From 452ceb49ede832adce81906f608560c6626b79d8 Mon Sep 17 00:00:00 2001 From: Tom Willis Date: Fri, 21 Jun 2024 16:50:23 -0500 Subject: [PATCH 1/4] Add Step Security Hardening auditing for GHA runners --- .github/workflows/auto-merge-dependabot-workflow.yaml | 6 ++++++ .github/workflows/codeql.yaml | 6 ++++++ .github/workflows/labeler.yml | 6 ++++++ .github/workflows/release.yml | 6 ++++++ .github/workflows/tests.yml | 6 ++++++ 5 files changed, 30 insertions(+) diff --git a/.github/workflows/auto-merge-dependabot-workflow.yaml b/.github/workflows/auto-merge-dependabot-workflow.yaml index bd1b72f8..44164386 100644 --- a/.github/workflows/auto-merge-dependabot-workflow.yaml +++ b/.github/workflows/auto-merge-dependabot-workflow.yaml @@ -15,6 +15,12 @@ jobs: is_bot1: ${{ github.actor == 'dependabot[bot]' }} is_bot2: ${{ github.actor == 'dependabot-preview[bot]' }} steps: + - name: Harden Runner + uses: step-security/harden-runner@17d0e2bd7d51742c71671bd19fa12bdc9d40a3d6 # v2.8.1 + with: + egress-policy: audit + disable-telemetry: false + - name: Dependabot metadata id: metadata uses: dependabot/fetch-metadata@5e5f99653a5b510e8555840e80cbf1514ad4af38 # v2.1.0 diff --git a/.github/workflows/codeql.yaml b/.github/workflows/codeql.yaml index 7da51c20..aeb4c1de 100644 --- a/.github/workflows/codeql.yaml +++ b/.github/workflows/codeql.yaml @@ -39,6 +39,12 @@ jobs: # Learn more about CodeQL language support at https://aka.ms/codeql-docs/language-support steps: + - name: Harden Runner + uses: step-security/harden-runner@17d0e2bd7d51742c71671bd19fa12bdc9d40a3d6 # v2.8.1 + with: + egress-policy: audit + disable-telemetry: false + - name: Checkout repository uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 diff --git a/.github/workflows/labeler.yml b/.github/workflows/labeler.yml index 131f4c5f..e036e717 100644 --- a/.github/workflows/labeler.yml +++ b/.github/workflows/labeler.yml @@ -9,6 +9,12 @@ jobs: labeler: runs-on: ubuntu-latest steps: + - name: Harden Runner + uses: step-security/harden-runner@17d0e2bd7d51742c71671bd19fa12bdc9d40a3d6 # v2.8.1 + with: + egress-policy: audit + disable-telemetry: false + - name: Check out the repository uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index f075b5ce..16a8506f 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -10,6 +10,12 @@ jobs: name: Release runs-on: ubuntu-latest steps: + - name: Harden Runner + uses: step-security/harden-runner@17d0e2bd7d51742c71671bd19fa12bdc9d40a3d6 # v2.8.1 + with: + egress-policy: audit + disable-telemetry: false + - name: Check out the repository uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 with: diff --git a/.github/workflows/tests.yml b/.github/workflows/tests.yml index e1ea980a..b0ccd42f 100644 --- a/.github/workflows/tests.yml +++ b/.github/workflows/tests.yml @@ -37,6 +37,12 @@ jobs: PRE_COMMIT_COLOR: "always" steps: + - name: Harden Runner + uses: step-security/harden-runner@17d0e2bd7d51742c71671bd19fa12bdc9d40a3d6 # v2.8.1 + with: + egress-policy: audit + disable-telemetry: false + - name: Check out the repository uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 From f1e91f73e3a7528927e492a563440c891f90e130 Mon Sep 17 00:00:00 2001 From: Tom Willis Date: Fri, 21 Jun 2024 16:58:52 -0500 Subject: [PATCH 2/4] Add recommended hardening, so far --- .github/workflows/auto-merge-dependabot-workflow.yaml | 4 +++- .github/workflows/codeql.yaml | 4 ++++ .github/workflows/tests.yml | 8 ++++++++ 3 files changed, 15 insertions(+), 1 deletion(-) diff --git a/.github/workflows/auto-merge-dependabot-workflow.yaml b/.github/workflows/auto-merge-dependabot-workflow.yaml index 44164386..5a15a089 100644 --- a/.github/workflows/auto-merge-dependabot-workflow.yaml +++ b/.github/workflows/auto-merge-dependabot-workflow.yaml @@ -18,9 +18,11 @@ jobs: - name: Harden Runner uses: step-security/harden-runner@17d0e2bd7d51742c71671bd19fa12bdc9d40a3d6 # v2.8.1 with: + disable-sudo: true egress-policy: audit disable-telemetry: false - + allowed-endpoints: > + api.github.com:443 - name: Dependabot metadata id: metadata uses: dependabot/fetch-metadata@5e5f99653a5b510e8555840e80cbf1514ad4af38 # v2.1.0 diff --git a/.github/workflows/codeql.yaml b/.github/workflows/codeql.yaml index aeb4c1de..2f4ee8d4 100644 --- a/.github/workflows/codeql.yaml +++ b/.github/workflows/codeql.yaml @@ -42,8 +42,12 @@ jobs: - name: Harden Runner uses: step-security/harden-runner@17d0e2bd7d51742c71671bd19fa12bdc9d40a3d6 # v2.8.1 with: + disable-sudo: true egress-policy: audit disable-telemetry: false + allowed-endpoints: > + api.github.com:443 + github.com:44 - name: Checkout repository uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 diff --git a/.github/workflows/tests.yml b/.github/workflows/tests.yml index b0ccd42f..7482e292 100644 --- a/.github/workflows/tests.yml +++ b/.github/workflows/tests.yml @@ -10,6 +10,9 @@ concurrency: group: ${{ github.workflow }}-${{ github.ref || github.ref_name }} cancel-in-progress: true +permissions: + contents: read + jobs: tests: name: ${{ matrix.session }} ${{ matrix.python }} / ${{ matrix.os }} @@ -40,8 +43,13 @@ jobs: - name: Harden Runner uses: step-security/harden-runner@17d0e2bd7d51742c71671bd19fa12bdc9d40a3d6 # v2.8.1 with: + disable-sudo: true egress-policy: audit disable-telemetry: false + allowed-endpoints: > + files.pythonhosted.org:443 + github.com:443 + pypi.org:443 - name: Check out the repository uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 From dbbf6b58626c399256c0ed7cd87aec2ead4d765e Mon Sep 17 00:00:00 2001 From: Tom Willis Date: Fri, 21 Jun 2024 16:59:02 -0500 Subject: [PATCH 3/4] Add recommended hardening, so far --- .github/workflows/benchmark.yaml | 1 + .github/workflows/labeler.yml | 1 + .github/workflows/release.yml | 1 + 3 files changed, 3 insertions(+) diff --git a/.github/workflows/benchmark.yaml b/.github/workflows/benchmark.yaml index 14f6a9c6..2e11c1e7 100644 --- a/.github/workflows/benchmark.yaml +++ b/.github/workflows/benchmark.yaml @@ -22,6 +22,7 @@ jobs: - name: Harden Runner uses: step-security/harden-runner@17d0e2bd7d51742c71671bd19fa12bdc9d40a3d6 # v2.8.1 with: + disable-sudo: true egress-policy: audit disable-telemetry: false allowed-endpoints: > diff --git a/.github/workflows/labeler.yml b/.github/workflows/labeler.yml index e036e717..fdfe9d65 100644 --- a/.github/workflows/labeler.yml +++ b/.github/workflows/labeler.yml @@ -12,6 +12,7 @@ jobs: - name: Harden Runner uses: step-security/harden-runner@17d0e2bd7d51742c71671bd19fa12bdc9d40a3d6 # v2.8.1 with: + disable-sudo: true egress-policy: audit disable-telemetry: false diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index 16a8506f..3eea7e2b 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -13,6 +13,7 @@ jobs: - name: Harden Runner uses: step-security/harden-runner@17d0e2bd7d51742c71671bd19fa12bdc9d40a3d6 # v2.8.1 with: + disable-sudo: true egress-policy: audit disable-telemetry: false From d812b5a73360bd819fde497589f9247c80419e74 Mon Sep 17 00:00:00 2001 From: Tom Willis Date: Fri, 21 Jun 2024 17:10:26 -0500 Subject: [PATCH 4/4] Add ADR --- .../015-github-action-runner-hardening.md | 62 +++++++++++++++++++ 1 file changed, 62 insertions(+) create mode 100644 docs/architectural_decision_records/015-github-action-runner-hardening.md diff --git a/docs/architectural_decision_records/015-github-action-runner-hardening.md b/docs/architectural_decision_records/015-github-action-runner-hardening.md new file mode 100644 index 00000000..d6545307 --- /dev/null +++ b/docs/architectural_decision_records/015-github-action-runner-hardening.md @@ -0,0 +1,62 @@ +# 15. Use Step Security for GitHub Actions Runner Hardening + +## Date + +2024-06-21 + +## Status + +Approved + +## Context + +Our CI/CD pipelines utilize GitHub Actions to automate builds, tests, and deployments. Ensuring the security of these +pipelines is crucial to protect our codebase and sensitive data from potential security threats. + +## Decision + +Our CI/CD pipelines utilize GitHub Actions to automate builds, tests, and deployments. Ensuring the security of these +pipelines is crucial to protect our codebase and sensitive data from potential security threats. + +## Options Considered + +1. **Do Nothing**: Continue using GitHub Actions without additional security measures. +2. **Custom Security Implementation**: Develop our own security hardening scripts and policies. +3. **Use Step Security**: Implement Step Security’s GitHub Action runner hardening. + +## Decision Drivers + +- **Security**: We need to enhance the security of our GitHub Actions runners to protect against unauthorized access and +- vulnerabilities. +- **Simplicity**: We prefer a solution that is easy to implement and maintain without extensive custom development. +- **Compliance**: We need to meet specific security compliance requirements. +- **Cost**: We aim for a cost-effective solution. + +## Decision Outcome + +We have chosen to use Step Security’s GitHub Action runner hardening. This decision is based on the following reasons: + +- **Enhanced Security**: Step Security provides a comprehensive set of security features that address our needs for +- environment isolation, least privilege, network restrictions, and more. +- **Ease of Use**: The solution integrates seamlessly with our existing GitHub Actions workflows with minimal +- configuration effort. +- **Compliance and Auditability**: Step Security provides detailed audit logs and helps ensure compliance with +- security standards. +- **Cost-Effective**: Using a third-party solution saves us time and resources compared to developing and maintaining +- custom security scripts. + +## Consequences + +### Positive + +- Improved Security: Our CI/CD pipelines will have enhanced protection against security threats. +- Simplified Compliance: Easier to meet security compliance requirements. +- Reduced Development Effort: Leveraging a third-party solution saves time and resources. + +### Negative + +- Dependency on Third-Party: We will rely on Step Security for updates and maintenance of the security features. + +## Review + +This decision will be reviewed periodically to ensure it continues to meet our security and operational needs.