Skip to content

Commit

Permalink
fix: harden harden-runner egress policy (#477)
Browse files Browse the repository at this point in the history
* fix: harden harden-runner egress policy

* doc: add comments

* doc: fix typo
  • Loading branch information
tallaxes authored Sep 5, 2024
1 parent ed0961d commit 501bd69
Show file tree
Hide file tree
Showing 11 changed files with 130 additions and 15 deletions.
6 changes: 5 additions & 1 deletion .github/workflows/approval-comment.yaml
Original file line number Diff line number Diff line change
Expand Up @@ -14,7 +14,11 @@ jobs:
- name: Harden Runner
uses: step-security/harden-runner@5c7944e73c4c2a096b17a9cb74d65b6c2bbafbde # v2.9.1
with:
egress-policy: audit
disable-telemetry: true
disable-sudo: true
egress-policy: block
allowed-endpoints: >
github.com:443
- uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
with:
Expand Down
14 changes: 12 additions & 2 deletions .github/workflows/ci-test.yml
Original file line number Diff line number Diff line change
Expand Up @@ -21,12 +21,22 @@ jobs:
- name: Harden Runner
uses: step-security/harden-runner@5c7944e73c4c2a096b17a9cb74d65b6c2bbafbde # v2.9.1
with:
egress-policy: audit
disable-telemetry: true
egress-policy: block
allowed-endpoints: >
api.github.com:443
coveralls.io:443
github.com:443
objects.githubusercontent.com:443
proxy.golang.org:443
raw.githubusercontent.com:443
storage.googleapis.com:443
sum.golang.org:443
- uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
- uses: ./.github/actions/install-deps
with:
k8sVersion: ${{ matrix.k8sVersion }}
k8sVersion: ${{ matrix.k8sVersion }}
- run: K8S_VERSION=${{ matrix.k8sVersion }} make ci-test
- name: Send coverage
# should only send coverage once https://docs.coveralls.io/parallel-builds
Expand Down
14 changes: 12 additions & 2 deletions .github/workflows/ci.yml
Original file line number Diff line number Diff line change
Expand Up @@ -5,15 +5,25 @@ on:
pull_request:
workflow_dispatch:
permissions:
contents: read
contents: read
jobs:
ci:
runs-on: ubuntu-latest
steps:
- name: Harden Runner
uses: step-security/harden-runner@5c7944e73c4c2a096b17a9cb74d65b6c2bbafbde # v2.9.1
with:
egress-policy: audit
disable-telemetry: true
egress-policy: block
allowed-endpoints: >
api.github.com:443
github.com:443
objects.githubusercontent.com:443
proxy.golang.org:443
raw.githubusercontent.com:443
storage.googleapis.com:443
sum.golang.org:443
vuln.go.dev:443
- uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
- uses: ./.github/actions/install-deps
Expand Down
15 changes: 14 additions & 1 deletion .github/workflows/codeql-analysis.yml
Original file line number Diff line number Diff line change
Expand Up @@ -28,7 +28,20 @@ jobs:
- name: Harden Runner
uses: step-security/harden-runner@5c7944e73c4c2a096b17a9cb74d65b6c2bbafbde # v2.9.1
with:
egress-policy: audit
disable-telemetry: true
egress-policy: block
allowed-endpoints: >
api.github.com:443
dc.services.visualstudio.com:443
github.com:443
login.microsoftonline.com:443
objects.githubusercontent.com:443
proxy.golang.org:443
raw.githubusercontent.com:443
storage.googleapis.com:443
sum.golang.org:443
uploads.github.com:443
vuln.go.dev:443
- uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
- uses: ./.github/actions/install-deps
Expand Down
10 changes: 9 additions & 1 deletion .github/workflows/deflake.yml
Original file line number Diff line number Diff line change
Expand Up @@ -16,7 +16,15 @@ jobs:
- name: Harden Runner
uses: step-security/harden-runner@5c7944e73c4c2a096b17a9cb74d65b6c2bbafbde # v2.9.1
with:
egress-policy: audit
disable-telemetry: true
egress-policy: block
allowed-endpoints: >
api.github.com:443
github.com:443
objects.githubusercontent.com:443
proxy.golang.org:443
storage.googleapis.com:443
sum.golang.org:443
- uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
- uses: ./.github/actions/install-deps
Expand Down
9 changes: 8 additions & 1 deletion .github/workflows/dependency-review.yml
Original file line number Diff line number Diff line change
Expand Up @@ -19,7 +19,14 @@ jobs:
- name: Harden Runner
uses: step-security/harden-runner@5c7944e73c4c2a096b17a9cb74d65b6c2bbafbde # v2.9.1
with:
egress-policy: audit
disable-telemetry: true
disable-sudo: true
egress-policy: block
allowed-endpoints: >
api.deps.dev:443
api.github.com:443
api.securityscorecards.dev:443
github.com:443
- name: 'Checkout Repository'
uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
Expand Down
8 changes: 6 additions & 2 deletions .github/workflows/e2e-matrix.yaml
Original file line number Diff line number Diff line change
Expand Up @@ -21,7 +21,7 @@ on:

permissions:
contents: read

jobs:
initialize-generative-params:
runs-on: ubuntu-latest
Expand All @@ -31,7 +31,11 @@ jobs:
- name: Harden Runner
uses: step-security/harden-runner@5c7944e73c4c2a096b17a9cb74d65b6c2bbafbde # v2.9.1
with:
egress-policy: audit
disable-telemetry: true
disable-sudo: true
egress-policy: block
# no allowed endpoints
allowed-endpoints: >
- id: generate-e2e-run-hash
run: |
Expand Down
31 changes: 30 additions & 1 deletion .github/workflows/e2e.yaml
Original file line number Diff line number Diff line change
Expand Up @@ -47,7 +47,36 @@ jobs:
- name: Harden Runner
uses: step-security/harden-runner@5c7944e73c4c2a096b17a9cb74d65b6c2bbafbde # v2.9.1
with:
egress-policy: audit
disable-telemetry: true
egress-policy: block
# - wildcards to allow for variation in targeted clusters
# - clients3.google.com:80 and firebaselogging-pa.googleapis.com:443 - confirmed Skaffold,
# likely telemetry, likely can be avoided/blocked with/after "skaffold config set --global collect-metrics false"
allowed-endpoints: >
*.azmk8s.io:443
*.azurecr.io:443
*.data.mcr.microsoft.com:443
aka.ms:443
api.github.com:443
app.aladdin.microsoft.com:443
auth.docker.io:443
azcliextensionsync.blob.core.windows.net:443
clients3.google.com:80
dc.services.visualstudio.com:443
distroless.dev:443
firebaselogging-pa.googleapis.com:443
gist.githubusercontent.com:443
github.com:443
graph.microsoft.com:443
index.docker.io:443
login.microsoftonline.com:443
management.azure.com:443
mcr.microsoft.com:443
objects.githubusercontent.com:443
proxy.golang.org:443
raw.githubusercontent.com:443
storage.googleapis.com:443
sum.golang.org:443
- uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
with:
Expand Down
8 changes: 7 additions & 1 deletion .github/workflows/release-trigger.yaml
Original file line number Diff line number Diff line change
Expand Up @@ -19,7 +19,13 @@ jobs:
- name: Harden Runner
uses: step-security/harden-runner@5c7944e73c4c2a096b17a9cb74d65b6c2bbafbde # v2.9.1
with:
egress-policy: audit
disable-telemetry: true
disable-sudo: true
egress-policy: block
allowed-endpoints: >
github.com:443
registry.npmjs.org:443
- uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
with:
fetch-depth: 0
Expand Down
9 changes: 7 additions & 2 deletions .github/workflows/resolve-args.yaml
Original file line number Diff line number Diff line change
Expand Up @@ -7,7 +7,7 @@ on:

permissions:
contents: read

jobs:
resolve:
runs-on: ubuntu-latest
Expand All @@ -18,7 +18,12 @@ jobs:
- name: Harden Runner
uses: step-security/harden-runner@5c7944e73c4c2a096b17a9cb74d65b6c2bbafbde # v2.9.1
with:
egress-policy: audit
disable-sudo: true
disable-telemetry: true
egress-policy: block
allowed-endpoints: >
api.github.com:443
github.com:443
- uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
- if: github.event_name == 'workflow_run'
Expand Down
21 changes: 20 additions & 1 deletion .github/workflows/scorecards.yml
Original file line number Diff line number Diff line change
Expand Up @@ -33,7 +33,26 @@ jobs:
- name: Harden Runner
uses: step-security/harden-runner@5c7944e73c4c2a096b17a9cb74d65b6c2bbafbde # v2.9.1
with:
egress-policy: audit
disable-sudo: true
disable-telemetry: true
egress-policy: block
allowed-endpoints: >
api.deps.dev:443
api.github.com:443
api.osv.dev:443
api.scorecard.dev:443
api.securityscorecards.dev:443
auth.docker.io:443
bestpractices.coreinfrastructure.org:443
fulcio.sigstore.dev:443
github.com:443
index.docker.io:443
mcr.microsoft.com:443
oss-fuzz-build-logs.storage.googleapis.com:443
rekor.sigstore.dev:443
sigstore-tuf-root.storage.googleapis.com:443
tuf-repo-cdn.sigstore.dev:443
www.bestpractices.dev:443
- name: "Checkout code"
uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
Expand Down

0 comments on commit 501bd69

Please sign in to comment.