fix: harden harden-runner egress policy #477

Merged 3 commits on Sep 5, 2024
Changes from 2 commits
6 changes: 5 additions & 1 deletion .github/workflows/approval-comment.yaml
@@ -14,7 +14,11 @@ jobs:
- name: Harden Runner
uses: step-security/harden-runner@5c7944e73c4c2a096b17a9cb74d65b6c2bbafbde # v2.9.1
with:
egress-policy: audit
disable-telemetry: true
disable-sudo: true
egress-policy: block
allowed-endpoints: >
github.com:443

- uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
with:
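Review bot: github.com:443 is the only allowed endpoint in approval-comment.yaml, which covers the checkout that follows, but a step that posts the approval comment through the GitHub API (gh, actions/github-script, or a REST call) would need api.github.com:443 as well; because egress-policy is now block rather than audit, a missing endpoint fails the step instead of being logged, so confirm the job has run green on this branch before merging. The disable-sudo: true here is a good addition and worth carrying into the other workflows in this PR that do not need root.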
14 changes: 12 additions & 2 deletions .github/workflows/ci-test.yml
@@ -21,12 +21,22 @@ jobs:
- name: Harden Runner
uses: step-security/harden-runner@5c7944e73c4c2a096b17a9cb74d65b6c2bbafbde # v2.9.1
with:
egress-policy: audit
disable-telemetry: true
egress-policy: block
allowed-endpoints: >
api.github.com:443
coveralls.io:443
github.com:443
objects.githubusercontent.com:443
proxy.golang.org:443
raw.githubusercontent.com:443
storage.googleapis.com:443
sum.golang.org:443

- uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
- uses: ./.github/actions/install-deps
with:
k8sVersion: ${{ matrix.k8sVersion }}
k8sVersion: ${{ matrix.k8sVersion }}
- run: K8S_VERSION=${{ matrix.k8sVersion }} make ci-test
- name: Send coverage
# should only send coverage once https://docs.coveralls.io/parallel-builds
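Review bot: disable-sudo is set in approval-comment.yaml but not here; if `make ci-test` does not need root, add `disable-sudo: true` for consistency, otherwise a one-line comment saying why it is omitted would save the next reader the question. The re-indented `k8sVersion: ${{ matrix.k8sVersion }}` under the install-deps `with:` is a whitespace-only change mixed into the egress hardening; fine to keep, but mention it in the PR description so it is not mistaken for a behaviour change. coveralls.io:443 matches the "Send coverage" step below.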
14 changes: 12 additions & 2 deletions .github/workflows/ci.yml
@@ -5,15 +5,25 @@ on:
pull_request:
workflow_dispatch:
permissions:
contents: read
contents: read
jobs:
ci:
runs-on: ubuntu-latest
steps:
- name: Harden Runner
uses: step-security/harden-runner@5c7944e73c4c2a096b17a9cb74d65b6c2bbafbde # v2.9.1
with:
egress-policy: audit
disable-telemetry: true
egress-policy: block
allowed-endpoints: >
api.github.com:443
github.com:443
objects.githubusercontent.com:443
proxy.golang.org:443
raw.githubusercontent.com:443
storage.googleapis.com:443
sum.golang.org:443
vuln.go.dev:443

- uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
- uses: ./.github/actions/install-deps
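Review bot: the allowed-endpoints list here differs from ci-test.yml only by vuln.go.dev:443 (govulncheck) and the absence of coveralls.io:443; with each workflow now carrying its own copy of the same Go module proxy and GitHub endpoints, any endpoint change has to be repeated in several files, so a short comment naming which step each non-obvious endpoint serves (as e2e.yaml does) would make later pruning safer. As in ci-test.yml, disable-sudo: true is missing; add it unless install-deps needs root. The `contents: read` removal and re-addition at the top of the hunk appears to be indentation only.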
15 changes: 14 additions & 1 deletion .github/workflows/codeql-analysis.yml
@@ -28,7 +28,20 @@ jobs:
- name: Harden Runner
uses: step-security/harden-runner@5c7944e73c4c2a096b17a9cb74d65b6c2bbafbde # v2.9.1
with:
egress-policy: audit
disable-telemetry: true
egress-policy: block
allowed-endpoints: >
api.github.com:443
dc.services.visualstudio.com:443
github.com:443
login.microsoftonline.com:443
objects.githubusercontent.com:443
proxy.golang.org:443
raw.githubusercontent.com:443
storage.googleapis.com:443
sum.golang.org:443
uploads.github.com:443
vuln.go.dev:443

- uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
- uses: ./.github/actions/install-deps
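Review bot: dc.services.visualstudio.com:443 is an Application Insights telemetry ingestion endpoint and login.microsoftonline.com:443 is a Microsoft identity sign-in endpoint; neither is obviously required for a CodeQL scan of a Go build, so either add a comment naming the step that contacts them (as e2e.yaml does for its telemetry entries) or try a run under block without them to confirm they are needed. uploads.github.com:443 for the SARIF upload and vuln.go.dev:443 for govulncheck are expected.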
10 changes: 9 additions & 1 deletion .github/workflows/deflake.yml
@@ -16,7 +16,15 @@ jobs:
- name: Harden Runner
uses: step-security/harden-runner@5c7944e73c4c2a096b17a9cb74d65b6c2bbafbde # v2.9.1
with:
egress-policy: audit
disable-telemetry: true
egress-policy: block
allowed-endpoints: >
api.github.com:443
github.com:443
objects.githubusercontent.com:443
proxy.golang.org:443
storage.googleapis.com:443
sum.golang.org:443

- uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
- uses: ./.github/actions/install-deps
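Review bot: this job also runs ./.github/actions/install-deps, but unlike ci.yml and ci-test.yml the list omits raw.githubusercontent.com:443; if install-deps fetches anything from there (installer scripts are the usual case), this job will fail under block where the others pass. Either confirm that endpoint is genuinely unused here or align the list with ci.yml. disable-sudo: true is also absent, same comment as for ci.yml.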
9 changes: 8 additions & 1 deletion .github/workflows/dependency-review.yml
@@ -19,7 +19,14 @@ jobs:
- name: Harden Runner
uses: step-security/harden-runner@5c7944e73c4c2a096b17a9cb74d65b6c2bbafbde # v2.9.1
with:
egress-policy: audit
disable-telemetry: true
disable-sudo: true
egress-policy: block
allowed-endpoints: >
api.deps.dev:443
api.github.com:443
api.securityscorecards.dev:443
github.com:443

- name: 'Checkout Repository'
uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
8 changes: 6 additions & 2 deletions .github/workflows/e2e-matrix.yaml
@@ -21,7 +21,7 @@ on:

permissions:
contents: read

jobs:
initialize-generative-params:
runs-on: ubuntu-latest
@@ -31,7 +31,11 @@ jobs:
- name: Harden Runner
uses: step-security/harden-runner@5c7944e73c4c2a096b17a9cb74d65b6c2bbafbde # v2.9.1
with:
egress-policy: audit
disable-telemetry: true
disable-sudo: true
egress-policy: block
# no allowed endpoints
allowed-endpoints: >

- id: generate-e2e-run-hash
run: |
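Review bot: an `allowed-endpoints: >` with nothing beneath it yields an empty string, which is valid YAML and does express "no endpoints", but a folded scalar with no content is easy to misread as a truncated list. Since the input is optional, dropping the key and keeping the `# no allowed endpoints` comment next to `egress-policy: block` states the intent more plainly. Also worth confirming that the generate-e2e-run-hash `run:` step that follows is purely local, since any network call it makes now fails hard instead of being audited.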
31 changes: 30 additions & 1 deletion .github/workflows/e2e.yaml
@@ -47,7 +47,36 @@ jobs:
- name: Harden Runner
uses: step-security/harden-runner@5c7944e73c4c2a096b17a9cb74d65b6c2bbafbde # v2.9.1
with:
egress-policy: audit
disable-telemetry: true
egress-policy: block
# - wildcards to allow for variation in targeted clusters
# - clients3.google.com:80 and firebaselogging-pa.googleapis.com:443 - confirmed Skaffol
# likely telemetry, likely can be avoided/blocked with/after "skaffold config set --global collect-metrics false"
allowed-endpoints: >
*.azmk8s.io:443
*.azurecr.io:443
*.data.mcr.microsoft.com:443
aka.ms:443
api.github.com:443
app.aladdin.microsoft.com:443
auth.docker.io:443
azcliextensionsync.blob.core.windows.net:443
clients3.google.com:80
dc.services.visualstudio.com:443
distroless.dev:443
firebaselogging-pa.googleapis.com:443
gist.githubusercontent.com:443
github.com:443
graph.microsoft.com:443
index.docker.io:443
login.microsoftonline.com:443
management.azure.com:443
mcr.microsoft.com:443
objects.githubusercontent.com:443
proxy.golang.org:443
raw.githubusercontent.com:443
storage.googleapis.com:443
sum.golang.org:443

- uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
with:
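Review bot: clients3.google.com:80 is plaintext HTTP egress and, per the comment above it, is Skaffold metrics collection that can be switched off with `skaffold config set --global collect-metrics false`; prefer running that command in the workflow before Skaffold is first used and then removing both clients3.google.com:80 and firebaselogging-pa.googleapis.com:443 from the list, rather than allow-listing unencrypted traffic. The wildcard entries (*.azmk8s.io, *.azurecr.io, *.data.mcr.microsoft.com) are justified by the comment about cluster variation, but they match every host under those zones, not only this project's clusters and registries, which is worth stating next to them so the trade-off is explicit.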
8 changes: 7 additions & 1 deletion .github/workflows/release-trigger.yaml
@@ -19,7 +19,13 @@ jobs:
- name: Harden Runner
uses: step-security/harden-runner@5c7944e73c4c2a096b17a9cb74d65b6c2bbafbde # v2.9.1
with:
egress-policy: audit
disable-telemetry: true
disable-sudo: true
egress-policy: block
allowed-endpoints: >
github.com:443
registry.npmjs.org:443

- uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
with:
fetch-depth: 0
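Review bot: registry.npmjs.org:443 implies an npm install in a later step, and the `fetch-depth: 0` checkout suggests this workflow inspects history to cut a release; if any step then calls the GitHub API (gh release, actions/github-script), it needs api.github.com:443, which is not in the list, so verify with a run under block before relying on it.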
9 changes: 7 additions & 2 deletions .github/workflows/resolve-args.yaml
@@ -7,7 +7,7 @@ on:

permissions:
contents: read

jobs:
resolve:
runs-on: ubuntu-latest
@@ -18,7 +18,12 @@ jobs:
- name: Harden Runner
uses: step-security/harden-runner@5c7944e73c4c2a096b17a9cb74d65b6c2bbafbde # v2.9.1
with:
egress-policy: audit
disable-sudo: true
disable-telemetry: true
egress-policy: block
allowed-endpoints: >
api.github.com:443
github.com:443

- uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
- if: github.event_name == 'workflow_run'
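Review bot: the key order here (disable-sudo before disable-telemetry) differs from the other workflows in this PR, which put disable-telemetry first; purely cosmetic, but the blocks are otherwise identical and a consistent order makes cross-workflow diffs easier to compare. The `if: github.event_name == 'workflow_run'` step below presumably queries the triggering run through the API; api.github.com:443 is present, so that should work under block.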
21 changes: 20 additions & 1 deletion .github/workflows/scorecards.yml
@@ -33,7 +33,26 @@ jobs:
- name: Harden Runner
uses: step-security/harden-runner@5c7944e73c4c2a096b17a9cb74d65b6c2bbafbde # v2.9.1
with:
egress-policy: audit
disable-sudo: true
disable-telemetry: true
egress-policy: block
allowed-endpoints: >
api.deps.dev:443
api.github.com:443
api.osv.dev:443
api.scorecard.dev:443
api.securityscorecards.dev:443
auth.docker.io:443
bestpractices.coreinfrastructure.org:443
fulcio.sigstore.dev:443
github.com:443
index.docker.io:443
mcr.microsoft.com:443
oss-fuzz-build-logs.storage.googleapis.com:443
rekor.sigstore.dev:443
sigstore-tuf-root.storage.googleapis.com:443
tuf-repo-cdn.sigstore.dev:443
www.bestpractices.dev:443

- name: "Checkout code"
uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
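Review bot: both api.scorecard.dev:443 and api.securityscorecards.dev:443, and both www.bestpractices.dev:443 and bestpractices.coreinfrastructure.org:443, are listed; these look like current and legacy hostnames of the same services, so a comment saying which ones the pinned scorecard action version actually contacts (or a run under block with only the current names) would let the legacy entries be pruned. The Sigstore entries (fulcio.sigstore.dev, rekor.sigstore.dev, sigstore-tuf-root, tuf-repo-cdn.sigstore.dev) are expected for the action's signed result publishing, and oss-fuzz-build-logs.storage.googleapis.com:443 is presumably for the Fuzzing check; a one-line comment per group would make this the easiest list in the PR to maintain.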