-
Notifications
You must be signed in to change notification settings - Fork 51
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
- Loading branch information
1 parent
75ac554
commit aa817ef
Showing
6 changed files
with
37 additions
and
66 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
|
|
@@ -13,30 +13,29 @@ | |
|
|
||
| </div> | ||
|
|
||
| --- | ||
| ## GitHub Actions Runtime Security | ||
|
|
||
| 🔒 Harden-Runner GitHub Action installs a security agent on the GitHub-hosted runner (Ubuntu VM) to | ||
| Harden-Runner GitHub Action provides Runtime Security for GitHub-Hosted runners and self-hosted Actions Runner Controller (ARC) environments. | ||
|
|
||
| 1. Prevent exfiltration of credentials 🔑 | ||
| 2. Detect tampering of source code during build 🕵️ | ||
| 3. Detect compromised dependencies and build tools 🚨 | ||
| [](https://youtu.be/fpdwX5hYACo) | ||
|
|
||
| ## Explore open source projects using Harden-Runner | ||
|
|
||
| <p align="center"> | ||
| <img src="images/demo.gif" alt="Harden Runner demo"> | ||
| </p> | ||
| | [](https://app.stepsecurity.io/github/microsoft/ebpf-for-windows/actions/runs/5559160177) | [](https://app.stepsecurity.io/github/GoogleCloudPlatform/functions-framework-ruby/actions/runs/5546354505) | [](https://app.stepsecurity.io/github/DataDog/stratus-red-team/actions/runs/5387101451) | [](https://app.stepsecurity.io/github/intel/cve-bin-tool/actions/runs/5579910614) | [](https://app.stepsecurity.io/github/kubernetes-sigs/cluster-api-provider-azure/actions/runs/5581511101) | [](https://app.stepsecurity.io/github/nodejs/node/actions/runs/5563468674) | [](https://app.stepsecurity.io/github/open-policy-agent/gatekeeper/actions/runs/5578825701) | [](https://app.stepsecurity.io/github/Mastercard/flow/actions/runs/5542112873) | | ||
| | --- | --- | --- | --- | --- | -- | -- | -- | | ||
| | **Microsoft**<br>[Explore](https://app.stepsecurity.io/github/microsoft/ebpf-for-windows/actions/runs/5559160177) | **Google**<br>[Explore](https://app.stepsecurity.io/github/GoogleCloudPlatform/functions-framework-ruby/actions/runs/5546354505) | **DataDog**<br>[Explore](https://app.stepsecurity.io/github/DataDog/stratus-red-team/actions/runs/5387101451) | **Intel**<br>[Explore](https://app.stepsecurity.io/github/intel/cve-bin-tool/actions/runs/5579910614) | **Kubernetes**<br>[Explore](https://app.stepsecurity.io/github/kubernetes-sigs/cluster-api-provider-azure/actions/runs/5581511101) | **Node.js**<br>[Explore](https://app.stepsecurity.io/github/nodejs/node/actions/runs/5563468674) | **OpenPolicyAgent**<br>[Explore](https://app.stepsecurity.io/github/open-policy-agent/gatekeeper/actions/runs/5578825701) | **Mastercard**<br>[Explore](https://app.stepsecurity.io/github/Mastercard/flow/actions/runs/5542112873) | | ||
|
|
||
| ## Why | ||
|
|
||
| Compromised dependencies and build tools typically make outbound calls to exfiltrate credentials, or may tamper source code, dependencies, or artifacts during the build. | ||
| Compromised workflows, dependencies, and build tools typically make outbound calls to exfiltrate credentials, or may tamper source code, dependencies, or artifacts during the build. | ||
|
|
||
| Harden-Runner GitHub Actions installs a daemon that monitors process, file, and network activity to: | ||
| Harden-Runner GitHub Action monitors process, file, and network activity to: | ||
|
|
||
| | | Countermeasure | Threat | | ||
| | | Countermeasure | Prevent Security Breach | | ||
| | --- | -------------------------------------------------------------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | | ||
| | 1. | Block outbound calls that are not in the allowed list to prevent exfiltration of credentials | To prevent [Codecov breach](https://github.com/step-security/attack-simulator/blob/main/docs/RestrictOutboundTraffic.md) scenario | | ||
| | 2. | Detect if source code is being overwritten during the build process to inject a backdoor | To detect [SolarWinds incident scenario](https://github.com/step-security/attack-simulator/blob/main/docs/MonitorSourceCode.md) | | ||
| | 3. | Detect compromised dependencies that make unexpected outbound network calls | To detect [Dependency confusion](https://github.com/step-security/attack-simulator/blob/main/docs/DNSExfiltration.md) and [Malicious dependencies](https://github.com/step-security/attack-simulator/blob/main/docs/CompromisedDependency.md) | | ||
| | 1. | Block egress traffic at the DNS (Layer 7) and network layers (Layers 3 and 4) to prevent exfiltration of credentials | To prevent [Codecov breach](https://github.com/step-security/github-actions-goat/blob/main/docs/Vulnerabilities/ExfiltratingCICDSecrets.md) scenario | | ||
| | 2. | Detect if source code is being overwritten during the build process to inject a backdoor | To detect [SolarWinds incident](https://github.com/step-security/github-actions-goat/blob/main/docs/Vulnerabilities/TamperingDuringBuild.md) scenario | | ||
| | 3. | Detect poisoned workflows and compromised dependencies | To detect [Dependency confusion](https://github.com/step-security/github-actions-goat/blob/main/docs/Vulnerabilities/ExfiltratingCICDSecrets.md#dependency-confusion-attacks) and [Malicious dependencies](https://github.com/step-security/github-actions-goat/blob/main/docs/Vulnerabilities/ExfiltratingCICDSecrets.md#compromised-dependencies) | | ||
|
|
||
| Read this [case study](https://infosecwriteups.com/detecting-malware-packages-in-github-actions-7b93a9985635) on how Harden-Runner detected malicious packages in the NPM registry. | ||
|
|
||
|
|
@@ -51,40 +50,48 @@ Read this [case study](https://infosecwriteups.com/detecting-malware-packages-in | |
| egress-policy: audit | ||
| ``` | ||
| 2. In the workflow logs, you will see a link to security insights and recommendations. | ||
| 2. In the workflow logs and the job markdown summary, you will see a link to security insights and recommendations. | ||
| <p align="left"> | ||
| <img src="images/buildlog1.png" alt="Link in build log" > | ||
| </p> | ||
| 3. Click on the link ([example link](https://app.stepsecurity.io/github/ossf/scorecard/actions/runs/2265028928)). You will see a process monitor view of file and network activities correlated with each step of the job. These insights hold significant value for forensic investigations, proving crucial in the event of an incident. | ||
| 3. Click on the link ([example link](https://app.stepsecurity.io/github/microsoft/msquic/actions/runs/5577342236)). You will see a process monitor view of network and file events correlated with each step of the job. | ||
| <p align="left"> | ||
| <img src="images/insights2.png" alt="Insights from harden-runner" > | ||
| <img src="images/Insights4.png" alt="Insights from harden-runner" > | ||
| </p> | ||
| 4. Under the insights section, you'll find a suggested policy. You can either update your workflow file with this policy, or alternatively, use the [Policy Store](https://docs.stepsecurity.io/harden-runner/how-tos/block-egress-traffic#2-add-the-policy-using-the-policy-store) to apply the policy without modifying the workflow file. | ||
| 4. Under the insights section, you'll find a Recommended Policy. You can either update your workflow file with this Policy, or alternatively, use the [Policy Store](https://docs.stepsecurity.io/harden-runner/how-tos/block-egress-traffic#2-add-the-policy-using-the-policy-store) to apply the policy without modifying the workflow file. | ||
| <p align="left"> | ||
| <img src="images/rec-policy1.png" alt="Policy recommended by harden-runner" > | ||
| </p> | ||
| ## Support for ARC and Private Repositories | ||
| Actions Runner Controller (ARC) and Private repositories are supported with a commercial license. Check out the [documentation](https://docs.stepsecurity.io/stepsecurity-platform/billing) for more details. | ||
| Install the [StepSecurity Actions Security GitHub App](https://github.com/apps/stepsecurity-actions-security) to use Harden-Runner GitHub Action for `Private` repositories. | ||
|
|
||
| - If you use Harden-Runner GitHub Action in a private repository, the generated insights URL is NOT public. | ||
| - You need to authenticate first to access insights URL for private repository. Only those who have access to the repository can view it. | ||
| - [StepSecurity Actions Security GitHub App](https://github.com/apps/stepsecurity-actions-security) only needs `actions: read` permissions on your repositories. | ||
|
|
||
| Read this [case study on how Kapiche uses Harden-Runner](https://www.stepsecurity.io/case-studies/kapiche/) to improve software supply chain security in their private repositories. | ||
|
|
||
| ## Features at a glance | ||
|
|
||
| For details, check out the documentation at https://docs.stepsecurity.io | ||
|
|
||
| <p align="left"> | ||
| <img src="images/main-screenshot1.png" alt="Policy recommended by harden-runner"> | ||
| </p> | ||
| ### 🚦 Restrict egress traffic to allowed endpoints | ||
|
|
||
| Once allowed endpoints are set in the policy in the workflow file, or in the [Policy Store](https://docs.stepsecurity.io/harden-runner/how-tos/block-egress-traffic#2-add-the-policy-using-the-policy-store) | ||
|
|
||
| - Harden-Runner blocks egress traffic at the DNS (Layer 7) and network layers (Layers 3 and 4). | ||
| - It blocks DNS exfiltration, where attacker tries to send data out using DNS resolution | ||
| - Blocks outbound traffic using IP tables | ||
| - Wildcard domains are supported, e.g. you can add `*.data.mcr.microsoft.com:443` to the allowed list, and egress traffic will be allowed to `eastus.data.mcr.microsoft.com:443` and `westus.data.mcr.microsoft.com:443`. | ||
| - Wildcard domains are supported, e.g. you can add `*.data.mcr.microsoft.com:443` to the allowed list, and egress traffic will be allowed to `eastus.data.mcr.microsoft.com:443` and `westus.data.mcr.microsoft.com:443`. | ||
|
|
||
| <p align="left"> | ||
| <img src="images/block-outbound-call.png" alt="Policy recommended by harden-runner" > | ||
|
|
@@ -119,55 +126,19 @@ Install the [StepSecurity Actions Security GitHub App](https://github.com/apps/s | |
| - Notifications are sent when outbound traffic is blocked or source code is overwritten | ||
| - Notifications are not repeated for the same alert for a given workflow | ||
|
|
||
| ## Support for private repositories | ||
|
|
||
| Private repositories are supported if they have a commercial license. Check out the [documentation](https://docs.stepsecurity.io/harden-runner/installation/business-enterprise-license) for more details. | ||
|
|
||
| Install the [StepSecurity Actions Security GitHub App](https://github.com/apps/stepsecurity-actions-security) to use Harden-Runner GitHub Action for `Private` repositories. | ||
|
|
||
| - If you use Harden-Runner GitHub Action in a private repository, the generated insights URL is NOT public. | ||
| - You need to authenticate first to access insights URL for private repository. Only those who have access to the repository can view it. | ||
| - [StepSecurity Actions Security GitHub App](https://github.com/apps/stepsecurity-actions-security) only needs `actions: read` permissions on your repositories. | ||
|
|
||
| Read this [case study on how Kapiche uses Harden Runner](https://www.stepsecurity.io/case-studies/kapiche/) to improve software supply chain security in their open source and private repositories. | ||
|
|
||
| ## Discussions | ||
|
|
||
| If you have questions or ideas, please use [discussions](https://github.com/step-security/harden-runner/discussions). | ||
|
|
||
| 1. [Support for private repositories](https://github.com/step-security/harden-runner/discussions/74) | ||
| 2. [Where should allowed-endpoints be stored?](https://github.com/step-security/harden-runner/discussions/84) | ||
| 3. [Cryptographically verify tools run as part of the CI/ CD pipeline](https://github.com/step-security/harden-runner/discussions/94) | ||
|
|
||
| ## Limitations | ||
|
|
||
| 1. Harden-Runner GitHub Action only works for GitHub-hosted runners. Self-hosted runners are not supported. We have started work on supporting [Kubernetes-Based Self-Hosted Actions Runners](https://github.com/step-security/harden-runner/issues/104). | ||
| 2. Only Ubuntu VM is supported. Windows and MacOS GitHub-hosted runners are not supported. There is a discussion about that [here](https://github.com/step-security/harden-runner/discussions/121). | ||
| 3. Harden-Runner is not supported when [job is run in a container](https://docs.github.com/en/actions/using-jobs/running-jobs-in-a-container) as it needs sudo access on the Ubuntu VM to run. It can be used to monitor jobs that use containers to run steps. The limitation is if the entire job is run in a container. That is not common for GitHub Actions workflows, as most of them run directly on `ubuntu-latest`. | ||
|
|
||
| ## Testimonials | ||
|
|
||
| > _I think this is a great idea and for the threat model of build-time, an immediate network egress request monitoring makes a lot of sense_ - [Liran Tal](https://stars.github.com/profiles/lirantal/), GitHub Star, and Author of Essential Node.js Security | ||
|
|
||
| > _Harden-Runner strikes an elegant balance between ease-of-use, maintainability, and mitigation that I intend to apply to all of my 300+ npm packages. I look forward to the tool’s improvement over time_ - [Jordan Harband](https://github.com/ljharb), Open Source Maintainer | ||
|
|
||
| > _Harden runner from Step security is such a nice solution, it is another piece of the puzzle in helping treat the CI environment like production and solving supply chain security. I look forward to seeing it evolve._ - Cam Parry, Staff Site Reliability Engineer, Kapiche | ||
|
|
||
| ## Workflows using harden-runner | ||
|
|
||
| Some important workflows using harden-runner: | ||
| | |Repository |Link to insights| | ||
| |--|----------|----------------| | ||
| |1.|[nvm-sh/nvm](https://github.com/nvm-sh/nvm/blob/master/.github/workflows/lint.yml)|[Link to insights](https://app.stepsecurity.io/github/nvm-sh/nvm/actions/runs/1757959262)| | ||
| |2.|[jsx-eslint/eslint-plugin-react](https://github.com/jsx-eslint/eslint-plugin-react/blob/master/.github/workflows/release.yml)|[Link to insights](https://app.stepsecurity.io/github/yannickcr/eslint-plugin-react/actions/runs/1930818585) | ||
| |3.|[microsoft/msquic](https://github.com/microsoft/msquic/blob/main/.github/workflows/docker-publish.yml)|[Link to insights](https://app.stepsecurity.io/github/microsoft/msquic/actions/runs/1759010243) | ||
| |4.|[ossf/scorecard](https://github.com/ossf/scorecard/blob/main/.github/workflows/codeql-analysis.yml)|[Link to insights](https://app.stepsecurity.io/github/ossf/scorecard/actions/runs/2006162141) | ||
| |5.|[Automattic/vip-go-mu-plugins](https://github.com/Automattic/vip-go-mu-plugins/blob/master/.github/workflows/e2e.yml)|[Link to insights](https://app.stepsecurity.io/github/Automattic/vip-go-mu-plugins/actions/runs/1758760957) | ||
| If you have questions or ideas, please use [discussions](https://github.com/step-security/harden-runner/discussions). For support for ARC and Private repositories, email [email protected]. | ||
|
|
||
| ## How does it work? | ||
|
|
||
| Harden-Runner GitHub Action downloads and installs the StepSecurity Agent. | ||
| For GitHub-hosted runners, Harden-Runner GitHub Action downloads and installs the StepSecurity Agent. | ||
|
|
||
| - The code to monitor file, process, and network activity is in the Agent. | ||
| - The agent is written in Go and is open source at https://github.com/step-security/agent | ||
| - The agent's build is reproducible. You can view the steps to reproduce the build [here](http://app.stepsecurity.io/github/step-security/agent/releases/latest) | ||
|
|
||
| ## Limitations for GitHub-Hosted Runners | ||
|
|
||
| 1. Only Ubuntu VM is supported. Windows and MacOS GitHub-hosted runners are not supported. There is a discussion about that [here](https://github.com/step-security/harden-runner/discussions/121). | ||
| 2. Harden-Runner is not supported when [job is run in a container](https://docs.github.com/en/actions/using-jobs/running-jobs-in-a-container) as it needs sudo access on the Ubuntu VM to run. It can be used to monitor jobs that use containers to run steps. The limitation is if the entire job is run in a container. That is not common for GitHub Actions workflows, as most of them run directly on `ubuntu-latest`. | ||
Loading
Sorry, something went wrong. Reload?
Sorry, we cannot display this file.
Sorry, this file is invalid so it cannot be displayed.
Loading
Sorry, something went wrong. Reload?
Sorry, we cannot display this file.
Sorry, this file is invalid so it cannot be displayed.
Binary file not shown.
Binary file not shown.
Binary file not shown.