From b0999453b19ef52c00eb7426519871e8f3b46e91 Mon Sep 17 00:00:00 2001 From: arjundashrath <54043589+arjundashrath@users.noreply.github.com> Date: Fri, 11 Mar 2022 00:57:52 +0530 Subject: [PATCH 1/6] Update README.md --- README.md | 3 +++ 1 file changed, 3 insertions(+) diff --git a/README.md b/README.md index 0b2df66..4edf63b 100644 --- a/README.md +++ b/README.md @@ -1,6 +1,9 @@ # Security agent for Github-hosted runner Harden-Runner GitHub Action installs a security agent on the Github-hosted runner to prevent exfiltration of credentials, monitor the build process, and detect compromised dependencies. +

+ Link in build log +

## Problem Hijacked dependencies and compromised build tools typically make outbound requests during the build process to exfiltrate data or credentials. There is also a risk that a compromised dependency or build tool may modify source code, dependencies, or artifacts during the build process. From 18b0d175340d49765f63efed2f7677cfee1b0b9f Mon Sep 17 00:00:00 2001 From: arjundashrath <54043589+arjundashrath@users.noreply.github.com> Date: Fri, 11 Mar 2022 01:07:25 +0530 Subject: [PATCH 2/6] Update README.md --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index 4edf63b..75309cb 100644 --- a/README.md +++ b/README.md @@ -2,7 +2,7 @@ Harden-Runner GitHub Action installs a security agent on the Github-hosted runner to prevent exfiltration of credentials, monitor the build process, and detect compromised dependencies.

- Link in build log + Link in build log

## Problem From 59785a72b3abfae49fdffa33751049d70ea55588 Mon Sep 17 00:00:00 2001 From: arjundashrath <54043589+arjundashrath@users.noreply.github.com> Date: Fri, 11 Mar 2022 01:09:53 +0530 Subject: [PATCH 3/6] Update README.md --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index 75309cb..844b9a4 100644 --- a/README.md +++ b/README.md @@ -2,7 +2,7 @@ Harden-Runner GitHub Action installs a security agent on the Github-hosted runner to prevent exfiltration of credentials, monitor the build process, and detect compromised dependencies.

- Link in build log + Link in build log

## Problem From 01f224a0133f8d19571a284f199a479521a9f431 Mon Sep 17 00:00:00 2001 From: arjundashrath <54043589+arjundashrath@users.noreply.github.com> Date: Fri, 11 Mar 2022 01:11:24 +0530 Subject: [PATCH 4/6] Update README.md --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index 844b9a4..e47a93f 100644 --- a/README.md +++ b/README.md @@ -2,7 +2,7 @@ Harden-Runner GitHub Action installs a security agent on the Github-hosted runner to prevent exfiltration of credentials, monitor the build process, and detect compromised dependencies.

- Link in build log + Link in build log

## Problem From 78ba77fe56e47a34d9d8660fb18a0c779855f6de Mon Sep 17 00:00:00 2001 From: arjundashrath <54043589+arjundashrath@users.noreply.github.com> Date: Fri, 11 Mar 2022 01:32:16 +0530 Subject: [PATCH 5/6] Update README.md --- README.md | 10 ++++++---- 1 file changed, 6 insertions(+), 4 deletions(-) diff --git a/README.md b/README.md index e47a93f..bb346e6 100644 --- a/README.md +++ b/README.md @@ -1,14 +1,16 @@ -# Security agent for Github-hosted runner +# Harden-Runner: The Security agent for Github-hosted runner Harden-Runner GitHub Action installs a security agent on the Github-hosted runner to prevent exfiltration of credentials, monitor the build process, and detect compromised dependencies.

Link in build log

-## Problem +## Why use Harden-Runner? Hijacked dependencies and compromised build tools typically make outbound requests during the build process to exfiltrate data or credentials. There is also a risk that a compromised dependency or build tool may modify source code, dependencies, or artifacts during the build process. -## Solution +Harden-Runner is a first-of-its-kind technology that automatically correlates outbound traffic, file modifications, and process activity with each step of a workflow. You can also set a policy per job of a workflow to restrict outbound traffic. + +## Using Harden-Runner 1. Add `step-security/harden-runner` to your GitHub Actions workflow file as the first step in each job. In the pre step, the GitHub Actions installs a daemon that monitors process, file, and network activity. ```yaml @@ -38,7 +40,7 @@ Hijacked dependencies and compromised build tools typically make outbound reques When you use `egress-policy: block` mode, you can also set `disable-telemetry: true` to not send telemetry to the StepSecurity API. -## How past attacks would have been prevented +## How Harden-Runner mitigates threats? [Hands-on tutorials](https://github.com/step-security/supply-chain-goat) to learn how `harden-runner` would have prevented past software supply chain attacks. From c96be665793bef656d927146ca475b899140aa36 Mon Sep 17 00:00:00 2001 From: Varun Sharma Date: Thu, 10 Mar 2022 13:14:27 -0800 Subject: [PATCH 6/6] Update README.md Minor change --- README.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/README.md b/README.md index bb346e6..66a567c 100644 --- a/README.md +++ b/README.md @@ -1,6 +1,6 @@ -# Harden-Runner: The Security agent for Github-hosted runner +# Harden-Runner: Security agent for GitHub-hosted runner -Harden-Runner GitHub Action installs a security agent on the Github-hosted runner to prevent exfiltration of credentials, monitor the build process, and detect compromised dependencies. +Harden-Runner GitHub Action installs a security agent on the GitHub-hosted runner to prevent exfiltration of credentials, monitor the build process, and detect compromised dependencies.

Link in build log