Does not work with some container images #124

Closed
Tracked by #125
wallies opened this issue Apr 19, 2022 · 3 comments

Comments

wallies commented Apr 19, 2022

  semgrep:
    permissions:
      contents: read # for actions/checkout to fetch code
    name: semgrep-scan
    runs-on: ubuntu-20.04
    container:
      image: returntocorp/semgrep
    if: (github.actor != 'dependabot[bot]')
    steps:
    - name: Harden Runner
      uses: step-security/harden-runner@9b0655f430fba8c7001d4e38f8d4306db5c6e0ab
      with:
        egress-policy: audit

    - uses: actions/checkout@3df53dd32d858478710a6127bcd8b9d8b7182e16
    - run: semgrep ci || true

This fails with the below error

/bin/sh: sudo: not found
Error: Command failed: sudo mkdir -p /home/agent
/bin/sh: sudo: not found
varunsh-coder (Member) commented

Hi @wallies, harden-runner does not work when run inside a container. It needs to be run on the Ubuntu VM, as it needs sudo access. So this line, `container: image: returntocorp/semgrep`, is causing the error. At the same time, it should not cause the workflow to fail. I will solve that part, so it can detect that it is in a container, do a no-op, and write a warning message.

In this case is it possible for you to not use the container to run, but instead install semgrep using an Action?
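One way to restructure the job along those lines, as an added example rather than a configuration from this issue or from the harden-runner project: the `container:` key is dropped so Harden Runner runs directly on the VM where `sudo` exists, and semgrep is installed onto the runner from PyPI before `semgrep ci` runs. It assumes the hosted Ubuntu runner puts pip-installed entry points on `PATH` (true for `~/.local/bin` on GitHub-hosted runners) and leaves the semgrep version unpinned; a hypothetical version pin is shown only as a comment.

```yaml
jobs:
  semgrep:
    name: semgrep-scan
    # No `container:` key here: Harden Runner needs sudo, which the
    # returntocorp/semgrep image does not provide.
    runs-on: ubuntu-20.04
    permissions:
      contents: read # for actions/checkout to fetch code
    if: (github.actor != 'dependabot[bot]')
    steps:
      - name: Harden Runner
        uses: step-security/harden-runner@9b0655f430fba8c7001d4e38f8d4306db5c6e0ab
        with:
          egress-policy: audit

      - uses: actions/checkout@3df53dd32d858478710a6127bcd8b9d8b7182e16

      # Install semgrep on the VM instead of running the job inside the
      # returntocorp/semgrep image. Pin a release in practice, e.g.
      # `semgrep==<version>` (version left unpinned here; it is an assumption
      # that whatever PyPI serves is acceptable for the illustration).
      - name: Install semgrep
        run: python3 -m pip install semgrep

      - run: semgrep ci || true
```

Because every step now runs on the VM, Harden Runner's audit covers the pip download and the `semgrep ci` upload as well; once the audit log shows the hosts the job actually contacts, `egress-policy` can be switched from `audit` to `block` with an explicit `allowed-endpoints` list (both are documented inputs of the action) so that any other outbound connection from the job is refused.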

varunsh-coder (Member) commented

@wallies the latest release

  • does not fail the workflow if harden-runner is run in a container
  • shows a message that the job will not be monitored (example)
  • adds a limitations section to readme file to talk about this limitation

I have also linked to an issue in secure-workflows so app.stepsecurity.io does not add harden-runner if job is running in a container.

Please let me know if I can go ahead and close this issue.

wallies commented Apr 23, 2022

Thanks @varunsh-coder. Works perfectly

@wallies wallies closed this as completed Apr 23, 2022
Zeitsperre added a commit to Ouranosinc/xclim that referenced this issue Feb 19, 2024
### What kind of change does this PR introduce?

* Removes the Harden Runner step in `finish` as it does not work with container images

### Does this PR introduce a breaking change?

No.

### Other information:

step-security/harden-runner#124