Software Supply Chain Security

This GitHub Action can be used to visualize process, file, and network activity from your GitHub Actions workflows in a web UI. It can also be used to restrict outbound traffic to allowed endpoints.

Problem

Hijacked dependencies and compromised build tools typically make outbound requests during the build process to exfiltrate data or credentials. This was the case in the Codecov breach, in the dependency confusion attacks, and the recent npm package hijacks.

Solution

First-of-its-kind patent-pending technology that automatically correlates outbound traffic with each step of a workflow.

1. Add step-security/harden-runner to your GitHub Actions workflow file as the first step.

   steps:
     - uses: step-security/harden-runner@bdb12b622a910dfdc99a31fdfe6f45a16bc287a4 # v1
       with:
         egress-policy: audit
   

2. In the workflow logs, you will see a link to security insights and recommendations.

   

3. Click on the link (example link). You will see outbound traffic made by each step.

   

4. Below the insights, you will see the recommended policy. Add the recommended outbound endpoints to your workflow file, and only traffic to these endpoints will be allowed.

   

When you use egress-policy: block mode, you can also set disable-telemetry: true to not send telemetry to the StepSecurity API.

How past attacks would have been prevented

Hands-on tutorials to learn how harden-runner would have prevented past software supply chain attacks.

Support for private repositories

Install the Harden Runner App if you want to use harden-runner for Private repositories. This App only needs actions: read permissions on your repositories. You can install it on selected repositories, or all repositories in your organization.

Discussions

If you have questions or ideas, please use discussions.

1. Support for private repositories
2. Generation of accurate SBOM (software bill of materials)
3. SLSA Level 1
4. Cryptographically verify tools run as part of the CI/ CD pipeline
5. Performance insights and recommendations

Testimonials

I think this is a great idea and for the threat model of build-time, an immediate network egress request monitoring makes a lot of sense - Liran Tal, GitHub Star, and Author of Essential Node.js Security

Harden-Runner strikes an elegant balance between ease-of-use, maintainability, and mitigation that I intend to apply to all of my 300+ npm packages. I look forward to the tool’s improvement over time - Jordan Harband, Open Source Maintainer

Harden runner from Step security is such a nice solution, it is another piece of the puzzle in helping treat the CI environment like production and solving supply chain security. I look forward to seeing it evolve. - Cam Parry, Senior Site Reliability Engineer, Kapiche

Workflows using harden-runner

Some important workflows using harden-runner:

	Repository	Link to insights
1.	nvm-sh/nvm	Link to insights
2.	yannickcr/eslint-plugin-react	Link to insights
3.	microsoft/msquic	Link to insights
4.	Automattic/vip-go-mu-plugins	Link to insights
5.	Kapiche/vue-segment-analytics	Link to insights

1-minute Demo Video

https://user-images.githubusercontent.com/25015917/156026587-79356450-9b35-4254-9c2e-7f2cc8d81059.mp4

FAQ

Why do I see calls to api.snapcraft.io?

During pilot, it was observed that unnecessary outbound calls were being made to some domains. All of the outbound calls were due to unnecessary services running on the GitHub Actions hosted-runner VM. These services have been stopped, except for snapd, which makes calls to api.snapcraft.io. You can read more about this issue here. api.snapcraft.io is not needed for your workflow, and does not need to be added to the allowed-endpoints list.