Merge pull request #48 from step-security/varunsh-coder-patch-1

Update README.md
Varun Sharma 2021-12-28 16:31:38 -08:00 committed by GitHub
commit a03771364b
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23


@ -2,19 +2,22 @@
<img src="https://step-security-images.s3.us-west-2.amazonaws.com/Final-Logo-06.png" alt="Step Security Logo" width="340">
</p>
# Policy-based Runtime Security for GitHub Actions
# Runtime Security for GitHub Actions
Harden the Ubuntu VM on which GitHub Actions runs your workflows.
## Prevent DNS exfiltration and exfiltration of credentials
First-of-its-kind patent-pending technology that automatically correlates outbound traffic with each step of a workflow.
1. Add this code to your GitHub Actions workflow file as the first step.
1. Add `step-security/harden-runner@v1` to your GitHub Actions workflow file as the first step.
```
steps:
- uses: step-security/harden-runner@v1
with:
egress-policy: audit
- uses: actions/checkout@v2
```
```
steps:
- uses: step-security/harden-runner@v1
with:
egress-policy: audit
- uses: actions/checkout@v2
```
2. In the workflow logs, you will see a link to security insights and recommendations.
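Review bot: the new heading `## Prevent DNS exfiltration and exfiltration of credentials` promises prevention, but the step it introduces sets `egress-policy: audit`, which, as the name says, observes traffic rather than blocking it; state plainly that audit mode only records outbound connections and that enforcement comes later in step 4, so a reader does not add this step and assume exfiltration is already stopped. Because `harden-runner` is itself a security control in the supply chain, the snippet would also be stronger pinned to a full commit SHA instead of the mutable `@v1` tag (the same applies to `actions/checkout@v2`), with a trailing comment noting the tag the SHA corresponds to. Lastly, "First-of-its-kind patent-pending technology" is marketing copy; the README reads better saying what the action does (attributes each outbound connection to the workflow step that made it) without the superlative.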
@ -22,19 +25,19 @@ steps:
<img src="https://step-security-images.s3.us-west-2.amazonaws.com/build_log_link.png" alt="Link in build log" >
</p>
3. Click on the link ([example link](https://app.stepsecurity.io/github/nvm-sh/nvm/actions/runs/1547131792)).
3. Click on the link ([example link](https://app.stepsecurity.io/github/nvm-sh/nvm/actions/runs/1547131792)). You will see outbound traffic made by each step.
<p align="left">
<img src="https://step-security-images.s3.us-west-2.amazonaws.com/insights.png" alt="Step Security Logo" >
<img src="https://step-security-images.s3.us-west-2.amazonaws.com/insights1.png" alt="Insights from harden-runner" >
</p>
<p align="left">
<img src="https://step-security-images.s3.us-west-2.amazonaws.com/policy.png" alt="Step Security Logo" >
<img src="https://step-security-images.s3.us-west-2.amazonaws.com/policy.png" alt="Policy recommended by harden-runner" >
</p>
4. Add the recommended outbound endpoints to your workflow file, and only traffic to these endpoints will be allowed.
```
steps:
```
steps:
- uses: step-security/harden-runner@v1
with:
allowed-endpoints:
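Review bot: step 4 says that after adding `allowed-endpoints` "only traffic to these endpoints will be allowed", but step 1 set `egress-policy: audit` and this snippet omits `egress-policy` entirely, so it is unclear whether listing endpoints alone switches the runner into enforcement or whether the policy input must also change; document the exact input combination that blocks, and say what a user will observe when a step tries to reach a host not in the list (is the step failed, or is the connection only logged?). The example link in step 3 targets one specific run (`.../actions/runs/1547131792`); a short note that it is a live run which may expire would save readers a dead link. The alt-text fixes (`Insights from harden-runner`, `Policy recommended by harden-runner`) are a welcome correction of the copy-pasted "Step Security Logo".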
@ -42,4 +45,13 @@ steps:
nodejs.org:443
registry.npmjs.org:443
- uses: actions/checkout@v2
```
```
## Workflows using harden-runner
1. https://github.com/nvm-sh/nvm/tree/master/.github/workflows
2. https://github.com/shivammathur/setup-php/blob/master/.github/workflows/node-release.yml
## Try it out
[Hands-on tutorials](https://github.com/step-security/supply-chain-goat) to learn how `harden-runner` prevents software supply chain attacks.
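Review bot: the two links under `## Workflows using harden-runner` point at `master` branch paths, which will silently change or stop showing the configuration described here as those repositories evolve; link to a specific commit or tag (a permalink) so the examples stay representative. Also, the `allowed-endpoints` list closing this hunk shows only `nodejs.org:443` and `registry.npmjs.org:443` immediately before `actions/checkout@v2`; since `actions/checkout` must reach GitHub to clone the repository, confirm that the host it needs appears in the part of the list cut off above this hunk, otherwise the first step after the hardening step fails once enforcement is on.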