koalalab-inc · raianand · Apr 2, 2024 · Apr 1, 2024 · Apr 2, 2024 · Apr 2, 2024
diff --git a/.flake8 b/.flake8
@@ -0,0 +1,2 @@
+[flake8]
+max-line-length = 120
diff --git a/.github/workflows/check-dist.yml b/.github/workflows/check-dist.yml
@@ -30,11 +30,11 @@ jobs:
     steps:
       - name: Checkout
         id: checkout
-        uses: actions/checkout@v4
+        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # actions/checkout@v4 | 1567,v4.1.1
 
       - name: Setup Node.js
         id: setup-node
-        uses: actions/setup-node@v4
+        uses: actions/setup-node@60edb5dd545a775178f52524783378180af0d1f8 # actions/setup-node@v4 | v4.0.2
         with:
           node-version-file: .node-version
           cache: npm
@@ -62,7 +62,7 @@ jobs:
       - if: ${{ failure() && steps.diff.outcome == 'failure' }}
         name: Upload Artifact
         id: upload
-        uses: actions/upload-artifact@v4
+        uses: actions/upload-artifact@5d5d22a31266ced268874388b861e4b58bb5c2f3 # actions/upload-artifact@v4 | v4.3.1
         with:
           name: dist
           path: dist/
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
@@ -17,11 +17,11 @@ jobs:
     steps:
       - name: Checkout
         id: checkout
-        uses: actions/checkout@v4
+        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # actions/checkout@v4 | 1567,v4.1.1
 
       - name: Setup Node.js
         id: setup-node
-        uses: actions/setup-node@v4
+        uses: actions/setup-node@60edb5dd545a775178f52524783378180af0d1f8 # actions/setup-node@v4 | v4.0.2
         with:
           node-version-file: .node-version
           cache: npm
@@ -49,4 +49,4 @@ jobs:
     steps:
       - name: Checkout
         id: checkout
-        uses: actions/checkout@v4
+        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # actions/checkout@v4 | 1567,v4.1.1
diff --git a/.github/workflows/linter.yml b/.github/workflows/linter.yml
@@ -19,13 +19,13 @@ jobs:
     steps:
       - name: Checkout
         id: checkout
-        uses: actions/checkout@v4
+        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # actions/checkout@v4 | 1567,v4.1.1
         with:
           fetch-depth: 0
 
       - name: Setup Node.js
         id: setup-node
-        uses: actions/setup-node@v4
+        uses: actions/setup-node@60edb5dd545a775178f52524783378180af0d1f8 # actions/setup-node@v4 | v4.0.2
         with:
           node-version-file: .node-version
           cache: npm
@@ -36,7 +36,7 @@ jobs:
 
       - name: Lint Codebase
         id: super-linter
-        uses: super-linter/super-linter/slim@v6
+        uses: super-linter/super-linter/slim@e0fc164bba85f4b58c6cd17ba1dfd435d01e8a06 # super-linter/super-linter/slim@v6
         env:
           DEFAULT_BRANCH: main
           FILTER_REGEX_EXCLUDE: dist/**/*

diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
@@ -18,7 +18,16 @@ jobs:
       arch: x86_64
     steps:
       - name: Checkout
-        uses: actions/checkout@v4
+        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # actions/checkout@v4 | 1567,v4.1.1
+      - name: Get release version
+        id: releaseVersion
+        run: echo "releaseVersion=\"$(awk -F\' '/const releaseVersion/ { print $2 }' src/version.js)\"" >> "$GITHUB_ENV"
+      - name: Check if releaseVersion is same as tag
+        run: |
+          if [ "${{ env.tag }}" != "${{ env.releaseVersion }}" ]; then
+            echo "releaseVersion does not match the tag"
+            exit 1
+          fi
       - name: Fetch MITM-Proxy
         run: |
           mkdir -p mitmproxy
@@ -31,11 +40,11 @@ jobs:
           rm -rf mitmproxy bolt
           rm mitmproxy-10.2.2-linux-x86_64.tar.gz
       - name: Release
-        uses: softprops/action-gh-release@v2
+        uses: softprops/action-gh-release@9d7c94cfd0a1f3ed45544c887983e9fa900f0564 # softprops/action-gh-release@v2
         with:
           files: bolt-${{ env.tag }}-${{ env.os }}-${{ env.arch }}.tar.gz
           tag_name: ${{ env.tag }}
           name: ${{ env.tag }}
           generate_release_notes: true
           token: ${{ secrets.GITHUB_TOKEN }}
-
+          prerelease: ${{ endsWith(env.tag, 'rc') }}
diff --git a/README.md b/README.md
@@ -1,5 +1,4 @@
-![Bolt](assets/imgs/bolt-header-light.png#gh-light-mode-only)
-![Bolt](assets/imgs/bolt-header-dark.png#gh-dark-mode-only)
+![Bolt](assets/imgs/bolt-header-dark.png)
 ## Secure GitHub actions with 1 line of code
 Add this step to jobs in your GitHub workflow file(s) to secure your runner:
 ```yaml
@@ -42,6 +41,8 @@ You can configuree the Bolt action using inputs. Here is an example of how to co
       mode: 'audit'
       default_policy: 'block-all'
       allow_http: 'false'
+      trusted_github_accounts: |
+        - 'akto-api-security'
       egress_rules: |
         - name: 'Allow GitHub subs'
           destination: '*.github.com'
@@ -52,6 +53,7 @@ You can configuree the Bolt action using inputs. Here is an example of how to co
 | `mode` | Configure the mode of operation for the Bolt gateway. It can be `audit` or `active`. Default: `audit` |
 | `default_policy` | It can be either `block-all` or `allow-all`. Default: `block-all` |
 | `allow_http` | Whether to allow non-secure HTTP requests or not. Default: `false`
+| `trusted_github_accounts` | A list of trusted GitHub accounts.  Default: `[]`. The account in which workflow is running will always be trusted.
 | `egress_rules` | A list of custom egress rules to be applied. Default: `[]`.
 
 ## Custom Egress Policy
@@ -91,23 +93,69 @@ It is an ordered list of rules. The first rule that matches the destination will
 ## Report
 Once the job is over, bolt will add a egress traffic report to the job summary. The report will show the egress traffic and the rules that were applied. A sample report is shown below.
 
-### Egress Report - powered by Bolt
-#### Bolt Configuration
-
-|Option | Value |
-|---|---|
-| Mode | audit |
-| Default Policy | block-all |
-| Allow HTTP | false |
-
-#### Custom Egress Rules
-```yaml
-- name: 'Allow ifconfig.me'
-  action: 'allow'
-  destinatiom: 'ifconfig.me'
-```
-#### Egress Traffic
-> [!NOTE]
->
-> Running in Audit mode. Unverified destinations will be blocked in Active mode.
-<table><tr><th>Destination</th><th>Scheme</th><th>Rule</th><th>Action</th></tr><tr><td>github.com</td><td>https</td><td>Reqd by GitHub Action</td><td>✅</td></tr><tr><td>packages.microsoft.com</td><td>https</td><td>Default Policy - block-all</td><td>Unknown Destination</td></tr><tr><td>results-receiver.actions.githubusercontent.com</td><td>https</td><td>Reqd by GitHub Action</td><td>✅</td></tr><tr><td>ppa.launchpadcontent.net</td><td>https</td><td>Default Policy - block-all</td><td>Unknown Destination</td></tr><tr><td>esm.ubuntu.com</td><td>https</td><td>Default Policy - block-all</td><td>Unknown Destination</td></tr><tr><td>azure.archive.ubuntu.com</td><td>http</td><td>allow_http is False</td><td>Unknown Destination</td></tr><tr><td>www.google.com</td><td>https</td><td>Default Policy - block-all</td><td>Unknown Destination</td></tr><tr><td>ifconfig.me</td><td>https</td><td>Allow ifconfig.me</td><td>✅</td></tr><tr><td>pipelinesghubeus6.actions.githubusercontent.com</td><td>https</td><td>Reqd by GitHub Action</td><td>✅</td></tr></table>
+<hr>
+
+<h2>⚡ Egress Report - powered by Bolt</h2>
+
+<details open>
+  <summary>
+<h3>🛠️ Bolt Configuration</h3>
+
+  </summary>
+<table><tr><td>Mode</td><td>audit</td></tr><tr><td>Allow HTTP</td><td>false</td></tr><tr><td>Default Policy</td><td>block-all</td></tr></table>
+
+</details>
+
+<details open>
+  <summary>
+    <h4>🔒 Trusted Github Accounts</h4>
+
+  </summary>
+  <table><tr><th>Github Account</th></tr><tr><td>akto-api-security</td></tr></table>
+
+</details>
+      <blockquote>NOTE: The account in which workflow runs is always trusted.</blockquote>
+<h3>📝 Egress rules</h3>
+<pre lang="yaml"><code>- destination: google.com
+  action: block
+  name: Block Google
+- destination: ifconfig.me
+  action: allow
+  name: Allow ifconfig.me</code></pre>
+<h3>🚨 Requests to untrusted GitHub accounts found</h3>
+
+> [!CAUTION]
+> If you do not recognize these GitHub Accounts, you may want to investigate further. Add them to your trusted GitHub accounts if this is expected. See [Docs](https://github.com/koalalab-inc/bolt?tab=readme-ov-file#configure) for more information.
+
+<details open>
+  <summary>
+    razorpay
+  </summary>
+  <ul>
+    <li>/orgs/razorpay/repos</li>
+  </ul>
+</details>
+        <h3>Egress Traffic</h3>
+<blockquote>NOTE: Running in Audit mode. Unknown/unverified destinations will be blocked in Active mode.</blockquote>
+
+<details open>
+  <summary>
+<h4>🚨 Unknown Destinations</h4>
+
+  </summary>
+<table><tr><th>Destination</th><th>Scheme</th><th>Rule</th><th>Action</th></tr><tr><td>www.google.com</td><td>https</td><td>Default Policy - block-all</td><td>Unknown Destination</td></tr></table>
+
+</details>
+
+<details>
+  <summary>
+<h4>✅ Known Destinations</h4>
+
+  </summary>
+<table><tr><th>Destination</th><th>Scheme</th><th>Rule</th><th>Action</th></tr><tr><td>github.com</td><td>https</td><td>Reqd by Github Action</td><td>✅</td></tr><tr><td>pipelinesghubeus6.actions.githubusercontent.com</td><td>https</td><td>Reqd by Github Action</td><td>✅</td></tr><tr><td>results-receiver.actions.githubusercontent.com</td><td>https</td><td>Reqd by Github Action</td><td>✅</td></tr><tr><td>ifconfig.me</td><td>https</td><td>Allow ifconfig.me</td><td>✅</td></tr><tr><td>api.github.com</td><td>https</td><td>Reqd by Github Action</td><td>✅</td></tr></table>
+
+</details>
+    <a href="https://www.koalalab.com">View detailed analysis of this run on Koalalab!</a>
+<hr>
+
+This report was generated using this workflow file: [bolt-sample.yml](examples/bolt.yml)
diff --git a/__tests__/index.test.js b/__tests__/index.test.js
@@ -10,9 +10,17 @@ jest.mock('../src/main', () => ({
 }))
 
 describe('index', () => {
-  it('calls run when imported', async () => {
-    require('../src/index')
+  it('calls run when imported on linux', async () => {
+    const { init } = require('../src/index')
+    init('linux', 'x64')
 
     expect(run).toHaveBeenCalled()
   })
+
+  it('fails when imported on platform other than linux', async () => {
+    const { init } = require('../src/index')
+    init('darwin', 'x64')
+
+    expect(run).not.toHaveBeenCalled()
+  })
 })
diff --git a/action.yml b/action.yml
@@ -18,6 +18,10 @@ inputs:
     description: 'Default policy for egress traffic - allow-all or block-all'
     required: false
     default: 'block-all'
+  trusted_github_accounts:
+    description: 'Trusted Github accounts'
+    required: false
+    default: '[]'
   egress_rules:
     description: 'Egress rules'
     required: false

diff --git a/badges/coverage.svg b/badges/coverage.svg