step-security/harden-runner
1
0
Fork 0
mirror of https://github.com/step-security/harden-runner.git synced 2026-06-07 00:17:05 +00:00
Code Issues Projects Releases Packages Wiki Activity
harden-runner/README.md
Varun Sharma a71e2d1dd2
 Update README.md
2022-01-18 18:33:38 -08:00

2.3 KiB
Raw Blame History

Step Security Logo

Security monitoring for the GitHub-hosted runner

If you have a self-hosted build server (e.g. Cloud VM), you may have security monitoring implemented on it. When you use GitHub Actions hosted-runner, you can use harden-runner to add security controls and monitoring to the build server (Ubuntu VM) on which GitHub Actions runs your workflows.

Prevent DNS exfiltration and exfiltration of credentials

First-of-its-kind patent-pending technology that automatically correlates outbound traffic with each step of a workflow.

  1. Add step-security/harden-runner@v1 to your GitHub Actions workflow file as the first step.

    steps:
  - uses: step-security/harden-runner@v1
      with:
        egress-policy: audit
  - uses: actions/checkout@v2

  2. In the workflow logs, you will see a link to security insights and recommendations.

Link in build log

  1. Click on the link (example link). You will see outbound traffic made by each step.

Insights from harden-runner

Policy recommended by harden-runner

  1. Add the recommended outbound endpoints to your workflow file, and only traffic to these endpoints will be allowed.

     steps:
   - uses: step-security/harden-runner@v1
     with:
       allowed-endpoints:
         github.com:443
         nodejs.org:443
         registry.npmjs.org:443
   - uses: actions/checkout@v2

Workflows using harden-runner

  1. https://github.com/nvm-sh/nvm/tree/master/.github/workflows
  2. https://github.com/shivammathur/setup-php/blob/master/.github/workflows/node-release.yml
  3. https://github.com/dassana-io/dassana/blob/main/.github/workflows/publish-ut-coverage.yaml

Try it out

Hands-on tutorials to learn how harden-runner prevents software supply chain attacks.