-
-
Notifications
You must be signed in to change notification settings - Fork 8k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
[actions] add step security runner #2659
Conversation
.github/workflows/lint.yml
Outdated
allowed-endpoints: | ||
agent.api.stepsecurity.io:443 | ||
github.com:443 | ||
nodejs.org:443 | ||
registry.npmjs.org:443 |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
is there any way an individual step could be annotated rather than broadly allowing every step to access these endpoints?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Hi @ljharb , individual steps are annotated in the web UI/ API (thanks for that idea BTW) and I can detect and alert that a step has called an endpoint it was not supposed to, but technically I cannot stop it from doing so. Configuring the firewall per step would be hard. Let me know if it would be better to just detect and alert at a step level v.s. restricting at a job level.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
What if i use the runner multiple times, and each time, I define a brand new set of allowed endpoints, that only apply to further steps?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Thats an interesting idea. I can experiment with it. It might lead to lot of steps that call harden-runner
which may make the workflow file look cluttered. It would be ideal if this could be done without the additional steps. Let me think about it.
with: | ||
allowed-endpoints: | ||
agent.api.stepsecurity.io:443 | ||
github.com:443 |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
for example, the actions/checkout
action both always should be able to access github.com, and also, is the only part of the action that needs to
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Yes, I understand what you are saying, and that would be ideal. I wrote about this in the comment above.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
**
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This looks good; linking it to main
means you can't ever make breaking changes; should it be pointed to a branch or tag?
Any update about per-step allowances?
Pointed it to the latest tag. No update on per-step restriction. Will take more time to address it... |
Hi @ljharb made few updates to the PR.
|
9685ee8
to
399600a
Compare
399600a
to
e609a39
Compare
Could we add this to all the other workflows as well? |
Hi @ljharb would love to add to other workflows. That is also a great opportunity to pilot the automation to add it to workflows. Secure workflows is an open source API to make it easy to add To create PRs via automation, I could write a GitHub App or an OAuth App (or both). I believe that in an OAuth App the access is granted to all repos for a given user. So, I think GitHub App would be preferred for this scenario. Would you be ok to pilot a GitHub app for this? It would need write access to code, workflows, and PRs. It will be open source (part of secure workflows). Please let me know. Thanks! |
I'm a bit confused; can't the PR here just start out setting allowed endpoints to "nothing", and then it would fail, and i could update the list to get the PR to pass? |
I added |
I'm not sure either, don't worry about it tho. |
Hi @ljharb based on the outbound traffic in |
Let's both remove it and set HOMEBREW_NO_ANALYTICS=1 in the env. |
Done |
23691c8
to
4aa8f97
Compare
4aa8f97
to
6cc90a4
Compare
ha, i couldn't figure out why the dockerfile_lint job was failing, but turns out it's the harden runner doing its job: https://github.com/nvm-sh/nvm/compare/4aa8f97c9d9a9df72ab7845e859184c7c932d6d6..6cc90a4b8daa44ad3050828c2bf98fa77a16bf90 |
@varunsh-coder this is another reason why a separate PR status would be super helpful, because then it would be very obvious when a workflow had requests blocked by the harden runner. |
I will work on this. Will also show in annotation in the workflow when a request is blocked. Don't know how I missed those endpoints in the |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
with: | ||
allowed-endpoints: | ||
agent.api.stepsecurity.io:443 | ||
github.com:443 |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
**
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Duplicate of #
Duplicate of #
with: | ||
allowed-endpoints: | ||
iojs.org:443 | ||
nodejs.org:443 |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
.github/workflows/toc.yml
This PR adds the
step-security/harden-runner
GitHub Action to the lint.yml workflow to restrict outbound calls. This is a new GitHub Action that provides runtime security for GitHub hosted runner. As of now, it can be used to set allowed outbound traffic for workflow runs to prevent credential exfiltration. You can see the results of running this on a fork here.@ljharb would love to pilot
step-security/harden-runner
on this workflow to get feedback and improve the experience. Do let me know if you have any questions. Thanks!