step-security/harden-runner
1
0
Fork 0
mirror of https://github.com/step-security/harden-runner.git synced 2026-06-05 19:53:33 +00:00
Code Issues Projects Releases Packages Wiki Activity
Pull-mirror of github.com/step-security/harden-runner
120 commits 87 branches 69 tags 56 MiB
  • TypeScript 100%
Find a file
h0x0er aaee24b534 updated some dependencies
2022-01-31 13:25:16 +05:30
.github Merge pull request #81 from jauderho/patch-2 2022-01-30 09:29:38 -08:00
dist Update agent version 2022-01-11 17:01:36 -08:00
src Update agent version 2022-01-11 17:01:36 -08:00
.gitignore updated some dependencies 2022-01-31 13:25:16 +05:30
action.yml Add egress policy input 2021-12-06 12:17:08 -08:00
LICENSE Initial commit 2021-10-28 09:58:47 -07:00
package-lock.json updated some dependencies 2022-01-31 13:25:16 +05:30
package.json updated some dependencies 2022-01-31 13:25:16 +05:30
README.md Update README.md 2022-01-27 18:19:09 -08:00
SECURITY.md Create SECURITY.md 2021-11-19 13:19:40 -08:00
tsconfig.json Add code for GH action 2021-10-28 10:16:48 -07:00

README.md

Step Security Logo

Security monitoring for the GitHub-hosted runner

Slack

If you have a self-hosted build server (e.g. Cloud VM), you may have security monitoring implemented on it. When you use GitHub Actions hosted-runner, you can use harden-runner to add security controls and monitoring to the build server (Ubuntu VM) on which GitHub Actions runs your workflows. Unlike traditional monitoring for Cloud VMs, harden-runner insights and policy are granular per job of a workflow.

Prevent DNS exfiltration and exfiltration of credentials

First-of-its-kind patent-pending technology that automatically correlates outbound traffic with each step of a workflow.

  1. Add step-security/harden-runner to your GitHub Actions workflow file as the first step.

    steps:
  - uses: step-security/harden-runner@14dc64f30986eaa2ad2dddcec073f5aab18e5a24 # v1
    with:
      egress-policy: audit

  2. In the workflow logs, you will see a link to security insights and recommendations.

    Link in build log

  3. Click on the link (example link). You will see outbound traffic made by each step.

    Insights from harden-runner

    Policy recommended by harden-runner

  4. Add the recommended outbound endpoints to your workflow file, and only traffic to these endpoints will be allowed.

     steps:
   - uses: step-security/harden-runner@14dc64f30986eaa2ad2dddcec073f5aab18e5a24 # v1
     with:
       egress-policy: block
       allowed-endpoints: 
         api.github.com:443
         github.com:443
         pypi.org:443

Try it out

Hands-on tutorials to learn how harden-runner would have prevented past software supply chain attacks, such as the Codecov breach.

Workflows using harden-runner

Workflows using harden-runner:

  1. https://github.com/nvm-sh/nvm/tree/master/.github/workflows (link to insights)
  2. https://github.com/microsoft/msquic/tree/main/.github/workflows (link to insights)
  3. https://github.com/Automattic/vip-go-mu-plugins/blob/master/.github/workflows/e2e.yml (link to insights)
  4. https://github.com/MTRNord/matrix-art/tree/main/.github/workflows (link to insights)
  5. https://github.com/jauderho/dockerfiles/blob/main/.github/workflows/age.yml (link to insights)

Discussions

If you have questions, please use discussions.

  1. Support for private repositories
  2. Generation of accurate SBOM (software bill of materials)