diff --git a/.DS_Store b/.DS_Store new file mode 100644 index 0000000..9e250e6 Binary files /dev/null and b/.DS_Store differ diff --git a/README.md b/README.md index 8ac6bfa..b6676ae 100644 --- a/README.md +++ b/README.md @@ -18,14 +18,13 @@ Harden-Runner secures CI/CD workflows by controlling network access and monitoring activities on GitHub-hosted and self-hosted runners. It blocks unauthorized network traffic and detects unusual activity to protect against potential threats. The name "Harden-Runner" comes from its purpose: strengthening the security of the runners used in GitHub Actions workflows. ## Quick Links - -- [Why Use Harden-Runner](docs/why-use-harden-runner.md) -- [Getting Started Guide](docs/getting-started.md) +- [Getting Started Guide](#getting-started) +- [Why Use Harden-Runner](#why-choose-harden-runner) - [Features and Capabilities](docs/features.md) -- [Case Studies and Trusted Projects](docs/trusted-and-cases.md) +- [Case Studies and Trusted Projects](#trusted-by-and-case-studies) - [How It Works](docs/how-it-works.md) - [Known Limitations](docs/limitations.md) -- [Join the Discussions](docs/discussions.md) +- [Join the Discussions](#discussions) --- 
@@ -40,27 +39,15 @@ Learn how Harden-Runner works through the video below, which shows how it detect Harden-Runner is trusted by leading projects across industries. For example, it has also been used to secure the **Azure Karpenter Provider**, helping Microsoft improve the security of its open-source ecosystem.[Read the full case study →](https://www.stepsecurity.io/case-studies/azure-karpenter-provider) --- - -## Why Choose Harden-Runner? - -- **Prevent Exfiltration:** Prevent the exfiltration of CI/CD secrets and source code. -- **Detect Tampering:** Identify source code modifications during builds. -- **Anomaly Detection:** Spot unusual dependencies and workflow behaviors. -- **Simplify Permissions:** Determine the minimum required `GITHUB_TOKEN` permissions. - -[Learn More](docs/why-use-harden-runner.md) - ---- - ## Getting Started This guide walks you through the steps to set up and use Harden-Runner in your CI/CD workflows. ### **Prerequisites** Before you begin, ensure you have the following: -- GitHub account. -- GitHub-hosted runner environment. -- StepSecurity account. +- GitHub account +- GitHub-hosted runner environment +- StepSecurity account ### **Step 1: Add Harden-Runner to Your Workflow** @@ -82,10 +69,15 @@ To integrate Harden-Runner, follow these steps: Run your workflow. Once completed: - Review the **workflow logs** and the **job markdown summary**. - Look for a link to **security insights and recommendations**. +

+ Link in workflow log +

- Click on the provided link (e.g., [example link](https://example.com)) to access the **Process Monitor View**, which displays: - **Network events**: Outbound network calls correlated with each step. - **File events**: File writes tracked during the job. - +

+ Link in network events +

### **Step 3: Apply the Recommended Policy** @@ -94,6 +86,9 @@ On the **Recommended Policy** tab in the insights dashboard: - You can: - Add this policy directly to your workflow file, or - Use the [Policy Store](https://docs.stepsecurity.io/harden-runner/how-tos/block-egress-traffic#2-add-the-policy-using-the-policy-store) to apply the policy without modifying your workflow file. +

+ Link in network events +

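Review bot: the screenshot added under Step 3 reuses the alt text `Link in network events` from the Step 2 hunk, which looks like a copy-paste; this step is about the Recommended Policy tab, so the alt text should say so (e.g. "Recommended policy in the security insights dashboard"). Of the images this PR adds, `images/recommendation.png` is the one whose name matches this step, so please confirm the `src` here points at it and not at `images/network-events.png`.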
@@ -104,6 +99,15 @@ Once the policy is applied: - This ensures that only trusted endpoints are accessible, preventing potential security risks. +--- +## Why Choose Harden-Runner? + +- **Prevent Exfiltration:** Prevent the exfiltration of CI/CD secrets and source code. +- **Detect Tampering:** Identify source code modifications during builds. +- **Anomaly Detection:** Spot unusual dependencies and workflow behaviors. +- **Simplify Permissions:** Determine the minimum required `GITHUB_TOKEN` permissions. + + --- ## Features diff --git a/images/.DS_Store b/images/.DS_Store new file mode 100644 index 0000000..8c2fed6 Binary files /dev/null and b/images/.DS_Store differ diff --git a/images/network-events.png b/images/network-events.png new file mode 100644 index 0000000..b7d568e Binary files /dev/null and b/images/network-events.png differ diff --git a/images/network-events1.png b/images/network-events1.png deleted file mode 100644 index 275ec49..0000000 Binary files a/images/network-events1.png and /dev/null differ diff --git a/images/recommendation.png b/images/recommendation.png new file mode 100644 index 0000000..1f96229 Binary files /dev/null and b/images/recommendation.png differ diff --git a/images/workflow-logs.png b/images/workflow-logs.png new file mode 100644 index 0000000..3a363d0 Binary files /dev/null and b/images/workflow-logs.png differ
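Review bot: the Quick Links hunk swaps four entries from `docs/*.md` files to in-page anchors (`#getting-started`, `#why-choose-harden-runner`, `#trusted-by-and-case-studies`, `#discussions`), and each anchor only works if a heading in this README slugs to exactly that string. `## Getting Started` and `## Why Choose Harden-Runner?` are visible in later hunks and slug correctly, but no "Trusted by"/"Case Studies" or "Discussions" heading appears in the visible hunks; please confirm those two headings exist with those exact slugs, since a wrong anchor fails silently on GitHub. The hunk also drops the blank line after `## Quick Links`; keep one blank line between the heading and the list for consistency with the rest of the file.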
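Review bot: this hunk removes `[Learn More](docs/why-use-harden-runner.md)` together with the section, and the section is re-added later in the diff without that link, so after this PR nothing in README.md points at `docs/why-use-harden-runner.md`; the same applies to `docs/getting-started.md`, whose Quick Links entry became `#getting-started`. Either restore a "Learn More" link under the moved section or remove/redirect the now-unreferenced docs pages so they do not drift out of date. The trailing-period removal on the Prerequisites list is fine and matches the other bullet lists.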
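Review bot: the two image lines added in Step 2 carry only the alt text `Link in workflow log` and `Link in network events`; alt text should describe what the screenshot shows (for example "Security insights link printed in the Harden-Runner workflow log" and "Network events in the Process Monitor view") rather than the word "Link", and their paths should match the files added in this PR (`images/workflow-logs.png` and `images/network-events.png`). This hunk also keeps the `[example link](https://example.com)` placeholder next to "Click on the provided link"; a getting-started guide reads better with either a real insights URL or the parenthetical dropped.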
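Review bot: in the re-added "Why Choose Harden-Runner?" block, `+---` immediately follows the list item `- This ensures that only trusted endpoints are accessible...` with no blank line, and is itself immediately followed by `+## Why Choose Harden-Runner?`; put a blank line on both sides of the rule so it is unambiguously a thematic break, matching how `---` is used elsewhere in this README. The two consecutive added blank lines before the closing `---` should collapse to one.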
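Review bot: `.DS_Store` and `images/.DS_Store` are macOS Finder metadata and should not be committed; drop both from this change and add `.DS_Store` to `.gitignore` so they do not come back. Of the image changes, `images/network-events1.png` is deleted while `images/network-events.png` is added, but none of the visible README hunks remove a reference to `network-events1.png`; please grep the repo (including `docs/`) for that filename before merging so no page is left with a broken image.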