From bdd4bdd2832c110953f4d0018f1e848a8d3d7948 Mon Sep 17 00:00:00 2001 From: Varun Sharma Date: Thu, 10 Mar 2022 09:36:49 -0800 Subject: [PATCH 1/2] Update README.md --- README.md | 8 ++------ 1 file changed, 2 insertions(+), 6 deletions(-) diff --git a/README.md b/README.md index b45c56e..df44c42 100644 --- a/README.md +++ b/README.md @@ -1,10 +1,6 @@ -

- Step Security Logo -

+# Security agent for Github-hosted runner -# Software Supply Chain Security - -This GitHub Action can be used to visualize process, file, and network activity from your GitHub Actions workflows in a web UI. It can also be used to restrict outbound traffic to allowed endpoints. +Harden-Runner GitHub Action installs a security agent on the Github-hosted runner to prevent exfiltration of credentials, monitor the build process, and detect compromised dependencies. ## Problem Hijacked dependencies and compromised build tools typically make outbound requests during the build process to exfiltrate data or credentials. This was the case in the [Codecov breach](https://www.bleepingcomputer.com/news/security/popular-codecov-code-coverage-tool-hacked-to-steal-dev-credentials/), in the [dependency confusion attacks](https://medium.com/@alex.birsan/dependency-confusion-4a5d60fec610), and the recent [npm package hijacks](https://github.com/faisalman/ua-parser-js/issues/536). From 6091ab5c1321b87ac194a9c1e5fe8477a9ff554f Mon Sep 17 00:00:00 2001 From: Varun Sharma Date: Thu, 10 Mar 2022 09:48:13 -0800 Subject: [PATCH 2/2] Update README.md --- README.md | 8 +++----- 1 file changed, 3 insertions(+), 5 deletions(-) diff --git a/README.md b/README.md index df44c42..0b2df66 100644 --- a/README.md +++ b/README.md 
@@ -3,12 +3,10 @@ Harden-Runner GitHub Action installs a security agent on the Github-hosted runner to prevent exfiltration of credentials, monitor the build process, and detect compromised dependencies. ## Problem -Hijacked dependencies and compromised build tools typically make outbound requests during the build process to exfiltrate data or credentials. This was the case in the [Codecov breach](https://www.bleepingcomputer.com/news/security/popular-codecov-code-coverage-tool-hacked-to-steal-dev-credentials/), in the [dependency confusion attacks](https://medium.com/@alex.birsan/dependency-confusion-4a5d60fec610), and the recent [npm package hijacks](https://github.com/faisalman/ua-parser-js/issues/536). +Hijacked dependencies and compromised build tools typically make outbound requests during the build process to exfiltrate data or credentials. There is also a risk that a compromised dependency or build tool may modify source code, dependencies, or artifacts during the build process. ## Solution -First-of-its-kind patent-pending technology that automatically correlates outbound traffic with each step of a workflow. - -1. Add `step-security/harden-runner` to your GitHub Actions workflow file as the first step. +1. Add `step-security/harden-runner` to your GitHub Actions workflow file as the first step in each job. In the pre step, the GitHub Actions installs a daemon that monitors process, file, and network activity. ```yaml steps: @@ -23,7 +21,7 @@ First-of-its-kind patent-pending technology that automatically correlates outbou Link in build log

-3. Click on the link ([example link](https://app.stepsecurity.io/github/jauderho/dockerfiles/actions/runs/1736506434)). You will see outbound traffic made by each step. +3. Click on the link ([example link](https://app.stepsecurity.io/github/jauderho/dockerfiles/actions/runs/1736506434)). You will see a process monitor view of what activities happened as part of each step. This currently includes the programs that made outbound calls and did file writes to source code or dependencies.

Insights from harden-runner
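Review bot: In PATCH 1/2, the new heading and the first sentence write "Github-hosted runner", while the same sentence and the rest of the README use "GitHub"; use "GitHub-hosted runner" in both places. The rewritten description also drops the removed line's statement that the action can "restrict outbound traffic to allowed endpoints", so "prevent exfiltration of credentials" is left without a stated mechanism. Consider keeping a clause that says prevention works by restricting outbound traffic to allowed endpoints.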
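Review bot: In the first hunk of PATCH 2/2, the rewritten Problem paragraph deletes the Codecov, dependency confusion and npm hijack links, so the claim that compromised tools "typically make outbound requests" no longer has any supporting reference; keep the incident links, or at least one of them, next to that sentence. In the new step 1, "the GitHub Actions installs a daemon" should read "the GitHub Action installs a daemon".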
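Review bot: In the second hunk of PATCH 2/2, the new step 3 text says the view covers "file writes to source code or dependencies", but the Problem paragraph added in the same patch also names artifacts as something a compromised dependency or build tool may modify. Either add artifact writes here or state that they are not yet covered, so the README does not imply monitoring it does not list. The phrase "did file writes" is also awkward; "the programs that made outbound calls or wrote to source code or dependencies" reads better.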