From b48b642e4170aae94cd07cb4e165cef1df1fba9a Mon Sep 17 00:00:00 2001 From: Varun Sharma Date: Mon, 28 Feb 2022 09:07:58 -0800 Subject: [PATCH] Update README.md --- README.md | 23 ++++++++++++++--------- 1 file changed, 14 insertions(+), 9 deletions(-) diff --git a/README.md b/README.md index 59cb5d9..3ea7a25 100644 --- a/README.md +++ b/README.md @@ -2,9 +2,9 @@ Step Security Logo

-# Prevent Software Supply Chain Attacks +# Software Supply Chain Security -This GitHub Action can be used to prevent software supply chain attacks. +This GitHub Action can be used to prevent certain types of software supply chain attacks. ## Problem Hijacked dependencies and compromised build tools typically make outbound requests during the build process to exfiltrate data or credentials. This was the case in the [Codecov breach](https://www.bleepingcomputer.com/news/security/popular-codecov-code-coverage-tool-hacked-to-steal-dev-credentials/), in the [dependency confusion attacks](https://medium.com/@alex.birsan/dependency-confusion-4a5d60fec610), and the recent [npm package hijacks](https://github.com/faisalman/ua-parser-js/issues/536). @@ -41,7 +41,7 @@ First-of-its-kind patent-pending technology that automatically correlates outbou When you use `egress-policy: block` mode, you can also set `disable-telemetry: true` to not send telemetry to the StepSecurity API. -## How past supply chain attacks would have been prevented +## How past attacks would have been prevented [Hands-on tutorials](https://github.com/step-security/supply-chain-goat) to learn how `harden-runner` would have prevented past software supply chain attacks, such as the Codecov breach. @@ -56,12 +56,6 @@ If you have questions or ideas, please use [discussions](https://github.com/step 3. [SLSA Level 1](https://github.com/step-security/harden-runner/discussions/93) 4. [Cryptographically verify tools run as part of the CI/ CD pipeline](https://github.com/step-security/harden-runner/discussions/94) -## FAQ - -### Why do I see calls to `api.snapcraft.io`? - -During workflow runs, it was observed that unnecessary outbound calls were being made to some domains. All of the outbound calls were due to unnecessary services running on the GitHub Actions hosted-runner VM. These services have been stopped, except for `snapd`, which makes calls to `api.snapcraft.io`. You can read more about this issue [here](https://github.com/actions/virtual-environments/issues/4867). `api.snapcraft.io` is not needed for your workflow, and does not need to be added to the `allowed-endpoints` list. - ## Workflows using harden-runner Workflows using harden-runner: @@ -70,3 +64,14 @@ Workflows using harden-runner: 3. https://github.com/Automattic/vip-go-mu-plugins/blob/master/.github/workflows/e2e.yml ([link to insights](https://app.stepsecurity.io/github/Automattic/vip-go-mu-plugins/actions/runs/1758760957)) 4. https://github.com/MTRNord/matrix-art/tree/main/.github/workflows ([link to insights](https://app.stepsecurity.io/github/MTRNord/matrix-art/actions/runs/1758933417)) 5. https://github.com/jauderho/dockerfiles/blob/main/.github/workflows/age.yml ([link to insights](https://app.stepsecurity.io/github/jauderho/dockerfiles/actions/runs/1758047950)) + +## Demo Video + +https://user-images.githubusercontent.com/25015917/156026587-79356450-9b35-4254-9c2e-7f2cc8d81059.mp4 + +## FAQ + +### Why do I see calls to `api.snapcraft.io`? + +During workflow runs, it was observed that unnecessary outbound calls were being made to some domains. All of the outbound calls were due to unnecessary services running on the GitHub Actions hosted-runner VM. These services have been stopped, except for `snapd`, which makes calls to `api.snapcraft.io`. You can read more about this issue [here](https://github.com/actions/virtual-environments/issues/4867). `api.snapcraft.io` is not needed for your workflow, and does not need to be added to the `allowed-endpoints` list. +