cacheUtils'
let auth = `token ${token}`;
const downloadPath: string = await tc.downloadTool(
"https://github.com/step-security/agent/releases/download/v0.12.2/agent_0.12.2_linux_amd64.tar.gz",
"https://github.com/step-security/agent/releases/download/v0.13.2/agent_0.13.2_linux_amd64.tar.gz",
undefined,
auth
);