Make it configurable, if mode is block, to not send telemetry to API #89

Closed
2 tasks done
varunsh-coder opened this issue Feb 7, 2022 · 3 comments · Fixed by #98

Comments

@varunsh-coder
Member

varunsh-coder commented Feb 7, 2022

When user sets this mode, e.g.

```yaml
- name: Harden Runner
  uses: step-security/harden-runner@rc
  with:
    egress-policy: block
    disable-telemetry: true
    allowed-endpoints:
      github.com:443
```

agent should not make calls to agent.api.stepsecurity.io.
Other allowed-endpoints can still be called.

  • Do not show link - clarify that insights will not be generated
  • Add this attribute to the config
varunsh-coder changed the title from "Make it configurable, if mode is block, to not send any insights to API" to "Make it configurable, if mode is block, to not send telemetry to API" on Feb 10, 2022
@varunsh-coder
Member Author

Updated the setting to disable-telemetry instead of send-insights. It should be false by default. It should only take effect if egress-policy is block.
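
The behaviour requested in this issue, as an added example that is not part of the thread and is not harden-runner's own code: one way the three inputs could be interpreted. The function names, the whitespace-separated parsing of allowed-endpoints and the `settingIgnored` flag are assumptions made for illustration.

```javascript
// Added example; not harden-runner's code. Models the semantics described in this issue.
const TELEMETRY_HOST = "agent.api.stepsecurity.io"; // host named in the issue

// Parse allowed-endpoints: whitespace-separated "host:port" entries (assumed format).
function parseAllowedEndpoints(raw) {
  return String(raw || "").split(/\s+/).filter(Boolean).map((entry) => {
    const i = entry.lastIndexOf(":");
    const port = Number(entry.slice(i + 1));
    if (i <= 0 || !Number.isInteger(port) || port < 1 || port > 65535) {
      throw new Error(`allowed-endpoints entry must be host:port, got "${entry}"`);
    }
    return { host: entry.slice(0, i).toLowerCase(), port };
  });
}

// Action inputs arrive as strings, so "true" is compared as text.
function resolveConfig(inputs) {
  const blocking = inputs["egress-policy"] === "block";
  const requested =
    String(inputs["disable-telemetry"] ?? "false").trim().toLowerCase() === "true";
  return {
    blocking,
    telemetryDisabled: blocking && requested, // only takes effect in block mode
    settingIgnored: requested && !blocking,   // hypothetical flag: worth a build-log warning
    allowed: parseAllowedEndpoints(inputs["allowed-endpoints"]),
  };
}

// May the agent itself call the telemetry API?
function agentMayCall(cfg, host) {
  return !(cfg.telemetryDisabled && host.toLowerCase() === TELEMETRY_HOST);
}

// May a job step reach host:port? Outside block mode nothing is denied.
function egressAllowed(cfg, host, port) {
  if (!cfg.blocking) return true;
  return cfg.allowed.some((e) => e.host === host.toLowerCase() && e.port === port);
}

// Constructed sample mirroring the workflow snippet in the issue.
const sample = resolveConfig({
  "egress-policy": "block",
  "disable-telemetry": "true",
  "allowed-endpoints": "github.com:443",
});
console.log("agent may call telemetry API:", agentMayCall(sample, TELEMETRY_HOST));
console.log("github.com:443 allowed:", egressAllowed(sample, "github.com", 443));
```
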

@varunsh-coder
Member Author

Hi @wallies, we are making good progress on this issue. Request you to please review the description to ensure it is what you were looking for. Do let us know if you have feedback on the name of the setting. As of now we are going with disable-telemetry.

Also, there are advantages to correlating the telemetry with the build log even in block mode. If an unexpected outbound call is made, it can be correlated with the exact step that made the call. In block mode, information about the blocked call is anyway written to the build log. So harden-runner-app can read info from the build log (instead of from telemetry) and correlate it. So, you will be able to see what process made the unexpected call, and in what step it was made. Do you see any concern with this approach - harden-runner-app reading info about the blocked call from the build log to generate insights when disable-telemetry is set to true?

@wallies

wallies commented Feb 10, 2022

> Hi @wallies, we are making good progress on this issue. Request you to please review the description to ensure it is what you were looking for. Do let us know if you have feedback on the name of the setting. As of now we are going with disable-telemetry.
>
> Also, there are advantages to correlating the telemetry with the build log even in block mode. If an unexpected outbound call is made, it can be correlated with the exact step that made the call. In block mode, information about the blocked call is anyway written to the build log. So harden-runner-app can read info from the build log (instead of from telemetry) and correlate it. So, you will be able to see what process made the unexpected call, and in what step it was made. Do you see any concern with this approach - harden-runner-app reading info about the blocked call from the build log to generate insights when disable-telemetry is set to true?

@varunsh-coder this all looks good so far
