GitHub Action
Harden-Runner
Harden-Runner GitHub Action provides Runtime Security for GitHub-Hosted runners and self-hosted Actions Runner Controller (ARC) environments.
Microsoft Explore |
Google Explore |
DataDog Explore |
Intel Explore |
Kubernetes Explore |
Node.js Explore |
OpenPolicyAgent Explore |
Mastercard Explore |
Compromised workflows, dependencies, and build tools typically make outbound calls to exfiltrate credentials, or may tamper source code, dependencies, or artifacts during the build.
Harden-Runner GitHub Action monitors process, file, and network activity to:
Countermeasure | Prevent Security Breach | |
---|---|---|
1. | Block egress traffic at the DNS (Layer 7) and network layers (Layers 3 and 4) to prevent exfiltration of credentials | To prevent Codecov breach scenario |
2. | Detect if source code is being overwritten during the build process to inject a backdoor | To detect SolarWinds incident scenario |
3. | Detect poisoned workflows and compromised dependencies | To detect Dependency confusion and Malicious dependencies |
Read this case study on how Harden-Runner detected malicious packages in the NPM registry.
-
Add
step-security/harden-runner
to your GitHub Actions workflow file as the first step in each job.steps: - uses: step-security/harden-runner@cba0d00b1fc9a034e1e642ea0f1103c282990604 # v2.5.0 with: egress-policy: audit
-
In the workflow logs and the job markdown summary, you will see a link to security insights and recommendations.
-
Click on the link (example link). You will see a process monitor view of network and file events correlated with each step of the job.
-
Under the insights section, you'll find a Recommended Policy. You can either update your workflow file with this Policy, or alternatively, use the Policy Store to apply the policy without modifying the workflow file.
Actions Runner Controller (ARC) and Private repositories are supported with a commercial license. Check out the documentation for more details.
Install the StepSecurity Actions Security GitHub App to use Harden-Runner GitHub Action for Private
repositories.
- If you use Harden-Runner GitHub Action in a private repository, the generated insights URL is NOT public.
- You need to authenticate first to access insights URL for private repository. Only those who have access to the repository can view it.
- StepSecurity Actions Security GitHub App only needs
actions: read
permissions on your repositories.
Read this case study on how Kapiche uses Harden-Runner to improve software supply chain security in their private repositories.
For details, check out the documentation at https://docs.stepsecurity.io
Once allowed endpoints are set in the policy in the workflow file, or in the Policy Store
- Harden-Runner blocks egress traffic at the DNS (Layer 7) and network layers (Layers 3 and 4).
- It blocks DNS exfiltration, where attacker tries to send data out using DNS resolution
- Blocks outbound traffic using IP tables
- Wildcard domains are supported, e.g. you can add
*.data.mcr.microsoft.com:443
to the allowed list, and egress traffic will be allowed toeastus.data.mcr.microsoft.com:443
andwestus.data.mcr.microsoft.com:443
.
Harden-Runner monitors file writes and can detect if a file is overwritten.
- Source code overwrite is not expected in a release build
- All source code files are monitored, which means even changes to IaC files (Kubernetes manifest, Terraform) are detected
- You can enable notifications to get one-time alert when source code is overwritten
GitHub-hosted runner uses passwordless sudo for running jobs.
- This means compromised build tools or dependencies can install attack tools
- If your job does not need sudo access, you see a policy recommendation to disable sudo in the insights page
- When you set
disable-sudo
totrue
, the job steps run without sudo access to the Ubuntu VM
Install the StepSecurity Actions Security GitHub App to get security alerts.
- Email and Slack notifications are supported
- Notifications are sent when outbound traffic is blocked or source code is overwritten
- Notifications are not repeated for the same alert for a given workflow
If you have questions or ideas, please use discussions. For support for ARC and Private repositories, email info@stepsecurity.io.
For GitHub-hosted runners, Harden-Runner GitHub Action downloads and installs the StepSecurity Agent.
- The code to monitor file, process, and network activity is in the Agent.
- The agent is written in Go and is open source at https://github.com/step-security/agent
- The agent's build is reproducible. You can view the steps to reproduce the build here
- Only Ubuntu VM is supported. Windows and MacOS GitHub-hosted runners are not supported. There is a discussion about that here.
- Harden-Runner is not supported when job is run in a container as it needs sudo access on the Ubuntu VM to run. It can be used to monitor jobs that use containers to run steps. The limitation is if the entire job is run in a container. That is not common for GitHub Actions workflows, as most of them run directly on
ubuntu-latest
.