Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Add step-security insights url in job summary #227

Merged
merged 11 commits into from
Jan 13, 2023
Merged

Add step-security insights url in job summary #227

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
11 commits
Select commit Hold shift + click to select a range
4695598
Add step-security insights url in job summary (#214)
h0x0er Jan 9, 2023
63fa45a
Update markdown
varunsh-coder Jan 9, 2023
9465c0f
Update dist
varunsh-coder Jan 9, 2023
38e1deb
Update text
varunsh-coder Jan 9, 2023
e6069cd
Add separator
varunsh-coder Jan 9, 2023
6e9a854
Remove link icon
varunsh-coder Jan 10, 2023
e00bdf1
Add try catch block
varunsh-coder Jan 11, 2023
c3d7e3d
Update dist
varunsh-coder Jan 11, 2023
e18f18b
Update version and upgrade json5
varunsh-coder Jan 11, 2023
5db743a
Update test case
varunsh-coder Jan 12, 2023
f7b5916
Add test workflow
varunsh-coder Jan 12, 2023
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Jump to
Jump to file
Failed to load files.
Diff view
Diff view
36 changes: 36 additions & 0 deletions .github/workflows/test.yml
View file
Open in desktop
@@ -0,0 +1,36 @@
name: Test
on:
pull_request:
branches:
- main
push:
branches:
- main # to update code coverage

permissions: # added using https://github.com/step-security/secure-workflows
contents: read
concurrency:
group: ${{ github.workflow }}
jobs:
test:
runs-on: ubuntu-latest
steps:
- name: Harden Runner
uses: step-security/harden-runner@ebacdc22ef6c2cfb85ee5ded8f2e640f4c776dd5 # v2.0.0
with:
disable-sudo: true
egress-policy: block
allowed-endpoints: >
codecov.io:443
github.com:443
registry.npmjs.org:443
storage.googleapis.com:443
uploader.codecov.io:443

- name: Checkout
uses: actions/checkout@ac593985615ec2ede58e132d2e21d2b1cbd6127c # v3.3.0
- name: Install Dependencies
run: npm ci
- name: Run coverage
run: npm test -- --coverage
- uses: codecov/codecov-action@f32b3a3741e1053eb607407145bc9619351dc93b # v2.1.0
36 changes: 30 additions & 6 deletions dist/index.js
View file
Open in desktop

Some generated files are not rendered by default. Learn more about how customized files appear on GitHub.

2 changes: 1 addition & 1 deletion dist/index.js.map
View file
Open in desktop

Large diffs are not rendered by default.

33 changes: 31 additions & 2 deletions dist/post/index.js
View file
Open in desktop
Expand Up @@ -61006,10 +61006,33 @@ var external_child_process_ = __nccwpck_require__(3129);
// EXTERNAL MODULE: ./node_modules/@actions/core/lib/core.js
var lib_core = __nccwpck_require__(2186);
;// CONCATENATED MODULE: ./src/common.ts
var __awaiter = (undefined && undefined.__awaiter) || function (thisArg, _arguments, P, generator) {
function adopt(value) { return value instanceof P ? value : new P(function (resolve) { resolve(value); }); }
return new (P || (P = Promise))(function (resolve, reject) {
function fulfilled(value) { try { step(generator.next(value)); } catch (e) { reject(e); } }
function rejected(value) { try { step(generator["throw"](value)); } catch (e) { reject(e); } }
function step(result) { result.done ? resolve(result.value) : adopt(result.value).then(fulfilled, rejected); }
step((generator = generator.apply(thisArg, _arguments || [])).next());
});
};

function printInfo(web_url) {
console.log("\x1b[32m%s\x1b[0m", "View security insights and recommended policy at:");
console.log(`${web_url}/github/${process.env["GITHUB_REPOSITORY"]}/actions/runs/${process.env["GITHUB_RUN_ID"]}`);
}
function addSummary() {
return __awaiter(this, void 0, void 0, function* () {
if (process.env.STATE_monitorStatusCode === "200") {
const web_url = "https://app.stepsecurity.io";
const insights_url = `${web_url}/github/${process.env["GITHUB_REPOSITORY"]}/actions/runs/${process.env["GITHUB_RUN_ID"]}`;
yield lib_core.summary.addSeparator()
.addImage("https://github.com/step-security/harden-runner/raw/main/images/banner.png", "StepSecurity Harden-Runner", { width: "200" })
.addLink("View security insights and recommended policy", insights_url)
.addSeparator()
.write();
}
});
}
const CONTAINER_MESSAGE = "This job is running in a container. Harden Runner does not run in a container as it needs sudo access to run. This job will not be monitored.";
const UBUNTU_MESSAGE = "This job is not running in a GitHub Actions Hosted Runner Ubuntu VM. Harden Runner is only supported on Ubuntu VM. This job will not be monitored.";

Expand Down Expand Up @@ -61055,7 +61078,7 @@ var auth = __nccwpck_require__(5526);
// EXTERNAL MODULE: external "crypto"
var external_crypto_ = __nccwpck_require__(6417);
;// CONCATENATED MODULE: ./src/cache.ts
var __awaiter = (undefined && undefined.__awaiter) || function (thisArg, _arguments, P, generator) {
var cache_awaiter = (undefined && undefined.__awaiter) || function (thisArg, _arguments, P, generator) {
function adopt(value) { return value instanceof P ? value : new P(function (resolve) { resolve(value); }); }
return new (P || (P = Promise))(function (resolve, reject) {
function fulfilled(value) { try { step(generator.next(value)); } catch (e) { reject(e); } }
Expand Down Expand Up @@ -61107,7 +61130,7 @@ function getCacheVersion(paths, compressionMethod) {
return crypto.createHash("sha256").update(components.join("|")).digest("hex");
}
function getCacheEntry(keys, paths, options) {
return __awaiter(this, void 0, void 0, function* () {
return cache_awaiter(this, void 0, void 0, function* () {
const httpClient = createHttpClient();
const version = getCacheVersion(paths, options === null || options === void 0 ? void 0 : options.compressionMethod);
const resource = `cache?keys=${encodeURIComponent(keys.join(","))}&version=${version}`;
Expand Down Expand Up @@ -61232,6 +61255,12 @@ var cleanup_awaiter = (undefined && undefined.__awaiter) || function (thisArg, _
console.log(exception);
}
}
try {
yield addSummary();
}
catch (exception) {
console.log(exception);
}
}))();
function sleep(ms) {
return new Promise((resolve) => {
Expand Down
2 changes: 1 addition & 1 deletion dist/post/index.js.map
View file
Open in desktop

Large diffs are not rendered by default.

72 changes: 52 additions & 20 deletions dist/pre/index.js
View file
Open in desktop
Expand Up @@ -14111,7 +14111,7 @@ var __webpack_exports__ = {};
__nccwpck_require__.r(__webpack_exports__);

// EXTERNAL MODULE: ./node_modules/@actions/core/lib/core.js
var core = __nccwpck_require__(2186);
var lib_core = __nccwpck_require__(2186);
// EXTERNAL MODULE: external "child_process"
var external_child_process_ = __nccwpck_require__(3129);
// EXTERNAL MODULE: external "fs"
Expand All @@ -14135,10 +14135,34 @@ const stringify = dist.stringify;
const parse = dist.parse;

;// CONCATENATED MODULE: ./src/common.ts
var __awaiter = (undefined && undefined.__awaiter) || function (thisArg, _arguments, P, generator) {
function adopt(value) { return value instanceof P ? value : new P(function (resolve) { resolve(value); }); }
return new (P || (P = Promise))(function (resolve, reject) {
function fulfilled(value) { try { step(generator.next(value)); } catch (e) { reject(e); } }
function rejected(value) { try { step(generator["throw"](value)); } catch (e) { reject(e); } }
function step(result) { result.done ? resolve(result.value) : adopt(result.value).then(fulfilled, rejected); }
step((generator = generator.apply(thisArg, _arguments || [])).next());
});
};

function printInfo(web_url) {
console.log("\x1b[32m%s\x1b[0m", "View security insights and recommended policy at:");
console.log(`${web_url}/github/${process.env["GITHUB_REPOSITORY"]}/actions/runs/${process.env["GITHUB_RUN_ID"]}`);
}
function addSummary() {
return __awaiter(this, void 0, void 0, function* () {
if (process.env.STATE_monitorStatusCode === "200") {
const web_url = "https://app.stepsecurity.io";
const insights_url = `${web_url}/github/${process.env["GITHUB_REPOSITORY"]}/actions/runs/${process.env["GITHUB_RUN_ID"]}`;
yield core.summary
.addSeparator()
.addImage("https://github.com/step-security/harden-runner/raw/main/images/banner.png", "StepSecurity Harden-Runner", { width: "200" })
.addLink("View security insights and recommended policy", insights_url)
.addSeparator()
.write();
}
});
}
const CONTAINER_MESSAGE = "This job is running in a container. Harden Runner does not run in a container as it needs sudo access to run. This job will not be monitored.";
const UBUNTU_MESSAGE = "This job is not running in a GitHub Actions Hosted Runner Ubuntu VM. Harden Runner is only supported on Ubuntu VM. This job will not be monitored.";

Expand All @@ -14157,9 +14181,9 @@ function verifyChecksum(downloadPath) {
.digest("hex"); // checksum of downloaded file
const expectedChecksum = "79f397360470d6e42c73d6c9c5cf485ac9982e56e3e3fdd07f66c59cda4388c8"; // checksum for v0.12.1
if (checksum !== expectedChecksum) {
core.setFailed(`Checksum verification failed, expected ${expectedChecksum} instead got ${checksum}`);
lib_core.setFailed(`Checksum verification failed, expected ${expectedChecksum} instead got ${checksum}`);
}
core.debug("Checksum verification passed.");
lib_core.debug("Checksum verification passed.");
}

;// CONCATENATED MODULE: external "node:fs"
Expand Down Expand Up @@ -14197,10 +14221,12 @@ function isDocker() {

// EXTERNAL MODULE: ./node_modules/@actions/github/lib/github.js
var github = __nccwpck_require__(5438);
// EXTERNAL MODULE: external "os"
var external_os_ = __nccwpck_require__(2087);
// EXTERNAL MODULE: ./node_modules/@actions/http-client/lib/auth.js
var auth = __nccwpck_require__(5526);
;// CONCATENATED MODULE: ./src/cache.ts
var __awaiter = (undefined && undefined.__awaiter) || function (thisArg, _arguments, P, generator) {
var cache_awaiter = (undefined && undefined.__awaiter) || function (thisArg, _arguments, P, generator) {
function adopt(value) { return value instanceof P ? value : new P(function (resolve) { resolve(value); }); }
return new (P || (P = Promise))(function (resolve, reject) {
function fulfilled(value) { try { step(generator.next(value)); } catch (e) { reject(e); } }
Expand All @@ -14222,7 +14248,7 @@ function getCacheApiUrl(resource) {
throw new Error("Cache Service Url not found, unable to restore cache.");
}
const url = `${baseUrl}_apis/artifactcache/${resource}`;
core.debug(`Resource Url: ${url}`);
lib_core.debug(`Resource Url: ${url}`);
return url;
}
function createAcceptHeader(type, apiVersion) {
Expand Down Expand Up @@ -14252,7 +14278,7 @@ function getCacheVersion(paths, compressionMethod) {
return external_crypto_.createHash("sha256").update(components.join("|")).digest("hex");
}
function getCacheEntry(keys, paths, options) {
return __awaiter(this, void 0, void 0, function* () {
return cache_awaiter(this, void 0, void 0, function* () {
const httpClient = createHttpClient();
const version = getCacheVersion(paths, options === null || options === void 0 ? void 0 : options.compressionMethod);
const resource = `cache?keys=${encodeURIComponent(keys.join(","))}&version=${version}`;
Expand Down Expand Up @@ -14313,6 +14339,7 @@ var setup_awaiter = (undefined && undefined.__awaiter) || function (thisArg, _ar




(() => setup_awaiter(void 0, void 0, void 0, function* () {
try {
if (process.platform !== "linux") {
Expand All @@ -14334,11 +14361,11 @@ var setup_awaiter = (undefined && undefined.__awaiter) || function (thisArg, _ar
correlation_id: correlation_id,
working_directory: process.env["GITHUB_WORKSPACE"],
api_url: api_url,
allowed_endpoints: core.getInput("allowed-endpoints"),
egress_policy: core.getInput("egress-policy"),
disable_telemetry: core.getBooleanInput("disable-telemetry"),
disable_sudo: core.getBooleanInput("disable-sudo"),
disable_file_monitoring: core.getBooleanInput("disable-file-monitoring"),
allowed_endpoints: lib_core.getInput("allowed-endpoints"),
egress_policy: lib_core.getInput("egress-policy"),
disable_telemetry: lib_core.getBooleanInput("disable-telemetry"),
disable_sudo: lib_core.getBooleanInput("disable-sudo"),
disable_file_monitoring: lib_core.getBooleanInput("disable-file-monitoring"),
private: github.context.payload.repository.private,
};
if (isValidEvent()) {
Expand All @@ -14347,32 +14374,37 @@ var setup_awaiter = (undefined && undefined.__awaiter) || function (thisArg, _ar
compressionMethod: CompressionMethod.ZstdWithoutLong,
});
const url = new URL(cacheEntry.archiveLocation);
core.info(`Adding cacheHost: ${url.hostname}:443 to allowed-endpoints`);
lib_core.info(`Adding cacheHost: ${url.hostname}:443 to allowed-endpoints`);
confg.allowed_endpoints += ` ${url.hostname}:443`;
}
catch (exception) {
// some exception has occurred.
core.info("Unable to fetch cacheURL");
lib_core.info("Unable to fetch cacheURL");
if (confg.egress_policy === "block") {
core.info("Switching egress-policy to audit mode");
lib_core.info("Switching egress-policy to audit mode");
confg.egress_policy = "audit";
}
}
}
if (confg.egress_policy !== "audit" && confg.egress_policy !== "block") {
core.setFailed("egress-policy must be either audit or block");
lib_core.setFailed("egress-policy must be either audit or block");
}
if (confg.egress_policy === "block" && confg.allowed_endpoints === "") {
core.warning("egress-policy is set to block (default) and allowed-endpoints is empty. No outbound traffic will be allowed for job steps.");
lib_core.warning("egress-policy is set to block (default) and allowed-endpoints is empty. No outbound traffic will be allowed for job steps.");
}
if (confg.disable_telemetry !== true && confg.disable_telemetry !== false) {
core.setFailed("disable-telemetry must be a boolean value");
lib_core.setFailed("disable-telemetry must be a boolean value");
}
if (!confg.disable_telemetry) {
let _http = new lib.HttpClient();
_http.requestOptions = { socketTimeout: 3 * 1000 };
try {
yield _http.get(`${api_url}/github/${process.env["GITHUB_REPOSITORY"]}/actions/runs/${process.env["GITHUB_RUN_ID"]}/monitor`);
const resp = yield _http.get(`${api_url}/github/${process.env["GITHUB_REPOSITORY"]}/actions/runs/${process.env["GITHUB_RUN_ID"]}/monitor`);
if (resp.message.statusCode === 200) {
external_fs_.appendFileSync(process.env.GITHUB_STATE, `monitorStatusCode=${resp.message.statusCode}${external_os_.EOL}`, {
encoding: "utf8",
});
}
}
catch (e) {
console.log(`error in connecting to ${api_url}: ${e}`);
Expand All @@ -14382,7 +14414,7 @@ var setup_awaiter = (undefined && undefined.__awaiter) || function (thisArg, _ar
external_child_process_.execSync("sudo mkdir -p /home/agent");
external_child_process_.execSync("sudo chown -R $USER /home/agent");
// Note: to avoid github rate limiting
let token = core.getInput("token");
let token = lib_core.getInput("token");
let auth = `token ${token}`;
const downloadPath = yield tool_cache.downloadTool("https://github.com/step-security/agent/releases/download/v0.12.1/agent_0.12.1_linux_amd64.tar.gz", undefined, auth);
verifyChecksum(downloadPath); // NOTE: verifying agent's checksum, before extracting
Expand Down Expand Up @@ -14429,7 +14461,7 @@ var setup_awaiter = (undefined && undefined.__awaiter) || function (thisArg, _ar
}
}
catch (error) {
core.setFailed(error.message);
lib_core.setFailed(error.message);
}
}))();
function sleep(ms) {
Expand Down
2 changes: 1 addition & 1 deletion dist/pre/index.js.map
View file
Open in desktop

Large diffs are not rendered by default.

5 changes: 5 additions & 0 deletions jest.config.js
View file
Open in desktop
@@ -0,0 +1,5 @@
/** @type {import('ts-jest/dist/types').InitialOptionsTsJest} */
module.exports = {
preset: 'ts-jest',
testEnvironment: 'node',
};