Skip to content

Commit

Permalink
Release v2.4.1 (#309)
Browse files Browse the repository at this point in the history
  • Loading branch information
varunsh-coder authored Jun 20, 2023
1 parent 215c5ca commit 55d479f
Show file tree
Hide file tree
Showing 15 changed files with 496 additions and 86 deletions.
6 changes: 3 additions & 3 deletions README.md
Original file line number Diff line number Diff line change
Expand Up @@ -113,7 +113,7 @@ GitHub-hosted runner uses passwordless sudo for running jobs.

### 🔔 Get security alerts

Install the [Harden Runner App](https://github.com/marketplace/harden-runner-app) to get security alerts.
Install the [StepSecurity Actions Security GitHub App](https://github.com/apps/stepsecurity-actions-security) to get security alerts.

- Email and Slack notifications are supported
- Notifications are sent when outbound traffic is blocked or source code is overwritten
Expand All @@ -123,11 +123,11 @@ Install the [Harden Runner App](https://github.com/marketplace/harden-runner-app

Private repositories are supported if they have a commercial license. Check out the [documentation](https://docs.stepsecurity.io/harden-runner/installation/business-enterprise-license) for more details.

Install the [Harden Runner App](https://github.com/marketplace/harden-runner-app) to use Harden-Runner GitHub Action for `Private` repositories.
Install the [StepSecurity Actions Security GitHub App](https://github.com/apps/stepsecurity-actions-security) to use Harden-Runner GitHub Action for `Private` repositories.

- If you use Harden-Runner GitHub Action in a private repository, the generated insights URL is NOT public.
- You need to authenticate first to access insights URL for private repository. Only those who have access to the repository can view it.
- [Harden Runner App](https://github.com/marketplace/harden-runner-app) only needs `actions: read` permissions on your repositories.
- [StepSecurity Actions Security GitHub App](https://github.com/apps/stepsecurity-actions-security) only needs `actions: read` permissions on your repositories.

Read this [case study on how Kapiche uses Harden Runner](https://www.stepsecurity.io/case-studies/kapiche/) to improve software supply chain security in their open source and private repositories.

Expand Down
115 changes: 107 additions & 8 deletions dist/index.js

Some generated files are not rendered by default. Learn more about how customized files appear on GitHub.

2 changes: 1 addition & 1 deletion dist/index.js.map

Large diffs are not rendered by default.

120 changes: 103 additions & 17 deletions dist/post/index.js
Original file line number Diff line number Diff line change
Expand Up @@ -61147,24 +61147,119 @@ var __awaiter = (undefined && undefined.__awaiter) || function (thisArg, _argume
});
};


function printInfo(web_url) {
console.log("\x1b[32m%s\x1b[0m", "View security insights and recommended policy at:");
console.log(`${web_url}/github/${process.env["GITHUB_REPOSITORY"]}/actions/runs/${process.env["GITHUB_RUN_ID"]}`);
}
const processLogLine = (line, tableEntries) => {
if (line.includes("pid") &&
line.includes("process") &&
line.includes("domain") &&
line.includes("ip address")) {
const matches = line.match(/ip address:port ([\d.:]+), domain: ([\w.-]+), pid: (\d+), process: (\w+)/);
if (matches) {
const [ipAddress, domain, pid, process] = matches.slice(1);
// Check if all values are non-empty
if (pid && process && domain && ipAddress) {
const status = ipAddress.startsWith("54.185.253.63")
? "❌ Blocked"
: "✅ Allowed";
tableEntries.push({ pid, process, domain, ipAddress, status });
}
}
}
};
function addSummary() {
return __awaiter(this, void 0, void 0, function* () {
if (process.env.STATE_monitorStatusCode === "200") {
const web_url = "https://app.stepsecurity.io";
const insights_url = `${web_url}/github/${process.env["GITHUB_REPOSITORY"]}/actions/runs/${process.env["GITHUB_RUN_ID"]}`;
if (process.env.STATE_monitorStatusCode !== "200") {
return;
}
const web_url = "https://app.stepsecurity.io";
const insights_url = `${web_url}/github/${process.env["GITHUB_REPOSITORY"]}/actions/runs/${process.env["GITHUB_RUN_ID"]}`;
const log = "/home/agent/agent.log";
if (!external_fs_.existsSync(log)) {
return;
}
let needsSubscription = false;
try {
let data = external_fs_.readFileSync("/home/agent/annotation.log", "utf8");
if (data.includes("StepSecurity Harden Runner is disabled")) {
needsSubscription = true;
}
}
catch (err) {
//console.error(err);
}
if (needsSubscription) {
yield core.summary.addSeparator()
.addRaw(`<p><picture>
<source media="(prefers-color-scheme: light)" srcset="https://github.com/step-security/harden-runner/raw/main/images/banner.png" width="200">
<img alt="Dark Banner" src="https://github.com/step-security/harden-runner/raw/main/images/banner-dark.png" width="200">
</picture></p>`, true)
.addLink("View security insights and recommended policy", insights_url)
.addRaw(`<h2>❌ GitHub Actions Runtime Security is disabled</h2>`);
yield core.summary.addRaw(`
<p>You are seeing this markdown since this workflow uses the <a href="https://github.com/step-security/harden-runner">Harden-Runner GitHub Action</a> by StepSecurity in a private repository, but your organization has not signed up for a free trial or a paid subscription.</p>
<p>To start a free trial, install the <a href="https://github.com/apps/stepsecurity-actions-security">StepSecurity Actions Security GitHub App</a> or reach out to us via our <a href="https://www.stepsecurity.io/contact">contact form.</a></p>
`)
.addSeparator()
.write();
return;
}
const content = external_fs_.readFileSync(log, "utf-8");
const lines = content.split("\n");
let tableEntries = [];
for (const line of lines) {
processLogLine(line, tableEntries);
}
if (tableEntries.length === 0) {
return;
}
let insightsRow = `<tr>
<td colspan="3" align="center"><a href="${insights_url}">🛡️ Check out the full report and recommended policy at StepSecurity</a></td>
</tr>`;
yield core.summary.addSeparator().addRaw(`<h2><a href="${insights_url}">StepSecurity Report</a></h2>
<h3>GitHub Actions Runtime Security</h3>`);
tableEntries.sort((a, b) => {
if (a.status === "❌ Blocked" && b.status !== "❌ Blocked") {
return -1;
}
else if (a.status !== "❌ Blocked" && b.status === "❌ Blocked") {
return 1;
}
else {
return 0;
}
});
tableEntries = tableEntries.slice(0, 3);
yield core.summary.addRaw(`
<h3>🌐 Network Events</h3>
<table>
<thead>
<tr>
<th>Process</th>
<th>Endpoint</th>
<th>Status</th>
</tr>
</thead>
<tbody>
${tableEntries
.map((entry) => `<tr>
<td>${entry.process}</td>
<td>${entry.domain.replace(/\.$/, "")}</td>
<td>${entry.status}</td>
</tr>`)
.join("")}
<tr>
<td>...</td>
<td>...</td>
<td>...</td>
</tr>
${insightsRow}
</tbody>
</table>
`);
yield core.summary.addSeparator()
.addRaw(`<blockquote>You are seeing this markdown since this workflow uses the <a href="https://github.com/step-security/harden-runner">Harden-Runner GitHub Action</a>.
Harden-Runner is a security agent for GitHub-hosted runners to block egress traffic & detect code overwrite to prevent breaches.</blockquote>`)
.addSeparator()
.write();
});
}
const STATUS_HARDEN_RUNNER_UNAVAILABLE = "409";
Expand Down Expand Up @@ -61244,7 +61339,6 @@ var cleanup_awaiter = (undefined && undefined.__awaiter) || function (thisArg, _




(() => cleanup_awaiter(void 0, void 0, void 0, function* () {
if (process.platform !== "linux") {
console.log(UBUNTU_MESSAGE);
Expand Down Expand Up @@ -61287,14 +61381,6 @@ var cleanup_awaiter = (undefined && undefined.__awaiter) || function (thisArg, _
var content = external_fs_.readFileSync(status, "utf-8");
console.log(content);
}
// write annotations
var annotationsFile = "/home/agent/annotation.log";
if (external_fs_.existsSync(annotationsFile)) {
var content = external_fs_.readFileSync(annotationsFile, "utf-8");
content.split(/\r?\n/).forEach((line) => {
core.error(line);
});
}
var disable_sudo = process.env.STATE_disableSudo;
if (disable_sudo !== "true") {
var journalLog = external_child_process_.execSync("sudo journalctl -u agent.service", {
Expand Down
2 changes: 1 addition & 1 deletion dist/post/index.js.map

Large diffs are not rendered by default.

Loading

0 comments on commit 55d479f

Please sign in to comment.