Github: Add rule type that verifies that harden runner is the first step

this adds a rule that verifies that the `harden-runner` action is part of the first step of each workflow. To test, you may call it as part of a profile that looks as follows: ```yaml --- version: v1 type: profile name: harden-runner context: provider: github repository: - type: step_security_harden_runner_enabled def: {} ``` Signed-off-by: Juan Antonio Osorio <[email protected]>
mindersec · Aug 22, 2024 · 6bc7bfe · 6bc7bfe
1 parent 0c8962b
commit 6bc7bfe
Showing 1 changed file with 70 additions and 0 deletions.
diff --git a/rule-types/github/step_security_harden_runner_enabled.yaml b/rule-types/github/step_security_harden_runner_enabled.yaml
@@ -0,0 +1,70 @@
+---
+version: v1
+type: rule-type
+name: step_security_harden_runner_enabled
+severity:
+  value: medium
+context:
+  provider: github
+description: Verifies that Step Security's harden-runner action is enabled
+guidance: |
+  Step Security's harden-runner is not enabled in all pipelines!
+
+  harden-runner detects providers network egress filtering which is critical
+  for malicious pipeline detection in gitHub
+
+  Set it up by adding the following as the first step of each job:
+
+  ```yaml
+    - uses: step-security/harden-runner@17d0e2bd7d51742c71671bd19fa12bdc9d40a3d6 # v2.8.1
+      with:
+        egress-policy: audit
+  ```
+  
+  For more information, see https://github.com/step-security/harden-runner
+def:
+  # Defines the section of the pipeline the rule will appear in.
+  # This will affect the template used to render multiple parts
+  # of the rule.
+  in_entity: repository
+  # Defines the schema for writing a rule with this rule being checked
+  # In this case there are no settings that need to be configured
+  rule_schema: {}
+  # Defines the configuration for ingesting data relevant for the rule
+  ingest:
+    type: git
+    git:
+      branch: main
+  # Defines the configuration for evaluating data ingested against the given profile
+  eval:
+    type: rego
+    rego:
+      type: deny-by-default
+      def: |
+        package minder
+
+        default allow := false
+
+        allow {
+            # List all workflows
+            workflows := file.ls("./.github/workflows")
+
+            # Read all workflows
+            some w
+            workflowstr := file.read(workflows[w])
+
+            workflow := yaml.unmarshal(workflowstr)
+
+            # Iterate jobs
+            job := workflow.jobs[_]
+
+            # Iterate steps
+            first_step := job.steps[0]
+
+            # Check if the step is harden-runner
+            startswith(first_step.uses, "step-security/harden-runner@")
+        }
+  # Defines the configuration for alerting on the rule
+  alert:
+    type: security_advisory
+    security_advisory: {}