Skip to content

Network egress filtering and runtime security for GitHub-hosted and self-hosted runners

License

Notifications You must be signed in to change notification settings

manish1710-007/harden-runner

Β 
Β 

Folders and files

NameName
Last commit message
Last commit date

Latest commit

Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 

Repository files navigation

Dark Banner

Maintained by stepsecurity.io OpenSSF Scorecard License: Apache 2.0

GitHub Actions Runtime Security

Harden-Runner provides runtime security for GitHub-hosted and self-hosted environments.

For self-hosted environments, Harden-Runner supports:

  1. Kubernetes runners setup using Actions Runner Controller (ARC)
  2. Virtual Machine runners (e.g. on EC2) - both ephemeral and persistent runners are supported

Harden Runner Demo

Explore open source projects using Harden-Runner

CISA Microsoft Google DataDog Intel Kubernetes Node.js Mastercard
CISA
Explore
Microsoft
Explore
Google
Explore
DataDog
Explore
Intel
Explore
Kubernetes
Explore
Node.js
Explore
Mastercard
Explore

Hands-On Tutorials

You can use GitHub Actions Goat to try Harden-Runner. You only need a GitHub Account and a web browser.

Hands-on Tutorials for GitHub Actions Runtime Security:

  1. Filter Egress Network Traffic
  2. Detect File Tampering

Why

Compromised workflows, dependencies, and build tools typically make outbound calls to exfiltrate credentials, or may tamper source code, dependencies, or artifacts during the build.

Harden-Runner monitors process, file, and network activity to:

Countermeasure Prevent Security Breach
1. Block egress traffic at the DNS (Layer 7) and network layers (Layers 3 and 4) to prevent exfiltration of code and CI/CD credentials To prevent Codecov breach scenario
2. Detect if source code is being tampered during the build process to inject a backdoor To detect SolarWinds incident scenario
3. Detect poisoned workflows and compromised dependencies To detect Dependency confusion and Malicious dependencies

Read this case study on how Harden-Runner detected malicious packages in the NPM registry.

How

GitHub-Hosted Runners

  1. Add step-security/harden-runner GitHub Action to your GitHub Actions workflow file as the first step in each job.

    steps:
      - uses: step-security/harden-runner@eb238b55efaa70779f274895e782ed17c84f2895 # v2.6.1
        with:
          egress-policy: audit
  2. In the workflow logs and the job markdown summary, you will see a link to security insights and recommendations.

    Link in build log

  3. Click on the link (example link). You will see a process monitor view of network and file events correlated with each step of the job.

    Insights from harden-runner

  4. Under the insights section, you'll find a Recommended Policy. You can either update your workflow file with this Policy, or alternatively, use the Policy Store to apply the policy without modifying the workflow file.

    Policy recommended by harden-runner

Self-Hosted Actions Runner Controller (ARC) Runners

Explore demo workflows using self-hosted ARC Runner and ARC Harden-Runner here.

Actions Runner Controller (ARC) is a Kubernetes operator that orchestrates and scales self-hosted runners for GitHub Actions.

  • Instead of adding the Harden-Runner GitHub Action in each workflow, you'll need to install the ARC Harden-Runner daemonset on your Kubernetes cluster.
  • Upon installation, the ARC Harden-Runner daemonset constantly monitors each workflow run; you do NOT need to add the Harden-Runner GitHub Action to each job for audit mode. You do need to add the Harden-Runner GitHub Action for block mode.
  • You can access security insights and runtime detections under the Runtime Security tab in your dashboard.

Self-Hosted VM Runners (e.g. on EC2)

Explore demo workflows using self-hosted VM Runners and Harden-Runner here.

  • Instead of adding the Harden-Runner GitHub Action in each workflow, you'll need to install the Harden-Runner agent on your runner image (e.g. AMI). This is typically done using packer.
  • The Harden-Runner agent monitors each job run on the VM, both ephemeral and persistent runners are supported; you do NOT need to add the Harden-Runner GitHub Action to each job for audit mode. You do need to add the Harden-Runner GitHub Action for block mode.
  • You can access security insights and runtime detections under the Runtime Security tab in your dashboard.

Support for Self-Hosted Runners and Private Repositories

Runtime security for self-hosted runners and private repositories are supported with a commercial license. Check out the documentation for more details.

  • Install the StepSecurity Actions Security GitHub App to use Harden-Runner GitHub Action for Private repositories.
  • If you use Harden-Runner GitHub Action in a private repository, the generated insights URL is NOT public.
  • You need to authenticate first to access insights URL for private repository. Only those who have access to the repository can view it.

Read this case study on how Kapiche uses Harden-Runner to improve software supply chain security in their private repositories.

Features at a glance

For details, check out the documentation at https://docs.stepsecurity.io

πŸ‘€ Monitor egress traffic

Applies to both GitHub-hosted and self-hosted runners

Harden-Runner monitors all outbound traffic from each job at the DNS and network layers

  • After the workflow completes, each outbound call is correlated with each step of the job, and shown in the insights page
  • For self-hosted runners, no changes are needed to workflow files to monitor egress traffic
  • A filtering (block) egress policy is suggested in the insights page based on past job runs

🚦 Filter egress traffic to allowed endpoints

Applies to both GitHub-hosted and self-hosted runners

Once allowed endpoints are set in the policy in the workflow file, or in the Policy Store

  • Harden-Runner blocks egress traffic at the DNS (Layer 7) and network layers (Layers 3 and 4)
  • It blocks DNS exfiltration, where attacker tries to send data out using DNS resolution
  • Wildcard domains are supported, e.g. you can add *.data.mcr.microsoft.com:443 to the allowed list, and egress traffic will be allowed to eastus.data.mcr.microsoft.com:443 and westus.data.mcr.microsoft.com:443

Policy recommended by harden-runner

πŸ“ Detect tampering of source code during build

Applies to both GitHub-hosted and self-hosted runners

Harden-Runner monitors file writes and can detect if a file is overwritten.

  • Source code overwrite is not expected in a release build
  • All source code files are monitored, which means even changes to IaC files (Kubernetes manifest, Terraform) are detected
  • You can enable notifications to get one-time alert when source code is overwritten
  • For self-hosted runners, no changes are needed to workflow files for file monitoring

Policy recommended by harden-runner

🚫 Run your job without sudo access

Applies to GitHub-hosted runners

GitHub-hosted runner uses passwordless sudo for running jobs.

  • This means compromised build tools or dependencies can install attack tools
  • If your job does not need sudo access, you see a policy recommendation to disable sudo in the insights page
  • When you set disable-sudo to true, the job steps run without sudo access to the GitHub-hosted Ubuntu VM

πŸ”” Get security alerts

Applies to both GitHub-hosted and self-hosted runners

Install the StepSecurity Actions Security GitHub App to get security alerts.

  • Email and Slack notifications are supported
  • Notifications are sent when outbound traffic is blocked or source code is overwritten
  • Notifications are not repeated for the same alert for a given workflow

Discussions

  • If you have questions or ideas, please use discussions.
  • For support for self-hosted runners and private repositories, email support@stepsecurity.io.
  • If you use a different CI/CD Provider (e.g. Jenkins, Gitlab CI, etc), and would like to use Harden Runner in your environment, please email interest@stepsecurity.io

How does it work?

GitHub-Hosted Runners

For GitHub-hosted runners, Harden-Runner GitHub Action downloads and installs the StepSecurity Agent.

  • The code to monitor file, process, and network activity is in the Agent.
  • The agent is written in Go and is open source at https://github.com/step-security/agent
  • The agent's build is reproducible. You can view the steps to reproduce the build here

Self-Hosted Actions Runner Controller (ARC) Runners

Self-Hosted VM Runners (e.g. on EC2)

  • For self-hosted VMs, you add the Harden-Runner agent into your runner image (e.g. AMI).
  • Agent for self-hosted VMs is NOT open source.

Limitations

GitHub-Hosted Runners

  1. Only Ubuntu VM is supported. Windows and MacOS GitHub-hosted runners are not supported. There is a discussion about that here.
  2. Harden-Runner is not supported when job is run in a container as it needs sudo access on the Ubuntu VM to run. It can be used to monitor jobs that use containers to run steps. The limitation is if the entire job is run in a container. That is not common for GitHub Actions workflows, as most of them run directly on ubuntu-latest. Note: This is not a limitation for Self-Hosted runners.

Self-Hosted Actions Runner Controller (ARC) Runners

  1. Since ARC Harden Runner uses eBPF, only Linux jobs are supported. Windows and MacOS jobs are not supported.

Self-Hosted VM Runners (e.g. on EC2)

  1. Only Ubuntu VM is supported. Windows and MacOS jobs are not supported.

About

Network egress filtering and runtime security for GitHub-hosted and self-hosted runners

Resources

License

Security policy

Stars

Watchers

Forks

Releases

No releases published

Packages

No packages published

Languages

  • TypeScript 97.4%
  • JavaScript 2.6%