Skip to content

Commit

Permalink
Merge pull request #416 from step-security/rc-8
Browse files Browse the repository at this point in the history
Release 2.8.0
  • Loading branch information
varunsh-coder authored May 22, 2024
2 parents 9ff9d14 + b9c325d commit f086349
Show file tree
Hide file tree
Showing 7 changed files with 33 additions and 5 deletions.
28 changes: 28 additions & 0 deletions README.md
Original file line number Diff line number Diff line change
Expand Up @@ -161,6 +161,34 @@ Once allowed endpoints are set in the policy in the workflow file, or in the [Po
<img src="images/blocked-outbound-call-3.png" alt="Policy recommended by harden-runner" >
</p>

### 📋 View the name and path of every file written during the build process

> Applies to both GitHub-hosted and self-hosted runners

View the name and path of every file that was written during the build process. This feature is supported with a commercial license.

- Harden-Runner tracks every file written to the GitHub Actions working directory during the build process.
- In the insights page in the `File Write Events` tab you can see a file explorer view of each file that was written to.
- Clicking on any file reveals a list of processes that wrote to it, providing complete transparency.

<p align="left">
<img src="images/file-write-events.png" alt="View the name and path of every file written during the build process" >
</p>

### 🔄 View process names and arguments

> Applies to both GitHub-hosted and self-hosted runners

View process names, PIDs, and process arguments. This feature is supported with a commercial license.

- Harden-Runner tracks every process that is run during the build process.
- Clicking on any file reveals a list of processes that wrote to it.
- You can walk up the process tree and view process arguments to understand the build process and detect suspicious activity.

<p align="left">
<img src="images/process-events-3.png" alt="View process names and arguments" >
</p>

### 📁 Detect tampering of source code during build

> Applies to both GitHub-hosted and self-hosted runners
Expand Down
4 changes: 2 additions & 2 deletions dist/pre/index.js

Some generated files are not rendered by default. Learn more about how customized files appear on GitHub.

2 changes: 1 addition & 1 deletion dist/pre/index.js.map

Large diffs are not rendered by default.

Binary file added images/file-write-events.png
Loading
Sorry, something went wrong. Reload?
Sorry, we cannot display this file.
Sorry, this file is invalid so it cannot be displayed.
Binary file added images/process-events-3.png
Loading
Sorry, something went wrong. Reload?
Sorry, we cannot display this file.
Sorry, this file is invalid so it cannot be displayed.
2 changes: 1 addition & 1 deletion src/checksum.ts
Original file line number Diff line number Diff line change
Expand Up @@ -14,7 +14,7 @@ export function verifyChecksum(downloadPath: string, is_tls: boolean) {

if (is_tls) {
expectedChecksum =
"e0cd0f0da1ac48df713acd8c4f0e591274de0f2c251b8526cf956c654f024ec2"; // checksum for tls_agent
"846ae66c6cfab958fe61736cec0b58bdb7651b36af04c279405c7114675d7033"; // checksum for tls_agent
}

if (checksum !== expectedChecksum) {
Expand Down
2 changes: 1 addition & 1 deletion src/setup.ts
Original file line number Diff line number Diff line change
Expand Up @@ -231,7 +231,7 @@ interface MonitorResponse {

if (await isTLSEnabled(context.repo.owner)) {
downloadPath = await tc.downloadTool(
"https://packages.stepsecurity.io/github-hosted/harden-runner_1.1.3_linux_amd64.tar.gz"
"https://packages.stepsecurity.io/github-hosted/harden-runner_1.2.0_linux_amd64.tar.gz"
);
verifyChecksum(downloadPath, true); // NOTE: verifying tls_agent's checksum, before extracting
} else {
Expand Down

0 comments on commit f086349

Please sign in to comment.