Skip to content

Commit

Permalink
Release v2.4.0 (#292)
Browse files Browse the repository at this point in the history
  • Loading branch information
varunsh-coder authored May 4, 2023
1 parent 6dacdfc commit 128a634
Show file tree
Hide file tree
Showing 6 changed files with 15 additions and 14 deletions.
17 changes: 9 additions & 8 deletions README.md
Original file line number Diff line number Diff line change
Expand Up @@ -15,11 +15,11 @@

---

Harden-Runner GitHub Action installs a security agent on the GitHub-hosted runner (Ubuntu VM) to
🔒 Harden-Runner GitHub Action installs a security agent on the GitHub-hosted runner (Ubuntu VM) to

1. Prevent exfiltration of credentials
2. Detect tampering of source code during build
3. Detect compromised dependencies and build tools
1. Prevent exfiltration of credentials 🔑
2. Detect tampering of source code during build 🕵️
3. Detect compromised dependencies and build tools 🚨


<p align="center">
Expand Down Expand Up @@ -77,19 +77,20 @@ For details, check out the documentation at https://docs.stepsecurity.io
<img src="images/main-screenshot1.png" alt="Policy recommended by harden-runner">
</p>
### Restrict egress traffic to allowed endpoints
### 🚦 Restrict egress traffic to allowed endpoints
Once allowed endpoints are set in the policy in the workflow file, or in the [Policy Store](https://docs.stepsecurity.io/harden-runner/how-tos/block-egress-traffic#2-add-the-policy-using-the-policy-store)
- Harden-Runner blocks egress traffic at the DNS (Layer 7) and network layers (Layers 3 and 4).
- It blocks DNS exfiltration, where attacker tries to send data out using DNS resolution
- Blocks outbound traffic using IP tables
- Wildcard domains are supported, e.g. you can add `*.data.mcr.microsoft.com:443` to the allowed list, and egress traffic will be allowed to `eastus.data.mcr.microsoft.com:443` and `westus.data.mcr.microsoft.com:443`.

<p align="left">
<img src="images/block-outbound-call.png" alt="Policy recommended by harden-runner" >
</p>

### Detect tampering of source code during build
### 🕵️ Detect tampering of source code during build

Harden-Runner monitors file writes and can detect if a file is overwritten.

Expand All @@ -101,7 +102,7 @@ Harden-Runner monitors file writes and can detect if a file is overwritten.
<img src="images/fileoverwrite.png" alt="Policy recommended by harden-runner" >
</p>

### Run your job without sudo access
### 🚫 Run your job without sudo access

GitHub-hosted runner uses passwordless sudo for running jobs.

Expand All @@ -110,7 +111,7 @@ GitHub-hosted runner uses passwordless sudo for running jobs.
recommendation to disable sudo in the insights page
- When you set `disable-sudo` to `true`, the job steps run without sudo access to the Ubuntu VM

### Get security alerts
### 🔔 Get security alerts

Install the [Harden Runner App](https://github.com/marketplace/harden-runner-app) to get security alerts.

Expand Down
4 changes: 2 additions & 2 deletions dist/pre/index.js

Some generated files are not rendered by default. Learn more about how customized files appear on GitHub.

2 changes: 1 addition & 1 deletion dist/pre/index.js.map

Large diffs are not rendered by default.

2 changes: 1 addition & 1 deletion package.json
Original file line number Diff line number Diff line change
@@ -1,6 +1,6 @@
{
"name": "step-security-harden-runner",
"version": "2.3.1",
"version": "2.4.0",
"description": "Security agent for GitHub-hosted runner to monitor the build process",
"main": "index.js",
"scripts": {
Expand Down
2 changes: 1 addition & 1 deletion src/checksum.ts
Original file line number Diff line number Diff line change
Expand Up @@ -10,7 +10,7 @@ export function verifyChecksum(downloadPath: string) {
.digest("hex"); // checksum of downloaded file

const expectedChecksum: string =
"10fd5587cfeba6aac4125be78ee32f60d5e780de10929f454525670c4c16935d"; // checksum for v0.12.2
"a1e79e4d7323a63a845c446b9a964a772b0ab7dff9fc94f8a1d10e901f2acde1"; // checksum for v0.13.2

if (checksum !== expectedChecksum) {
core.setFailed(
Expand Down
2 changes: 1 addition & 1 deletion src/setup.ts
Original file line number Diff line number Diff line change
Expand Up @@ -145,7 +145,7 @@ import * as utils from '@actions/cache/lib/internal/cacheUtils'
let auth = `token ${token}`;

const downloadPath: string = await tc.downloadTool(
"https://github.com/step-security/agent/releases/download/v0.12.2/agent_0.12.2_linux_amd64.tar.gz",
"https://github.com/step-security/agent/releases/download/v0.13.2/agent_0.13.2_linux_amd64.tar.gz",
undefined,
auth
);
Expand Down

0 comments on commit 128a634

Please sign in to comment.