Closed irongut closed 2 years ago
Step | Domain |
---|---|
Checkout (actions/checkout) | github.com:443 |
Setup .NET (actions/setup-dotnet) | dotnetbuilds.azureedge.net:443 |
Setup .NET (actions/setup-dotnet) | dotnetcli.azureedge.net:443 |
Setup .NET (actions/setup-dotnet) | dotnetcli.blob.core.windows.net:443 |
Restore Dependencies | api.nuget.org:443 |
Test EDlib | httpbin.org:443 |
Add PR Comment (marocchino/sticky-pull-request-comment) | api.github.com:443 |
Upload Artifact (actions/upload-artifact) | pipelines.actions.githubusercontent.com:443 |
EDlib Demo | api.taranissoftware.com:443 |
EDlib Demo | www.edsm.net:443 |
EDlib Demo | inara.cz:443 |
Post Complete (provisioner) | gheus23u20scusc21diag.blob.core.windows.net:443 |
The outbound call during the Post Complete (provisioner) step only happens on some runs and does not appear in the Recommended Policy.
```yaml
- name: Harden Runner
  uses: step-security/harden-runner@74b568e8591fbb3115c70f3436a0c6b0909a8504
  with:
    egress-policy: block
    allowed-endpoints: >
      api.github.com:443
      api.nuget.org:443
      api.taranissoftware.com:443
      dotnetbuilds.azureedge.net:443
      dotnetcli.azureedge.net:443
      dotnetcli.blob.core.windows.net:443
      github.com:443
      httpbin.org:443
      inara.cz:443
      pipelines.actions.githubusercontent.com:443
      www.edsm.net:443
```
Step | Domain |
---|---|
Checkout (actions/checkout) | github.com:443 |
Initialize CodeQL (github/codeql-action/init) | api.github.com:443 |
Setup .NET (actions/setup-dotnet) | dotnetbuilds.azureedge.net:443 |
Setup .NET (actions/setup-dotnet) | dotnetcli.azureedge.net:443 |
Setup .NET (actions/setup-dotnet) | dotnetcli.blob.core.windows.net:443 |
Restore Dependencies | api.nuget.org:443 |
Restore Dependencies | dc.services.visualstudio.com:443 |
Build EDlib | api.nuget.org:443 |
Build EDlib | dc.services.visualstudio.com:443 |
Perform CodeQL Analysis (github/codeql-action/analyze) | api.github.com:443 |
Perform CodeQL Analysis (github/codeql-action/analyze) | uploads.github.com:443 |
Post Complete (Runner.Worker) | pipelines.actions.githubusercontent.com:443 |
Post Complete (provisioner) | gheus23u20scusc21diag.blob.core.windows.net:443 |
The outbound call during the Post Complete (provisioner) step only happens on some runs of the workflow, and neither Post Complete call appears in the Recommended Policy.
```yaml
- name: Harden Runner
  uses: step-security/harden-runner@74b568e8591fbb3115c70f3436a0c6b0909a8504
  with:
    egress-policy: block
    allowed-endpoints: >
      api.github.com:443
      api.nuget.org:443
      dc.services.visualstudio.com:443
      dotnetbuilds.azureedge.net:443
      dotnetcli.azureedge.net:443
      dotnetcli.blob.core.windows.net:443
      github.com:443
      uploads.github.com:443
```
After disabling telemetry, the Harden Runner step should be:
```yaml
- name: Harden Runner
  uses: step-security/harden-runner@74b568e8591fbb3115c70f3436a0c6b0909a8504
  with:
    egress-policy: block
    allowed-endpoints: >
      api.github.com:443
      api.nuget.org:443
      dotnetbuilds.azureedge.net:443
      dotnetcli.azureedge.net:443
      dotnetcli.blob.core.windows.net:443
      github.com:443
      uploads.github.com:443
```
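The tables above were turned into allow-lists by hand: collect every observed `Step | Domain` row, drop the runner's own Post Complete calls (which only show up on some runs) and the telemetry endpoint once telemetry is off, then de-duplicate and sort. The script below automates that for the CodeQL workflow table; it is an added example, not code from the EDlib project or from StepSecurity. The table is copied from the issue as constructed input, the Harden Runner SHA is the one pinned in the snippets, and the decisions to exclude steps named `Post Complete ...` and the `dc.services.visualstudio.com:443` endpoint are assumptions mirroring the choices made in this issue.

```python
"""Derive a step-security/harden-runner allow-list from observed egress.

Added example for this issue, not EDlib or StepSecurity code: it reproduces
the manual step of turning observed Step | Domain rows into a sorted,
de-duplicated allowed-endpoints block, and reports what a policy misses.
"""
import re
from typing import Iterable, Sequence

# Commit SHA of harden-runner as pinned in this issue's snippets.
HARDEN_RUNNER_SHA = "74b568e8591fbb3115c70f3436a0c6b0909a8504"

# Constructed input: the CodeQL workflow table from the issue, in the same
# flattened "Step | Domain |" form it appears in above.
OBSERVED_TABLE = """\
Step | Domain |
---|---|
Checkout (actions/checkout) | github.com:443 |
Initialize CodeQL (github/codeql-action/init) | api.github.com:443 |
Setup .NET (actions/setup-dotnet) | dotnetbuilds.azureedge.net:443 |
Setup .NET (actions/setup-dotnet) | dotnetcli.azureedge.net:443 |
Setup .NET (actions/setup-dotnet) | dotnetcli.blob.core.windows.net:443 |
Restore Dependencies | api.nuget.org:443 |
Restore Dependencies | dc.services.visualstudio.com:443 |
Build EDlib | api.nuget.org:443 |
Build EDlib | dc.services.visualstudio.com:443 |
Perform CodeQL Analysis (github/codeql-action/analyze) | api.github.com:443 |
Perform CodeQL Analysis (github/codeql-action/analyze) | uploads.github.com:443 |
Post Complete (Runner.Worker) | pipelines.actions.githubusercontent.com:443 |
Post Complete (provisioner) | gheus23u20scusc21diag.blob.core.windows.net:443 |
"""

# Assumptions (not stated by the issue): steps whose name starts with one of
# these prefixes are runner housekeeping rather than job traffic, and the
# telemetry endpoint disappears once telemetry is disabled, so both are
# left out of the job's allow-list, matching the policies in the issue.
RUNNER_STEP_PREFIXES = ("Post Complete",)
TELEMETRY_ENDPOINTS = frozenset({"dc.services.visualstudio.com:443"})

ENDPOINT_RE = re.compile(r"^[A-Za-z0-9.-]+:\d{1,5}$")


def parse_table(text: str) -> list[tuple[str, str]]:
    """Parse 'Step | Domain |' rows; skips header and separator, validates host:port."""
    rows: list[tuple[str, str]] = []
    for raw in text.splitlines():
        cells = [c.strip() for c in raw.strip().strip("|").split("|")]
        if len(cells) < 2 or cells[0] == "Step" or set(cells[0]) <= {"-"}:
            continue
        step, endpoint = cells[0], cells[1]
        if not ENDPOINT_RE.match(endpoint):
            raise ValueError(f"malformed endpoint {endpoint!r} in step {step!r}")
        rows.append((step, endpoint))
    return rows


def build_allowlist(rows: Iterable[tuple[str, str]], *,
                    skip_step_prefixes: tuple[str, ...] = RUNNER_STEP_PREFIXES,
                    skip_endpoints: frozenset[str] = frozenset()) -> list[str]:
    """Unique, sorted endpoints, minus runner housekeeping and opted-out telemetry."""
    keep: set[str] = set()
    for step, endpoint in rows:
        if step.startswith(skip_step_prefixes) or endpoint in skip_endpoints:
            continue
        keep.add(endpoint)
    return sorted(keep)


def render_harden_runner(endpoints: Sequence[str], sha: str = HARDEN_RUNNER_SHA) -> str:
    """Render the Harden Runner step as it would appear inside a job's steps list."""
    lines = [
        "- name: Harden Runner",
        f"  uses: step-security/harden-runner@{sha}",
        "  with:",
        "    egress-policy: block",
        "    allowed-endpoints: >",
    ]
    lines += [f"      {endpoint}" for endpoint in endpoints]
    return "\n".join(lines) + "\n"


def uncovered(rows: Iterable[tuple[str, str]], policy: Iterable[str]) -> list[tuple[str, str]]:
    """Observed calls absent from the policy: review each before switching to block mode."""
    allowed = set(policy)
    return [(step, endpoint) for step, endpoint in rows if endpoint not in allowed]


if __name__ == "__main__":
    observed = parse_table(OBSERVED_TABLE)
    policy = build_allowlist(observed, skip_endpoints=TELEMETRY_ENDPOINTS)
    print(render_harden_runner(policy))
    for step, endpoint in uncovered(observed, policy):
        print(f"not in policy: {step} -> {endpoint}")
```

Running it prints the same seven-endpoint Harden Runner step shown for the telemetry-disabled case, followed by the four observed calls that step would not allow (the two telemetry calls and the two Post Complete calls), which is the list to check against a later run before relying on `egress-policy: block`.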
Step | Domain |
---|---|
Assign Issues + PRs (srggrs/assign-one-project-github-action) | api.github.com:443 |
```yaml
- name: Harden Runner
  uses: step-security/harden-runner@74b568e8591fbb3115c70f3436a0c6b0909a8504
  with:
    egress-policy: block
    allowed-endpoints: >
      api.github.com:443
```
Step | Domain |
---|---|
Assign PR (samspills/assign-pr-to-author) | api.github.com:443 |
```yaml
- name: Harden Runner
  uses: step-security/harden-runner@74b568e8591fbb3115c70f3436a0c6b0909a8504
  with:
    egress-policy: block
    allowed-endpoints: >
      api.github.com:443
```
Step | Domain |
---|---|
Stale (actions/stale) | api.github.com:443 |
```yaml
- name: Harden Runner
  uses: step-security/harden-runner@74b568e8591fbb3115c70f3436a0c6b0909a8504
  with:
    egress-policy: block
    allowed-endpoints: >
      api.github.com:443
```
Step | Domain |
---|---|
Stale (actions/labeler) | api.github.com:443 |
Post Complete (Runner.Worker) | pipelines.actions.githubusercontent.com:443 |
```yaml
- name: Harden Runner
  uses: step-security/harden-runner@74b568e8591fbb3115c70f3436a0c6b0909a8504
  with:
    egress-policy: block
    allowed-endpoints: >
      api.github.com:443
```
Step | Domain |
---|---|
Checkout (actions/checkout) | github.com:443 |
Deploy to GitHub Pages (peaceiris/actions-gh-pages) | github.com:443 |
```yaml
- name: Harden Runner
  uses: step-security/harden-runner@74b568e8591fbb3115c70f3436a0c6b0909a8504
  with:
    egress-policy: block
    allowed-endpoints: >
      github.com:443
```
Note: only 1 example run of this workflow is available.
There is no example run of this workflow, but we can predict some of the calls it makes from the other build workflows.
Step | Domain |
---|---|
Checkout (actions/checkout) | github.com:443 |
Setup .NET (actions/setup-dotnet) | dotnetbuilds.azureedge.net:443 |
Setup .NET (actions/setup-dotnet) | dotnetcli.azureedge.net:443 |
Setup .NET (actions/setup-dotnet) | dotnetcli.blob.core.windows.net:443 |
Restore Dependencies | api.nuget.org:443 |
Build EDlib | api.nuget.org:443 |
Test EDlib | httpbin.org:443 |
Upload Artifact (actions/upload-artifact) | pipelines.actions.githubusercontent.com:443 |
```yaml
- name: Harden Runner
  uses: step-security/harden-runner@74b568e8591fbb3115c70f3436a0c6b0909a8504
  with:
    egress-policy: block
    allowed-endpoints: >
      api.nuget.org:443
      dotnetbuilds.azureedge.net:443
      dotnetcli.azureedge.net:443
      dotnetcli.blob.core.windows.net:443
      github.com:443
      httpbin.org:443
      pipelines.actions.githubusercontent.com:443
```
Step | Domain |
---|---|
Download Artifacts (actions/download-artifact) | pipelines.actions.githubusercontent.com:443 |
Setup Nuget (NuGet/setup-nuget) | dist.nuget.org:443 |
Push to GitHub Packages | nuget.pkg.github.com:443 |
Add Report to Release (irongut/EditRelease) | api.github.com:443 |
```yaml
- name: Harden Runner
  uses: step-security/harden-runner@74b568e8591fbb3115c70f3436a0c6b0909a8504
  with:
    egress-policy: block
    allowed-endpoints: >
      api.github.com:443
      dist.nuget.org:443
      nuget.pkg.github.com:443
      pipelines.actions.githubusercontent.com:443
```
Step | Domain |
---|---|
Checkout (actions/checkout) | github.com:443 |
Deploy to GitHub Pages (peaceiris/actions-gh-pages) | github.com:443 |
```yaml
- name: Harden Runner
  uses: step-security/harden-runner@74b568e8591fbb3115c70f3436a0c6b0909a8504
  with:
    egress-policy: block
    allowed-endpoints: >
      github.com:443
```
Feature Request
Implement StepSecurity Secure Workflows Harden Runner recommendations.
Expected Behaviour
Workflows will be updated following the recommendations.
Additional Context
Actions not currently in the StepSecurity token permission database:
Linked To
156 Implement StepSecurity Secure Workflows (audit)