Description
I just watched this interesting video from the folks who make the harden-runner action we use:
https://www.youtube.com/watch?v=Yz72qAOrN9s
We're currently using harden-runner in audit mode, but I've had it enabled long enough that it should be possible to take their recommended policy and put it into action. For example, here's what they recommend for our test runners. You can see the fairly significant number of network addresses we contact in a normal test run!
```yaml
- name: Harden Runner
  uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0
  with:
    disable-sudo: true
    egress-policy: block
    allowed-endpoints: >
      access.redhat.com:443
      archives.fedoraproject.org:443
      azure.archive.ubuntu.com:80
      curl.se:443
      epss.cyentia.com:443
      esm.ubuntu.com:443
      files.pythonhosted.org:443
      ftp.fr.debian.org:80
      github.com:443
      gitlab.com:443
      mirror.cveb.in:443
      mirror.cveb.in:80
      motd.ubuntu.com:443
      nvd.nist.gov:443
      osv-vulnerabilities.storage.googleapis.com:443
      packages.microsoft.com:443
      ppa.launchpadcontent.net:443
      pypi.org:443
      raw.githubusercontent.com:443
      release-monitoring.org:443
      rpmfind.net:443
      security-tracker.debian.org:443
      services.nvd.nist.gov:443
      storage.googleapis.com:443
      www.cisa.gov:443
      www.sqlite.org:443
```
Link to the full set of info for that run: https://app.stepsecurity.io/github/intel/cve-bin-tool/actions/runs/8971218459?jobid=24636478919&tab=recommendations (not sure if I'm the only one who can see this or if anyone can?)
Link to repo with the README file explaining stuff: https://github.com/step-security/harden-runner
We need to go through their recommendations for the various workflows and probably just make pull requests for each, then monitor to see if they cause any issues. The one above is probably the most complicated of the lot since it's a full test run but I haven't actually looked at them all yet myself.
Incidentally, our mirror is not showing up on the list above, which means we don't have any tests directly for it, and we should change that, so I'll file a separate issue for that.
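A small pre-flight check for the switch from `audit` to `block`, added here as an example (it is not part of cve-bin-tool or of the harden-runner action). It parses the folded `allowed-endpoints` text from a workflow, validates each `host:port` entry the way a reviewer would before merging, flags plain-HTTP (port 80) endpoints, and diffs the policy against a list of endpoints a job is known to need, so a missing entry (such as a mirror nothing currently exercises) shows up before the blocked run does. `RECOMMENDED` is a constructed excerpt of the list above and `REQUIRED`, including `mirror.example.org`, is a placeholder, not the project's real mirror; wildcard entries are not modelled.

```python
"""Pre-flight checks for a harden-runner `allowed-endpoints` list.

Added example, not code from cve-bin-tool or step-security/harden-runner.
Input is the body of the folded `allowed-endpoints: >` YAML scalar, i.e.
whitespace-separated `host:port` tokens. Only plain host:port entries are
handled; wildcard patterns (if any are used) are not modelled here.
"""
import re
from typing import Iterable

# RFC 1123 style hostname: dotted labels of letters/digits/hyphens, no leading
# or trailing hyphen, at least one dot (bare names like `localhost` are rejected).
_HOST_RE = re.compile(
    r"^(?=.{1,253}$)([a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z0-9-]{2,63}$"
)

# Constructed excerpt of the recommended list above.
RECOMMENDED = """
    access.redhat.com:443
    github.com:443
    mirror.cveb.in:443
    mirror.cveb.in:80
    pypi.org:443
    files.pythonhosted.org:443
"""

# Placeholder: endpoints a job is known to need. `mirror.example.org` is an
# invented name standing in for a mirror that no test currently reaches.
REQUIRED = {
    ("github.com", 443),
    ("pypi.org", 443),
    ("mirror.example.org", 443),
}


def parse_endpoint(entry: str) -> tuple[str, int]:
    """Parse one `host:port` token; raise ValueError for anything malformed."""
    host, sep, port_s = entry.rpartition(":")
    if not sep or not port_s.isdigit():
        raise ValueError(f"missing or non-numeric port: {entry!r}")
    port = int(port_s)
    if not 1 <= port <= 65535:
        raise ValueError(f"port out of range: {entry!r}")
    host = host.lower()
    if not _HOST_RE.match(host):
        raise ValueError(f"invalid hostname: {entry!r}")
    return host, port


def is_valid_endpoint(entry: str) -> bool:
    """True if `entry` parses as host:port."""
    try:
        parse_endpoint(entry)
        return True
    except ValueError:
        return False


def parse_allowed_endpoints(text: str) -> set[tuple[str, int]]:
    """Parse the folded scalar body into a set of (host, port); duplicates collapse."""
    return {parse_endpoint(tok) for tok in text.split()}


def missing_endpoints(policy: set[tuple[str, int]],
                      required: Iterable[tuple[str, int]]) -> set[tuple[str, int]]:
    """Endpoints the job needs that the block policy would refuse."""
    return set(required) - policy


def plaintext_endpoints(policy: Iterable[tuple[str, int]]) -> set[tuple[str, int]]:
    """Port-80 entries: allowed egress that is not protected by TLS, worth a look."""
    return {(h, p) for h, p in policy if p == 80}


def render_allowed_endpoints(policy: Iterable[tuple[str, int]], indent: str = "      ") -> str:
    """Sorted, de-duplicated body for the `allowed-endpoints: >` scalar."""
    return "\n".join(f"{indent}{h}:{p}" for h, p in sorted(set(policy)))


if __name__ == "__main__":
    policy = parse_allowed_endpoints(RECOMMENDED)
    for h, p in sorted(missing_endpoints(policy, REQUIRED)):
        print(f"not allowed by policy: {h}:{p}")
    for h, p in sorted(plaintext_endpoints(policy)):
        print(f"plain HTTP egress allowed: {h}:{p}")
    print(render_allowed_endpoints(policy | REQUIRED))
```

Run it against the real recommendation text and a hand-maintained `REQUIRED` set per workflow; the rendered output is the block to paste back into the workflow once the missing entries are accounted for.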