Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Github: Add rule type that verifies that harden runner is the first step #141

Closed
wants to merge 1 commit into from
Closed

Github: Add rule type that verifies that harden runner is the first step #141

wants to merge 1 commit into from

Conversation

JAORMX
Copy link
Contributor

@JAORMX JAORMX commented Aug 22, 2024

this adds a rule that verifies that the harden-runner action is part
of the first step of each workflow.

To test, you may call it as part of a profile that looks as follows:

---
version: v1
type: profile
name: harden-runner
context:
  provider: github
repository:
  - type: step_security_harden_runner_enabled
    def: {}

Signed-off-by: Juan Antonio Osorio [email protected]

jhrozek
jhrozek reviewed Aug 22, 2024
View reviewed changes
rule-types/github/step_security_harden_runner_enabled.yaml Outdated
```

For more information, see
https://github.com/marketplace/actions/aqua-security-trivy
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Why do we point to trivy?

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

oops!!

@jhrozek
Copy link
Contributor

jhrozek commented Aug 22, 2024

The rule looks good, do you want to submit the placeholders for tests to get a green CI run?

@jhrozek jhrozek closed this Aug 22, 2024
@jhrozek
Copy link
Contributor

jhrozek commented Aug 22, 2024

Crap, I clicked the wrong button and closed the PR by accident. Sorry!

@jhrozek jhrozek reopened this Aug 22, 2024
@JAORMX
Github: Add rule type that verifies that harden runner is the first step
6bc7bfe 
this adds a rule that verifies that the `harden-runner` action is part
of the first step of each workflow.

To test, you may call it as part of a profile that looks as follows:

```yaml
---
version: v1
type: profile
name: harden-runner
context:
  provider: github
repository:
  - type: step_security_harden_runner_enabled
    def: {}
```

Signed-off-by: Juan Antonio Osorio <[email protected]>
@JAORMX
Copy link
Contributor Author

JAORMX commented Aug 22, 2024

The rule looks good, do you want to submit the placeholders for tests to get a green CI run?

@jhrozek I can do that. However, I don't think we should block on that. External contributors wouldn't be able to add new rule types.

@jhrozek
Copy link
Contributor

jhrozek commented Aug 22, 2024

The rule looks good, do you want to submit the placeholders for tests to get a green CI run?

@jhrozek I can do that. However, I don't think we should block on that. External contributors wouldn't be able to add new rule types.

We don't have to block on that but should at least silence the warning by either writing a test or putting the placeholders in the test repo or else all subsequent PRs to this repo would fail this check.

@evankanderson
Copy link
Member

So, two issues that are a gap from where we are today:

No remediations

This rule fires an alert, but despite the description of the remediation being pretty simple, we have no way to actually perform the remediation, because it involves:

  1. Altering existing files, and we can only rewrite with mostly-fixed contents
  2. We need to patch multiple arbitrary files, and we can only target a fixed number of fixed-name files.

Incomplete checks and remediation

This only does step 1 of the instructions.

  1. Add the step-security/harden-runner GitHub Action to your GitHub Actions workflow file as the first step in each job. You can automate adding Harden-Runner Action to your workflow file by pasting your workflow in the StepSecurity online tool.
  2. In the workflow logs and the job markdown summary, you will see a link to security insights and recommendations.
  3. Click on the link (example link). You will see a process monitor view of network and file events correlated with each step of the job.
  4. In the Recommended Policy tab, you'll find a recommended block policy based on outbound calls aggregated from the current and past runs of the job. You can update your workflow file with this policy, or alternatively, use the Policy Store to apply the policy without modifying the workflow file. From now on, any outbound calls not in the allowed list will be blocked.

I'm not sure how we'd do steps 3 & 4 to fill out the actual policy, assuming that Step Security provided an API for reading these recommendations. We'd run into both the problems from "no remediations" as well as not having a way to fetch the output.

@JAORMX JAORMX marked this pull request as draft August 27, 2024 13:03
@JAORMX JAORMX closed this Oct 14, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@jhrozek jhrozek jhrozek approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@JAORMX @jhrozek @evankanderson