mirror of
https://github.com/step-security/harden-runner.git
synced 2026-06-08 04:47:06 +00:00
Varun Sharma
GitHub
commit
74b568e859
5 changed files with 42 additions and 23 deletions
55
README.md
55
README.md
|
|
@ -1,12 +1,18 @@
|
|||
<picture>
|
||||
<source media="(prefers-color-scheme: light)" srcset="images/banner.png" width="400">
|
||||
<img src="images/banner.png" width="400">
|
||||
</picture>
|
||||
|
||||
# Harden-Runner
|
||||
[](#)
|
||||
[](https://stepsecurity.io/?utm_source=github&utm_medium=organic_oss&utm_campaign=harden-runner)
|
||||
[](https://raw.githubusercontent.com/step-security/harden-runner/main/LICENSE)
|
||||
|
||||
---
|
||||
|
||||
Harden-Runner GitHub Action installs a security agent on the GitHub-hosted runner (Ubuntu VM) to
|
||||
|
||||
1. Detect tampering of source code during build
|
||||
2. Prevent exfiltration of credentials
|
||||
3. Detect compromised dependencies or build tools
|
||||
1. Prevent exfiltration of credentials
|
||||
2. Detect compromised dependencies and build tools
|
||||
3. Detect tampering of source code during build
|
||||
|
||||
<p align="left">
|
||||
<img src="https://github.com/step-security/supply-chain-goat/blob/main/images/harden-runner/HardenRunnerGIFV.gif" alt="Demo using GIF" width="1440" >
|
||||
|
|
@ -14,15 +20,21 @@ Harden-Runner GitHub Action installs a security agent on the GitHub-hosted runne
|
|||
|
||||
## Why
|
||||
|
||||
Hijacked dependencies and compromised build tools typically make outbound requests to exfiltrate data or credentials, or may modify source code, dependencies, or artifacts during the build.
|
||||
Compromised dependencies and build tools typically make outbound calls to exfiltrate data or credentials, or may tamper source code, dependencies, or artifacts during the build.
|
||||
|
||||
Harden-Runner helps you answer these two important questions:
|
||||
1. Is source code being overwritten during the build process to inject a backdoor? ([SolarWinds incident scenario](https://github.com/step-security/supply-chain-goat/blob/main/MonitorSourceCode.md))
|
||||
2. Are unexpected outbound network calls being made during the workflow? ([Codecov breach](https://github.com/step-security/supply-chain-goat/blob/main/RestrictOutboundTraffic.md), [Dependency confusion](https://github.com/step-security/supply-chain-goat/blob/main/DNSExfiltration.md), [Malicious dependency](https://github.com/step-security/supply-chain-goat/blob/main/CompromisedDependency.md) scenarios)
|
||||
Harden-Runner GitHub Actions installs a daemon that monitors process, file, and network activity to:
|
||||
|
||||
| |Countermeasure |Threat|
|
||||
|--|----------|----------------|
|
||||
|1.| Block outbound calls that are not in the allowed list to prevent exfiltration of credentials |To prevent [Codecov breach](https://github.com/step-security/supply-chain-goat/blob/main/RestrictOutboundTraffic.md) scenario|
|
||||
|2.| Detect if source code is being overwritten during the build process to inject a backdoor | To detect [SolarWinds incident scenario](https://github.com/step-security/supply-chain-goat/blob/main/MonitorSourceCode.md)|
|
||||
|3.| Detect compromised dependencies that make unexpected outbound network calls | To detect [Dependency confusion](https://github.com/step-security/supply-chain-goat/blob/main/DNSExfiltration.md) and [Malicious dependencies](https://github.com/step-security/supply-chain-goat/blob/main/CompromisedDependency.md)
|
||||
|
||||
Read this [case study](https://infosecwriteups.com/detecting-malware-packages-in-github-actions-7b93a9985635) on how Harden-Runner detected malicious packages in the NPM registry.
|
||||
|
||||
## How
|
||||
|
||||
1. Add `step-security/harden-runner` to your GitHub Actions workflow file as the first step in each job. In the pre step, the GitHub Actions installs a daemon that monitors process, file, and network activity.
|
||||
1. Add `step-security/harden-runner` to your GitHub Actions workflow file as the first step in each job.
|
||||
|
||||
```yaml
|
||||
steps:
|
||||
|
|
@ -37,7 +49,7 @@ Harden-Runner helps you answer these two important questions:
|
|||
<img src="https://github.com/step-security/supply-chain-goat/blob/main/images/harden-runner/ActionLog.png" alt="Link in build log" >
|
||||
</p>
|
||||
|
||||
3. Click on the link ([example link](https://app.stepsecurity.io/github/ossf/scorecard/actions/runs/2265028928)). You will see a process monitor view of what activities happened as part of each step. This currently includes the programs that made outbound calls and did file writes to source code or dependencies.
|
||||
3. Click on the link ([example link](https://app.stepsecurity.io/github/ossf/scorecard/actions/runs/2265028928)). You will see a process monitor view of what activities happened as part of each step.
|
||||
|
||||
<p align="left">
|
||||
<img src="https://github.com/step-security/supply-chain-goat/blob/main/images/harden-runner/OutboundCalls2.png" alt="Insights from harden-runner" >
|
||||
|
|
@ -48,7 +60,6 @@ Harden-Runner helps you answer these two important questions:
|
|||
<p align="left">
|
||||
<img src="https://github.com/step-security/supply-chain-goat/blob/main/images/harden-runner/RecomPolicy1.png" alt="Policy recommended by harden-runner" >
|
||||
</p>
|
||||
|
||||
|
||||
5. If outbound network call is made to an endpoint not in the allowed list or if source code is tampered, you will see an annotation in the workflow run.
|
||||
|
||||
|
|
@ -58,13 +69,13 @@ Harden-Runner helps you answer these two important questions:
|
|||
|
||||
## Support for private repositories
|
||||
|
||||
Install the [Harden Runner App](https://github.com/marketplace/harden-runner-app) if you want to use Harden-Runner GitHub Action for `Private` repositories.
|
||||
Install the [Harden Runner App](https://github.com/marketplace/harden-runner-app) to use Harden-Runner GitHub Action for `Private` repositories.
|
||||
|
||||
If you use Harden-Runner GitHub Action in a private repository, the generated insights URL is NOT public. You need to authenticate first to access it for private repository. Only those who have access to the repository can view it.
|
||||
- If you use Harden-Runner GitHub Action in a private repository, the generated insights URL is NOT public.
|
||||
- You need to authenticate first to access insights URL for private repository. Only those who have access to the repository can view it.
|
||||
- [Harden Runner App](https://github.com/marketplace/harden-runner-app) only needs `actions: read` permissions on your repositories.
|
||||
|
||||
Read this [case study on how Kapiche uses Harden Runner](https://www.stepsecurity.io/case-studies/kapiche/) to improve software supply chain security in their open source and private repositories.
|
||||
|
||||
[Harden Runner App](https://github.com/marketplace/harden-runner-app) only needs `actions: read` permissions on your repositories. You can install it on selected repositories, or all repositories in your organization.
|
||||
Read this [case study on how Kapiche uses Harden Runner](https://www.stepsecurity.io/case-studies/kapiche/) to improve software supply chain security in their open source and private repositories.
|
||||
|
||||
## Discussions
|
||||
|
||||
|
|
@ -76,7 +87,7 @@ If you have questions or ideas, please use [discussions](https://github.com/step
|
|||
|
||||
## Limitations
|
||||
|
||||
1. Harden-Runner GitHub Action only works for GitHub-hosted runners. Self-hosted runners are not supported.
|
||||
1. Harden-Runner GitHub Action only works for GitHub-hosted runners. Self-hosted runners are not supported.
|
||||
2. Only Ubuntu VM is supported. Windows and MacOS GitHub-hosted runners are not supported. There is a discussion about that [here](https://github.com/step-security/harden-runner/discussions/121).
|
||||
3. Harden-Runner is not supported when [job is run in a container](https://docs.github.com/en/actions/using-jobs/running-jobs-in-a-container) as it needs sudo access on the Ubuntu VM to run. It can be used to monitor jobs that use containers to run steps. The limitation is if the entire job is run in a container. That is not common for GitHub Actions workflows, as most of them run directly on `ubuntu-latest`.
|
||||
|
||||
|
|
@ -99,6 +110,14 @@ Some important workflows using harden-runner:
|
|||
|4.|[ossf/scorecard](https://github.com/ossf/scorecard/blob/main/.github/workflows/codeql-analysis.yml)|[Link to insights](https://app.stepsecurity.io/github/ossf/scorecard/actions/runs/2006162141)
|
||||
|5.|[Automattic/vip-go-mu-plugins](https://github.com/Automattic/vip-go-mu-plugins/blob/master/.github/workflows/e2e.yml)|[Link to insights](https://app.stepsecurity.io/github/Automattic/vip-go-mu-plugins/actions/runs/1758760957)
|
||||
|
||||
## How does it work?
|
||||
|
||||
Harden-Runner GitHub Action downloads and installs the StepSecurity Agent.
|
||||
|
||||
- The code to monitor file, process, and network activity is in the Agent.
|
||||
- The agent is written in Go and is open source at https://github.com/step-security/agent
|
||||
- The agent's build is reproducible. You can view the steps to reproduce the build [here](http://app.stepsecurity.io/github/step-security/agent/releases/latest).
|
||||
|
||||
## 1-minute Demo Video
|
||||
|
||||
https://user-images.githubusercontent.com/25015917/156026587-79356450-9b35-4254-9c2e-7f2cc8d81059.mp4
|
||||
|
|
|
|||
4
dist/pre/index.js
vendored
4
dist/pre/index.js
vendored
|
|
@ -6274,7 +6274,7 @@ function verifyChecksum(downloadPath) {
|
|||
const checksum = external_crypto_.createHash("sha256")
|
||||
.update(fileBuffer)
|
||||
.digest("hex"); // checksum of downloaded file
|
||||
const expectedChecksum = "c1286b469a2ad8657d69cf96dfaa5b9166ee6fa46d46fcb9d454d5851aa964bd"; // checksum for v0.9.4
|
||||
const expectedChecksum = "1edce693c412a8a1d6a3d72eec2e7af6de384cfa3320b7c051bb0bd260974725"; // checksum for v0.10.0
|
||||
if (checksum !== expectedChecksum) {
|
||||
core.setFailed(`Checksum verification failed, expected ${expectedChecksum} instead got ${checksum}`);
|
||||
}
|
||||
|
|
@ -6383,7 +6383,7 @@ var __awaiter = (undefined && undefined.__awaiter) || function (thisArg, _argume
|
|||
// Note: to avoid github rate limiting
|
||||
let token = core.getInput("token");
|
||||
let auth = `token ${token}`;
|
||||
const downloadPath = yield tool_cache.downloadTool("https://github.com/step-security/agent/releases/download/v0.9.4/agent_0.9.4_linux_amd64.tar.gz", undefined, auth);
|
||||
const downloadPath = yield tool_cache.downloadTool("https://github.com/step-security/agent/releases/download/v0.10.0/agent_0.10.0_linux_amd64.tar.gz", undefined, auth);
|
||||
verifyChecksum(downloadPath); // NOTE: verifying agent's checksum, before extracting
|
||||
const extractPath = yield tool_cache.extractTar(downloadPath);
|
||||
console.log(`Step Security Job Correlation ID: ${correlation_id}`);
|
||||
|
|
|
|||
2
dist/pre/index.js.map
vendored
2
dist/pre/index.js.map
vendored
File diff suppressed because one or more lines are too long
|
|
@ -10,7 +10,7 @@ export function verifyChecksum(downloadPath: string) {
|
|||
.digest("hex"); // checksum of downloaded file
|
||||
|
||||
const expectedChecksum: string =
|
||||
"c1286b469a2ad8657d69cf96dfaa5b9166ee6fa46d46fcb9d454d5851aa964bd"; // checksum for v0.9.4
|
||||
"1edce693c412a8a1d6a3d72eec2e7af6de384cfa3320b7c051bb0bd260974725"; // checksum for v0.10.0
|
||||
|
||||
if (checksum !== expectedChecksum) {
|
||||
core.setFailed(
|
||||
|
|
|
|||
|
|
@ -71,7 +71,7 @@ import isDocker from "is-docker";
|
|||
let auth = `token ${token}`;
|
||||
|
||||
const downloadPath: string = await tc.downloadTool(
|
||||
"https://github.com/step-security/agent/releases/download/v0.9.4/agent_0.9.4_linux_amd64.tar.gz",
|
||||
"https://github.com/step-security/agent/releases/download/v0.10.0/agent_0.10.0_linux_amd64.tar.gz",
|
||||
undefined,
|
||||
auth
|
||||
);
|
||||
|
|
|
|||
Loading…
Add table
Add a link
Reference in a new issue