Security monitoring for the GitHub-hosted runner
If you have a self-hosted build server (e.g. a cloud VM), you may already have security monitoring on it. When you use GitHub-hosted runners, you can use harden-runner to add security controls and monitoring to the build server (an Ubuntu VM) on which GitHub Actions runs your workflows.
Prevent DNS exfiltration and exfiltration of credentials
First-of-its-kind patent-pending technology that automatically correlates outbound traffic with each step of a workflow.
1. Add `step-security/harden-runner@v1` to your GitHub Actions workflow file as the first step.

```yaml
steps:
  - uses: step-security/harden-runner@v1
    with:
      egress-policy: audit
  - uses: actions/checkout@v2
```

2. In the workflow logs, you will see a link to security insights and recommendations.

3. Click on the link (example link). You will see the outbound traffic made by each step.

4. Add the recommended outbound endpoints to your workflow file, and only traffic to these endpoints will be allowed.

```yaml
steps:
  - uses: step-security/harden-runner@v1
    with:
      allowed-endpoints: >
        github.com:443
        nodejs.org:443
        registry.npmjs.org:443
  - uses: actions/checkout@v2
```
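To make concrete what the four steps above do, here is an added example (not harden-runner's own code, which runs inside the runner VM and collects the traffic itself): it correlates constructed outbound-connection records with the workflow step that made them, renders the result as an `allowed-endpoints` value, and shows what an enforcing policy does with a destination that was never allowlisted. The event records, the step names, and the `block` mode name used for the enforcing policy are assumptions for illustration.

```python
from collections import defaultdict

# Constructed audit records, one per outbound connection, tagged with the
# workflow step that made it (assumed names, not real harden-runner output).
AUDIT_EVENTS = [
    {"step": "actions/checkout@v2", "host": "github.com", "port": 443},
    {"step": "actions/setup-node@v2", "host": "nodejs.org", "port": 443},
    {"step": "npm ci", "host": "registry.npmjs.org", "port": 443},
    {"step": "npm ci", "host": "registry.npmjs.org", "port": 443},
    # A dependency's postinstall script calling out to an unexpected host:
    # exactly the traffic an egress allowlist is meant to stop.
    {"step": "npm ci", "host": "telemetry.example.net", "port": 443},
]

# The value from step 4 above, as it would appear under `allowed-endpoints`.
ALLOWED_ENDPOINTS_INPUT = """
github.com:443
nodejs.org:443
registry.npmjs.org:443
"""


def endpoint(event):
    """Render a connection record as host:port, the allowlist's unit."""
    return f"{event['host']}:{event['port']}"


def traffic_by_step(events):
    """Correlate outbound endpoints with the step that produced them.

    This is the per-step view the insights page in step 3 shows; it is what
    lets you tell a checkout's call to github.com from a build script's.
    """
    seen = defaultdict(set)
    for event in events:
        seen[event["step"]].add(endpoint(event))
    return {step: sorted(eps) for step, eps in seen.items()}


def parse_allowed_endpoints(text):
    """Parse a whitespace-separated allowed-endpoints value into a set."""
    return set(text.split())


def decide(ep, allowed, egress_policy):
    """Outcome for one connection under a policy.

    'audit' mirrors `egress-policy: audit`: nothing is blocked, the endpoint
    is only recorded. The enforcing mode is called 'block' here as an
    assumption; only allowlisted endpoints get through.
    """
    if ep in allowed:
        return "allow"
    return "audit" if egress_policy == "audit" else "block"


def evaluate(events, allowed, egress_policy):
    """Return [(step, endpoint, decision)] for every distinct (step, endpoint)."""
    results, seen = [], set()
    for event in events:
        key = (event["step"], endpoint(event))
        if key in seen:
            continue
        seen.add(key)
        results.append((*key, decide(key[1], allowed, egress_policy)))
    return results


def blocked(events, allowed):
    """Endpoints the enforcing policy would deny. Review each one before
    adding it to allowed-endpoints rather than allowlisting it blindly."""
    return [(s, e) for s, e, d in evaluate(events, allowed, "block") if d == "block"]


def to_allowed_endpoints(endpoints):
    """Render a set of endpoints in the folded-scalar form used in step 4."""
    return "allowed-endpoints: >\n" + "".join(f"  {e}\n" for e in sorted(endpoints))


if __name__ == "__main__":
    allowed = parse_allowed_endpoints(ALLOWED_ENDPOINTS_INPUT)
    for step, eps in traffic_by_step(AUDIT_EVENTS).items():
        print(f"{step}: {', '.join(eps)}")
    for step, ep in blocked(AUDIT_EVENTS, allowed):
        print(f"would block {ep} (made by step '{step}')")
    print(to_allowed_endpoints(allowed))
```

The point of running audit mode first is visible in `blocked`: the postinstall call to `telemetry.example.net:443` shows up attributed to the `npm ci` step, so you can decide whether it belongs in the allowlist instead of discovering it as a failed build after switching to enforcement.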
Workflows using harden-runner
- https://github.com/nvm-sh/nvm/tree/master/.github/workflows
- https://github.com/shivammathur/setup-php/blob/master/.github/workflows/node-release.yml
- https://github.com/dassana-io/dassana/blob/main/.github/workflows/publish-ut-coverage.yaml
Try it out
Hands-on tutorials to learn how harden-runner prevents software supply chain attacks.