step-security/harden-runner
1
0
Fork 0
mirror of https://github.com/step-security/harden-runner.git synced 2026-06-07 13:47:16 +00:00
Code Issues Projects Releases Packages Wiki Activity
harden-runner/README.md
Varun Sharma 5121d63034
 Update README.md
2021-12-28 16:31:24 -08:00

2 KiB
Raw Blame History

Step Security Logo

Runtime Security for GitHub Actions

Harden the Ubuntu VM on which GitHub Actions runs your workflows.

Prevent DNS exfiltration and exfiltration of credentials

First-of-its-kind patent-pending technology that automatically correlates outbound traffic with each step of a workflow.

  1. Add step-security/harden-runner@v1 to your GitHub Actions workflow file as the first step.

    steps:
  - uses: step-security/harden-runner@v1
      with:
        egress-policy: audit
  - uses: actions/checkout@v2

  2. In the workflow logs, you will see a link to security insights and recommendations.

Link in build log

  1. Click on the link (example link). You will see outbound traffic made by each step.

Insights from harden-runner

Policy recommended by harden-runner

  1. Add the recommended outbound endpoints to your workflow file, and only traffic to these endpoints will be allowed.

     steps:
   - uses: step-security/harden-runner@v1
     with:
       allowed-endpoints:
         github.com:443
         nodejs.org:443
         registry.npmjs.org:443
   - uses: actions/checkout@v2

Workflows using harden-runner

  1. https://github.com/nvm-sh/nvm/tree/master/.github/workflows
  2. https://github.com/shivammathur/setup-php/blob/master/.github/workflows/node-release.yml

Try it out

Hands-on tutorials to learn how harden-runner prevents software supply chain attacks.