step-security/harden-runner
1
0
Fork 0
mirror of https://github.com/step-security/harden-runner.git synced 2026-06-05 19:53:33 +00:00
Code Issues Projects Releases Packages Wiki Activity

Merge branch 'main' into int

Browse source
This commit is contained in:
Varun Sharma 2023-11-27 11:31:33 -08:00
commit 655b6013ef
45 changed files with 88789 additions and 15129 deletions
Download patch file Download diff file Expand all files Collapse all files

33
.eslintrc.js Normal file
View file

@ -0,0 +1,33 @@
module.exports = {
"env": {
"browser": true,
"es2021": true
},
"extends": [
"eslint:recommended",
"plugin:@typescript-eslint/recommended"
],
"overrides": [
{
"env": {
"node": true
},
"files": [
".eslintrc.{js,cjs}"
],
"parserOptions": {
"sourceType": "script"
}
}
],
"parser": "@typescript-eslint/parser",
"parserOptions": {
"ecmaVersion": "latest",
"sourceType": "module"
},
"plugins": [
"@typescript-eslint"
],
"rules": {
}
}

13
.github/dependabot.yml vendored Normal file
View file

@ -0,0 +1,13 @@
# To get started with Dependabot version updates, you'll need to specify which
# package ecosystems to update and where the package manifests are located.
# Please see the documentation for all configuration options:
# https://help.github.com/github/administering-a-repository/configuration-options-for-dependency-updates
version: 2
updates:
# Maintain dependencies for GitHub Actions
- package-ecosystem: "github-actions"
directory: "/"
open-pull-requests-limit: 20
schedule:
interval: "daily"

43
.github/workflows/canary.yml vendored Normal file
View file

@ -0,0 +1,43 @@
name: Test a branch on canary
on:
workflow_dispatch:
inputs:
COMMIT_SHA:
description: 'Commit SHA to be tested'
required: true
env:
COMMIT_SHA: ${{ github.event.inputs.COMMIT_SHA }}
defaults:
run:
shell: pwsh
permissions: # added using https://github.com/step-security/secure-workflows
contents: read
jobs:
update_tag:
name: Update the rc tag to ${{ github.event.inputs.COMMIT_SHA }} commit
runs-on: ubuntu-latest
permissions:
contents: write
steps:
- uses: step-security/harden-runner@eb238b55efaa70779f274895e782ed17c84f2895 # v1
with:
egress-policy: audit
allowed-endpoints:
api.github.com:443
github.com:443
- uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v2
- name: Update the rc tag
uses: step-security/publish-action@b438f840875fdcb7d1de4fc3d1d30e86cf6acb5d
with:
rc-sha: ${{ env.COMMIT_SHA }}
rc: true
- name: Canary test
uses: docker://ghcr.io/step-security/integration-test/int:latest
env:
PAT: ${{ secrets.PAT }}
canary: true

2
.github/workflows/code-review.yml vendored
View file

@ -11,7 +11,7 @@ jobs:
pull-requests: read
steps:
- name: Harden Runner
uses: step-security/harden-runner@128a63446a954579617e875aaab7d2978154e969 # v2.4.0
uses: step-security/harden-runner@eb238b55efaa70779f274895e782ed17c84f2895 # v2.6.1
with:
disable-sudo: true
egress-policy: block

16
.github/workflows/codeql-analysis.yml vendored
View file

@ -20,6 +20,9 @@ on:
schedule:
- cron: '17 0 * * 2'
permissions: # added using https://github.com/step-security/secure-workflows
contents: read
jobs:
analyze:
name: Analyze
@ -37,12 +40,17 @@ jobs:
# Learn more about CodeQL language support at https://git.io/codeql-language-support
steps:
- name: Harden Runner
uses: step-security/harden-runner@eb238b55efaa70779f274895e782ed17c84f2895
with:
egress-policy: audit # TODO: change to 'egress-policy: block' after couple of runs
- name: Checkout repository
uses: actions/checkout@v2
uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11
# Initializes the CodeQL tools for scanning.
- name: Initialize CodeQL
uses: github/codeql-action/init@v1
uses: github/codeql-action/init@cdcdbb579706841c47f7063dda365e292e5cad7a
with:
languages: ${{ matrix.language }}
# If you wish to specify custom queries, you can do so here or in a config file.
@ -53,7 +61,7 @@ jobs:
# Autobuild attempts to build any compiled languages (C/C++, C#, or Java).
# If this step fails, then you should remove it and run the build manually (see below)
- name: Autobuild
uses: github/codeql-action/autobuild@v1
uses: github/codeql-action/autobuild@cdcdbb579706841c47f7063dda365e292e5cad7a
# Command-line programs to run using the OS shell.
# 📚 https://git.io/JvXDl
@ -67,4 +75,4 @@ jobs:
# make release
- name: Perform CodeQL Analysis
uses: github/codeql-action/analyze@v1
uses: github/codeql-action/analyze@cdcdbb579706841c47f7063dda365e292e5cad7a

27
.github/workflows/dependency-review.yml vendored Normal file
View file

@ -0,0 +1,27 @@
# Dependency Review Action
#
# This Action will scan dependency manifest files that change as part of a Pull Request,
# surfacing known-vulnerable versions of the packages declared or updated in the PR.
# Once installed, if the workflow run is marked as required,
# PRs introducing known-vulnerable packages will be blocked from merging.
#
# Source repository: https://github.com/actions/dependency-review-action
name: 'Dependency Review'
on: [pull_request]
permissions:
contents: read
jobs:
dependency-review:
runs-on: ubuntu-latest
steps:
- name: Harden Runner
uses: step-security/harden-runner@eb238b55efaa70779f274895e782ed17c84f2895 # v2.6.1
with:
egress-policy: audit
- name: 'Checkout Repository'
uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
- name: 'Dependency Review'
uses: actions/dependency-review-action@7bbfa034e752445ea40215fff1c3bf9597993d3f # v3.1.3

24
.github/workflows/recurring-int-tests.yml vendored Normal file
View file

@ -0,0 +1,24 @@
name: Recurring INT tests
on:
workflow_dispatch:
schedule:
- cron: '0 */2 * * *' # every other hour
permissions:
contents: read
jobs:
int-tests:
name: int tests
runs-on: ubuntu-latest
steps:
- name: Harden Runner
uses: step-security/harden-runner@eb238b55efaa70779f274895e782ed17c84f2895
with:
egress-policy: audit # TODO: change to 'egress-policy: block' after couple of runs
- name: Canary test
uses: docker://ghcr.io/step-security/integration-test/int:latest
env:
PAT: ${{ secrets.PAT }}
canary: true

51
.github/workflows/release.yml vendored Normal file
View file

@ -0,0 +1,51 @@
name: Release new action version
on:
workflow_dispatch:
inputs:
TAG_NAME:
description: 'Tag name that the major tag will point to'
required: true
env:
TAG_NAME: ${{ github.event.inputs.TAG_NAME || github.event.release.tag_name }}
defaults:
run:
shell: pwsh
permissions: # added using https://github.com/step-security/secure-workflows
contents: read
jobs:
update_tag:
name: Update the major tag to include the ${{ github.event.inputs.TAG_NAME || github.event.release.tag_name }} changes
# Remember to configure the releaseNewActionVersion environment with required approvers in the repository settings
environment:
name: releaseNewActionVersion
runs-on: ubuntu-latest
permissions:
contents: write
steps:
- uses: step-security/harden-runner@eb238b55efaa70779f274895e782ed17c84f2895
with:
egress-policy: audit
allowed-endpoints:
api.github.com:443
github.com:443
- uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11
- name: Update the rc tag
uses: step-security/publish-action@b438f840875fdcb7d1de4fc3d1d30e86cf6acb5d
with:
source-tag: ${{ env.TAG_NAME }}
rc: true
- name: Canary test
uses: docker://ghcr.io/step-security/integration-test/int:latest
env:
PAT: ${{ secrets.PAT }}
canary: true
- name: Update the ${{ env.TAG_NAME }} tag
uses: step-security/publish-action@b438f840875fdcb7d1de4fc3d1d30e86cf6acb5d
with:
source-tag: ${{ env.TAG_NAME }}

67
.github/workflows/scorecards.yml vendored Normal file
View file

@ -0,0 +1,67 @@
name: Scorecards supply-chain security
on:
# Only the default branch is supported.
branch_protection_rule:
schedule:
# Weekly on Saturdays.
- cron: "30 1 * * 6"
push:
branches: [main, master]
# Declare default permissions as read only.
permissions: read-all
jobs:
analysis:
name: Scorecards analysis
runs-on: ubuntu-latest
permissions:
# Needed to upload the results to code-scanning dashboard.
security-events: write
# Used to receive a badge. (Upcoming feature)
id-token: write
actions: read
contents: read
steps:
- name: Harden Runner
uses: step-security/harden-runner@eb238b55efaa70779f274895e782ed17c84f2895 # v2.6.1
with:
egress-policy: audit
- name: "Checkout code"
uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # tag=v3.0.0
with:
persist-credentials: false
- name: "Run analysis"
uses: ossf/scorecard-action@0864cf19026789058feabb7e87baa5f140aac736 # tag=v1.1.1
with:
results_file: results.sarif
results_format: sarif
# (Optional) Read-only PAT token. Uncomment the `repo_token` line below if:
# - you want to enable the Branch-Protection check on a *public* repository, or
# - you are installing Scorecards on a *private* repository
# To create the PAT, follow the steps in https://github.com/ossf/scorecard-action#authentication-with-pat.
# repo_token: ${{ secrets.SCORECARD_READ_TOKEN }}
# Publish the results for public repositories to enable scorecard badges. For more details, see
# https://github.com/ossf/scorecard-action#publishing-results.
# For private repositories, `publish_results` will automatically be set to `false`, regardless
# of the value entered here.
publish_results: true
# Upload the results as artifacts (optional). Commenting out will disable uploads of run results in SARIF
# format to the repository Actions tab.
- name: "Upload artifact"
uses: actions/upload-artifact@a8a3f3ad30e3422c9c7b888a15615d19a852ae32 # tag=v3.0.0
with:
name: SARIF file
path: results.sarif
retention-days: 5
# Upload the results to GitHub's code scanning dashboard.
- name: "Upload to code-scanning"
uses: github/codeql-action/upload-sarif@cdcdbb579706841c47f7063dda365e292e5cad7a # tag=v1.0.26
with:
sarif_file: results.sarif

37
.github/workflows/test.yml vendored Normal file
View file

@ -0,0 +1,37 @@
name: Test
on:
pull_request:
branches:
- main
push:
branches:
- main # to update code coverage
permissions: # added using https://github.com/step-security/secure-workflows
contents: read
concurrency:
group: ${{ github.workflow }}
jobs:
test:
runs-on: ubuntu-latest
steps:
- name: Harden Runner
uses: step-security/harden-runner@eb238b55efaa70779f274895e782ed17c84f2895 # v2.6.1
with:
disable-sudo: true
egress-policy: audit
allowed-endpoints: >
api.github.com:443
codecov.io:443
github.com:443
registry.npmjs.org:443
storage.googleapis.com:443
uploader.codecov.io:443
- name: Checkout
uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
- name: Install Dependencies
run: npm ci
- name: Run coverage
run: npm test -- --coverage
- uses: codecov/codecov-action@eaaf4bedf32dbdc6b720b63067d99c4d77d6047d # v3.1.4

5
.gitignore vendored
View file

@ -101,4 +101,7 @@ typings/
.dynamodb/
# TernJS port file
.tern-port
.tern-port
# vscode files
.vscode

15
.pre-commit-config.yaml Normal file
View file

@ -0,0 +1,15 @@
exclude: ^dist/
repos:
- repo: https://github.com/gitleaks/gitleaks
rev: v8.16.3
hooks:
- id: gitleaks
- repo: https://github.com/pre-commit/mirrors-eslint
rev: v8.38.0
hooks:
- id: eslint
- repo: https://github.com/pre-commit/pre-commit-hooks
rev: v4.4.0
hooks:
- id: end-of-file-fixer
- id: trailing-whitespace

221
README.md
View file

@ -1,20 +1,219 @@
<p align="left">
<img src="https://step-security-images.s3.us-west-2.amazonaws.com/Final-Logo-06.png" alt="Step Security Logo" width="340">
<p align="center">
<picture>
<source media="(prefers-color-scheme: light)" srcset="images/banner.png" width="400">
<img alt="Dark Banner" src="images/banner-dark.png" width="400">
</picture>
</p>
# Harden Runner
<div align="center">
This GitHub Action deploys the [Step Security Agent](https://github.com/step-security/agent), which is a purpose-built security agent for hosted runners.
[![Maintained by stepsecurity.io](https://img.shields.io/badge/maintained%20by-stepsecurity.io-blueviolet)](https://stepsecurity.io/?utm_source=github&utm_medium=organic_oss&utm_campaign=harden-runner)
[![OpenSSF Scorecard](https://api.securityscorecards.dev/projects/github.com/step-security/harden-runner/badge)](https://api.securityscorecards.dev/projects/github.com/step-security/harden-runner)
[![License: Apache 2.0](https://img.shields.io/badge/License-Apache%202.0-blue.svg)](https://raw.githubusercontent.com/step-security/harden-runner/main/LICENSE)
To pilot this GitHub Action, add the following code to your GitHub Actions workflow file as the first step. This is the only step needed.
</div>
```
steps:
- uses: step-security/harden-runner@main
```
## GitHub Actions Runtime Security
In the workflow logs, you should see a link to security insights and recommendations.
Harden-Runner provides runtime security for GitHub-hosted and self-hosted environments.
It is being piloted on [this](https://github.com/shivammathur/setup-php) repository. Check out the [workflow files](https://github.com/shivammathur/setup-php/blob/2f5c2edb229fb5b3dcaeb535cb83899b41854672/.github/workflows/node-workflow.yml#L30) and [workflow runs](https://github.com/shivammathur/setup-php/runs/4252355681?check_suite_focus=true#step:3:4).
For self-hosted environments, Harden-Runner supports:
1. Kubernetes runners setup using Actions Runner Controller (ARC)
2. Virtual Machine runners (e.g. on EC2) - both ephemeral and persistent runners are supported
[![Harden Runner Demo](images/RuntimeSecurityDemo.gif)](https://youtu.be/fpdwX5hYACo)
## Explore open source projects using Harden-Runner
| [![CISA](https://avatars.githubusercontent.com/u/18539691?s=60&v=4)](https://app.stepsecurity.io/github/cisagov/skeleton-generic/actions/runs/6199340224) | [![Microsoft](https://avatars.githubusercontent.com/u/6154722?s=60&v=4)](https://app.stepsecurity.io/github/microsoft/ebpf-for-windows/actions/runs/5559160177) | [![Google](https://avatars.githubusercontent.com/u/2810941?s=60&v=4)](https://app.stepsecurity.io/github/GoogleCloudPlatform/functions-framework-ruby/actions/runs/5546354505) | [![DataDog](https://avatars.githubusercontent.com/u/365230?s=60&v=4)](https://app.stepsecurity.io/github/DataDog/stratus-red-team/actions/runs/5387101451) | [![Intel](https://avatars.githubusercontent.com/u/17888862?s=60&v=4)](https://app.stepsecurity.io/github/intel/cve-bin-tool/actions/runs/5579910614) | [![Kubernetes](https://avatars.githubusercontent.com/u/36015203?s=60&v=4)](https://app.stepsecurity.io/github/kubernetes-sigs/cluster-api-provider-azure/actions/runs/5581511101) | [![Node.js](https://avatars.githubusercontent.com/u/9950313?s=60&v=4)](https://app.stepsecurity.io/github/nodejs/node/actions/runs/5563468674) | [![Mastercard](https://avatars.githubusercontent.com/u/1653148?s=60&v=4)](https://app.stepsecurity.io/github/Mastercard/flow/actions/runs/5542112873) |
| --------------------------------------------------------------------------------------------------------------------------------------------------------- | --------------------------------------------------------------------------------------------------------------------------------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ | ---------------------------------------------------------------------------------------------------------------------------------------------------------- | ---------------------------------------------------------------------------------------------------------------------------------------------------- | --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ---------------------------------------------------------------------------------------------------------------------------------------------- | ----------------------------------------------------------------------------------------------------------------------------------------------------- |
| **CISA**<br>[Explore](https://app.stepsecurity.io/github/cisagov/skeleton-generic/actions/runs/6199340224) | **Microsoft**<br>[Explore](https://app.stepsecurity.io/github/microsoft/ebpf-for-windows/actions/runs/5559160177) | **Google**<br>[Explore](https://app.stepsecurity.io/github/GoogleCloudPlatform/functions-framework-ruby/actions/runs/5546354505) | **DataDog**<br>[Explore](https://app.stepsecurity.io/github/DataDog/stratus-red-team/actions/runs/5387101451) | **Intel**<br>[Explore](https://app.stepsecurity.io/github/intel/cve-bin-tool/actions/runs/5579910614) | **Kubernetes**<br>[Explore](https://app.stepsecurity.io/github/kubernetes-sigs/cluster-api-provider-azure/actions/runs/5581511101) | **Node.js**<br>[Explore](https://app.stepsecurity.io/github/nodejs/node/actions/runs/5563468674) | **Mastercard**<br>[Explore](https://app.stepsecurity.io/github/Mastercard/flow/actions/runs/5542112873) |
## Hands-On Tutorials
You can use [GitHub Actions Goat](https://github.com/step-security/github-actions-goat) to try Harden-Runner. You only need a GitHub Account and a web browser.
Hands-on Tutorials for GitHub Actions Runtime Security:
1. [Filter Egress Network Traffic](https://github.com/step-security/github-actions-goat/blob/main/docs/Solutions/RestrictOutboundTraffic.md)
2. [Detect File Tampering](https://github.com/step-security/github-actions-goat/blob/main/docs/Solutions/MonitorSourceCode.md)
## Why
Compromised workflows, dependencies, and build tools typically make outbound calls to exfiltrate credentials, or may tamper source code, dependencies, or artifacts during the build.
Harden-Runner monitors process, file, and network activity to:
| | Countermeasure | Prevent Security Breach |
| --- | ----------------------------------------------------------------------------------------------------------------------------------- | --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
| 1. | Block egress traffic at the DNS (Layer 7) and network layers (Layers 3 and 4) to prevent exfiltration of code and CI/CD credentials | To prevent [Codecov breach](https://github.com/step-security/github-actions-goat/blob/main/docs/Vulnerabilities/ExfiltratingCICDSecrets.md) scenario |
| 2. | Detect if source code is being tampered during the build process to inject a backdoor | To detect [SolarWinds incident](https://github.com/step-security/github-actions-goat/blob/main/docs/Vulnerabilities/TamperingDuringBuild.md) scenario |
| 3. | Detect poisoned workflows and compromised dependencies | To detect [Dependency confusion](https://github.com/step-security/github-actions-goat/blob/main/docs/Vulnerabilities/ExfiltratingCICDSecrets.md#dependency-confusion-attacks) and [Malicious dependencies](https://github.com/step-security/github-actions-goat/blob/main/docs/Vulnerabilities/ExfiltratingCICDSecrets.md#compromised-dependencies) |
Read this [case study](https://infosecwriteups.com/detecting-malware-packages-in-github-actions-7b93a9985635) on how Harden-Runner detected malicious packages in the NPM registry.
## How
### GitHub-Hosted Runners
1. Add `step-security/harden-runner` GitHub Action to your GitHub Actions workflow file as the first step in each job.
```yaml
steps:
- uses: step-security/harden-runner@eb238b55efaa70779f274895e782ed17c84f2895 # v2.6.1
with:
egress-policy: audit
```
2. In the workflow logs and the job markdown summary, you will see a link to security insights and recommendations.
<p align="left">
<img src="images/buildlog1.png" alt="Link in build log" >
</p>
3. Click on the link ([example link](https://app.stepsecurity.io/github/microsoft/msquic/actions/runs/5577342236)). You will see a process monitor view of network and file events correlated with each step of the job.
<p align="left">
<img src="images/insights-5.png" alt="Insights from harden-runner" >
</p>
4. Under the insights section, you'll find a Recommended Policy. You can either update your workflow file with this Policy, or alternatively, use the [Policy Store](https://docs.stepsecurity.io/harden-runner/how-tos/block-egress-traffic#2-add-the-policy-using-the-policy-store) to apply the policy without modifying the workflow file.
<p align="left">
<img src="images/rec-policy1.png" alt="Policy recommended by harden-runner" >
</p>
### Self-Hosted Actions Runner Controller (ARC) Runners
> Explore demo workflows using self-hosted ARC Runner and ARC Harden-Runner [here](https://docs.stepsecurity.io/harden-runner/how-tos/enable-runtime-security-arc).
Actions Runner Controller (ARC) is a Kubernetes operator that orchestrates and scales self-hosted runners for GitHub Actions.
- Instead of adding the Harden-Runner GitHub Action in each workflow, you'll need to install the ARC Harden-Runner daemonset on your Kubernetes cluster.
- Upon installation, the ARC Harden-Runner daemonset constantly monitors each workflow run; you do NOT need to add the Harden-Runner GitHub Action to each job for `audit` mode. You do need to add the Harden-Runner GitHub Action for `block` mode.
- You can access security insights and runtime detections under the `Runtime Security` tab in your dashboard.
### Self-Hosted VM Runners (e.g. on EC2)
> Explore demo workflows using self-hosted VM Runners and Harden-Runner [here](https://docs.stepsecurity.io/harden-runner/how-tos/enable-runtime-security-vm).
- Instead of adding the Harden-Runner GitHub Action in each workflow, you'll need to install the Harden-Runner agent on your runner image (e.g. AMI). This is typically done using packer.
- The Harden-Runner agent monitors each job run on the VM, both ephemeral and persistent runners are supported; you do NOT need to add the Harden-Runner GitHub Action to each job for `audit` mode. You do need to add the Harden-Runner GitHub Action for `block` mode.
- You can access security insights and runtime detections under the `Runtime Security` tab in your dashboard.
## Support for Self-Hosted Runners and Private Repositories
Runtime security for self-hosted runners and private repositories are supported with a commercial license. Check out the [documentation](https://docs.stepsecurity.io/stepsecurity-platform/billing) for more details.
- Install the [StepSecurity Actions Security GitHub App](https://github.com/apps/stepsecurity-actions-security) to use Harden-Runner GitHub Action for `Private` repositories.
- If you use Harden-Runner GitHub Action in a private repository, the generated insights URL is NOT public.
- You need to authenticate first to access insights URL for private repository. Only those who have access to the repository can view it.
Read this [case study on how Kapiche uses Harden-Runner](https://www.stepsecurity.io/case-studies/kapiche/) to improve software supply chain security in their private repositories.
## Features at a glance
For details, check out the documentation at https://docs.stepsecurity.io
### 👀 Monitor egress traffic
> Applies to both GitHub-hosted and self-hosted runners
Harden-Runner monitors all outbound traffic from each job at the DNS and network layers
- After the workflow completes, each outbound call is correlated with each step of the job, and shown in the insights page
- For self-hosted runners, no changes are needed to workflow files to monitor egress traffic
- A filtering (block) egress policy is suggested in the insights page based on past job runs
### 🚦 Filter egress traffic to allowed endpoints
> Applies to both GitHub-hosted and self-hosted runners
Once allowed endpoints are set in the policy in the workflow file, or in the [Policy Store](https://docs.stepsecurity.io/harden-runner/how-tos/block-egress-traffic#2-add-the-policy-using-the-policy-store)
- Harden-Runner blocks egress traffic at the DNS (Layer 7) and network layers (Layers 3 and 4)
- It blocks DNS exfiltration, where attacker tries to send data out using DNS resolution
- Wildcard domains are supported, e.g. you can add `*.data.mcr.microsoft.com:443` to the allowed list, and egress traffic will be allowed to `eastus.data.mcr.microsoft.com:443` and `westus.data.mcr.microsoft.com:443`
<p align="left">
<img src="images/blocked-outbound-call-2.png" alt="Policy recommended by harden-runner" >
</p>
### 📁 Detect tampering of source code during build
> Applies to both GitHub-hosted and self-hosted runners
Harden-Runner monitors file writes and can detect if a file is overwritten.
- Source code overwrite is not expected in a release build
- All source code files are monitored, which means even changes to IaC files (Kubernetes manifest, Terraform) are detected
- You can enable notifications to get one-time alert when source code is overwritten
- For self-hosted runners, no changes are needed to workflow files for file monitoring
<p align="left">
<img src="images/file-overwritten.png" alt="Policy recommended by harden-runner" >
</p>
### 🚫 Run your job without sudo access
> Applies to GitHub-hosted runners
GitHub-hosted runner uses passwordless sudo for running jobs.
- This means compromised build tools or dependencies can install attack tools
- If your job does not need sudo access, you see a policy
recommendation to disable sudo in the insights page
- When you set `disable-sudo` to `true`, the job steps run without sudo access to the GitHub-hosted Ubuntu VM
### 🔔 Get security alerts
> Applies to both GitHub-hosted and self-hosted runners
Install the [StepSecurity Actions Security GitHub App](https://github.com/apps/stepsecurity-actions-security) to get security alerts.
- Email and Slack notifications are supported
- Notifications are sent when outbound traffic is blocked or source code is overwritten
- Notifications are not repeated for the same alert for a given workflow
## Discussions
- If you have questions or ideas, please use [discussions](https://github.com/step-security/harden-runner/discussions).
- For support for self-hosted runners and private repositories, email support@stepsecurity.io.
- If you use a different CI/CD Provider (e.g. Jenkins, Gitlab CI, etc), and would like to use Harden Runner in your environment, please email interest@stepsecurity.io
## How does it work?
### GitHub-Hosted Runners
For GitHub-hosted runners, Harden-Runner GitHub Action downloads and installs the StepSecurity Agent.
- The code to monitor file, process, and network activity is in the Agent.
- The agent is written in Go and is open source at https://github.com/step-security/agent
- The agent's build is reproducible. You can view the steps to reproduce the build [here](http://app.stepsecurity.io/github/step-security/agent/releases/latest)
### Self-Hosted Actions Runner Controller (ARC) Runners
- ARC Harden Runner daemonset uses eBPF
- You can find more details in this blog post: https://www.stepsecurity.io/blog/introducing-harden-runner-for-kubernetes-based-self-hosted-actions-runners
- ARC Harden Runner is NOT open source.
### Self-Hosted VM Runners (e.g. on EC2)
- For self-hosted VMs, you add the Harden-Runner agent into your runner image (e.g. AMI).
- Agent for self-hosted VMs is NOT open source.
## Limitations
### GitHub-Hosted Runners
1. Only Ubuntu VM is supported. Windows and MacOS GitHub-hosted runners are not supported. There is a discussion about that [here](https://github.com/step-security/harden-runner/discussions/121).
2. Harden-Runner is not supported when [job is run in a container](https://docs.github.com/en/actions/using-jobs/running-jobs-in-a-container) as it needs sudo access on the Ubuntu VM to run. It can be used to monitor jobs that use containers to run steps. The limitation is if the entire job is run in a container. That is not common for GitHub Actions workflows, as most of them run directly on `ubuntu-latest`. Note: This is not a limitation for Self-Hosted runners.
### Self-Hosted Actions Runner Controller (ARC) Runners
1. Since ARC Harden Runner uses eBPF, only Linux jobs are supported. Windows and MacOS jobs are not supported.
### Self-Hosted VM Runners (e.g. on EC2)
1. Only Ubuntu VM is supported. Windows and MacOS jobs are not supported.

18
action.yml
View file

@ -1,5 +1,5 @@
name: "Harden Runner"
description: "GitHub Actions Runtime Security"
name: "Harden-Runner"
description: "Harden-Runner provides runtime security for GitHub-hosted and self-hosted runners"
inputs:
allowed-endpoints:
description: "Only these endpoints will be allowed if egress-policy is set to block"
@ -9,6 +9,13 @@ inputs:
description: "Policy for outbound traffic, can be either audit or block"
required: false
default: "block"
token:
description: "Used to avoid github rate limiting"
default: ${{ github.token }}
disable-telemetry:
description: "Disable sending telemetry to StepSecurity API, can be set to true or false. This can only be set to true when egress-policy is set to block"
required: false
default: "false"
disable-sudo:
description: "Disable sudo access for the runner account"
required: false
@ -17,11 +24,16 @@ inputs:
description: "Disable file monitoring"
required: false
default: "false"
policy:
description: "Policy name to be used from the policy store"
required: false
default: ""
branding:
icon: "check-square"
color: "green"
runs:
using: "node12"
using: "node16"
pre: "dist/pre/index.js"
main: "dist/index.js"
post: "dist/post/index.js"

3036
dist/index.js vendored
View file

File diff suppressed because it is too large Load diff

2
dist/index.js.map vendored
View file

File diff suppressed because one or more lines are too long

1966
dist/post/index.js vendored
View file

File diff suppressed because it is too large Load diff

2
dist/post/index.js.map vendored
View file

File diff suppressed because one or more lines are too long

1
dist/pre/cache.txt vendored Normal file
View file

@ -0,0 +1 @@
# This is sample cache file

66513
dist/pre/index.js vendored
View file

File diff suppressed because one or more lines are too long

2
dist/pre/index.js.map vendored
View file

File diff suppressed because one or more lines are too long

BIN
images/RuntimeSecurityDemo.gif Normal file
View file

Binary file not shown.
Side by side

After

Width:  |  Height:  |  Size: 3.9 MiB

BIN
images/banner-dark.png Normal file
View file

Binary file not shown.
Side by side

After

Width:  |  Height:  |  Size: 116 KiB

BIN
images/banner.png Normal file
View file

Binary file not shown.
Side by side

After

Width:  |  Height:  |  Size: 28 KiB

BIN
images/blocked-outbound-call-2.png Normal file
View file

Binary file not shown.
Side by side

After

Width:  |  Height:  |  Size: 39 KiB

BIN
images/buildlog1.png Normal file
View file

Binary file not shown.
Side by side

After

Width:  |  Height:  |  Size: 46 KiB

BIN
images/file-overwritten.png Normal file
View file

Binary file not shown.
Side by side

After

Width:  |  Height:  |  Size: 82 KiB

BIN
images/insights-5.png Normal file
View file

Binary file not shown.
Side by side

After

Width:  |  Height:  |  Size: 107 KiB

BIN
images/rec-policy1.png Normal file
View file

Binary file not shown.
Side by side

After

Width:  |  Height:  |  Size: 57 KiB

5
jest.config.ts Normal file
View file

@ -0,0 +1,5 @@
/** @type {import('ts-jest/dist/types').InitialOptionsTsJest} */
export default {
preset: 'ts-jest',
testEnvironment: 'node',
};

18508
package-lock.json generated
View file

File diff suppressed because it is too large Load diff

53
package.json
View file

@ -1,4 +1,5 @@
{
<<<<<<< HEAD
"name": "step-security-harden-runner",
"version": "0.1.0",
"description": "GitHub Actions Runtime Security",
@ -42,4 +43,56 @@
"ts-jest": "^26.5.6",
"typescript": "^4.3.5"
}
=======
"name": "step-security-harden-runner",
"version": "2.6.1",
"description": "Security agent for GitHub-hosted runner: block egress traffic & detect code overwrite to prevent breaches",
"main": "index.js",
"scripts": {
"build": "npm run main && npm run pre && npm run post",
"main": "ncc build src/index.ts --source-map",
"pre": "ncc build src/setup.ts --source-map -o dist/pre",
"post": "ncc build src/cleanup.ts --source-map -o dist/post",
"lint": "eslint src/**/*.ts",
"test": "jest"
},
"repository": {
"type": "git",
"url": "git+https://github.com/step-security/harden-runner.git"
},
"keywords": [],
"author": "Varun Sharma",
"license": "Apache License 2.0",
"bugs": {
"url": "https://github.com/step-security/harden-runner/issues"
},
"homepage": "https://github.com/step-security/harden-runner#readme",
"dependencies": {
"@actions/cache": "^3.1.4",
"@actions/core": "^1.5.0",
"@actions/exec": "^1.1.0",
"@actions/github": "^5.0.0",
"@actions/http-client": "^2.0.1",
"@actions/tool-cache": "^1.7.1",
"ansi-regex": ">=5.0.1",
"is-docker": "^3.0.0",
"node-fetch": ">=3.2.0",
"uuid": "^8.3.2"
},
"devDependencies": {
"@types/jest": "^27.5.2",
"@types/node": "^16.9.0",
"@typescript-eslint/eslint-plugin": "^6.1.0",
"@typescript-eslint/parser": "^6.1.0",
"@vercel/ncc": "^0.30.0",
"eslint": "^7.32.0",
"eslint-config-google": "^0.14.0",
"jest": "^29.3.1",
"jest-junit": ">=13.0.0",
"nock": "^13.3.0",
"ts-jest": "^29.0.3",
"ts-node": "^10.9.1",
"typescript": "^4.3.5"
}
>>>>>>> main
}

20
src/arc-runner.test.ts Normal file
View file

@ -0,0 +1,20 @@
import { isArcRunner, sendAllowedEndpoints } from "./arc-runner";
it("should correctly recognize arc based runner", async () => {
process.env["GITHUB_ACTIONS_RUNNER_EXTRA_USER_AGENT"] =
"actions-runner-controller/2.0.1";
let isArc: boolean = await isArcRunner();
expect(isArc).toBe(true);
});
it("should write endpoint files", ()=>{
process.env["isTest"] = "1"
let allowed_endpoints = ["github.com:443", "*.google.com:443", "youtube.com"].join(" ");
sendAllowedEndpoints(allowed_endpoints);
})

62
src/arc-runner.ts Normal file
View file

@ -0,0 +1,62 @@
import * as cp from "child_process";
import * as fs from "fs";
import { sleep } from "./setup";
export function isArcRunner(): boolean {
const runnerUserAgent = process.env["GITHUB_ACTIONS_RUNNER_EXTRA_USER_AGENT"];
let isARC = false;
if (!runnerUserAgent) {
isARC = false;
} else {
isARC = runnerUserAgent.includes("actions-runner-controller/");
}
return isARC || isSecondaryPod();
}
function isSecondaryPod(): boolean {
const workDir = "/__w";
return fs.existsSync(workDir);
}
function getRunnerTempDir(): string {
const isTest = process.env["isTest"];
if (isTest === "1") {
return "/tmp";
}
return process.env["RUNNER_TEMP"] || "/tmp";
}
export function sendAllowedEndpoints(endpoints: string): void {
const allowedEndpoints = endpoints.split(" "); // endpoints are space separated
for (const endpoint of allowedEndpoints) {
if (endpoint) {
const encodedEndpoint = Buffer.from(endpoint).toString("base64");
cp.execSync(
`echo "${endpoint}" > "${getRunnerTempDir()}/step_policy_endpoint_${encodedEndpoint}"`
);
}
}
if (allowedEndpoints.length > 0) {
applyPolicy(allowedEndpoints.length);
}
}
function applyPolicy(count: number): void {
const fileName = `step_policy_apply_${count}`;
cp.execSync(`echo "${fileName}" > "${getRunnerTempDir()}/${fileName}"`);
}
export function removeStepPolicyFiles() {
cp.execSync(`rm ${getRunnerTempDir()}/step_policy_*`);
}
export function arcCleanUp() {
cp.execSync(`echo "cleanup" > "${getRunnerTempDir()}/step_policy_cleanup"`);
}

22
src/cache.ts Normal file
View file

@ -0,0 +1,22 @@
export const cacheKey = "harden-runner-cacheKey";
export const cacheFile = "/home/agent/cache.txt";
export interface ArtifactCacheEntry {
cacheKey?: string;
scope?: string;
creationTime?: string;
archiveLocation?: string;
}
export enum CompressionMethod {
Gzip = "gzip",
// Long range mode was added to zstd in v1.3.2.
// This enum is for earlier version of zstd that does not have --long support
ZstdWithoutLong = "zstd-without-long",
Zstd = "zstd",
}
// Refer: https://github.com/actions/cache/blob/12681847c623a9274356751fdf0a63576ff3f846/src/utils/actionUtils.ts#L53
const RefKey = "GITHUB_REF";
export function isValidEvent(): boolean {
return RefKey in process.env && Boolean(process.env[RefKey]);
}

22
src/checksum.ts Normal file
View file

@ -0,0 +1,22 @@
import * as core from "@actions/core";
import * as crypto from "crypto";
import * as fs from "fs";
export function verifyChecksum(downloadPath: string) {
const fileBuffer: Buffer = fs.readFileSync(downloadPath);
const checksum: string = crypto
.createHash("sha256")
.update(fileBuffer)
.digest("hex"); // checksum of downloaded file
const expectedChecksum: string =
"ceb925c78e5c79af4f344f08f59bbdcf3376d20d15930a315f9b24b6c4d0328a"; // checksum for v0.13.5
if (checksum !== expectedChecksum) {
core.setFailed(
`Checksum verification failed, expected ${expectedChecksum} instead got ${checksum}`
);
}
core.debug("Checksum verification passed.");
}

63
src/cleanup.ts
View file

@ -1,9 +1,39 @@
import * as fs from "fs";
<<<<<<< HEAD
import * as core from "@actions/core";
=======
import * as cp from "child_process";
import * as common from "./common";
import isDocker from "is-docker";
import { arcCleanUp, isArcRunner, removeStepPolicyFiles } from "./arc-runner";
>>>>>>> main
(async () => {
if (process.platform !== "linux") {
console.log("Only runs on linux");
console.log(common.UBUNTU_MESSAGE);
return;
}
if (isDocker()) {
console.log(common.CONTAINER_MESSAGE);
return;
}
if (isArcRunner()) {
console.log(`[!] ${common.ARC_RUNNER_MESSAGE}`);
arcCleanUp();
removeStepPolicyFiles();
return;
}
if (process.env.STATE_selfHosted === "true") {
return;
}
if (
String(process.env.STATE_monitorStatusCode) ===
common.STATUS_HARDEN_RUNNER_UNAVAILABLE
) {
console.log(common.HARDEN_RUNNER_UNAVAILABLE_MESSAGE);
return;
}
@ -12,8 +42,8 @@ import * as core from "@actions/core";
JSON.stringify({ event: "post" })
);
var doneFile = "/home/agent/done.json";
var counter = 0;
const doneFile = "/home/agent/done.json";
let counter = 0;
while (true) {
if (!fs.existsSync(doneFile)) {
counter++;
@ -29,10 +59,13 @@ import * as core from "@actions/core";
}
}
var log = "/home/agent/agent.log";
console.log("log:");
var content = fs.readFileSync(log, "utf-8");
console.log(content);
const log = "/home/agent/agent.log";
if (fs.existsSync(log)) {
console.log("log:");
var content = fs.readFileSync(log, "utf-8");
console.log(content);
}
var status = "/home/agent/agent.status";
if (fs.existsSync(status)) {
console.log("status:");
@ -40,6 +73,7 @@ import * as core from "@actions/core";
console.log(content);
}
<<<<<<< HEAD
// write annotations
var annotationsFile = "/home/agent/annotation.log";
if (fs.existsSync(annotationsFile)) {
@ -47,6 +81,21 @@ import * as core from "@actions/core";
content.split(/\r?\n/).forEach((line) => {
core.error(line);
});
=======
var disable_sudo = process.env.STATE_disableSudo;
if (disable_sudo !== "true") {
var journalLog = cp.execSync("sudo journalctl -u agent.service", {
encoding: "utf8",
});
console.log("Service log:");
console.log(journalLog);
}
try {
await common.addSummary();
} catch (exception) {
console.log(exception);
>>>>>>> main
}
})();

28
src/common.test.ts Normal file
View file

@ -0,0 +1,28 @@
import { processLogLine } from "./common"; // import the function
describe("processLogLine function", () => {
it("correctly processes the log line and adds an entry to the array", () => {
const tableEntries: {
pid: string;
process: string;
domain: string;
ipAddress: string;
status: string;
}[] = [];
const logLine =
"Thu, 15 Jun 2023 05:35:29 GMT:endpoint called ip address:port 104.16.24.35:443, domain: registry.npmjs.org., pid: 2135, process: node.";
processLogLine(logLine, tableEntries);
// Check if a single entry is added to the array
expect(tableEntries.length).toBe(1);
// Check if the entry's properties are set correctly
const entry = tableEntries[0];
expect(entry.pid).toBe("2135");
expect(entry.process).toBe("node");
expect(entry.domain).toBe("registry.npmjs.org.");
expect(entry.ipAddress).toBe("104.16.24.35:443");
expect(entry.status).toBe("✅ Allowed"); // Since the IP address is not '54.185.253.63', status should be '✔️ Allowed'
});
});

175
src/common.ts Normal file
View file

@ -0,0 +1,175 @@
import * as core from "@actions/core";
import * as fs from "fs";
export function printInfo(web_url) {
console.log(
"\x1b[32m%s\x1b[0m",
"View security insights and recommended policy at:"
);
console.log(
`${web_url}/github/${process.env["GITHUB_REPOSITORY"]}/actions/runs/${process.env["GITHUB_RUN_ID"]}`
);
}
export const processLogLine = (
line: string,
tableEntries: {
pid: string;
process: string;
domain: string;
ipAddress: string;
status: string;
}[]
): void => {
if (
line.includes("pid") &&
line.includes("process") &&
line.includes("domain") &&
line.includes("ip address")
) {
const matches = line.match(
/ip address:port ([\d.:]+), domain: ([\w.-]+), pid: (\d+), process: (\w+)/
);
if (matches) {
const [ipAddress, domain, pid, process] = matches.slice(1);
// Check if all values are non-empty
if (pid && process && domain && ipAddress) {
const status = ipAddress.startsWith("54.185.253.63")
? "❌ Blocked"
: "✅ Allowed";
tableEntries.push({ pid, process, domain, ipAddress, status });
}
}
}
};
export async function addSummary() {
if (process.env.STATE_monitorStatusCode !== "200") {
return;
}
const web_url = "https://app.stepsecurity.io";
const insights_url = `${web_url}/github/${process.env["GITHUB_REPOSITORY"]}/actions/runs/${process.env["GITHUB_RUN_ID"]}`;
const log = "/home/agent/agent.log";
if (!fs.existsSync(log)) {
return;
}
let needsSubscription = false;
try {
let data = fs.readFileSync("/home/agent/annotation.log", "utf8");
if (data.includes("StepSecurity Harden Runner is disabled")) {
needsSubscription = true;
}
} catch (err) {
//console.error(err);
}
if (needsSubscription) {
await core.summary
.addSeparator()
.addRaw(
`<h2>⚠️ Your GitHub Actions Runtime Security is currently disabled!</h2>`
);
await core.summary
.addRaw(
`
<p>It appears that you're using the <a href="https://github.com/step-security/harden-runner">Harden-Runner GitHub Action</a> by StepSecurity within a private repository. However, runtime security is not enabled as your organization hasn't signed up for a free trial or a paid subscription yet.</p>
<p>To enable runtime security, start a free trial today by installing the <a href="https://github.com/apps/stepsecurity-actions-security">StepSecurity Actions Security GitHub App</a>. For more information or assistance, feel free to reach out to us through our <a href="https://www.stepsecurity.io/contact">contact form</a>.</p>
`
)
.addSeparator()
.write();
return;
}
const content = fs.readFileSync(log, "utf-8");
const lines = content.split("\n");
let tableEntries = [];
for (const line of lines) {
processLogLine(line, tableEntries);
}
if (tableEntries.length === 0) {
return;
}
const insightsRow = `<p><b><a href="${insights_url}">📄 View Full Report</a></b></p>`;
await core.summary.addSeparator().addRaw(`<h2>🛡 StepSecurity Report</h2>`);
tableEntries.sort((a, b) => {
if (a.status === "❌ Blocked" && b.status !== "❌ Blocked") {
return -1;
} else if (a.status !== "❌ Blocked" && b.status === "❌ Blocked") {
return 1;
} else {
return 0;
}
});
tableEntries = tableEntries.slice(0, 3);
await core.summary.addRaw(`
<blockquote>
<p>Preview of the outbound network calls during this workflow run.</p></blockquote>
<h3>Network Calls</h3>
<table>
<thead>
<tr>
<th>Process</th>
<th>Destination</th>
<th>Status</th>
</tr>
</thead>
<tbody>
${tableEntries
.map(
(entry) => `<tr>
<td><code>${entry.process}</code></td>
<td>${entry.domain.replace(/\.$/, "")}</td>
<td>${entry.status}</td>
</tr>`
)
.join("")}
<tr>
<td><code>...</code></td>
<td><code>...</code></td>
<td><code>...</code></td>
</tr>
</tbody>
</table>
${insightsRow}
`);
await core.summary
.addRaw(
`<p><i>Markdown generated by the <a href="https://github.com/step-security/harden-runner">Harden-Runner GitHub Action</a>.</i></p>`
)
.addSeparator()
.write();
}
export const STATUS_HARDEN_RUNNER_UNAVAILABLE = "409";
export const CONTAINER_MESSAGE =
"This job is running in a container. Harden Runner does not run in a container as it needs sudo access to run. This job will not be monitored.";
export const UBUNTU_MESSAGE =
"This job is not running in a GitHub Actions Hosted Runner Ubuntu VM. Harden Runner is only supported on Ubuntu VM. This job will not be monitored.";
export const SELF_HOSTED_NO_AGENT_MESSAGE =
"This job is running on a self-hosted runner, but the runner does not have Harden-Runner installed. This job will not be monitored.";
export const HARDEN_RUNNER_UNAVAILABLE_MESSAGE =
"Sorry, we are currently experiencing issues with the Harden Runner installation process. It is currently unavailable.";
export const ARC_RUNNER_MESSAGE =
"Workflow is currently being executed in ARC based runner";

32
src/index.ts
View file

@ -1,12 +1,34 @@
import * as common from "./common";
import * as core from "@actions/core";
import isDocker from "is-docker";
(async () => {
if (process.platform !== "linux") {
console.log("Only runs on linux");
console.log(common.UBUNTU_MESSAGE);
return;
}
if (isDocker()) {
console.log(common.CONTAINER_MESSAGE);
return;
}
var web_url = "https://int1.stepsecurity.io";
if (
String(process.env.STATE_monitorStatusCode) ===
common.STATUS_HARDEN_RUNNER_UNAVAILABLE
) {
console.log(common.HARDEN_RUNNER_UNAVAILABLE_MESSAGE);
return;
}
console.log(
`View security insights and recommended policy at ${web_url}/github/${process.env["GITHUB_REPOSITORY"]}/actions/runs/${process.env["GITHUB_RUN_ID"]} after the run has finished`
);
if (
core.getBooleanInput("disable-telemetry") &&
core.getInput("egress-policy") === "block"
) {
console.log(
"Telemetry will not be sent to StepSecurity API as disable-telemetry is set to true"
);
} else {
var web_url = "https://app.stepsecurity.io";
common.printInfo(web_url);
}
})();

23
src/interfaces.ts Normal file
View file

@ -0,0 +1,23 @@
export interface Configuration {
repo: string;
run_id: string;
correlation_id: string;
working_directory: string;
api_url: string;
allowed_endpoints: string;
egress_policy: string;
disable_telemetry: boolean;
disable_sudo: boolean;
disable_file_monitoring: boolean;
private: string;
}
export interface PolicyResponse {
owner?: string;
policyName?: string;
allowed_endpoints?: string[];
disable_sudo?: boolean;
disable_file_monitoring?: boolean;
disable_telemetry?: boolean;
egress_policy?: string;
}

67
src/policy-utils.test.ts Normal file
View file

@ -0,0 +1,67 @@
import nock from "nock";
import { API_ENDPOINT, fetchPolicy, mergeConfigs } from "./policy-utils";
import { Configuration, PolicyResponse } from "./interfaces";
test("success: fetching policy", async () => {
let owner = "h0x0er";
let policyName = "policy1";
let response = {
owner: "h0x0er",
policyName: "policy1",
allowed_endpoints: ["github.com:443"],
egress_policy: "audit",
disable_telemetry: false,
disable_sudo: false,
disable_file_monitoring: false,
};
const policyScope = nock(`${API_ENDPOINT}`)
.get(`/github/${owner}/actions/policies/${policyName}`)
.reply(200, response);
let idToken = "xyz";
let policy = await fetchPolicy(owner, policyName, idToken);
console.log(policy);
expect(policy).toStrictEqual(response);
});
test("merge configs", async () => {
let localConfig: Configuration = {
repo: "test/repo",
run_id: "xyx",
correlation_id: "aaaaa",
working_directory: "/xyz",
api_url: "xyz",
allowed_endpoints: "",
egress_policy: "audit",
disable_telemetry: false,
disable_sudo: false,
disable_file_monitoring: false,
private: "true",
};
let policyResponse: PolicyResponse = {
owner: "h0x0er",
policyName: "policy1",
allowed_endpoints: ["github.com:443", "google.com:443"],
egress_policy: "audit",
disable_telemetry: false,
disable_sudo: false,
disable_file_monitoring: false,
};
let expectedConfiguration: Configuration = {
repo: "test/repo",
run_id: "xyx",
correlation_id: "aaaaa",
working_directory: "/xyz",
api_url: "xyz",
allowed_endpoints: "github.com:443 google.com:443",
egress_policy: "audit",
disable_telemetry: false,
disable_sudo: false,
disable_file_monitoring: false,
private: "true",
};
localConfig = mergeConfigs(localConfig, policyResponse);
expect(localConfig).toStrictEqual(expectedConfiguration);
});

75
src/policy-utils.ts Normal file
View file

@ -0,0 +1,75 @@
import { HttpClient } from "@actions/http-client";
import { PolicyResponse, Configuration } from "./interfaces";
export const API_ENDPOINT = "https://agent.api.stepsecurity.io/v1";
export async function fetchPolicy(
owner: string,
policyName: string,
idToken: string
): Promise<PolicyResponse> {
if (idToken === "") {
throw new Error("[PolicyFetch]: id-token in empty");
}
let policyEndpoint = `${API_ENDPOINT}/github/${owner}/actions/policies/${policyName}`;
let httpClient = new HttpClient();
let headers = {};
headers["Authorization"] = `Bearer ${idToken}`;
headers["Source"] = "github-actions";
let response = undefined;
let err = undefined;
let retry = 0;
while(retry < 3){
try{
console.log(`Attempt: ${retry+1}`)
response = await httpClient.getJson<PolicyResponse>(
policyEndpoint,
headers
);
break;
}catch(e){
err = e
}
retry += 1
await sleep(1000);
}
if(response === undefined && err !== undefined){
throw new Error(`[Policy Fetch] ${err}`)
}else{
return response.result;
}
}
export function mergeConfigs(
localConfig: Configuration,
remoteConfig: PolicyResponse
) {
if (localConfig.allowed_endpoints === "") {
localConfig.allowed_endpoints = remoteConfig.allowed_endpoints.join(" ");
}
if (remoteConfig.disable_sudo !== undefined) {
localConfig.disable_sudo = remoteConfig.disable_sudo;
}
if (remoteConfig.disable_file_monitoring !== undefined) {
localConfig.disable_file_monitoring = remoteConfig.disable_file_monitoring;
}
if (remoteConfig.egress_policy !== undefined) {
localConfig.egress_policy = remoteConfig.egress_policy;
}
return localConfig;
}
function sleep(ms) {
return new Promise((resolve) => {
setTimeout(resolve, ms);
});
}

295
src/setup.ts
View file

@ -1,25 +1,54 @@
import * as core from "@actions/core";
<<<<<<< HEAD
import { context } from "@actions/github";
=======
>>>>>>> main
import * as cp from "child_process";
import * as fs from "fs";
import * as https from "https";
import * as httpm from "@actions/http-client";
import * as path from "path";
import { v4 as uuidv4 } from "uuid";
<<<<<<< HEAD
import * as httpm from "@actions/http-client";
=======
import * as common from "./common";
import * as tc from "@actions/tool-cache";
import { verifyChecksum } from "./checksum";
import isDocker from "is-docker";
import { context } from "@actions/github";
import { EOL } from "os";
import {
ArtifactCacheEntry,
cacheKey,
cacheFile,
CompressionMethod,
isValidEvent,
} from "./cache";
import { Configuration, PolicyResponse } from "./interfaces";
import { fetchPolicy, mergeConfigs } from "./policy-utils";
import * as cache from "@actions/cache";
import { getCacheEntry } from "@actions/cache/lib/internal/cacheHttpClient";
import * as utils from "@actions/cache/lib/internal/cacheUtils";
import { isArcRunner, sendAllowedEndpoints } from "./arc-runner";
>>>>>>> main
(async () => {
try {
if (process.platform !== "linux") {
console.log("Only runs on linux");
console.log(common.UBUNTU_MESSAGE);
return;
}
if (isDocker()) {
console.log(common.CONTAINER_MESSAGE);
return;
}
var correlation_id = uuidv4();
var env = "int";
var env = "agent";
var api_url = `https://${env}.api.stepsecurity.io/v1`;
var web_url = "https://int1.stepsecurity.io";
var web_url = "https://app.stepsecurity.io";
const confg = {
let confg: Configuration = {
repo: process.env["GITHUB_REPOSITORY"],
run_id: process.env["GITHUB_RUN_ID"],
correlation_id: correlation_id,
@ -27,6 +56,7 @@ import * as httpm from "@actions/http-client";
api_url: api_url,
allowed_endpoints: core.getInput("allowed-endpoints"),
egress_policy: core.getInput("egress-policy"),
<<<<<<< HEAD
disable_sudo: core.getBooleanInput("disable-sudo"),
disable_file_monitoring: core.getBooleanInput("disable-file-monitoring"),
private: context.payload.repository.private,
@ -36,76 +66,215 @@ import * as httpm from "@actions/http-client";
await _http.get(
`${api_url}/github/${process.env["GITHUB_REPOSITORY"]}/actions/runs/${process.env["GITHUB_RUN_ID"]}/monitor`
);
=======
disable_telemetry: core.getBooleanInput("disable-telemetry"),
disable_sudo: core.getBooleanInput("disable-sudo"),
disable_file_monitoring: core.getBooleanInput("disable-file-monitoring"),
private: context?.payload?.repository?.private || false,
};
let policyName = core.getInput("policy");
if (policyName !== "") {
console.log(`Fetching policy from API with name: ${policyName}`);
try {
let idToken: string = await core.getIDToken();
let result: PolicyResponse = await fetchPolicy(
context.repo.owner,
policyName,
idToken
);
confg = mergeConfigs(confg, result);
} catch (err) {
core.info(`[!] ${err}`);
core.setFailed(err);
}
}
fs.appendFileSync(
process.env.GITHUB_STATE,
`disableSudo=${confg.disable_sudo}${EOL}`,
{
encoding: "utf8",
}
);
core.info(`[!] Current Configuration: \n${JSON.stringify(confg)}\n`);
if (confg.egress_policy !== "audit" && confg.egress_policy !== "block") {
core.setFailed("egress-policy must be either audit or block");
}
if (confg.egress_policy === "block" && confg.allowed_endpoints === "") {
core.warning(
"egress-policy is set to block (default) and allowed-endpoints is empty. No outbound traffic will be allowed for job steps."
);
}
if (confg.disable_telemetry !== true && confg.disable_telemetry !== false) {
core.setFailed("disable-telemetry must be a boolean value");
}
if (isValidEvent() && confg.egress_policy === "block") {
try {
const cacheResult = await cache.saveCache(
[path.join(__dirname, "cache.txt")],
cacheKey
);
console.log(cacheResult);
} catch (exception) {
console.log(exception);
}
try {
const compressionMethod: CompressionMethod =
await utils.getCompressionMethod();
const cacheFilePath = path.join(__dirname, "cache.txt");
core.info(`cacheFilePath ${cacheFilePath}`);
const cacheEntry: ArtifactCacheEntry = await getCacheEntry(
[cacheKey],
[cacheFilePath],
{
compressionMethod: compressionMethod,
}
);
const url = new URL(cacheEntry.archiveLocation);
core.info(`Adding cacheHost: ${url.hostname}:443 to allowed-endpoints`);
confg.allowed_endpoints += ` ${url.hostname}:443`;
} catch (exception) {
// some exception has occurred.
core.info(`Unable to fetch cacheURL`);
if (confg.egress_policy === "block") {
core.info("Switching egress-policy to audit mode");
confg.egress_policy = "audit";
}
}
}
if (!confg.disable_telemetry || confg.egress_policy === "audit") {
common.printInfo(web_url);
}
if (isArcRunner()) {
console.log(`[!] ${common.ARC_RUNNER_MESSAGE}`);
if (confg.egress_policy === "block") {
sendAllowedEndpoints(confg.allowed_endpoints);
await sleep(10000);
}
return;
}
const runnerName = process.env.RUNNER_NAME || "";
core.info(`RUNNER_NAME: ${runnerName}`);
if (!runnerName.startsWith("GitHub Actions")) {
fs.appendFileSync(process.env.GITHUB_STATE, `selfHosted=true${EOL}`, {
encoding: "utf8",
});
if (!fs.existsSync("/home/agent/agent")) {
core.info(common.SELF_HOSTED_NO_AGENT_MESSAGE);
return;
}
if (confg.egress_policy === "block") {
try {
if (process.env.USER) {
cp.execSync(`sudo chown -R ${process.env.USER} /home/agent`);
}
const confgStr = JSON.stringify(confg);
fs.writeFileSync("/home/agent/block_event.json", confgStr);
await sleep(5000);
} catch (error) {
core.info(`[!] Unable to write block_event.json: ${error}`);
}
}
return;
}
let _http = new httpm.HttpClient();
let statusCode;
_http.requestOptions = { socketTimeout: 3 * 1000 };
try {
const resp: httpm.HttpClientResponse = await _http.get(
`${api_url}/github/${process.env["GITHUB_REPOSITORY"]}/actions/runs/${process.env["GITHUB_RUN_ID"]}/monitor`
);
statusCode = resp.message.statusCode; // adding error code to check whether agent is getting installed or not.
fs.appendFileSync(
process.env.GITHUB_STATE,
`monitorStatusCode=${statusCode}${EOL}`,
{
encoding: "utf8",
}
);
} catch (e) {
console.log(`error in connecting to ${api_url}: ${e}`);
}
console.log(`Step Security Job Correlation ID: ${correlation_id}`);
if (String(statusCode) === common.STATUS_HARDEN_RUNNER_UNAVAILABLE) {
console.log(common.HARDEN_RUNNER_UNAVAILABLE_MESSAGE);
return;
}
>>>>>>> main
const confgStr = JSON.stringify(confg);
cp.execSync("sudo mkdir -p /home/agent");
cp.execSync("sudo chown -R $USER /home/agent");
const filename = path.join(__dirname, "agent");
https.get(
`https://step-security-agent.s3.us-west-2.amazonaws.com/refs/heads/${env}/agent`,
(res) => {
const filePath = fs.createWriteStream(filename);
res.pipe(filePath);
filePath
.on("error", (err) => {})
.on("finish", async () => {
filePath.close();
// Note: to avoid github rate limiting
let token = core.getInput("token");
let auth = `token ${token}`;
console.log(`Step Security Job Correlation ID: ${correlation_id}`);
console.log(
`View security insights and recommended policy at ${web_url}/github/${process.env["GITHUB_REPOSITORY"]}/actions/runs/${process.env["GITHUB_RUN_ID"]} after the run has finished`
);
let cmd = "cp",
args = [path.join(__dirname, "agent"), "/home/agent/agent"];
cp.execFileSync(cmd, args);
cp.execSync("chmod +x /home/agent/agent");
fs.writeFileSync("/home/agent/agent.json", confgStr);
cmd = "sudo";
args = [
"cp",
path.join(__dirname, "agent.service"),
"/etc/systemd/system/agent.service",
];
cp.execFileSync(cmd, args);
cp.execSync("sudo systemctl daemon-reload");
cp.execSync("sudo service agent start", { timeout: 15000 });
// Check that the file exists locally
var statusFile = "/home/agent/agent.status";
var logFile = "/home/agent/agent.log";
var counter = 0;
while (true) {
if (!fs.existsSync(statusFile)) {
counter++;
if (counter > 30) {
console.log("timed out");
if (fs.existsSync(logFile)) {
var content = fs.readFileSync(logFile, "utf-8");
console.log(content);
}
break;
}
await sleep(300);
} // The file *does* exist
else {
// Read the file
var content = fs.readFileSync(statusFile, "utf-8");
console.log(content);
break;
}
}
});
}
const downloadPath: string = await tc.downloadTool(
"https://github.com/step-security/agent/releases/download/v0.13.5/agent_0.13.5_linux_amd64.tar.gz",
undefined,
auth
);
verifyChecksum(downloadPath); // NOTE: verifying agent's checksum, before extracting
const extractPath = await tc.extractTar(downloadPath);
let cmd = "cp",
args = [path.join(extractPath, "agent"), "/home/agent/agent"];
cp.execFileSync(cmd, args);
cp.execSync("chmod +x /home/agent/agent");
fs.writeFileSync("/home/agent/agent.json", confgStr);
cmd = "sudo";
args = [
"cp",
path.join(__dirname, "agent.service"),
"/etc/systemd/system/agent.service",
];
cp.execFileSync(cmd, args);
cp.execSync("sudo systemctl daemon-reload");
cp.execSync("sudo service agent start", { timeout: 15000 });
// Check that the file exists locally
var statusFile = "/home/agent/agent.status";
var logFile = "/home/agent/agent.log";
var counter = 0;
while (true) {
if (!fs.existsSync(statusFile)) {
counter++;
if (counter > 30) {
console.log("timed out");
if (fs.existsSync(logFile)) {
var content = fs.readFileSync(logFile, "utf-8");
console.log(content);
}
break;
}
await sleep(300);
} // The file *does* exist
else {
// Read the file
var content = fs.readFileSync(statusFile, "utf-8");
console.log(content);
break;
}
}
} catch (error) {
core.setFailed(error.message);
}
})();
function sleep(ms) {
export function sleep(ms) {
return new Promise((resolve) => {
setTimeout(resolve, ms);
});

2
tsconfig.json
View file

@ -14,4 +14,4 @@
"exclude": [
"src/**/*.test.ts"
]
}
}