
Release v2.5.0 (#325)

This commit is contained in:
Varun Sharma 2023-07-24 11:30:49 -07:00 committed by GitHub
commit cba0d00b1f
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
24 changed files with 1017 additions and 382 deletions

33
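--- a/.eslintrc.js
+++ b/.eslintrc.js
@@ -0,0 +1,33 @@
+module.exports = {
+"env": {
+"browser": true,
+"es2021": true
+},
+"extends": [
+"eslint:recommended",
+"plugin:@typescript-eslint/recommended"
+],
+"overrides": [
+{
+"env": {
+"node": true
+},
+"files": [
+".eslintrc.{js,cjs}"
+],
+"parserOptions": {
+"sourceType": "script"
+}
+}
+],
+"parser": "@typescript-eslint/parser",
+"parserOptions": {
+"ecmaVersion": "latest",
+"sourceType": "module"
+},
+"plugins": [
+"@typescript-eslint"
+],
+"rules": {
+}
+}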
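Review bot: The top-level `"env"` declares `"browser": true`, but this repository is a Node-based GitHub Action whose sources rely on Node globals such as `process`, `Buffer` and `require` (see src/arc-runner.ts in this commit); the only `"node": true` here is inside an override scoped to `.eslintrc.{js,cjs}`, so it does not cover the TypeScript sources. Change the top-level env to `"node": true, "es2021": true` and drop `browser`. `"rules": {}` is empty while `eslint-config-google` is still listed in package.json devDependencies, so that config is never applied; either add it to `"extends"` or remove the dependency.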


@ -1,3 +1,4 @@
exclude: ^dist/
repos: repos:
- repo: https://github.com/gitleaks/gitleaks - repo: https://github.com/gitleaks/gitleaks
rev: v8.16.3 rev: v8.16.3

23
dist/index.js vendored

@ -2894,11 +2894,11 @@ function addSummary() {
if (needsSubscription) { if (needsSubscription) {
yield core.summary yield core.summary
.addSeparator() .addSeparator()
.addRaw(`<h2>❌ GitHub Actions Runtime Security is disabled</h2>`); .addRaw(`<h2>⚠️ Your GitHub Actions Runtime Security is currently disabled!</h2>`);
yield core.summary yield core.summary
.addRaw(` .addRaw(`
<p>You are seeing this markdown since this workflow uses the <a href="https://github.com/step-security/harden-runner">Harden-Runner GitHub Action</a> by StepSecurity in a private repository, but your organization has not signed up for a free trial or a paid subscription.</p> <p>It appears that you're using the <a href="https://github.com/step-security/harden-runner">Harden-Runner GitHub Action</a> by StepSecurity within a private repository. However, runtime security is not enabled as your organization hasn't signed up for a free trial or a paid subscription yet.</p>
<p>To start a free trial, install the <a href="https://github.com/apps/stepsecurity-actions-security">StepSecurity Actions Security GitHub App</a> or reach out to us via our <a href="https://www.stepsecurity.io/contact">contact form.</a></p> <p>To enable runtime security, start a free trial today by installing the <a href="https://github.com/apps/stepsecurity-actions-security">StepSecurity Actions Security GitHub App</a>. For more information or assistance, feel free to reach out to us through our <a href="https://www.stepsecurity.io/contact">contact form</a>.</p>
`) `)
.addSeparator() .addSeparator()
.write(); .write();
@ -2913,11 +2913,8 @@ function addSummary() {
if (tableEntries.length === 0) { if (tableEntries.length === 0) {
return; return;
} }
let insightsRow = `<tr> const insightsRow = `<h4><a href="${insights_url}">View Full Runtime Security Report & Recommended Policy</a></h4>`;
<td colspan="3" align="center"><a href="${insights_url}">🛡 Check out the full report and recommended policy at StepSecurity</a></td> yield core.summary.addSeparator().addRaw(`<h2>StepSecurity Report</h2>`);
</tr>`;
yield core.summary.addSeparator().addRaw(`<h2><a href="${insights_url}">StepSecurity Report</a></h2>
<h3>GitHub Actions Runtime Security</h3>`);
tableEntries.sort((a, b) => { tableEntries.sort((a, b) => {
if (a.status === "❌ Blocked" && b.status !== "❌ Blocked") { if (a.status === "❌ Blocked" && b.status !== "❌ Blocked") {
return -1; return -1;
@ -2931,12 +2928,13 @@ function addSummary() {
}); });
tableEntries = tableEntries.slice(0, 3); tableEntries = tableEntries.slice(0, 3);
yield core.summary.addRaw(` yield core.summary.addRaw(`
<p>Preview of the network events that occurred on the GitHub-hosted runner during this workflow run.</p>
<h3>🌐 Network Events</h3> <h3>🌐 Network Events</h3>
<table> <table>
<thead> <thead>
<tr> <tr>
<th>Process</th> <th>Process</th>
<th>Endpoint</th> <th>Destination</th>
<th>Status</th> <th>Status</th>
</tr> </tr>
</thead> </thead>
@ -2953,14 +2951,12 @@ function addSummary() {
<td>...</td> <td>...</td>
<td>...</td> <td>...</td>
</tr> </tr>
${insightsRow}
</tbody> </tbody>
</table> </table>
${insightsRow}
`); `);
yield core.summary yield core.summary
.addSeparator() .addRaw(`<p>Markdown generated by the <a href="https://github.com/step-security/harden-runner">Harden-Runner GitHub Action</a></p>`)
.addRaw(`<blockquote>You are seeing this markdown since this workflow uses the <a href="https://github.com/step-security/harden-runner">Harden-Runner GitHub Action</a>.
Harden-Runner is a security agent for GitHub-hosted runners to block egress traffic & detect code overwrite to prevent breaches.</blockquote>`)
.addSeparator() .addSeparator()
.write(); .write();
}); });
@ -2969,6 +2965,7 @@ const STATUS_HARDEN_RUNNER_UNAVAILABLE = "409";
const CONTAINER_MESSAGE = "This job is running in a container. Harden Runner does not run in a container as it needs sudo access to run. This job will not be monitored."; const CONTAINER_MESSAGE = "This job is running in a container. Harden Runner does not run in a container as it needs sudo access to run. This job will not be monitored.";
const UBUNTU_MESSAGE = "This job is not running in a GitHub Actions Hosted Runner Ubuntu VM. Harden Runner is only supported on Ubuntu VM. This job will not be monitored."; const UBUNTU_MESSAGE = "This job is not running in a GitHub Actions Hosted Runner Ubuntu VM. Harden Runner is only supported on Ubuntu VM. This job will not be monitored.";
const HARDEN_RUNNER_UNAVAILABLE_MESSAGE = "Sorry, we are currently experiencing issues with the Harden Runner installation process. It is currently unavailable."; const HARDEN_RUNNER_UNAVAILABLE_MESSAGE = "Sorry, we are currently experiencing issues with the Harden Runner installation process. It is currently unavailable.";
const ARC_RUNNER_MESSAGE = "Workflow is currently being executed in ARC based runner";
;// CONCATENATED MODULE: external "node:fs" ;// CONCATENATED MODULE: external "node:fs"
const external_node_fs_namespaceObject = require("node:fs"); const external_node_fs_namespaceObject = require("node:fs");

2
dist/index.js.map vendored


90
dist/post/index.js vendored

@ -61193,10 +61193,10 @@ function addSummary() {
} }
if (needsSubscription) { if (needsSubscription) {
yield core.summary.addSeparator() yield core.summary.addSeparator()
.addRaw(`<h2>❌ GitHub Actions Runtime Security is disabled</h2>`); .addRaw(`<h2>⚠️ Your GitHub Actions Runtime Security is currently disabled!</h2>`);
yield core.summary.addRaw(` yield core.summary.addRaw(`
<p>You are seeing this markdown since this workflow uses the <a href="https://github.com/step-security/harden-runner">Harden-Runner GitHub Action</a> by StepSecurity in a private repository, but your organization has not signed up for a free trial or a paid subscription.</p> <p>It appears that you're using the <a href="https://github.com/step-security/harden-runner">Harden-Runner GitHub Action</a> by StepSecurity within a private repository. However, runtime security is not enabled as your organization hasn't signed up for a free trial or a paid subscription yet.</p>
<p>To start a free trial, install the <a href="https://github.com/apps/stepsecurity-actions-security">StepSecurity Actions Security GitHub App</a> or reach out to us via our <a href="https://www.stepsecurity.io/contact">contact form.</a></p> <p>To enable runtime security, start a free trial today by installing the <a href="https://github.com/apps/stepsecurity-actions-security">StepSecurity Actions Security GitHub App</a>. For more information or assistance, feel free to reach out to us through our <a href="https://www.stepsecurity.io/contact">contact form</a>.</p>
`) `)
.addSeparator() .addSeparator()
.write(); .write();
@ -61211,11 +61211,8 @@ function addSummary() {
if (tableEntries.length === 0) { if (tableEntries.length === 0) {
return; return;
} }
let insightsRow = `<tr> const insightsRow = `<h4><a href="${insights_url}">View Full Runtime Security Report & Recommended Policy</a></h4>`;
<td colspan="3" align="center"><a href="${insights_url}">🛡 Check out the full report and recommended policy at StepSecurity</a></td> yield core.summary.addSeparator().addRaw(`<h2>StepSecurity Report</h2>`);
</tr>`;
yield core.summary.addSeparator().addRaw(`<h2><a href="${insights_url}">StepSecurity Report</a></h2>
<h3>GitHub Actions Runtime Security</h3>`);
tableEntries.sort((a, b) => { tableEntries.sort((a, b) => {
if (a.status === "❌ Blocked" && b.status !== "❌ Blocked") { if (a.status === "❌ Blocked" && b.status !== "❌ Blocked") {
return -1; return -1;
@ -61229,12 +61226,13 @@ function addSummary() {
}); });
tableEntries = tableEntries.slice(0, 3); tableEntries = tableEntries.slice(0, 3);
yield core.summary.addRaw(` yield core.summary.addRaw(`
<p>Preview of the network events that occurred on the GitHub-hosted runner during this workflow run.</p>
<h3>🌐 Network Events</h3> <h3>🌐 Network Events</h3>
<table> <table>
<thead> <thead>
<tr> <tr>
<th>Process</th> <th>Process</th>
<th>Endpoint</th> <th>Destination</th>
<th>Status</th> <th>Status</th>
</tr> </tr>
</thead> </thead>
@ -61251,13 +61249,11 @@ function addSummary() {
<td>...</td> <td>...</td>
<td>...</td> <td>...</td>
</tr> </tr>
${insightsRow}
</tbody> </tbody>
</table> </table>
${insightsRow}
`); `);
yield core.summary.addSeparator() yield core.summary.addRaw(`<p>Markdown generated by the <a href="https://github.com/step-security/harden-runner">Harden-Runner GitHub Action</a></p>`)
.addRaw(`<blockquote>You are seeing this markdown since this workflow uses the <a href="https://github.com/step-security/harden-runner">Harden-Runner GitHub Action</a>.
Harden-Runner is a security agent for GitHub-hosted runners to block egress traffic & detect code overwrite to prevent breaches.</blockquote>`)
.addSeparator() .addSeparator()
.write(); .write();
}); });
@ -61266,6 +61262,7 @@ const STATUS_HARDEN_RUNNER_UNAVAILABLE = "409";
const CONTAINER_MESSAGE = "This job is running in a container. Harden Runner does not run in a container as it needs sudo access to run. This job will not be monitored."; const CONTAINER_MESSAGE = "This job is running in a container. Harden Runner does not run in a container as it needs sudo access to run. This job will not be monitored.";
const UBUNTU_MESSAGE = "This job is not running in a GitHub Actions Hosted Runner Ubuntu VM. Harden Runner is only supported on Ubuntu VM. This job will not be monitored."; const UBUNTU_MESSAGE = "This job is not running in a GitHub Actions Hosted Runner Ubuntu VM. Harden Runner is only supported on Ubuntu VM. This job will not be monitored.";
const HARDEN_RUNNER_UNAVAILABLE_MESSAGE = "Sorry, we are currently experiencing issues with the Harden Runner installation process. It is currently unavailable."; const HARDEN_RUNNER_UNAVAILABLE_MESSAGE = "Sorry, we are currently experiencing issues with the Harden Runner installation process. It is currently unavailable.";
const ARC_RUNNER_MESSAGE = "Workflow is currently being executed in ARC based runner";
;// CONCATENATED MODULE: external "node:fs" ;// CONCATENATED MODULE: external "node:fs"
const external_node_fs_namespaceObject = require("node:fs"); const external_node_fs_namespaceObject = require("node:fs");
@ -61322,6 +61319,45 @@ function isValidEvent() {
// EXTERNAL MODULE: external "path" // EXTERNAL MODULE: external "path"
var external_path_ = __nccwpck_require__(5622); var external_path_ = __nccwpck_require__(5622);
var external_path_default = /*#__PURE__*/__nccwpck_require__.n(external_path_); var external_path_default = /*#__PURE__*/__nccwpck_require__.n(external_path_);
;// CONCATENATED MODULE: ./src/arc-runner.ts
function isArcRunner() {
const runnerUserAgent = process.env["GITHUB_ACTIONS_RUNNER_EXTRA_USER_AGENT"];
if (!runnerUserAgent) {
return false;
}
return runnerUserAgent.includes("actions-runner-controller/");
}
function getRunnerTempDir() {
const isTest = process.env["isTest"];
if (isTest === "1") {
return "/tmp";
}
return process.env["RUNNER_TEMP"] || "/tmp";
}
function sendAllowedEndpoints(endpoints) {
const allowedEndpoints = endpoints.split(" "); // endpoints are space separated
for (const endpoint of allowedEndpoints) {
if (endpoint) {
const encodedEndpoint = Buffer.from(endpoint).toString("base64");
cp.execSync(`echo "${endpoint}" > "${getRunnerTempDir()}/step_policy_endpoint_${encodedEndpoint}"`);
}
}
if (allowedEndpoints.length > 0) {
applyPolicy(allowedEndpoints.length);
}
}
function applyPolicy(count) {
const fileName = `step_policy_apply_${count}`;
cp.execSync(`echo "${fileName}" > "${getRunnerTempDir()}/${fileName}"`);
}
function removeStepPolicyFiles() {
external_child_process_.execSync(`rm ${getRunnerTempDir()}/step_policy_*`);
}
function arcCleanUp() {
external_child_process_.execSync(`echo "cleanup" > "${getRunnerTempDir()}/step_policy_cleanup"`);
}
;// CONCATENATED MODULE: ./src/cleanup.ts ;// CONCATENATED MODULE: ./src/cleanup.ts
var cleanup_awaiter = (undefined && undefined.__awaiter) || function (thisArg, _arguments, P, generator) { var cleanup_awaiter = (undefined && undefined.__awaiter) || function (thisArg, _arguments, P, generator) {
function adopt(value) { return value instanceof P ? value : new P(function (resolve) { resolve(value); }); } function adopt(value) { return value instanceof P ? value : new P(function (resolve) { resolve(value); }); }
@ -61339,6 +61375,7 @@ var cleanup_awaiter = (undefined && undefined.__awaiter) || function (thisArg, _
(() => cleanup_awaiter(void 0, void 0, void 0, function* () { (() => cleanup_awaiter(void 0, void 0, void 0, function* () {
if (process.platform !== "linux") { if (process.platform !== "linux") {
console.log(UBUNTU_MESSAGE); console.log(UBUNTU_MESSAGE);
@ -61348,6 +61385,21 @@ var cleanup_awaiter = (undefined && undefined.__awaiter) || function (thisArg, _
console.log(CONTAINER_MESSAGE); console.log(CONTAINER_MESSAGE);
return; return;
} }
if (isValidEvent()) {
try {
const cacheResult = yield cache.saveCache([external_path_default().join(__dirname, "cache.txt")], cacheKey);
console.log(cacheResult);
}
catch (exception) {
console.log(exception);
}
}
if (isArcRunner()) {
console.log(`[!] ${ARC_RUNNER_MESSAGE}`);
arcCleanUp();
removeStepPolicyFiles();
return;
}
if (String(process.env.STATE_monitorStatusCode) === if (String(process.env.STATE_monitorStatusCode) ===
STATUS_HARDEN_RUNNER_UNAVAILABLE) { STATUS_HARDEN_RUNNER_UNAVAILABLE) {
console.log(HARDEN_RUNNER_UNAVAILABLE_MESSAGE); console.log(HARDEN_RUNNER_UNAVAILABLE_MESSAGE);
@ -61389,18 +61441,6 @@ var cleanup_awaiter = (undefined && undefined.__awaiter) || function (thisArg, _
console.log("Service log:"); console.log("Service log:");
console.log(journalLog); console.log(journalLog);
} }
if (isValidEvent()) {
try {
const cmd = "cp";
const args = [external_path_default().join(__dirname, "cache.txt"), cacheFile];
external_child_process_.execFileSync(cmd, args);
const cacheResult = yield cache.saveCache([cacheFile], cacheKey);
console.log(cacheResult);
}
catch (exception) {
console.log(exception);
}
}
try { try {
yield addSummary(); yield addSummary();
} }


140
dist/pre/index.js vendored

@ -68939,6 +68939,23 @@ module.exports = require("zlib");
/******/ } /******/ }
/******/ /******/
/************************************************************************/ /************************************************************************/
/******/ /* webpack/runtime/define property getters */
/******/ (() => {
/******/ // define getter functions for harmony exports
/******/ __nccwpck_require__.d = (exports, definition) => {
/******/ for(var key in definition) {
/******/ if(__nccwpck_require__.o(definition, key) && !__nccwpck_require__.o(exports, key)) {
/******/ Object.defineProperty(exports, key, { enumerable: true, get: definition[key] });
/******/ }
/******/ }
/******/ };
/******/ })();
/******/
/******/ /* webpack/runtime/hasOwnProperty shorthand */
/******/ (() => {
/******/ __nccwpck_require__.o = (obj, prop) => (Object.prototype.hasOwnProperty.call(obj, prop))
/******/ })();
/******/
/******/ /* webpack/runtime/make namespace object */ /******/ /* webpack/runtime/make namespace object */
/******/ (() => { /******/ (() => {
/******/ // define __esModule on exports /******/ // define __esModule on exports
@ -68962,6 +68979,11 @@ var __webpack_exports__ = {};
// ESM COMPAT FLAG // ESM COMPAT FLAG
__nccwpck_require__.r(__webpack_exports__); __nccwpck_require__.r(__webpack_exports__);
// EXPORTS
__nccwpck_require__.d(__webpack_exports__, {
"sleep": () => (/* binding */ setup_sleep)
});
// EXTERNAL MODULE: ./node_modules/@actions/core/lib/core.js // EXTERNAL MODULE: ./node_modules/@actions/core/lib/core.js
var lib_core = __nccwpck_require__(2186); var lib_core = __nccwpck_require__(2186);
// EXTERNAL MODULE: external "child_process" // EXTERNAL MODULE: external "child_process"
@ -69044,11 +69066,11 @@ function addSummary() {
if (needsSubscription) { if (needsSubscription) {
yield core.summary yield core.summary
.addSeparator() .addSeparator()
.addRaw(`<h2>❌ GitHub Actions Runtime Security is disabled</h2>`); .addRaw(`<h2>⚠️ Your GitHub Actions Runtime Security is currently disabled!</h2>`);
yield core.summary yield core.summary
.addRaw(` .addRaw(`
<p>You are seeing this markdown since this workflow uses the <a href="https://github.com/step-security/harden-runner">Harden-Runner GitHub Action</a> by StepSecurity in a private repository, but your organization has not signed up for a free trial or a paid subscription.</p> <p>It appears that you're using the <a href="https://github.com/step-security/harden-runner">Harden-Runner GitHub Action</a> by StepSecurity within a private repository. However, runtime security is not enabled as your organization hasn't signed up for a free trial or a paid subscription yet.</p>
<p>To start a free trial, install the <a href="https://github.com/apps/stepsecurity-actions-security">StepSecurity Actions Security GitHub App</a> or reach out to us via our <a href="https://www.stepsecurity.io/contact">contact form.</a></p> <p>To enable runtime security, start a free trial today by installing the <a href="https://github.com/apps/stepsecurity-actions-security">StepSecurity Actions Security GitHub App</a>. For more information or assistance, feel free to reach out to us through our <a href="https://www.stepsecurity.io/contact">contact form</a>.</p>
`) `)
.addSeparator() .addSeparator()
.write(); .write();
@ -69063,11 +69085,8 @@ function addSummary() {
if (tableEntries.length === 0) { if (tableEntries.length === 0) {
return; return;
} }
let insightsRow = `<tr> const insightsRow = `<h4><a href="${insights_url}">View Full Runtime Security Report & Recommended Policy</a></h4>`;
<td colspan="3" align="center"><a href="${insights_url}">🛡 Check out the full report and recommended policy at StepSecurity</a></td> yield core.summary.addSeparator().addRaw(`<h2>StepSecurity Report</h2>`);
</tr>`;
yield core.summary.addSeparator().addRaw(`<h2><a href="${insights_url}">StepSecurity Report</a></h2>
<h3>GitHub Actions Runtime Security</h3>`);
tableEntries.sort((a, b) => { tableEntries.sort((a, b) => {
if (a.status === "❌ Blocked" && b.status !== "❌ Blocked") { if (a.status === "❌ Blocked" && b.status !== "❌ Blocked") {
return -1; return -1;
@ -69081,12 +69100,13 @@ function addSummary() {
}); });
tableEntries = tableEntries.slice(0, 3); tableEntries = tableEntries.slice(0, 3);
yield core.summary.addRaw(` yield core.summary.addRaw(`
<p>Preview of the network events that occurred on the GitHub-hosted runner during this workflow run.</p>
<h3>🌐 Network Events</h3> <h3>🌐 Network Events</h3>
<table> <table>
<thead> <thead>
<tr> <tr>
<th>Process</th> <th>Process</th>
<th>Endpoint</th> <th>Destination</th>
<th>Status</th> <th>Status</th>
</tr> </tr>
</thead> </thead>
@ -69103,14 +69123,12 @@ function addSummary() {
<td>...</td> <td>...</td>
<td>...</td> <td>...</td>
</tr> </tr>
${insightsRow}
</tbody> </tbody>
</table> </table>
${insightsRow}
`); `);
yield core.summary yield core.summary
.addSeparator() .addRaw(`<p>Markdown generated by the <a href="https://github.com/step-security/harden-runner">Harden-Runner GitHub Action</a></p>`)
.addRaw(`<blockquote>You are seeing this markdown since this workflow uses the <a href="https://github.com/step-security/harden-runner">Harden-Runner GitHub Action</a>.
Harden-Runner is a security agent for GitHub-hosted runners to block egress traffic & detect code overwrite to prevent breaches.</blockquote>`)
.addSeparator() .addSeparator()
.write(); .write();
}); });
@ -69119,6 +69137,7 @@ const STATUS_HARDEN_RUNNER_UNAVAILABLE = "409";
const CONTAINER_MESSAGE = "This job is running in a container. Harden Runner does not run in a container as it needs sudo access to run. This job will not be monitored."; const CONTAINER_MESSAGE = "This job is running in a container. Harden Runner does not run in a container as it needs sudo access to run. This job will not be monitored.";
const UBUNTU_MESSAGE = "This job is not running in a GitHub Actions Hosted Runner Ubuntu VM. Harden Runner is only supported on Ubuntu VM. This job will not be monitored."; const UBUNTU_MESSAGE = "This job is not running in a GitHub Actions Hosted Runner Ubuntu VM. Harden Runner is only supported on Ubuntu VM. This job will not be monitored.";
const HARDEN_RUNNER_UNAVAILABLE_MESSAGE = "Sorry, we are currently experiencing issues with the Harden Runner installation process. It is currently unavailable."; const HARDEN_RUNNER_UNAVAILABLE_MESSAGE = "Sorry, we are currently experiencing issues with the Harden Runner installation process. It is currently unavailable.";
const ARC_RUNNER_MESSAGE = "Workflow is currently being executed in ARC based runner";
// EXTERNAL MODULE: ./node_modules/@actions/tool-cache/lib/tool-cache.js // EXTERNAL MODULE: ./node_modules/@actions/tool-cache/lib/tool-cache.js
var tool_cache = __nccwpck_require__(7784); var tool_cache = __nccwpck_require__(7784);
@ -69264,6 +69283,45 @@ function sleep(ms) {
var cacheHttpClient = __nccwpck_require__(8245); var cacheHttpClient = __nccwpck_require__(8245);
// EXTERNAL MODULE: ./node_modules/@actions/cache/lib/internal/cacheUtils.js // EXTERNAL MODULE: ./node_modules/@actions/cache/lib/internal/cacheUtils.js
var cacheUtils = __nccwpck_require__(1518); var cacheUtils = __nccwpck_require__(1518);
;// CONCATENATED MODULE: ./src/arc-runner.ts
function isArcRunner() {
const runnerUserAgent = process.env["GITHUB_ACTIONS_RUNNER_EXTRA_USER_AGENT"];
if (!runnerUserAgent) {
return false;
}
return runnerUserAgent.includes("actions-runner-controller/");
}
function getRunnerTempDir() {
const isTest = process.env["isTest"];
if (isTest === "1") {
return "/tmp";
}
return process.env["RUNNER_TEMP"] || "/tmp";
}
function sendAllowedEndpoints(endpoints) {
const allowedEndpoints = endpoints.split(" "); // endpoints are space separated
for (const endpoint of allowedEndpoints) {
if (endpoint) {
const encodedEndpoint = Buffer.from(endpoint).toString("base64");
external_child_process_.execSync(`echo "${endpoint}" > "${getRunnerTempDir()}/step_policy_endpoint_${encodedEndpoint}"`);
}
}
if (allowedEndpoints.length > 0) {
applyPolicy(allowedEndpoints.length);
}
}
function applyPolicy(count) {
const fileName = `step_policy_apply_${count}`;
external_child_process_.execSync(`echo "${fileName}" > "${getRunnerTempDir()}/${fileName}"`);
}
function removeStepPolicyFiles() {
cp.execSync(`rm ${getRunnerTempDir()}/step_policy_*`);
}
function arcCleanUp() {
cp.execSync(`echo "cleanup" > "${getRunnerTempDir()}/step_policy_cleanup"`);
}
;// CONCATENATED MODULE: ./src/setup.ts ;// CONCATENATED MODULE: ./src/setup.ts
var setup_awaiter = (undefined && undefined.__awaiter) || function (thisArg, _arguments, P, generator) { var setup_awaiter = (undefined && undefined.__awaiter) || function (thisArg, _arguments, P, generator) {
function adopt(value) { return value instanceof P ? value : new P(function (resolve) { resolve(value); }); } function adopt(value) { return value instanceof P ? value : new P(function (resolve) { resolve(value); }); }
@ -69290,6 +69348,7 @@ var setup_awaiter = (undefined && undefined.__awaiter) || function (thisArg, _ar
(() => setup_awaiter(void 0, void 0, void 0, function* () { (() => setup_awaiter(void 0, void 0, void 0, function* () {
var _a, _b; var _a, _b;
try { try {
@ -69344,6 +69403,39 @@ var setup_awaiter = (undefined && undefined.__awaiter) || function (thisArg, _ar
if (confg.disable_telemetry !== true && confg.disable_telemetry !== false) { if (confg.disable_telemetry !== true && confg.disable_telemetry !== false) {
lib_core.setFailed("disable-telemetry must be a boolean value"); lib_core.setFailed("disable-telemetry must be a boolean value");
} }
if (isValidEvent()) {
try {
let compressionMethod = yield cacheUtils.getCompressionMethod();
let cacheFilePath = external_path_.join(__dirname, "cache.txt");
cacheFilePath = cacheFilePath.replace("/pre/", "/post/");
lib_core.info(`cacheFilePath ${cacheFilePath}`);
const cacheEntry = yield (0,cacheHttpClient.getCacheEntry)([cacheKey], [cacheFilePath], {
compressionMethod: compressionMethod,
});
const url = new URL(cacheEntry.archiveLocation);
lib_core.info(`Adding cacheHost: ${url.hostname}:443 to allowed-endpoints`);
confg.allowed_endpoints += ` ${url.hostname}:443`;
}
catch (exception) {
// some exception has occurred.
lib_core.info(`Unable to fetch cacheURL`);
if (confg.egress_policy === "block") {
lib_core.info("Switching egress-policy to audit mode");
confg.egress_policy = "audit";
}
}
}
if (!confg.disable_telemetry || confg.egress_policy === "audit") {
printInfo(web_url);
}
if (isArcRunner()) {
console.log(`[!] ${ARC_RUNNER_MESSAGE}`);
if (confg.egress_policy === "block") {
sendAllowedEndpoints(confg.allowed_endpoints);
yield setup_sleep(10000);
}
return;
}
let _http = new lib.HttpClient(); let _http = new lib.HttpClient();
let statusCode; let statusCode;
_http.requestOptions = { socketTimeout: 3 * 1000 }; _http.requestOptions = { socketTimeout: 3 * 1000 };
@ -69362,25 +69454,6 @@ var setup_awaiter = (undefined && undefined.__awaiter) || function (thisArg, _ar
console.log(HARDEN_RUNNER_UNAVAILABLE_MESSAGE); console.log(HARDEN_RUNNER_UNAVAILABLE_MESSAGE);
return; return;
} }
if (isValidEvent()) {
try {
let compressionMethod = yield cacheUtils.getCompressionMethod();
const cacheEntry = yield (0,cacheHttpClient.getCacheEntry)([cacheKey], [cacheFile], {
compressionMethod: compressionMethod,
});
const url = new URL(cacheEntry.archiveLocation);
lib_core.info(`Adding cacheHost: ${url.hostname}:443 to allowed-endpoints`);
confg.allowed_endpoints += ` ${url.hostname}:443`;
}
catch (exception) {
// some exception has occurred.
lib_core.info(`Unable to fetch cacheURL`);
if (confg.egress_policy === "block") {
lib_core.info("Switching egress-policy to audit mode");
confg.egress_policy = "audit";
}
}
}
const confgStr = JSON.stringify(confg); const confgStr = JSON.stringify(confg);
external_child_process_.execSync("sudo mkdir -p /home/agent"); external_child_process_.execSync("sudo mkdir -p /home/agent");
external_child_process_.execSync("sudo chown -R $USER /home/agent"); external_child_process_.execSync("sudo chown -R $USER /home/agent");
@ -69390,9 +69463,6 @@ var setup_awaiter = (undefined && undefined.__awaiter) || function (thisArg, _ar
const downloadPath = yield tool_cache.downloadTool("https://github.com/step-security/agent/releases/download/v0.13.4/agent_0.13.4_linux_amd64.tar.gz", undefined, auth); const downloadPath = yield tool_cache.downloadTool("https://github.com/step-security/agent/releases/download/v0.13.4/agent_0.13.4_linux_amd64.tar.gz", undefined, auth);
verifyChecksum(downloadPath); // NOTE: verifying agent's checksum, before extracting verifyChecksum(downloadPath); // NOTE: verifying agent's checksum, before extracting
const extractPath = yield tool_cache.extractTar(downloadPath); const extractPath = yield tool_cache.extractTar(downloadPath);
if (!confg.disable_telemetry || confg.egress_policy === "audit") {
printInfo(web_url);
}
let cmd = "cp", args = [external_path_.join(extractPath, "agent"), "/home/agent/agent"]; let cmd = "cp", args = [external_path_.join(extractPath, "agent"), "/home/agent/agent"];
external_child_process_.execFileSync(cmd, args); external_child_process_.execFileSync(cmd, args);
external_child_process_.execSync("chmod +x /home/agent/agent"); external_child_process_.execSync("chmod +x /home/agent/agent");



@ -1,5 +1,5 @@
/** @type {import('ts-jest/dist/types').InitialOptionsTsJest} */ /** @type {import('ts-jest/dist/types').InitialOptionsTsJest} */
module.exports = { export default {
preset: 'ts-jest', preset: 'ts-jest',
testEnvironment: 'node', testEnvironment: 'node',
}; };

878
package-lock.json generated



@ -37,8 +37,8 @@
"devDependencies": { "devDependencies": {
"@types/jest": "^27.5.2", "@types/jest": "^27.5.2",
"@types/node": "^16.9.0", "@types/node": "^16.9.0",
"@typescript-eslint/eslint-plugin": "^4.29.2", "@typescript-eslint/eslint-plugin": "^6.1.0",
"@typescript-eslint/parser": "^4.29.2", "@typescript-eslint/parser": "^6.1.0",
"@vercel/ncc": "^0.30.0", "@vercel/ncc": "^0.30.0",
"eslint": "^7.32.0", "eslint": "^7.32.0",
"eslint-config-google": "^0.14.0", "eslint-config-google": "^0.14.0",
@ -46,6 +46,7 @@
"jest-junit": ">=13.0.0", "jest-junit": ">=13.0.0",
"nock": "^13.3.0", "nock": "^13.3.0",
"ts-jest": "^29.0.3", "ts-jest": "^29.0.3",
"ts-node": "^10.9.1",
"typescript": "^4.3.5" "typescript": "^4.3.5"
} }
} }

20
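--- a/src/arc-runner.test.ts
+++ b/src/arc-runner.test.ts
+import { isArcRunner, sendAllowedEndpoints } from "./arc-runner";
+it("should correctly recognize arc based runner", async () => {
+process.env["GITHUB_ACTIONS_RUNNER_EXTRA_USER_AGENT"] =
+"actions-runner-controller/2.0.1";
+let isArc: boolean = await isArcRunner();
+expect(isArc).toBe(true);
+});
+it("should write endpoint files", ()=>{
+process.env["isTest"] = "1"
+let allowed_endpoints = ["github.com:443", "*.google.com:443", "youtube.com"].join(" ");
+sendAllowedEndpoints(allowed_endpoints);
+})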
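Review bot: The `should write endpoint files` test asserts nothing: it passes as long as `sendAllowedEndpoints` does not throw, so a regression that writes the wrong file names or skips `applyPolicy` would go unnoticed. Assert on the side effect, e.g. `expect(fs.existsSync("/tmp/step_policy_apply_3")).toBe(true);` and `expect(fs.readFileSync("/tmp/step_policy_endpoint_" + Buffer.from("github.com:443").toString("base64"), "utf8").trim()).toBe("github.com:443");`. Both tests also leak state into the process — `GITHUB_ACTIONS_RUNNER_EXTRA_USER_AGENT`, `isTest` and the `/tmp/step_policy_*` files are never removed — so add an `afterEach` that deletes the env vars and the marker files. `isArcRunner` is declared synchronous in src/arc-runner.ts, so the `await` on its result is unnecessary and the `async` can be dropped.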

52
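--- a/src/arc-runner.ts
+++ b/src/arc-runner.ts
+import * as cp from "child_process";
+import { sleep } from "./setup";
+export function isArcRunner(): boolean {
+const runnerUserAgent = process.env["GITHUB_ACTIONS_RUNNER_EXTRA_USER_AGENT"];
+if (!runnerUserAgent) {
+return false;
+}
+return runnerUserAgent.includes("actions-runner-controller/");
+}
+function getRunnerTempDir(): string {
+const isTest = process.env["isTest"];
+if (isTest === "1") {
+return "/tmp";
+}
+return process.env["RUNNER_TEMP"] || "/tmp";
+}
+export function sendAllowedEndpoints(endpoints: string): void {
+const allowedEndpoints = endpoints.split(" "); // endpoints are space separated
+for (const endpoint of allowedEndpoints) {
+if (endpoint) {
+const encodedEndpoint = Buffer.from(endpoint).toString("base64");
+cp.execSync(
+`echo "${endpoint}" > "${getRunnerTempDir()}/step_policy_endpoint_${encodedEndpoint}"`
+);
+}
+}
+if (allowedEndpoints.length > 0) {
+applyPolicy(allowedEndpoints.length);
+}
+}
+function applyPolicy(count: number): void {
+const fileName = `step_policy_apply_${count}`;
+cp.execSync(`echo "${fileName}" > "${getRunnerTempDir()}/${fileName}"`);
+}
+export function removeStepPolicyFiles() {
+cp.execSync(`rm ${getRunnerTempDir()}/step_policy_*`);
+}
+export function arcCleanUp() {
+cp.execSync(`echo "cleanup" > "${getRunnerTempDir()}/step_policy_cleanup"`);
+}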
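Review bot: `sendAllowedEndpoints`, `applyPolicy`, `removeStepPolicyFiles` and `arcCleanUp` all build a shell command line by interpolating the endpoint string and `RUNNER_TEMP` into `execSync`; inside double quotes the shell still expands `$`, backticks and `\`, so an `allowed-endpoints` entry or a temp path containing those characters is mangled or executed, and `removeStepPolicyFiles` passes `RUNNER_TEMP` unquoted in front of a glob. None of this needs a shell — write and delete the marker files with `fs` and `path` (standard library; add `import * as fs from "fs"` and `import * as path from "path"`), which also stops the removal from failing when no marker file exists. Two smaller issues in `sendAllowedEndpoints`: `endpoints.split(" ")` keeps empty strings for doubled or trailing spaces, so `applyPolicy` can receive a count larger than the number of endpoint files actually written; and standard base64 output can contain `/`, which would turn the marker name into a path — whether the ARC-side consumer expects this alphabet cannot be told from here, so confirm before switching to `base64url`. The `import { sleep } from "./setup"` is unused in this file.

```typescript
// … unchanged: isArcRunner, getRunnerTempDir …

export function sendAllowedEndpoints(endpoints: string): void {
  // endpoints are space separated; drop empties so the apply count matches the files written
  const allowedEndpoints = endpoints.split(" ").filter((e) => e.length > 0);
  const tempDir = getRunnerTempDir();
  for (const endpoint of allowedEndpoints) {
    const encodedEndpoint = Buffer.from(endpoint).toString("base64");
    // echo appended a newline; keep the file content identical for the consumer
    fs.writeFileSync(path.join(tempDir, `step_policy_endpoint_${encodedEndpoint}`), `${endpoint}\n`);
  }
  if (allowedEndpoints.length > 0) {
    applyPolicy(allowedEndpoints.length);
  }
}

function applyPolicy(count: number): void {
  const fileName = `step_policy_apply_${count}`;
  fs.writeFileSync(path.join(getRunnerTempDir(), fileName), `${fileName}\n`);
}

export function removeStepPolicyFiles(): void {
  const tempDir = getRunnerTempDir();
  for (const name of fs.readdirSync(tempDir)) {
    if (name.startsWith("step_policy_")) {
      fs.unlinkSync(path.join(tempDir, name));
    }
  }
}

export function arcCleanUp(): void {
  fs.writeFileSync(path.join(getRunnerTempDir(), "step_policy_cleanup"), "cleanup\n");
}
```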


@ -6,6 +6,7 @@ import isDocker from "is-docker";
import * as cache from "@actions/cache"; import * as cache from "@actions/cache";
import { cacheFile, cacheKey, isValidEvent } from "./cache"; import { cacheFile, cacheKey, isValidEvent } from "./cache";
import path from "path"; import path from "path";
import { arcCleanUp, isArcRunner, removeStepPolicyFiles } from "./arc-runner";
(async () => { (async () => {
if (process.platform !== "linux") { if (process.platform !== "linux") {
@ -17,6 +18,25 @@ import path from "path";
return; return;
} }
if (isValidEvent()) {
try {
const cacheResult = await cache.saveCache(
[path.join(__dirname, "cache.txt")],
cacheKey
);
console.log(cacheResult);
} catch (exception) {
console.log(exception);
}
}
if (isArcRunner()) {
console.log(`[!] ${common.ARC_RUNNER_MESSAGE}`);
arcCleanUp();
removeStepPolicyFiles();
return;
}
if ( if (
String(process.env.STATE_monitorStatusCode) === String(process.env.STATE_monitorStatusCode) ===
common.STATUS_HARDEN_RUNNER_UNAVAILABLE common.STATUS_HARDEN_RUNNER_UNAVAILABLE
@ -70,18 +90,6 @@ import path from "path";
console.log(journalLog); console.log(journalLog);
} }
if (isValidEvent()) {
try {
const cmd = "cp";
const args = [path.join(__dirname, "cache.txt"), cacheFile];
cp.execFileSync(cmd, args);
const cacheResult = await cache.saveCache([cacheFile], cacheKey);
console.log(cacheResult);
} catch (exception) {
console.log(exception);
}
}
try { try {
await common.addSummary(); await common.addSummary();
} catch (exception) { } catch (exception) {
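Review bot: `removeStepPolicyFiles()` is called immediately after `arcCleanUp()`, and its `rm ${tmp}/step_policy_*` glob also matches the `step_policy_cleanup` marker that `arcCleanUp` has just written, so the cleanup signal is deleted right after creation unless something consumes it synchronously in between. If the marker is meant to outlive this step, narrow the glob to the files this action created, e.g. `rm ${tmp}/step_policy_endpoint_* ${tmp}/step_policy_apply_*`, or swap the order of the two calls and document which component removes the marker. A short comment on the ARC branch stating who consumes these files and when would make the intended protocol reviewable. The enclosing async IIFE starts and ends outside the hunk.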


@ -72,13 +72,15 @@ export async function addSummary() {
if (needsSubscription) { if (needsSubscription) {
await core.summary await core.summary
.addSeparator() .addSeparator()
.addRaw(`<h2>❌ GitHub Actions Runtime Security is disabled</h2>`); .addRaw(
`<h2>⚠️ Your GitHub Actions Runtime Security is currently disabled!</h2>`
);
await core.summary await core.summary
.addRaw( .addRaw(
` `
<p>You are seeing this markdown since this workflow uses the <a href="https://github.com/step-security/harden-runner">Harden-Runner GitHub Action</a> by StepSecurity in a private repository, but your organization has not signed up for a free trial or a paid subscription.</p> <p>It appears that you're using the <a href="https://github.com/step-security/harden-runner">Harden-Runner GitHub Action</a> by StepSecurity within a private repository. However, runtime security is not enabled as your organization hasn't signed up for a free trial or a paid subscription yet.</p>
<p>To start a free trial, install the <a href="https://github.com/apps/stepsecurity-actions-security">StepSecurity Actions Security GitHub App</a> or reach out to us via our <a href="https://www.stepsecurity.io/contact">contact form.</a></p> <p>To enable runtime security, start a free trial today by installing the <a href="https://github.com/apps/stepsecurity-actions-security">StepSecurity Actions Security GitHub App</a>. For more information or assistance, feel free to reach out to us through our <a href="https://www.stepsecurity.io/contact">contact form</a>.</p>
` `
) )
.addSeparator() .addSeparator()
@ -99,14 +101,9 @@ export async function addSummary() {
return; return;
} }
let insightsRow = `<tr> const insightsRow = `<h4><a href="${insights_url}">View Full Runtime Security Report & Recommended Policy</a></h4>`;
<td colspan="3" align="center"><a href="${insights_url}">🛡 Check out the full report and recommended policy at StepSecurity</a></td>
</tr>`;
await core.summary.addSeparator().addRaw( await core.summary.addSeparator().addRaw(`<h2>StepSecurity Report</h2>`);
`<h2><a href="${insights_url}">StepSecurity Report</a></h2>
<h3>GitHub Actions Runtime Security</h3>`
);
tableEntries.sort((a, b) => { tableEntries.sort((a, b) => {
if (a.status === "❌ Blocked" && b.status !== "❌ Blocked") { if (a.status === "❌ Blocked" && b.status !== "❌ Blocked") {
@ -121,12 +118,13 @@ export async function addSummary() {
tableEntries = tableEntries.slice(0, 3); tableEntries = tableEntries.slice(0, 3);
await core.summary.addRaw(` await core.summary.addRaw(`
<p>Preview of the network events that occurred on the GitHub-hosted runner during this workflow run.</p>
<h3>🌐 Network Events</h3> <h3>🌐 Network Events</h3>
<table> <table>
<thead> <thead>
<tr> <tr>
<th>Process</th> <th>Process</th>
<th>Endpoint</th> <th>Destination</th>
<th>Status</th> <th>Status</th>
</tr> </tr>
</thead> </thead>
@ -145,16 +143,14 @@ export async function addSummary() {
<td>...</td> <td>...</td>
<td>...</td> <td>...</td>
</tr> </tr>
${insightsRow}
</tbody> </tbody>
</table> </table>
${insightsRow}
`); `);
await core.summary await core.summary
.addSeparator()
.addRaw( .addRaw(
`<blockquote>You are seeing this markdown since this workflow uses the <a href="https://github.com/step-security/harden-runner">Harden-Runner GitHub Action</a>. `<p>Markdown generated by the <a href="https://github.com/step-security/harden-runner">Harden-Runner GitHub Action</a></p>`
Harden-Runner is a security agent for GitHub-hosted runners to block egress traffic & detect code overwrite to prevent breaches.</blockquote>`
) )
.addSeparator() .addSeparator()
.write(); .write();
@ -170,3 +166,6 @@ export const UBUNTU_MESSAGE =
export const HARDEN_RUNNER_UNAVAILABLE_MESSAGE = export const HARDEN_RUNNER_UNAVAILABLE_MESSAGE =
"Sorry, we are currently experiencing issues with the Harden Runner installation process. It is currently unavailable."; "Sorry, we are currently experiencing issues with the Harden Runner installation process. It is currently unavailable.";
export const ARC_RUNNER_MESSAGE =
"Workflow is currently being executed in ARC based runner";
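Review bot: `insights_url` is interpolated unescaped into the `href` attribute of the new `insightsRow` line, and its construction is outside this hunk; if any part of it is derived from repository or job metadata, a `"` or `>` in that value would break out of the attribute in the job summary. If the value is built only from the action's own base URL and a generated correlation id this is moot, but a one-line comment at its definition stating that, or `encodeURI(insights_url)` at this use, would make the assumption visible. `addSummary` starts and ends outside the hunk.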


@ -20,8 +20,9 @@ import {
import { Configuration, PolicyResponse } from "./interfaces"; import { Configuration, PolicyResponse } from "./interfaces";
import { fetchPolicy, mergeConfigs } from "./policy-utils"; import { fetchPolicy, mergeConfigs } from "./policy-utils";
import {getCacheEntry} from "@actions/cache/lib/internal/cacheHttpClient" import { getCacheEntry } from "@actions/cache/lib/internal/cacheHttpClient";
import * as utils from '@actions/cache/lib/internal/cacheUtils' import * as utils from "@actions/cache/lib/internal/cacheUtils";
import { isArcRunner, sendAllowedEndpoints } from "./arc-runner";
(async () => { (async () => {
try { try {
@ -57,7 +58,7 @@ import * as utils from '@actions/cache/lib/internal/cacheUtils'
if (policyName !== "") { if (policyName !== "") {
console.log(`Fetching policy from API with name: ${policyName}`); console.log(`Fetching policy from API with name: ${policyName}`);
try { try {
let idToken: string = await core.getIDToken() let idToken: string = await core.getIDToken();
let result: PolicyResponse = await fetchPolicy( let result: PolicyResponse = await fetchPolicy(
context.repo.owner, context.repo.owner,
policyName, policyName,
@ -92,6 +93,47 @@ import * as utils from '@actions/cache/lib/internal/cacheUtils'
core.setFailed("disable-telemetry must be a boolean value"); core.setFailed("disable-telemetry must be a boolean value");
} }
if (isValidEvent()) {
try {
let compressionMethod: CompressionMethod =
await utils.getCompressionMethod();
let cacheFilePath = path.join(__dirname, "cache.txt");
cacheFilePath = cacheFilePath.replace("/pre/", "/post/");
core.info(`cacheFilePath ${cacheFilePath}`);
const cacheEntry: ArtifactCacheEntry = await getCacheEntry(
[cacheKey],
[cacheFilePath],
{
compressionMethod: compressionMethod,
}
);
const url = new URL(cacheEntry.archiveLocation);
core.info(`Adding cacheHost: ${url.hostname}:443 to allowed-endpoints`);
confg.allowed_endpoints += ` ${url.hostname}:443`;
} catch (exception) {
// some exception has occurred.
core.info(`Unable to fetch cacheURL`);
if (confg.egress_policy === "block") {
core.info("Switching egress-policy to audit mode");
confg.egress_policy = "audit";
}
}
}
if (!confg.disable_telemetry || confg.egress_policy === "audit") {
common.printInfo(web_url);
}
if (isArcRunner()) {
console.log(`[!] ${common.ARC_RUNNER_MESSAGE}`);
if (confg.egress_policy === "block") {
sendAllowedEndpoints(confg.allowed_endpoints);
await sleep(10000);
}
return;
}
let _http = new httpm.HttpClient(); let _http = new httpm.HttpClient();
let statusCode; let statusCode;
_http.requestOptions = { socketTimeout: 3 * 1000 }; _http.requestOptions = { socketTimeout: 3 * 1000 };
@ -112,31 +154,11 @@ import * as utils from '@actions/cache/lib/internal/cacheUtils'
} }
console.log(`Step Security Job Correlation ID: ${correlation_id}`); console.log(`Step Security Job Correlation ID: ${correlation_id}`);
if (String(statusCode) === common.STATUS_HARDEN_RUNNER_UNAVAILABLE) { if (String(statusCode) === common.STATUS_HARDEN_RUNNER_UNAVAILABLE) {
console.log(common.HARDEN_RUNNER_UNAVAILABLE_MESSAGE); console.log(common.HARDEN_RUNNER_UNAVAILABLE_MESSAGE);
return; return;
} }
if (isValidEvent()) {
try {
let compressionMethod:CompressionMethod = await utils.getCompressionMethod()
const cacheEntry:ArtifactCacheEntry = await getCacheEntry([cacheKey], [cacheFile], {
compressionMethod: compressionMethod,
});
const url = new URL(cacheEntry.archiveLocation);
core.info(`Adding cacheHost: ${url.hostname}:443 to allowed-endpoints`);
confg.allowed_endpoints += ` ${url.hostname}:443`;
} catch (exception) {
// some exception has occurred.
core.info(`Unable to fetch cacheURL`);
if (confg.egress_policy === "block") {
core.info("Switching egress-policy to audit mode");
confg.egress_policy = "audit";
}
}
}
const confgStr = JSON.stringify(confg); const confgStr = JSON.stringify(confg);
cp.execSync("sudo mkdir -p /home/agent"); cp.execSync("sudo mkdir -p /home/agent");
cp.execSync("sudo chown -R $USER /home/agent"); cp.execSync("sudo chown -R $USER /home/agent");
@ -154,10 +176,6 @@ import * as utils from '@actions/cache/lib/internal/cacheUtils'
verifyChecksum(downloadPath); // NOTE: verifying agent's checksum, before extracting verifyChecksum(downloadPath); // NOTE: verifying agent's checksum, before extracting
const extractPath = await tc.extractTar(downloadPath); const extractPath = await tc.extractTar(downloadPath);
if (!confg.disable_telemetry || confg.egress_policy === "audit") {
common.printInfo(web_url);
}
let cmd = "cp", let cmd = "cp",
args = [path.join(extractPath, "agent"), "/home/agent/agent"]; args = [path.join(extractPath, "agent"), "/home/agent/agent"];
cp.execFileSync(cmd, args); cp.execFileSync(cmd, args);
@ -204,7 +222,7 @@ import * as utils from '@actions/cache/lib/internal/cacheUtils'
} }
})(); })();
function sleep(ms) { export function sleep(ms) {
return new Promise((resolve) => { return new Promise((resolve) => {
setTimeout(resolve, ms); setTimeout(resolve, ms);
}); });
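Review bot: The ARC branch fails open: after `sendAllowedEndpoints(confg.allowed_endpoints)` it only waits a fixed `await sleep(10000)` and returns, with no check that the policy was picked up, so if the sidecar is absent or slow the job continues in block mode with no egress restriction and nothing in the log says so. At minimum emit `core.warning("ARC runner: allowed-endpoints handed to the runner sidecar; enforcement is not verified by this action")`, or poll for an acknowledgement file with a bounded timeout instead of a fixed sleep. Separately, `cacheFilePath.replace("/pre/", "/post/")` rewrites the first `/pre/` anywhere in `__dirname`, not only the action's own directory; if `pre/` and `post/` are siblings under the bundle root, `path.join(path.dirname(__dirname), "post", "cache.txt")` states that intent directly. The enclosing async IIFE starts outside the hunk.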