3 KiB
Security monitoring for the GitHub-hosted runner
If you have a self-hosted build server (e.g. Cloud VM), you may have security monitoring implemented on it. When you use GitHub Actions hosted-runner, you can use harden-runner to add security controls and monitoring to the build server (Ubuntu VM) on which GitHub Actions runs your workflows.
Prevent DNS exfiltration and exfiltration of credentials
First-of-its-kind patent-pending technology that automatically correlates outbound traffic with each step of a workflow.
-
Add
step-security/harden-runnerto your GitHub Actions workflow file as the first step.steps: - uses: step-security/harden-runner@14dc64f30986eaa2ad2dddcec073f5aab18e5a24 # v1 with: egress-policy: audit -
In the workflow logs, you will see a link to security insights and recommendations.
-
Click on the link (example link). You will see outbound traffic made by each step.
-
Add the recommended outbound endpoints to your workflow file, and only traffic to these endpoints will be allowed.
steps: - uses: step-security/harden-runner@14dc64f30986eaa2ad2dddcec073f5aab18e5a24 # v1 with: egress-policy: block allowed-endpoints: api.github.com:443 github.com:443 pypi.org:443
Try it out
Hands-on tutorials to learn how harden-runner prevents software supply chain attacks.
Workflows using harden-runner
Workflows using harden-runner:
- https://github.com/nvm-sh/nvm/tree/master/.github/workflows
- https://github.com/microsoft/msquic/tree/main/.github/workflows
- https://github.com/dassana-io/dassana/blob/main/.github/workflows/publish-ut-coverage.yaml
- https://github.com/MTRNord/matrix-art/tree/main/.github/workflows
- https://github.com/jauderho/dockerfiles/blob/main/.github/workflows/linter.yml
- https://github.com/myrotvorets/opentelemetry-plugin-knex/blob/master/.github/workflows/package-audit.yml
Support for private repositories
harden-runner does not work for and show insights for private repositories as of now. Support will be added in the future.