Merge pull request #14 from step-security/codeql

Address Codeql issues
2026-06-05 19:53:33 +00:00 · 2021-11-20 06:40:06 -08:00 · 2021-11-20 06:40:06 -08:00 · 7bc4150d01
commit 7bc4150d01
parent c08918ce0d 3864e5a109
11 changed files with 129 additions and 18 deletions
--- a/.github/workflows/codeql-analysis.yml
+++ b/.github/workflows/codeql-analysis.yml
@ -0,0 +1,70 @@
+# For most projects, this workflow file will not need changing; you simply need
+# to commit it to your repository.
+#
+# You may wish to alter this file to override the set of languages analyzed,
+# or to provide custom queries or build logic.
+#
+# ******** NOTE ********
+# We have attempted to detect the languages in your repository. Please check
+# the `language` matrix defined below to confirm you have the correct set of
+# supported CodeQL languages.
+#
+name: "CodeQL"
+
+on:
+  push:
+    branches: [ main ]
+  pull_request:
+    # The branches below must be a subset of the branches above
+    branches: [ main ]
+  schedule:
+    - cron: '17 0 * * 2'
+
+jobs:
+  analyze:
+    name: Analyze
+    runs-on: ubuntu-latest
+    permissions:
+      actions: read
+      contents: read
+      security-events: write
+
+    strategy:
+      fail-fast: false
+      matrix:
+        language: [ 'javascript' ]
+        # CodeQL supports [ 'cpp', 'csharp', 'go', 'java', 'javascript', 'python', 'ruby' ]
+        # Learn more about CodeQL language support at https://git.io/codeql-language-support
+
+    steps:
+    - name: Checkout repository
+      uses: actions/checkout@v2
+
+    # Initializes the CodeQL tools for scanning.
+    - name: Initialize CodeQL
+      uses: github/codeql-action/init@v1
+      with:
+        languages: ${{ matrix.language }}
+        # If you wish to specify custom queries, you can do so here or in a config file.
+        # By default, queries listed here will override any specified in a config file.
+        # Prefix the list here with "+" to use these queries and those in the config file.
+        # queries: ./path/to/local/query, your-org/your-repo/queries@main
+
+    # Autobuild attempts to build any compiled languages  (C/C++, C#, or Java).
+    # If this step fails, then you should remove it and run the build manually (see below)
+    - name: Autobuild
+      uses: github/codeql-action/autobuild@v1
+
+    # ℹ️ Command-line programs to run using the OS shell.
+    # 📚 https://git.io/JvXDl
+
+    # ✏️ If the Autobuild fails above, remove it and uncomment the following three lines
+    #    and modify them (or add more) to build your code if your project
+    #    uses a compiled language
+
+    #- run: |
+    #   make bootstrap
+    #   make release
+
+    - name: Perform CodeQL Analysis
+      uses: github/codeql-action/analyze@v1
--- a/README.md
+++ b/README.md
@ -1,3 +1,20 @@
-# Harden-Runner
+<p align="left">
+  <img src="https://step-security-images.s3.us-west-2.amazonaws.com/Final-Logo-06.png" alt="Step Security Logo" width="340">
+</p>
+
+# Harden Runner
+
+This GitHub Action deploys the [Step Security Agent](https://github.com/step-security/agent), which is a purpose-built security agent for hosted runners.
+
+To pilot this GitHub Action, add the following code to your GitHub Actions workflow file as the first step. This is the only step needed.
+
+```
+steps:
+    - uses: step-security/harden-runner@main
+```
+
+In the workflow logs, you should see a link to security insights and recommendations.
+
+It is being piloted on [this](https://github.com/shivammathur/setup-php) repository. Check out the [workflow files](https://github.com/shivammathur/setup-php/blob/2f5c2edb229fb5b3dcaeb535cb83899b41854672/.github/workflows/node-workflow.yml#L30) and [workflow runs](https://github.com/shivammathur/setup-php/runs/4252355681?check_suite_focus=true#step:3:4).
+

-Work in progress...
--- a/SECURITY.md
+++ b/SECURITY.md
@ -0,0 +1,5 @@
+# Security Policy
+
+## Reporting a Vulnerability
+
+Please report security vulnerabilities to info@stepsecurity.io
--- a/action.yml
+++ b/action.yml
@ -1,10 +1,13 @@
-name: 'Step Security Audit Workflow'
+name: 'Harden Runner'
 description: 'GitHub Actions Runtime Security'
 inputs:
  allowed-endpoints:
    description: 'Allowed endpoints'
    required: false
    default: ''
+branding:
+  icon: 'check-square'  
+  color: 'green'
 runs:
  using: 'node12'
  pre: 'dist/pre/index.js'
--- a/dist/index.js
+++ b/dist/index.js
@ -18,8 +18,9 @@ var __awaiter = (this && this.__awaiter) || function (thisArg, _arguments, P, ge
        console.log("Only runs on linux");
        return;
    }
-    var env = "int";
-    console.log(`View security insights and recommended policy at https://${env}.stepsecurity.io/github/${process.env["GITHUB_REPOSITORY"]}/actions/runs/${process.env["GITHUB_RUN_ID"]} after the run has finished`);
+
+    var web_url = "https://int1.stepsecurity.io";
+    console.log(`View security insights and recommended policy at ${web_url}/github/${process.env["GITHUB_REPOSITORY"]}/actions/runs/${process.env["GITHUB_RUN_ID"]} after the run has finished`);
 }))();


--- a/dist/index.js.map
+++ b/dist/index.js.map
@ -1 +1 @@
-{"version":3,"file":"index.js","sources":["../webpack://step-security-harden-runner/./src/index.ts","../webpack://step-security-harden-runner/webpack/runtime/compat","../webpack://step-security-harden-runner/webpack/startup"],"sourcesContent":["(async () => {\n  if (process.platform !== \"linux\") {\n    console.log(\"Only runs on linux\");\n    return;\n  }\n\n  var env = \"int\";\n\n  console.log(\n    `View security insights and recommended policy at https://${env}.stepsecurity.io/github/${process.env[\"GITHUB_REPOSITORY\"]}/actions/runs/${process.env[\"GITHUB_RUN_ID\"]} after the run has finished`\n  );\n})();\n","\nif (typeof __webpack_require__ !== 'undefined') __webpack_require__.ab = __dirname + \"/\";","// startup\n// Load entry module and return exports\n// This entry module is referenced by other modules so it can't be inlined\nvar __webpack_exports__ = {};\n__webpack_modules__[144]();\n"],"mappings":";;;;;;;;;;;;;;;AAAA;AACA;AACA;AACA;AACA;AAEA;AAEA;AAGA;;;A;;;;;ACXA;AACA;;;;ACDA;AACA;AACA;AACA;AACA;;;;A","sourceRoot":""}
+{"version":3,"file":"index.js","sources":["../webpack://step-security-harden-runner/./src/index.ts","../webpack://step-security-harden-runner/webpack/runtime/compat","../webpack://step-security-harden-runner/webpack/startup"],"sourcesContent":["(async () => {\n  if (process.platform !== \"linux\") {\n    console.log(\"Only runs on linux\");\n    return;\n  }\n\n  var web_url = \"https://app.stepsecurity.io\";\n\n  console.log(\n    `View security insights and recommended policy at ${web_url}/github/${process.env[\"GITHUB_REPOSITORY\"]}/actions/runs/${process.env[\"GITHUB_RUN_ID\"]} after the run has finished`\n  );\n})();\n","\nif (typeof __webpack_require__ !== 'undefined') __webpack_require__.ab = __dirname + \"/\";","// startup\n// Load entry module and return exports\n// This entry module is referenced by other modules so it can't be inlined\nvar __webpack_exports__ = {};\n__webpack_modules__[144]();\n"],"mappings":";;;;;;;;;;;;;;;AAAA;AACA;AACA;AACA;AACA;AAEA;AAEA;AAGA;;;A;;;;;ACXA;AACA;;;;ACDA;AACA;AACA;AACA;AACA;;;;A","sourceRoot":""}
--- a/dist/pre/index.js
+++ b/dist/pre/index.js
@ -2395,6 +2395,7 @@ var __awaiter = (undefined && undefined.__awaiter) || function (thisArg, _argume
        var correlation_id = v4();
        var env = "int";
        var api_url = `https://${env}.api.stepsecurity.io/v1`;
+        var web_url = "https://int1.stepsecurity.io";
        const confg = {
            repo: process.env["GITHUB_REPOSITORY"],
            run_id: process.env["GITHUB_RUN_ID"],
@ -2415,11 +2416,18 @@ var __awaiter = (undefined && undefined.__awaiter) || function (thisArg, _argume
                .on("finish", () => __awaiter(void 0, void 0, void 0, function* () {
                filePath.close();
                console.log(`Step Security Job Correlation ID: ${correlation_id}`);
-                console.log(`View security insights and recommended policy at https://${env}.stepsecurity.io/github/${process.env["GITHUB_REPOSITORY"]}/actions/runs/${process.env["GITHUB_RUN_ID"]} after the run has finished`);
-                external_child_process_namespaceObject.execSync(`cp ${__dirname}/agent /home/agent/agent`);
+                console.log(`View security insights and recommended policy at ${web_url}/github/${process.env["GITHUB_REPOSITORY"]}/actions/runs/${process.env["GITHUB_RUN_ID"]} after the run has finished`);
+                let cmd = "cp", args = [external_path_.join(__dirname, "agent"), "/home/agent/agent"];
+                external_child_process_namespaceObject.execFileSync(cmd, args);
                external_child_process_namespaceObject.execSync("chmod +x /home/agent/agent");
                external_fs_.writeFileSync("/home/agent/agent.json", confgStr);
-                external_child_process_namespaceObject.execSync(`sudo cp ${__dirname}/agent.service /etc/systemd/system/agent.service`);
+                cmd = "sudo";
+                args = [
+                    "cp",
+                    external_path_.join(__dirname, "agent.service"),
+                    "/etc/systemd/system/agent.service",
+                ];
+                external_child_process_namespaceObject.execFileSync(cmd, args);
                external_child_process_namespaceObject.execSync("sudo systemctl daemon-reload");
                external_child_process_namespaceObject.execSync("sudo service agent start", { timeout: 15000 });
                // Check that the file exists locally
--- a/dist/pre/index.js.map
+++ b/dist/pre/index.js.map
--- a/package.json
+++ b/package.json
@ -1,6 +1,6 @@
 {
    "name": "step-security-harden-runner",
-    "version": "0.0.1",
+    "version": "0.1.0",
    "description": "GitHub Actions Runtime Security",
    "main": "index.js",
    "scripts": {
--- a/src/index.ts
+++ b/src/index.ts
@ -4,9 +4,9 @@
    return;
  }

-  var env = "int";
+  var web_url = "https://int1.stepsecurity.io";

  console.log(
-    `View security insights and recommended policy at https://${env}.stepsecurity.io/github/${process.env["GITHUB_REPOSITORY"]}/actions/runs/${process.env["GITHUB_RUN_ID"]} after the run has finished`
+    `View security insights and recommended policy at ${web_url}/github/${process.env["GITHUB_REPOSITORY"]}/actions/runs/${process.env["GITHUB_RUN_ID"]} after the run has finished`
  );
 })();
--- a/src/setup.ts
+++ b/src/setup.ts
@ -16,6 +16,7 @@ import { v4 as uuidv4 } from "uuid";
    var correlation_id = uuidv4();
    var env = "int";
    var api_url = `https://${env}.api.stepsecurity.io/v1`;
+    var web_url = "https://int1.stepsecurity.io";

    const confg = {
      repo: process.env["GITHUB_REPOSITORY"],
@ -43,16 +44,22 @@ import { v4 as uuidv4 } from "uuid";

            console.log(`Step Security Job Correlation ID: ${correlation_id}`);
            console.log(
-              `View security insights and recommended policy at https://${env}.stepsecurity.io/github/${process.env["GITHUB_REPOSITORY"]}/actions/runs/${process.env["GITHUB_RUN_ID"]} after the run has finished`
+              `View security insights and recommended policy at ${web_url}/github/${process.env["GITHUB_REPOSITORY"]}/actions/runs/${process.env["GITHUB_RUN_ID"]} after the run has finished`
            );
-            cp.execSync(`cp ${__dirname}/agent /home/agent/agent`);
+            let cmd = "cp",
+              args = [path.join(__dirname, "agent"), "/home/agent/agent"];
+            cp.execFileSync(cmd, args);
            cp.execSync("chmod +x /home/agent/agent");

            fs.writeFileSync("/home/agent/agent.json", confgStr);

-            cp.execSync(
-              `sudo cp ${__dirname}/agent.service /etc/systemd/system/agent.service`
-            );
+            cmd = "sudo";
+            args = [
+              "cp",
+              path.join(__dirname, "agent.service"),
+              "/etc/systemd/system/agent.service",
+            ];
+            cp.execFileSync(cmd, args);
            cp.execSync("sudo systemctl daemon-reload");
            cp.execSync("sudo service agent start", { timeout: 15000 });