step-security/harden-runner
1
0
Fork 0
mirror of synced 2026-06-05 08:05:14 +00:00
Code Issues Projects Releases Packages Wiki Activity

Release v2.5.0 (#325)

Browse source
This commit is contained in:
Varun Sharma 2023-07-24 11:30:49 -07:00 committed by GitHub
commit cba0d00b1f
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
24 changed files with 1017 additions and 382 deletions
Download patch file Download diff file Expand all files Collapse all files

33
.eslintrc.js Normal file
View file

@ -0,0 +1,33 @@
module.exports = {
"env": {
"browser": true,
"es2021": true
},
"extends": [
"eslint:recommended",
"plugin:@typescript-eslint/recommended"
],
"overrides": [
{
"env": {
"node": true
},
"files": [
".eslintrc.{js,cjs}"
],
"parserOptions": {
"sourceType": "script"
}
}
],
"parser": "@typescript-eslint/parser",
"parserOptions": {
"ecmaVersion": "latest",
"sourceType": "module"
},
"plugins": [
"@typescript-eslint"
],
"rules": {
}
}

2
.github/workflows/canary.yml vendored
View file

@ -24,7 +24,7 @@ jobs:
steps:
- uses: step-security/harden-runner@55d479fb1c5bcad5a4f9099a5d9f37c8857b2845 # v1
with:
allowed-endpoints:
allowed-endpoints:
api.github.com:443
github.com:443

2
.github/workflows/dependency-review.yml vendored
View file

@ -2,7 +2,7 @@
#
# This Action will scan dependency manifest files that change as part of a Pull Request,
# surfacing known-vulnerable versions of the packages declared or updated in the PR.
# Once installed, if the workflow run is marked as required,
# Once installed, if the workflow run is marked as required,
# PRs introducing known-vulnerable packages will be blocked from merging.
#
# Source repository: https://github.com/actions/dependency-review-action

2
.github/workflows/recurring-int-tests.yml vendored
View file

@ -6,7 +6,7 @@ on:
permissions:
contents: read
jobs:
int-tests:
name: int tests

2
.github/workflows/release.yml vendored
View file

@ -27,7 +27,7 @@ jobs:
steps:
- uses: step-security/harden-runner@55d479fb1c5bcad5a4f9099a5d9f37c8857b2845
with:
allowed-endpoints:
allowed-endpoints:
api.github.com:443
github.com:443

2
.gitignore vendored
View file

@ -104,4 +104,4 @@ typings/
.tern-port
# vscode files
.vscode
.vscode

1
.pre-commit-config.yaml
View file

@ -1,3 +1,4 @@
exclude: ^dist/
repos:
- repo: https://github.com/gitleaks/gitleaks
rev: v8.16.3

23
dist/index.js vendored
View file

@ -2894,11 +2894,11 @@ function addSummary() {
if (needsSubscription) {
yield core.summary
.addSeparator()
.addRaw(`<h2>❌ GitHub Actions Runtime Security is disabled</h2>`);
.addRaw(`<h2>⚠️ Your GitHub Actions Runtime Security is currently disabled!</h2>`);
yield core.summary
.addRaw(`
<p>You are seeing this markdown since this workflow uses the <a href="https://github.com/step-security/harden-runner">Harden-Runner GitHub Action</a> by StepSecurity in a private repository, but your organization has not signed up for a free trial or a paid subscription.</p>
<p>To start a free trial, install the <a href="https://github.com/apps/stepsecurity-actions-security">StepSecurity Actions Security GitHub App</a> or reach out to us via our <a href="https://www.stepsecurity.io/contact">contact form.</a></p>
<p>It appears that you're using the <a href="https://github.com/step-security/harden-runner">Harden-Runner GitHub Action</a> by StepSecurity within a private repository. However, runtime security is not enabled as your organization hasn't signed up for a free trial or a paid subscription yet.</p>
<p>To enable runtime security, start a free trial today by installing the <a href="https://github.com/apps/stepsecurity-actions-security">StepSecurity Actions Security GitHub App</a>. For more information or assistance, feel free to reach out to us through our <a href="https://www.stepsecurity.io/contact">contact form</a>.</p>
`)
.addSeparator()
.write();
@ -2913,11 +2913,8 @@ function addSummary() {
if (tableEntries.length === 0) {
return;
}
let insightsRow = `<tr>
<td colspan="3" align="center"><a href="${insights_url}">🛡 Check out the full report and recommended policy at StepSecurity</a></td>
</tr>`;
yield core.summary.addSeparator().addRaw(`<h2><a href="${insights_url}">StepSecurity Report</a></h2>
<h3>GitHub Actions Runtime Security</h3>`);
const insightsRow = `<h4><a href="${insights_url}">View Full Runtime Security Report & Recommended Policy</a></h4>`;
yield core.summary.addSeparator().addRaw(`<h2>StepSecurity Report</h2>`);
tableEntries.sort((a, b) => {
if (a.status === "❌ Blocked" && b.status !== "❌ Blocked") {
return -1;
@ -2931,12 +2928,13 @@ function addSummary() {
});
tableEntries = tableEntries.slice(0, 3);
yield core.summary.addRaw(`
<p>Preview of the network events that occurred on the GitHub-hosted runner during this workflow run.</p>
<h3>🌐 Network Events</h3>
<table>
<thead>
<tr>
<th>Process</th>
<th>Endpoint</th>
<th>Destination</th>
<th>Status</th>
</tr>
</thead>
@ -2953,14 +2951,12 @@ function addSummary() {
<td>...</td>
<td>...</td>
</tr>
${insightsRow}
</tbody>
</table>
${insightsRow}
`);
yield core.summary
.addSeparator()
.addRaw(`<blockquote>You are seeing this markdown since this workflow uses the <a href="https://github.com/step-security/harden-runner">Harden-Runner GitHub Action</a>.
Harden-Runner is a security agent for GitHub-hosted runners to block egress traffic & detect code overwrite to prevent breaches.</blockquote>`)
.addRaw(`<p>Markdown generated by the <a href="https://github.com/step-security/harden-runner">Harden-Runner GitHub Action</a></p>`)
.addSeparator()
.write();
});
@ -2969,6 +2965,7 @@ const STATUS_HARDEN_RUNNER_UNAVAILABLE = "409";
const CONTAINER_MESSAGE = "This job is running in a container. Harden Runner does not run in a container as it needs sudo access to run. This job will not be monitored.";
const UBUNTU_MESSAGE = "This job is not running in a GitHub Actions Hosted Runner Ubuntu VM. Harden Runner is only supported on Ubuntu VM. This job will not be monitored.";
const HARDEN_RUNNER_UNAVAILABLE_MESSAGE = "Sorry, we are currently experiencing issues with the Harden Runner installation process. It is currently unavailable.";
const ARC_RUNNER_MESSAGE = "Workflow is currently being executed in ARC based runner";
;// CONCATENATED MODULE: external "node:fs"
const external_node_fs_namespaceObject = require("node:fs");

2
dist/index.js.map vendored
View file

File diff suppressed because one or more lines are too long

90
dist/post/index.js vendored
View file

@ -61193,10 +61193,10 @@ function addSummary() {
}
if (needsSubscription) {
yield core.summary.addSeparator()
.addRaw(`<h2>❌ GitHub Actions Runtime Security is disabled</h2>`);
.addRaw(`<h2>⚠️ Your GitHub Actions Runtime Security is currently disabled!</h2>`);
yield core.summary.addRaw(`
<p>You are seeing this markdown since this workflow uses the <a href="https://github.com/step-security/harden-runner">Harden-Runner GitHub Action</a> by StepSecurity in a private repository, but your organization has not signed up for a free trial or a paid subscription.</p>
<p>To start a free trial, install the <a href="https://github.com/apps/stepsecurity-actions-security">StepSecurity Actions Security GitHub App</a> or reach out to us via our <a href="https://www.stepsecurity.io/contact">contact form.</a></p>
<p>It appears that you're using the <a href="https://github.com/step-security/harden-runner">Harden-Runner GitHub Action</a> by StepSecurity within a private repository. However, runtime security is not enabled as your organization hasn't signed up for a free trial or a paid subscription yet.</p>
<p>To enable runtime security, start a free trial today by installing the <a href="https://github.com/apps/stepsecurity-actions-security">StepSecurity Actions Security GitHub App</a>. For more information or assistance, feel free to reach out to us through our <a href="https://www.stepsecurity.io/contact">contact form</a>.</p>
`)
.addSeparator()
.write();
@ -61211,11 +61211,8 @@ function addSummary() {
if (tableEntries.length === 0) {
return;
}
let insightsRow = `<tr>
<td colspan="3" align="center"><a href="${insights_url}">🛡 Check out the full report and recommended policy at StepSecurity</a></td>
</tr>`;
yield core.summary.addSeparator().addRaw(`<h2><a href="${insights_url}">StepSecurity Report</a></h2>
<h3>GitHub Actions Runtime Security</h3>`);
const insightsRow = `<h4><a href="${insights_url}">View Full Runtime Security Report & Recommended Policy</a></h4>`;
yield core.summary.addSeparator().addRaw(`<h2>StepSecurity Report</h2>`);
tableEntries.sort((a, b) => {
if (a.status === "❌ Blocked" && b.status !== "❌ Blocked") {
return -1;
@ -61229,12 +61226,13 @@ function addSummary() {
});
tableEntries = tableEntries.slice(0, 3);
yield core.summary.addRaw(`
<p>Preview of the network events that occurred on the GitHub-hosted runner during this workflow run.</p>
<h3>🌐 Network Events</h3>
<table>
<thead>
<tr>
<th>Process</th>
<th>Endpoint</th>
<th>Destination</th>
<th>Status</th>
</tr>
</thead>
@ -61251,13 +61249,11 @@ function addSummary() {
<td>...</td>
<td>...</td>
</tr>
${insightsRow}
</tbody>
</table>
${insightsRow}
`);
yield core.summary.addSeparator()
.addRaw(`<blockquote>You are seeing this markdown since this workflow uses the <a href="https://github.com/step-security/harden-runner">Harden-Runner GitHub Action</a>.
Harden-Runner is a security agent for GitHub-hosted runners to block egress traffic & detect code overwrite to prevent breaches.</blockquote>`)
yield core.summary.addRaw(`<p>Markdown generated by the <a href="https://github.com/step-security/harden-runner">Harden-Runner GitHub Action</a></p>`)
.addSeparator()
.write();
});
@ -61266,6 +61262,7 @@ const STATUS_HARDEN_RUNNER_UNAVAILABLE = "409";
const CONTAINER_MESSAGE = "This job is running in a container. Harden Runner does not run in a container as it needs sudo access to run. This job will not be monitored.";
const UBUNTU_MESSAGE = "This job is not running in a GitHub Actions Hosted Runner Ubuntu VM. Harden Runner is only supported on Ubuntu VM. This job will not be monitored.";
const HARDEN_RUNNER_UNAVAILABLE_MESSAGE = "Sorry, we are currently experiencing issues with the Harden Runner installation process. It is currently unavailable.";
const ARC_RUNNER_MESSAGE = "Workflow is currently being executed in ARC based runner";
;// CONCATENATED MODULE: external "node:fs"
const external_node_fs_namespaceObject = require("node:fs");
@ -61322,6 +61319,45 @@ function isValidEvent() {
// EXTERNAL MODULE: external "path"
var external_path_ = __nccwpck_require__(5622);
var external_path_default = /*#__PURE__*/__nccwpck_require__.n(external_path_);
;// CONCATENATED MODULE: ./src/arc-runner.ts
function isArcRunner() {
const runnerUserAgent = process.env["GITHUB_ACTIONS_RUNNER_EXTRA_USER_AGENT"];
if (!runnerUserAgent) {
return false;
}
return runnerUserAgent.includes("actions-runner-controller/");
}
function getRunnerTempDir() {
const isTest = process.env["isTest"];
if (isTest === "1") {
return "/tmp";
}
return process.env["RUNNER_TEMP"] || "/tmp";
}
function sendAllowedEndpoints(endpoints) {
const allowedEndpoints = endpoints.split(" "); // endpoints are space separated
for (const endpoint of allowedEndpoints) {
if (endpoint) {
const encodedEndpoint = Buffer.from(endpoint).toString("base64");
cp.execSync(`echo "${endpoint}" > "${getRunnerTempDir()}/step_policy_endpoint_${encodedEndpoint}"`);
}
}
if (allowedEndpoints.length > 0) {
applyPolicy(allowedEndpoints.length);
}
}
function applyPolicy(count) {
const fileName = `step_policy_apply_${count}`;
cp.execSync(`echo "${fileName}" > "${getRunnerTempDir()}/${fileName}"`);
}
function removeStepPolicyFiles() {
external_child_process_.execSync(`rm ${getRunnerTempDir()}/step_policy_*`);
}
function arcCleanUp() {
external_child_process_.execSync(`echo "cleanup" > "${getRunnerTempDir()}/step_policy_cleanup"`);
}
;// CONCATENATED MODULE: ./src/cleanup.ts
var cleanup_awaiter = (undefined && undefined.__awaiter) || function (thisArg, _arguments, P, generator) {
function adopt(value) { return value instanceof P ? value : new P(function (resolve) { resolve(value); }); }
@ -61339,6 +61375,7 @@ var cleanup_awaiter = (undefined && undefined.__awaiter) || function (thisArg, _
(() => cleanup_awaiter(void 0, void 0, void 0, function* () {
if (process.platform !== "linux") {
console.log(UBUNTU_MESSAGE);
@ -61348,6 +61385,21 @@ var cleanup_awaiter = (undefined && undefined.__awaiter) || function (thisArg, _
console.log(CONTAINER_MESSAGE);
return;
}
if (isValidEvent()) {
try {
const cacheResult = yield cache.saveCache([external_path_default().join(__dirname, "cache.txt")], cacheKey);
console.log(cacheResult);
}
catch (exception) {
console.log(exception);
}
}
if (isArcRunner()) {
console.log(`[!] ${ARC_RUNNER_MESSAGE}`);
arcCleanUp();
removeStepPolicyFiles();
return;
}
if (String(process.env.STATE_monitorStatusCode) ===
STATUS_HARDEN_RUNNER_UNAVAILABLE) {
console.log(HARDEN_RUNNER_UNAVAILABLE_MESSAGE);
@ -61389,18 +61441,6 @@ var cleanup_awaiter = (undefined && undefined.__awaiter) || function (thisArg, _
console.log("Service log:");
console.log(journalLog);
}
if (isValidEvent()) {
try {
const cmd = "cp";
const args = [external_path_default().join(__dirname, "cache.txt"), cacheFile];
external_child_process_.execFileSync(cmd, args);
const cacheResult = yield cache.saveCache([cacheFile], cacheKey);
console.log(cacheResult);
}
catch (exception) {
console.log(exception);
}
}
try {
yield addSummary();
}

2
dist/post/index.js.map vendored
View file

File diff suppressed because one or more lines are too long

140
dist/pre/index.js vendored
View file

@ -68939,6 +68939,23 @@ module.exports = require("zlib");
/******/ }
/******/
/************************************************************************/
/******/ /* webpack/runtime/define property getters */
/******/ (() => {
/******/ // define getter functions for harmony exports
/******/ __nccwpck_require__.d = (exports, definition) => {
/******/ for(var key in definition) {
/******/ if(__nccwpck_require__.o(definition, key) && !__nccwpck_require__.o(exports, key)) {
/******/ Object.defineProperty(exports, key, { enumerable: true, get: definition[key] });
/******/ }
/******/ }
/******/ };
/******/ })();
/******/
/******/ /* webpack/runtime/hasOwnProperty shorthand */
/******/ (() => {
/******/ __nccwpck_require__.o = (obj, prop) => (Object.prototype.hasOwnProperty.call(obj, prop))
/******/ })();
/******/
/******/ /* webpack/runtime/make namespace object */
/******/ (() => {
/******/ // define __esModule on exports
@ -68962,6 +68979,11 @@ var __webpack_exports__ = {};
// ESM COMPAT FLAG
__nccwpck_require__.r(__webpack_exports__);
// EXPORTS
__nccwpck_require__.d(__webpack_exports__, {
"sleep": () => (/* binding */ setup_sleep)
});
// EXTERNAL MODULE: ./node_modules/@actions/core/lib/core.js
var lib_core = __nccwpck_require__(2186);
// EXTERNAL MODULE: external "child_process"
@ -69044,11 +69066,11 @@ function addSummary() {
if (needsSubscription) {
yield core.summary
.addSeparator()
.addRaw(`<h2>❌ GitHub Actions Runtime Security is disabled</h2>`);
.addRaw(`<h2>⚠️ Your GitHub Actions Runtime Security is currently disabled!</h2>`);
yield core.summary
.addRaw(`
<p>You are seeing this markdown since this workflow uses the <a href="https://github.com/step-security/harden-runner">Harden-Runner GitHub Action</a> by StepSecurity in a private repository, but your organization has not signed up for a free trial or a paid subscription.</p>
<p>To start a free trial, install the <a href="https://github.com/apps/stepsecurity-actions-security">StepSecurity Actions Security GitHub App</a> or reach out to us via our <a href="https://www.stepsecurity.io/contact">contact form.</a></p>
<p>It appears that you're using the <a href="https://github.com/step-security/harden-runner">Harden-Runner GitHub Action</a> by StepSecurity within a private repository. However, runtime security is not enabled as your organization hasn't signed up for a free trial or a paid subscription yet.</p>
<p>To enable runtime security, start a free trial today by installing the <a href="https://github.com/apps/stepsecurity-actions-security">StepSecurity Actions Security GitHub App</a>. For more information or assistance, feel free to reach out to us through our <a href="https://www.stepsecurity.io/contact">contact form</a>.</p>
`)
.addSeparator()
.write();
@ -69063,11 +69085,8 @@ function addSummary() {
if (tableEntries.length === 0) {
return;
}
let insightsRow = `<tr>
<td colspan="3" align="center"><a href="${insights_url}">🛡 Check out the full report and recommended policy at StepSecurity</a></td>
</tr>`;
yield core.summary.addSeparator().addRaw(`<h2><a href="${insights_url}">StepSecurity Report</a></h2>
<h3>GitHub Actions Runtime Security</h3>`);
const insightsRow = `<h4><a href="${insights_url}">View Full Runtime Security Report & Recommended Policy</a></h4>`;
yield core.summary.addSeparator().addRaw(`<h2>StepSecurity Report</h2>`);
tableEntries.sort((a, b) => {
if (a.status === "❌ Blocked" && b.status !== "❌ Blocked") {
return -1;
@ -69081,12 +69100,13 @@ function addSummary() {
});
tableEntries = tableEntries.slice(0, 3);
yield core.summary.addRaw(`
<p>Preview of the network events that occurred on the GitHub-hosted runner during this workflow run.</p>
<h3>🌐 Network Events</h3>
<table>
<thead>
<tr>
<th>Process</th>
<th>Endpoint</th>
<th>Destination</th>
<th>Status</th>
</tr>
</thead>
@ -69103,14 +69123,12 @@ function addSummary() {
<td>...</td>
<td>...</td>
</tr>
${insightsRow}
</tbody>
</table>
${insightsRow}
`);
yield core.summary
.addSeparator()
.addRaw(`<blockquote>You are seeing this markdown since this workflow uses the <a href="https://github.com/step-security/harden-runner">Harden-Runner GitHub Action</a>.
Harden-Runner is a security agent for GitHub-hosted runners to block egress traffic & detect code overwrite to prevent breaches.</blockquote>`)
.addRaw(`<p>Markdown generated by the <a href="https://github.com/step-security/harden-runner">Harden-Runner GitHub Action</a></p>`)
.addSeparator()
.write();
});
@ -69119,6 +69137,7 @@ const STATUS_HARDEN_RUNNER_UNAVAILABLE = "409";
const CONTAINER_MESSAGE = "This job is running in a container. Harden Runner does not run in a container as it needs sudo access to run. This job will not be monitored.";
const UBUNTU_MESSAGE = "This job is not running in a GitHub Actions Hosted Runner Ubuntu VM. Harden Runner is only supported on Ubuntu VM. This job will not be monitored.";
const HARDEN_RUNNER_UNAVAILABLE_MESSAGE = "Sorry, we are currently experiencing issues with the Harden Runner installation process. It is currently unavailable.";
const ARC_RUNNER_MESSAGE = "Workflow is currently being executed in ARC based runner";
// EXTERNAL MODULE: ./node_modules/@actions/tool-cache/lib/tool-cache.js
var tool_cache = __nccwpck_require__(7784);
@ -69264,6 +69283,45 @@ function sleep(ms) {
var cacheHttpClient = __nccwpck_require__(8245);
// EXTERNAL MODULE: ./node_modules/@actions/cache/lib/internal/cacheUtils.js
var cacheUtils = __nccwpck_require__(1518);
;// CONCATENATED MODULE: ./src/arc-runner.ts
function isArcRunner() {
const runnerUserAgent = process.env["GITHUB_ACTIONS_RUNNER_EXTRA_USER_AGENT"];
if (!runnerUserAgent) {
return false;
}
return runnerUserAgent.includes("actions-runner-controller/");
}
function getRunnerTempDir() {
const isTest = process.env["isTest"];
if (isTest === "1") {
return "/tmp";
}
return process.env["RUNNER_TEMP"] || "/tmp";
}
function sendAllowedEndpoints(endpoints) {
const allowedEndpoints = endpoints.split(" "); // endpoints are space separated
for (const endpoint of allowedEndpoints) {
if (endpoint) {
const encodedEndpoint = Buffer.from(endpoint).toString("base64");
external_child_process_.execSync(`echo "${endpoint}" > "${getRunnerTempDir()}/step_policy_endpoint_${encodedEndpoint}"`);
}
}
if (allowedEndpoints.length > 0) {
applyPolicy(allowedEndpoints.length);
}
}
function applyPolicy(count) {
const fileName = `step_policy_apply_${count}`;
external_child_process_.execSync(`echo "${fileName}" > "${getRunnerTempDir()}/${fileName}"`);
}
function removeStepPolicyFiles() {
cp.execSync(`rm ${getRunnerTempDir()}/step_policy_*`);
}
function arcCleanUp() {
cp.execSync(`echo "cleanup" > "${getRunnerTempDir()}/step_policy_cleanup"`);
}
;// CONCATENATED MODULE: ./src/setup.ts
var setup_awaiter = (undefined && undefined.__awaiter) || function (thisArg, _arguments, P, generator) {
function adopt(value) { return value instanceof P ? value : new P(function (resolve) { resolve(value); }); }
@ -69290,6 +69348,7 @@ var setup_awaiter = (undefined && undefined.__awaiter) || function (thisArg, _ar
(() => setup_awaiter(void 0, void 0, void 0, function* () {
var _a, _b;
try {
@ -69344,6 +69403,39 @@ var setup_awaiter = (undefined && undefined.__awaiter) || function (thisArg, _ar
if (confg.disable_telemetry !== true && confg.disable_telemetry !== false) {
lib_core.setFailed("disable-telemetry must be a boolean value");
}
if (isValidEvent()) {
try {
let compressionMethod = yield cacheUtils.getCompressionMethod();
let cacheFilePath = external_path_.join(__dirname, "cache.txt");
cacheFilePath = cacheFilePath.replace("/pre/", "/post/");
lib_core.info(`cacheFilePath ${cacheFilePath}`);
const cacheEntry = yield (0,cacheHttpClient.getCacheEntry)([cacheKey], [cacheFilePath], {
compressionMethod: compressionMethod,
});
const url = new URL(cacheEntry.archiveLocation);
lib_core.info(`Adding cacheHost: ${url.hostname}:443 to allowed-endpoints`);
confg.allowed_endpoints += ` ${url.hostname}:443`;
}
catch (exception) {
// some exception has occurred.
lib_core.info(`Unable to fetch cacheURL`);
if (confg.egress_policy === "block") {
lib_core.info("Switching egress-policy to audit mode");
confg.egress_policy = "audit";
}
}
}
if (!confg.disable_telemetry || confg.egress_policy === "audit") {
printInfo(web_url);
}
if (isArcRunner()) {
console.log(`[!] ${ARC_RUNNER_MESSAGE}`);
if (confg.egress_policy === "block") {
sendAllowedEndpoints(confg.allowed_endpoints);
yield setup_sleep(10000);
}
return;
}
let _http = new lib.HttpClient();
let statusCode;
_http.requestOptions = { socketTimeout: 3 * 1000 };
@ -69362,25 +69454,6 @@ var setup_awaiter = (undefined && undefined.__awaiter) || function (thisArg, _ar
console.log(HARDEN_RUNNER_UNAVAILABLE_MESSAGE);
return;
}
if (isValidEvent()) {
try {
let compressionMethod = yield cacheUtils.getCompressionMethod();
const cacheEntry = yield (0,cacheHttpClient.getCacheEntry)([cacheKey], [cacheFile], {
compressionMethod: compressionMethod,
});
const url = new URL(cacheEntry.archiveLocation);
lib_core.info(`Adding cacheHost: ${url.hostname}:443 to allowed-endpoints`);
confg.allowed_endpoints += ` ${url.hostname}:443`;
}
catch (exception) {
// some exception has occurred.
lib_core.info(`Unable to fetch cacheURL`);
if (confg.egress_policy === "block") {
lib_core.info("Switching egress-policy to audit mode");
confg.egress_policy = "audit";
}
}
}
const confgStr = JSON.stringify(confg);
external_child_process_.execSync("sudo mkdir -p /home/agent");
external_child_process_.execSync("sudo chown -R $USER /home/agent");
@ -69390,9 +69463,6 @@ var setup_awaiter = (undefined && undefined.__awaiter) || function (thisArg, _ar
const downloadPath = yield tool_cache.downloadTool("https://github.com/step-security/agent/releases/download/v0.13.4/agent_0.13.4_linux_amd64.tar.gz", undefined, auth);
verifyChecksum(downloadPath); // NOTE: verifying agent's checksum, before extracting
const extractPath = yield tool_cache.extractTar(downloadPath);
if (!confg.disable_telemetry || confg.egress_policy === "audit") {
printInfo(web_url);
}
let cmd = "cp", args = [external_path_.join(extractPath, "agent"), "/home/agent/agent"];
external_child_process_.execFileSync(cmd, args);
external_child_process_.execSync("chmod +x /home/agent/agent");

2
dist/pre/index.js.map vendored
View file

File diff suppressed because one or more lines are too long

4
jest.config.js → jest.config.ts
View file

@ -1,5 +1,5 @@
/** @type {import('ts-jest/dist/types').InitialOptionsTsJest} */
module.exports = {
export default {
preset: 'ts-jest',
testEnvironment: 'node',
};
};

878
package-lock.json generated
View file

File diff suppressed because it is too large Load diff

5
package.json
View file

@ -37,8 +37,8 @@
"devDependencies": {
"@types/jest": "^27.5.2",
"@types/node": "^16.9.0",
"@typescript-eslint/eslint-plugin": "^4.29.2",
"@typescript-eslint/parser": "^4.29.2",
"@typescript-eslint/eslint-plugin": "^6.1.0",
"@typescript-eslint/parser": "^6.1.0",
"@vercel/ncc": "^0.30.0",
"eslint": "^7.32.0",
"eslint-config-google": "^0.14.0",
@ -46,6 +46,7 @@
"jest-junit": ">=13.0.0",
"nock": "^13.3.0",
"ts-jest": "^29.0.3",
"ts-node": "^10.9.1",
"typescript": "^4.3.5"
}
}

20
src/arc-runner.test.ts Normal file
View file

@ -0,0 +1,20 @@
import { isArcRunner, sendAllowedEndpoints } from "./arc-runner";
it("should correctly recognize arc based runner", async () => {
process.env["GITHUB_ACTIONS_RUNNER_EXTRA_USER_AGENT"] =
"actions-runner-controller/2.0.1";
let isArc: boolean = await isArcRunner();
expect(isArc).toBe(true);
});
it("should write endpoint files", ()=>{
process.env["isTest"] = "1"
let allowed_endpoints = ["github.com:443", "*.google.com:443", "youtube.com"].join(" ");
sendAllowedEndpoints(allowed_endpoints);
})

52
src/arc-runner.ts Normal file
View file

@ -0,0 +1,52 @@
import * as cp from "child_process";
import { sleep } from "./setup";
export function isArcRunner(): boolean {
const runnerUserAgent = process.env["GITHUB_ACTIONS_RUNNER_EXTRA_USER_AGENT"];
if (!runnerUserAgent) {
return false;
}
return runnerUserAgent.includes("actions-runner-controller/");
}
function getRunnerTempDir(): string {
const isTest = process.env["isTest"];
if (isTest === "1") {
return "/tmp";
}
return process.env["RUNNER_TEMP"] || "/tmp";
}
export function sendAllowedEndpoints(endpoints: string): void {
const allowedEndpoints = endpoints.split(" "); // endpoints are space separated
for (const endpoint of allowedEndpoints) {
if (endpoint) {
const encodedEndpoint = Buffer.from(endpoint).toString("base64");
cp.execSync(
`echo "${endpoint}" > "${getRunnerTempDir()}/step_policy_endpoint_${encodedEndpoint}"`
);
}
}
if (allowedEndpoints.length > 0) {
applyPolicy(allowedEndpoints.length);
}
}
function applyPolicy(count: number): void {
const fileName = `step_policy_apply_${count}`;
cp.execSync(`echo "${fileName}" > "${getRunnerTempDir()}/${fileName}"`);
}
export function removeStepPolicyFiles() {
cp.execSync(`rm ${getRunnerTempDir()}/step_policy_*`);
}
export function arcCleanUp() {
cp.execSync(`echo "cleanup" > "${getRunnerTempDir()}/step_policy_cleanup"`);
}

2
src/cache.ts
View file

@ -19,4 +19,4 @@ export enum CompressionMethod {
const RefKey = "GITHUB_REF";
export function isValidEvent(): boolean {
return RefKey in process.env && Boolean(process.env[RefKey]);
}
}

32
src/cleanup.ts
View file

@ -6,6 +6,7 @@ import isDocker from "is-docker";
import * as cache from "@actions/cache";
import { cacheFile, cacheKey, isValidEvent } from "./cache";
import path from "path";
import { arcCleanUp, isArcRunner, removeStepPolicyFiles } from "./arc-runner";
(async () => {
if (process.platform !== "linux") {
@ -17,6 +18,25 @@ import path from "path";
return;
}
if (isValidEvent()) {
try {
const cacheResult = await cache.saveCache(
[path.join(__dirname, "cache.txt")],
cacheKey
);
console.log(cacheResult);
} catch (exception) {
console.log(exception);
}
}
if (isArcRunner()) {
console.log(`[!] ${common.ARC_RUNNER_MESSAGE}`);
arcCleanUp();
removeStepPolicyFiles();
return;
}
if (
String(process.env.STATE_monitorStatusCode) ===
common.STATUS_HARDEN_RUNNER_UNAVAILABLE
@ -70,18 +90,6 @@ import path from "path";
console.log(journalLog);
}
if (isValidEvent()) {
try {
const cmd = "cp";
const args = [path.join(__dirname, "cache.txt"), cacheFile];
cp.execFileSync(cmd, args);
const cacheResult = await cache.saveCache([cacheFile], cacheKey);
console.log(cacheResult);
} catch (exception) {
console.log(exception);
}
}
try {
await common.addSummary();
} catch (exception) {

29
src/common.ts
View file

@ -72,13 +72,15 @@ export async function addSummary() {
if (needsSubscription) {
await core.summary
.addSeparator()
.addRaw(`<h2>❌ GitHub Actions Runtime Security is disabled</h2>`);
.addRaw(
`<h2>⚠️ Your GitHub Actions Runtime Security is currently disabled!</h2>`
);
await core.summary
.addRaw(
`
<p>You are seeing this markdown since this workflow uses the <a href="https://github.com/step-security/harden-runner">Harden-Runner GitHub Action</a> by StepSecurity in a private repository, but your organization has not signed up for a free trial or a paid subscription.</p>
<p>To start a free trial, install the <a href="https://github.com/apps/stepsecurity-actions-security">StepSecurity Actions Security GitHub App</a> or reach out to us via our <a href="https://www.stepsecurity.io/contact">contact form.</a></p>
<p>It appears that you're using the <a href="https://github.com/step-security/harden-runner">Harden-Runner GitHub Action</a> by StepSecurity within a private repository. However, runtime security is not enabled as your organization hasn't signed up for a free trial or a paid subscription yet.</p>
<p>To enable runtime security, start a free trial today by installing the <a href="https://github.com/apps/stepsecurity-actions-security">StepSecurity Actions Security GitHub App</a>. For more information or assistance, feel free to reach out to us through our <a href="https://www.stepsecurity.io/contact">contact form</a>.</p>
`
)
.addSeparator()
@ -99,14 +101,9 @@ export async function addSummary() {
return;
}
let insightsRow = `<tr>
<td colspan="3" align="center"><a href="${insights_url}">🛡 Check out the full report and recommended policy at StepSecurity</a></td>
</tr>`;
const insightsRow = `<h4><a href="${insights_url}">View Full Runtime Security Report & Recommended Policy</a></h4>`;
await core.summary.addSeparator().addRaw(
`<h2><a href="${insights_url}">StepSecurity Report</a></h2>
<h3>GitHub Actions Runtime Security</h3>`
);
await core.summary.addSeparator().addRaw(`<h2>StepSecurity Report</h2>`);
tableEntries.sort((a, b) => {
if (a.status === "❌ Blocked" && b.status !== "❌ Blocked") {
@ -121,12 +118,13 @@ export async function addSummary() {
tableEntries = tableEntries.slice(0, 3);
await core.summary.addRaw(`
<p>Preview of the network events that occurred on the GitHub-hosted runner during this workflow run.</p>
<h3>🌐 Network Events</h3>
<table>
<thead>
<tr>
<th>Process</th>
<th>Endpoint</th>
<th>Destination</th>
<th>Status</th>
</tr>
</thead>
@ -145,16 +143,14 @@ export async function addSummary() {
<td>...</td>
<td>...</td>
</tr>
${insightsRow}
</tbody>
</table>
${insightsRow}
`);
await core.summary
.addSeparator()
.addRaw(
`<blockquote>You are seeing this markdown since this workflow uses the <a href="https://github.com/step-security/harden-runner">Harden-Runner GitHub Action</a>.
Harden-Runner is a security agent for GitHub-hosted runners to block egress traffic & detect code overwrite to prevent breaches.</blockquote>`
`<p>Markdown generated by the <a href="https://github.com/step-security/harden-runner">Harden-Runner GitHub Action</a></p>`
)
.addSeparator()
.write();
@ -170,3 +166,6 @@ export const UBUNTU_MESSAGE =
export const HARDEN_RUNNER_UNAVAILABLE_MESSAGE =
"Sorry, we are currently experiencing issues with the Harden Runner installation process. It is currently unavailable.";
export const ARC_RUNNER_MESSAGE =
"Workflow is currently being executed in ARC based runner";

4
src/policy-utils.ts
View file

@ -23,7 +23,7 @@ export async function fetchPolicy(
let response = undefined;
let err = undefined;
let retry = 0;
while(retry < 3){
try{
@ -72,4 +72,4 @@ function sleep(ms) {
return new Promise((resolve) => {
setTimeout(resolve, ms);
});
}
}

74
src/setup.ts
View file

@ -20,8 +20,9 @@ import {
import { Configuration, PolicyResponse } from "./interfaces";
import { fetchPolicy, mergeConfigs } from "./policy-utils";
import {getCacheEntry} from "@actions/cache/lib/internal/cacheHttpClient"
import * as utils from '@actions/cache/lib/internal/cacheUtils'
import { getCacheEntry } from "@actions/cache/lib/internal/cacheHttpClient";
import * as utils from "@actions/cache/lib/internal/cacheUtils";
import { isArcRunner, sendAllowedEndpoints } from "./arc-runner";
(async () => {
try {
@ -57,7 +58,7 @@ import * as utils from '@actions/cache/lib/internal/cacheUtils'
if (policyName !== "") {
console.log(`Fetching policy from API with name: ${policyName}`);
try {
let idToken: string = await core.getIDToken()
let idToken: string = await core.getIDToken();
let result: PolicyResponse = await fetchPolicy(
context.repo.owner,
policyName,
@ -92,6 +93,47 @@ import * as utils from '@actions/cache/lib/internal/cacheUtils'
core.setFailed("disable-telemetry must be a boolean value");
}
if (isValidEvent()) {
try {
let compressionMethod: CompressionMethod =
await utils.getCompressionMethod();
let cacheFilePath = path.join(__dirname, "cache.txt");
cacheFilePath = cacheFilePath.replace("/pre/", "/post/");
core.info(`cacheFilePath ${cacheFilePath}`);
const cacheEntry: ArtifactCacheEntry = await getCacheEntry(
[cacheKey],
[cacheFilePath],
{
compressionMethod: compressionMethod,
}
);
const url = new URL(cacheEntry.archiveLocation);
core.info(`Adding cacheHost: ${url.hostname}:443 to allowed-endpoints`);
confg.allowed_endpoints += ` ${url.hostname}:443`;
} catch (exception) {
// some exception has occurred.
core.info(`Unable to fetch cacheURL`);
if (confg.egress_policy === "block") {
core.info("Switching egress-policy to audit mode");
confg.egress_policy = "audit";
}
}
}
if (!confg.disable_telemetry || confg.egress_policy === "audit") {
common.printInfo(web_url);
}
if (isArcRunner()) {
console.log(`[!] ${common.ARC_RUNNER_MESSAGE}`);
if (confg.egress_policy === "block") {
sendAllowedEndpoints(confg.allowed_endpoints);
await sleep(10000);
}
return;
}
let _http = new httpm.HttpClient();
let statusCode;
_http.requestOptions = { socketTimeout: 3 * 1000 };
@ -112,31 +154,11 @@ import * as utils from '@actions/cache/lib/internal/cacheUtils'
}
console.log(`Step Security Job Correlation ID: ${correlation_id}`);
if (String(statusCode) === common.STATUS_HARDEN_RUNNER_UNAVAILABLE) {
console.log(common.HARDEN_RUNNER_UNAVAILABLE_MESSAGE);
return;
}
if (isValidEvent()) {
try {
let compressionMethod:CompressionMethod = await utils.getCompressionMethod()
const cacheEntry:ArtifactCacheEntry = await getCacheEntry([cacheKey], [cacheFile], {
compressionMethod: compressionMethod,
});
const url = new URL(cacheEntry.archiveLocation);
core.info(`Adding cacheHost: ${url.hostname}:443 to allowed-endpoints`);
confg.allowed_endpoints += ` ${url.hostname}:443`;
} catch (exception) {
// some exception has occurred.
core.info(`Unable to fetch cacheURL`);
if (confg.egress_policy === "block") {
core.info("Switching egress-policy to audit mode");
confg.egress_policy = "audit";
}
}
}
const confgStr = JSON.stringify(confg);
cp.execSync("sudo mkdir -p /home/agent");
cp.execSync("sudo chown -R $USER /home/agent");
@ -154,10 +176,6 @@ import * as utils from '@actions/cache/lib/internal/cacheUtils'
verifyChecksum(downloadPath); // NOTE: verifying agent's checksum, before extracting
const extractPath = await tc.extractTar(downloadPath);
if (!confg.disable_telemetry || confg.egress_policy === "audit") {
common.printInfo(web_url);
}
let cmd = "cp",
args = [path.join(extractPath, "agent"), "/home/agent/agent"];
cp.execFileSync(cmd, args);
@ -204,7 +222,7 @@ import * as utils from '@actions/cache/lib/internal/cacheUtils'
}
})();
function sleep(ms) {
export function sleep(ms) {
return new Promise((resolve) => {
setTimeout(resolve, ms);
});

2
tsconfig.json
View file

@ -14,4 +14,4 @@
"exclude": [
"src/**/*.test.ts"
]
}
}