You can use [GitHub Actions Goat](https://github.com/step-security/github-actions-goat) to try Harden-Runner. You only need a GitHub Account and a web browser.
+
+
Hands-on Tutorials for GitHub Actions Runtime Security:
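Review bot: the added line `Hands-on Tutorials for GitHub Actions Runtime Security:` is plain text with a trailing colon, but every other section in this README is introduced with a `##`/`###` heading (for example `### Actions Runner Controller (ARC) Runners` further down); make it a heading of the same level as its neighbours, or drop the colon if it is only a lead-in sentence for the bullet list that follows. It also sits directly under the sentence "You can use GitHub Actions Goat to try Harden-Runner. You only need a GitHub Account and a web browser.", so consider one short intro that names the Goat repo as the tutorial entry point rather than two separate lead-ins.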
@@ -72,11 +80,14 @@ Read this [case study](https://infosecwriteups.com/detecting-malware-packages-in
### Actions Runner Controller (ARC) Runners
-
- Rather than incorporating the Harden-Runner GitHub Action into each workflow, you'll need to install the ARC Harden Runner daemonset on your Kubernetes cluster.
-
- Upon deployment, the ARC Harden Runner daemonset constantly monitors each workflow run; you do NOT need to add the Harden-Runner GitHub Action to each job for `audit` mode.
-
- You can access security insights and runtime detections under the Runtime Security tab in your dashboard.
-
- You do need to add the Harden-Runner GitHub Action for `block` mode.
-
- Explore demo workflows using self-hosted ARC Runner and ARC Harden Runner here: https://docs.stepsecurity.io/harden-runner/how-tos/enable-runtime-security-arc
+
> Explore demo workflows using self-hosted ARC Runner and ARC Harden-Runner [here](https://docs.stepsecurity.io/harden-runner/how-tos/enable-runtime-security-arc).
+
+
Actions Runner Controller (ARC) is a Kubernetes operator that orchestrates and scales self-hosted runners for GitHub Actions.
+
+
- Instead of adding the Harden-Runner GitHub Action in each workflow, you'll need to install the ARC Harden-Runner daemonset on your Kubernetes cluster.
+
- Upon installation, the ARC Harden-Runner daemonset constantly monitors each workflow run; you do NOT need to add the Harden-Runner GitHub Action to each job for `audit` mode. You do need to add the Harden-Runner GitHub Action for `block` mode.
+
- You can access security insights and runtime detections under the `Runtime Security` tab in your dashboard.
+
## Support for ARC and Private Repositories
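Review bot: the `> Explore demo workflows using self-hosted ARC Runner and ARC Harden-Runner [here](...)` callout now comes before the sentence that defines Actions Runner Controller, so a reader meets "ARC Runner" and "ARC Harden-Runner" before either term is explained; keep the definition ("Actions Runner Controller (ARC) is a Kubernetes operator ...") first and put the demo-workflow link after the three bullets, where the removed version had it as the last item. The link text "here" carries no information on its own; something like "Explore the [ARC Harden-Runner demo workflows](...)" reads better and is friendlier to screen readers. Finally, the merged bullet "you do NOT need to add the Harden-Runner GitHub Action to each job for `audit` mode. You do need to add the Harden-Runner GitHub Action for `block` mode." is the one operational requirement in this section; it is worth stating outright that the daemonset on its own only observes, so a cluster where only the daemonset is installed is in audit mode and blocks nothing until the action is added to the job.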
@@ -94,21 +105,31 @@ Read this [case study on how Kapiche uses Harden-Runner](https://www.stepsecurit
For details, check out the documentation at https://docs.stepsecurity.io
-
### 🚦 Restrict egress traffic to allowed endpoints
+
### 👀 Monitor egress traffic
+
+
> Applies to both GitHub-Hosted and self-hosted ARC Runners
+
+
Harden-Runner monitors all outbound traffic from each job at the DNS and network layers
+
+
- After the workflow completes, each outbound call is correlated with each step of the job, and shown in the insights page
+
- For ARC Harden-Runner, no changes are needed to workflow files to monitor egress traffic
+
- A filtering (block) egress policy is suggested in the insights page based on past job runs
+
+
### 🚦 Filter egress traffic to allowed endpoints
> Applies to both GitHub-Hosted and self-hosted ARC Runners
Once allowed endpoints are set in the policy in the workflow file, or in the [Policy Store](https://docs.stepsecurity.io/harden-runner/how-tos/block-egress-traffic#2-add-the-policy-using-the-policy-store)
-
- Harden-Runner blocks egress traffic at the DNS (Layer 7) and network layers (Layers 3 and 4).
+
- Harden-Runner blocks egress traffic at the DNS (Layer 7) and network layers (Layers 3 and 4)
- It blocks DNS exfiltration, where attacker tries to send data out using DNS resolution
-
- Wildcard domains are supported, e.g. you can add `*.data.mcr.microsoft.com:443` to the allowed list, and egress traffic will be allowed to `eastus.data.mcr.microsoft.com:443` and `westus.data.mcr.microsoft.com:443`.
+
- Wildcard domains are supported, e.g. you can add `*.data.mcr.microsoft.com:443` to the allowed list, and egress traffic will be allowed to `eastus.data.mcr.microsoft.com:443` and `westus.data.mcr.microsoft.com:443`
<p align="left">
<img src="images/block-outbound-call.png" alt="Policy recommended by harden-runner" >
</p>
-
### 🕵️ Detect tampering of source code during build
+
### 📁 Detect tampering of source code during build
> Applies to both GitHub-Hosted and self-hosted ARC Runners
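Review bot: the new "Monitor egress traffic" section says "A filtering (block) egress policy is suggested in the insights page based on past job runs" but gives no caveat that an allowlist learned from observed runs only contains endpoints those runs actually contacted; a conditional step, a matrix leg that did not run, or a dependency added later will be blocked the moment the policy is applied, so the text should tell readers to review the suggested policy and keep `audit` mode running long enough to cover all code paths before switching to `block`. Separately, the callout `> Applies to both GitHub-Hosted and self-hosted ARC Runners` now appears verbatim under "Monitor egress traffic" and again under "Filter egress traffic" in consecutive sections; one instance above both would avoid the repetition. The `<img src="images/block-outbound-call.png" alt="Policy recommended by harden-runner">` screenshot still sits under "Filter" even though the recommendation it illustrates is now described under "Monitor"; consider moving it up next to the bullet that mentions the suggested policy. The bullet "It blocks DNS exfiltration, where attacker tries to send data out using DNS resolution" is also missing an article ("where an attacker tries ...") and could be fixed while the neighbouring bullets are being retouched.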
@@ -170,7 +191,7 @@ For GitHub-hosted runners, Harden-Runner GitHub Action downloads and installs th
### GitHub-Hosted Runners
1. Only Ubuntu VM is supported. Windows and MacOS GitHub-hosted runners are not supported. There is a discussion about that [here](https://github.com/step-security/harden-runner/discussions/121).
-
2. Harden-Runner is not supported when [job is run in a container](https://docs.github.com/en/actions/using-jobs/running-jobs-in-a-container) as it needs sudo access on the Ubuntu VM to run. It can be used to monitor jobs that use containers to run steps. The limitation is if the entire job is run in a container. That is not common for GitHub Actions workflows, as most of them run directly on `ubuntu-latest`. Note: This is not a limitation for ARC HardenRunner. With ARC HardenRunner, you can monitor jobs that run in a container.
+
2. Harden-Runner is not supported when [job is run in a container](https://docs.github.com/en/actions/using-jobs/running-jobs-in-a-container) as it needs sudo access on the Ubuntu VM to run. It can be used to monitor jobs that use containers to run steps. The limitation is if the entire job is run in a container. That is not common for GitHub Actions workflows, as most of them run directly on `ubuntu-latest`. Note: This is not a limitation for ARC Harden-Runner. With ARC Harden-Runner, you can monitor jobs that run in a container.
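Review bot: item 2 contradicts itself within a single paragraph ("Harden-Runner is not supported when job is run in a container ... Note: This is not a limitation for ARC Harden-Runner"), and the sentence "That is not common for GitHub Actions workflows, as most of them run directly on `ubuntu-latest`" is an unsupported generalisation that does not help a reader decide whether their workflow is affected. The rename `ARC HardenRunner` to `ARC Harden-Runner` (twice) that this hunk makes is correct and matches the spelling used elsewhere in the README, but since the whole line is being rewritten anyway, suggest splitting it into two clear statements: for GitHub-hosted runners, a job with a job-level `container:` is not supported because the action needs sudo on the Ubuntu VM, while steps that merely run containers are monitored normally; for ARC Harden-Runner, jobs that run in a container are supported. Dropping the "most of them" sentence removes the unverifiable claim without losing any guidance.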