Skip to content

Latest commit

 

History

History
104 lines (67 loc) · 7.32 KB

README.md

File metadata and controls

104 lines (67 loc) · 7.32 KB
Raw

Harden-Runner

harden-runner

Harden-Runner GitHub Action installs a security agent on the GitHub-hosted runner (Ubuntu VM) to

  1. Detect tampering of source code during build
  2. Prevent exfiltration of credentials
  3. Detect compromised dependencies or build tools

Demo using GIF

Why

Hijacked dependencies and compromised build tools typically make outbound requests to exfiltrate data or credentials, or may modify source code, dependencies, or artifacts during the build.

Harden-Runner helps you answer these two important questions:

  1. Is source code being overwritten during the build process to inject a backdoor? (SolarWinds incident scenario)
  2. Are unexpected outbound network calls being made during the workflow? (Codecov breach, Dependency confusion, Malicious dependency scenarios)

How

  1. Add step-security/harden-runner to your GitHub Actions workflow file as the first step in each job. In the pre step, the GitHub Actions installs a daemon that monitors process, file, and network activity.

    steps:
  - uses: step-security/harden-runner@248ae51c2e8cc9622ecf50685c8bf7150c6e8813
    with:
      egress-policy: audit

  2. In the workflow logs, you will see a link to security insights and recommendations.

Link in build log

  1. Click on the link (example link). You will see a process monitor view of what activities happened as part of each step. This currently includes the programs that made outbound calls and did file writes to source code or dependencies.

Insights from harden-runner

  1. Below the insights, you will see the recommended policy. Add the recommended outbound endpoints to your workflow file, and only traffic to these endpoints will be allowed. When you use egress-policy: block mode, you can also set disable-telemetry: true to not send telemetry to the StepSecurity API.

Policy recommended by harden-runner

  1. If outbound network call is made to an endpoint not in the allowed list or if source code is tampered, you will see an annotation in the workflow run.

Policy recommended by harden-runner

Support for private repositories

Install the Harden Runner App if you want to use Harden-Runner GitHub Action for Private repositories.

If you use Harden-Runner GitHub Action in a private repository, the generated insights URL is NOT public. You need to authenticate first to access it for private repository. Only those who have access to the repository can view it.

Read this case study on how Kapiche uses Harden Runner to improve software supply chain security in their open source and private repositories.

Harden Runner App only needs actions: read permissions on your repositories. You can install it on selected repositories, or all repositories in your organization.

Discussions

If you have questions or ideas, please use discussions.

  1. Support for private repositories
  2. Where should allowed-endpoints be stored?
  3. Cryptographically verify tools run as part of the CI/ CD pipeline

Limitations

  1. Harden-Runner GitHub Action only works for GitHub-hosted runners. Self-hosted runners are not supported.
  2. Only Ubuntu VM is supported. Windows and MacOS GitHub-hosted runners are not supported. There is a discussion about that here.
  3. Harden-Runner is not supported when job is run in a container as it needs sudo access on the Ubuntu VM to run. It can be used to monitor jobs that use containers to run steps. The limitation is if the entire job is run in a container. That is not common for GitHub Actions workflows, as most of them run directly on ubuntu-latest.

Testimonials

I think this is a great idea and for the threat model of build-time, an immediate network egress request monitoring makes a lot of sense - Liran Tal, GitHub Star, and Author of Essential Node.js Security

Harden-Runner strikes an elegant balance between ease-of-use, maintainability, and mitigation that I intend to apply to all of my 300+ npm packages. I look forward to the tool’s improvement over time - Jordan Harband, Open Source Maintainer

Harden runner from Step security is such a nice solution, it is another piece of the puzzle in helping treat the CI environment like production and solving supply chain security. I look forward to seeing it evolve. - Cam Parry, Staff Site Reliability Engineer, Kapiche

Workflows using harden-runner

Some important workflows using harden-runner:

Repository Link to insights
1. nvm-sh/nvm Link to insights
2. yannickcr/eslint-plugin-react Link to insights
3. microsoft/msquic Link to insights
4. ossf/scorecard Link to insights
5. Automattic/vip-go-mu-plugins Link to insights

1-minute Demo Video

harden-runner.mp4