You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
[](https://stepsecurity.io/?utm_source=github&utm_medium=organic_oss&utm_campaign=harden-runner)
Harden-Runner GitHub Action installs a security agent on the GitHub-hosted runner (Ubuntu VM) to
13
19
14
20
1. Prevent exfiltration of credentials
15
-
2. Detect compromised dependencies and build tools
16
-
3. Detect tampering of source code during build
21
+
2. Detect tampering of source code during build
22
+
3. Detect compromised dependencies and build tools
23
+
17
24
18
25
<palign="left">
19
-
<img src="https://github.com/step-security/supply-chain-goat/blob/main/images/harden-runner/HardenRunnerGIFV.gif" alt="Demo using GIF" >
20
-
</p>
26
+
<imgsrc="images/main-screenshot1.png"alt="Policy recommended by harden-runner">
27
+
</p>
21
28
22
29
## Why
23
30
24
-
Compromised dependencies and build tools typically make outbound calls to exfiltrate data or credentials, or may tamper source code, dependencies, or artifacts during the build.
31
+
Compromised dependencies and build tools typically make outbound calls to exfiltrate credentials, or may tamper source code, dependencies, or artifacts during the build.
25
32
26
33
Harden-Runner GitHub Actions installs a daemon that monitors process, file, and network activity to:
| 1. | Block outbound calls that are not in the allowed list to prevent exfiltration of credentials | To prevent [Codecov breach](https://github.com/step-security/supply-chain-goat/blob/main/RestrictOutboundTraffic.md) scenario |
31
-
| 2. | Detect if source code is being overwritten during the build process to inject a backdoor | To detect [SolarWinds incident scenario](https://github.com/step-security/supply-chain-goat/blob/main/MonitorSourceCode.md)|
32
-
| 3. | Detect compromised dependencies that make unexpected outbound network calls | To detect [Dependency confusion](https://github.com/step-security/supply-chain-goat/blob/main/DNSExfiltration.md) and [Malicious dependencies](https://github.com/step-security/supply-chain-goat/blob/main/CompromisedDependency.md)|
37
+
| 1. | Block outbound calls that are not in the allowed list to prevent exfiltration of credentials | To prevent [Codecov breach](https://github.com/step-security/attack-simulator/blob/main/docs/RestrictOutboundTraffic.md) scenario |
38
+
| 2. | Detect if source code is being overwritten during the build process to inject a backdoor | To detect [SolarWinds incident scenario](https://github.com/step-security/attack-simulator/blob/main/docs/MonitorSourceCode.md)|
39
+
| 3. | Detect compromised dependencies that make unexpected outbound network calls | To detect [Dependency confusion](https://github.com/step-security/attack-simulator/blob/main/docs/DNSExfiltration.md) and [Malicious dependencies](https://github.com/step-security/attack-simulator/blob/main/docs/CompromisedDependency.md)|
33
40
34
41
Read this [case study](https://infosecwriteups.com/detecting-malware-packages-in-github-actions-7b93a9985635) on how Harden-Runner detected malicious packages in the NPM registry.
35
42
@@ -46,30 +53,71 @@ Read this [case study](https://infosecwriteups.com/detecting-malware-packages-in
46
53
47
54
2. In the workflow logs, you will see a link to security insights and recommendations.
48
55
49
-
<p align="left">
50
-
<img src="https://github.com/step-security/supply-chain-goat/blob/main/images/harden-runner/ActionLog.png" alt="Link in build log" >
51
-
</p>
56
+
<p align="left">
57
+
<img src="images/buildlog1.png" alt="Link in build log" >
58
+
</p>
52
59
53
-
3. Click on the link ([example link](https://app.stepsecurity.io/github/ossf/scorecard/actions/runs/2265028928)). You will see a process monitor view of what activities happened as part of each step.
60
+
3. Click on the link ([example link](https://app.stepsecurity.io/github/ossf/scorecard/actions/runs/2265028928)). You will see a process monitor view of file and network activities correlated with each step of the job.
54
61
55
-
<p align="left">
56
-
<img src="https://github.com/step-security/supply-chain-goat/blob/main/images/harden-runner/OutboundCalls2.png" alt="Insights from harden-runner" >
57
-
</p>
62
+
<p align="left">
63
+
<img src="images/insights2.png" alt="Insights from harden-runner" >
64
+
</p>
65
+
66
+
4. Below the insights, you will see the recommended policy. Update your workflow file with the recommended policy.
67
+
68
+
<p align="left">
69
+
<img src="images/rec-policy1.png" alt="Policy recommended by harden-runner" >
70
+
</p>
58
71
59
-
4. Below the insights, you will see the recommended policy. Add the recommended outbound endpoints to your workflow file, and only traffic to these endpoints will be allowed. When you use `egress-policy: block` mode, you can also set `disable-telemetry: true` to not send telemetry to the StepSecurity API.
72
+
## Features at a glance
73
+
74
+
For details, check out the documentation at https://docs.stepsecurity.io
75
+
76
+
### Restrict egress traffic to allowed endpoints
77
+
78
+
Once allowed endpoints are set in the workflow file,
79
+
80
+
- Harden-Runner blocks egress traffic at the DNS (Layer 7) and network layers (Layers 3 and 4).
81
+
- It blocks DNS exfiltration, where attacker tries to send data out using DNS resolution
82
+
- Blocks outbound traffic using IP tables
60
83
61
84
<p align="left">
62
-
<img src="https://github.com/step-security/supply-chain-goat/blob/main/images/harden-runner/RecomPolicy1.png" alt="Policy recommended by harden-runner" >
85
+
<img src="images/block-outbound-call.png" alt="Policy recommended by harden-runner" >
63
86
</p>
64
87
65
-
5. If outbound network call is made to an endpoint not in the allowed list or if source code is tampered, you will see an annotation in the workflow run.
88
+
### Detect tampering of source code during build
89
+
90
+
Harden-Runner monitors file writes and can detect if a file is overwritten.
91
+
92
+
- Source code overwrite is not expected in a release build
93
+
- All source code files are monitored, which means even changes to IaC files (Kubernetes manifest, Terraform) are detected
94
+
- You can enable notifications to get one-time alert when source code is overwritten
66
95
67
96
<p align="left">
68
-
<img src="https://github.com/step-security/supply-chain-goat/blob/main/images/harden-runner/SourceCodeOverwrite.png" alt="Policy recommended by harden-runner" >
97
+
<img src="images/fileoverwrite.png" alt="Policy recommended by harden-runner" >
69
98
</p>
70
99
100
+
### Run your job without sudo access
101
+
102
+
GitHub-hosted runner uses passwordless sudo for running jobs.
103
+
104
+
- This means compromised build tools or dependencies can install attack tools
105
+
- If your job does not need sudo access, you see a policy
106
+
recommendation to disable sudo in the insights page
107
+
- When you set `disable-sudo` to `true`, the job steps run without sudo access to the Ubuntu VM
108
+
109
+
### Get security alerts
110
+
111
+
Install the [Harden Runner App](https://github.com/marketplace/harden-runner-app) to get security alerts.
112
+
113
+
- Email and Slack notifications are supported
114
+
- Notifications are sent when outbound traffic is blocked or source code is overwritten
115
+
- Notifications are not repeated for the same alert for a given workflow
116
+
71
117
## Support for private repositories
72
118
119
+
Private repositories are supported if they have a commercial license. Check out the [documentation](https://docs.stepsecurity.io/harden-runner/installation/business-enterprise-license) for more details.
120
+
73
121
Install the [Harden Runner App](https://github.com/marketplace/harden-runner-app) to use Harden-Runner GitHub Action for `Private` repositories.
74
122
75
123
- If you use Harden-Runner GitHub Action in a private repository, the generated insights URL is NOT public.
@@ -90,8 +138,7 @@ If you have questions or ideas, please use [discussions](https://github.com/step
90
138
91
139
1. Harden-Runner GitHub Action only works for GitHub-hosted runners. Self-hosted runners are not supported.
92
140
2. Only Ubuntu VM is supported. Windows and MacOS GitHub-hosted runners are not supported. There is a discussion about that [here](https://github.com/step-security/harden-runner/discussions/121).
93
-
3. Detecting overwriting of source code only checks for a subset of file extensions right now. These files extensions are ".c", ".cpp", ".cs", ".go", ".java". We will be adding more extensions and options around detecting overwriting of source code in future releases.
94
-
4. Harden-Runner is not supported when [job is run in a container](https://docs.github.com/en/actions/using-jobs/running-jobs-in-a-container) as it needs sudo access on the Ubuntu VM to run. It can be used to monitor jobs that use containers to run steps. The limitation is if the entire job is run in a container. That is not common for GitHub Actions workflows, as most of them run directly on `ubuntu-latest`.
141
+
3. Harden-Runner is not supported when [job is run in a container](https://docs.github.com/en/actions/using-jobs/running-jobs-in-a-container) as it needs sudo access on the Ubuntu VM to run. It can be used to monitor jobs that use containers to run steps. The limitation is if the entire job is run in a container. That is not common for GitHub Actions workflows, as most of them run directly on `ubuntu-latest`.
95
142
96
143
## Testimonials
97
144
@@ -107,7 +154,7 @@ Some important workflows using harden-runner:
107
154
| |Repository |Link to insights|
108
155
|--|----------|----------------|
109
156
|1.|[nvm-sh/nvm](https://github.com/nvm-sh/nvm/blob/master/.github/workflows/lint.yml)|[Link to insights](https://app.stepsecurity.io/github/nvm-sh/nvm/actions/runs/1757959262)|
110
-
|2.|[yannickcr/eslint-plugin-react](https://github.com/yannickcr/eslint-plugin-react/blob/master/.github/workflows/release.yml)|[Link to insights](https://app.stepsecurity.io/github/yannickcr/eslint-plugin-react/actions/runs/1930818585)
157
+
|2.|[jsx-eslint/eslint-plugin-react](https://github.com/jsx-eslint/eslint-plugin-react/blob/master/.github/workflows/release.yml)|[Link to insights](https://app.stepsecurity.io/github/yannickcr/eslint-plugin-react/actions/runs/1930818585)
111
158
|3.|[microsoft/msquic](https://github.com/microsoft/msquic/blob/main/.github/workflows/docker-publish.yml)|[Link to insights](https://app.stepsecurity.io/github/microsoft/msquic/actions/runs/1759010243)
112
159
|4.|[ossf/scorecard](https://github.com/ossf/scorecard/blob/main/.github/workflows/codeql-analysis.yml)|[Link to insights](https://app.stepsecurity.io/github/ossf/scorecard/actions/runs/2006162141)
113
160
|5.|[Automattic/vip-go-mu-plugins](https://github.com/Automattic/vip-go-mu-plugins/blob/master/.github/workflows/e2e.yml)|[Link to insights](https://app.stepsecurity.io/github/Automattic/vip-go-mu-plugins/actions/runs/1758760957)
@@ -118,8 +165,4 @@ Harden-Runner GitHub Action downloads and installs the StepSecurity Agent.
118
165
119
166
- The code to monitor file, process, and network activity is in the Agent.
120
167
- The agent is written in Go and is open source at https://github.com/step-security/agent
121
-
- The agent's build is reproducible. You can view the steps to reproduce the build [here](http://app.stepsecurity.io/github/step-security/agent/releases/latest).
- The agent's build is reproducible. You can view the steps to reproduce the build [here](http://app.stepsecurity.io/github/step-security/agent/releases/latest)
0 commit comments