irongut / EDlib

A .Net Standard library for creating companion apps for the game Elite Dangerous by Frontier Developments.
MIT License

Implement StepSecurity Secure Workflows (policy) #157

Closed irongut closed 2 years ago

irongut commented 2 years ago

Feature Request

Implement StepSecurity Secure Workflows Harden Runner recommendations.

Expected Behaviour

Workflows will be updated following the recommendations.

Additional Context

Actions not currently in the StepSecurity token permission database:

Linked To

156 Implement StepSecurity Secure Workflows (audit)

irongut commented 2 years ago

CI Build

| Step | Domain |
| --- | --- |
| Checkout (actions/checkout) | github.com:443 |
| Setup .NET (actions/setup-dotnet) | dotnetbuilds.azureedge.net:443 |
| Setup .NET (actions/setup-dotnet) | dotnetcli.azureedge.net:443 |
| Setup .NET (actions/setup-dotnet) | dotnetcli.blob.core.windows.net:443 |
| Restore Dependencies | api.nuget.org:443 |
| Test EDlib | httpbin.org:443 |
| Add PR Comment (marocchino/sticky-pull-request-comment) | api.github.com:443 |
| Upload Artifact (actions/upload-artifact) | pipelines.actions.githubusercontent.com:443 |
| EDlib Demo | api.taranissoftware.com:443 |
| EDlib Demo | www.edsm.net:443 |
| EDlib Demo | inara.cz:443 |
| Post Complete (provisioner) | gheus23u20scusc21diag.blob.core.windows.net:443 |

The outbound call during the Post Complete (provisioner) step only happens on some runs and does not appear in the Recommended Policy.

```yaml
- name: Harden Runner
  uses: step-security/harden-runner@74b568e8591fbb3115c70f3436a0c6b0909a8504
  with:
    egress-policy: block
    allowed-endpoints: >
      api.github.com:443
      api.nuget.org:443
      api.taranissoftware.com:443
      dotnetbuilds.azureedge.net:443
      dotnetcli.azureedge.net:443
      dotnetcli.blob.core.windows.net:443
      github.com:443
      httpbin.org:443
      inara.cz:443
      pipelines.actions.githubusercontent.com:443
      www.edsm.net:443
```

irongut commented 2 years ago

CodeQL Scan

| Step | Domain |
| --- | --- |
| Checkout (actions/checkout) | github.com:443 |
| Initialize CodeQL (github/codeql-action/init) | api.github.com:443 |
| Setup .NET (actions/setup-dotnet) | dotnetbuilds.azureedge.net:443 |
| Setup .NET (actions/setup-dotnet) | dotnetcli.azureedge.net:443 |
| Setup .NET (actions/setup-dotnet) | dotnetcli.blob.core.windows.net:443 |
| Restore Dependencies | api.nuget.org:443 |
| Restore Dependencies | dc.services.visualstudio.com:443 |
| Build EDlib | api.nuget.org:443 |
| Build EDlib | dc.services.visualstudio.com:443 |
| Perform CodeQL Analysis (github/codeql-action/analyze) | api.github.com:443 |
| Perform CodeQL Analysis (github/codeql-action/analyze) | uploads.github.com:443 |
| Post Complete (Runner.Worker) | pipelines.actions.githubusercontent.com:443 |
| Post Complete (provisioner) | gheus23u20scusc21diag.blob.core.windows.net:443 |

The outbound call during the Post Complete (provisioner) job only happens on some runs of the Action, and neither Post Complete call appears in the Recommended Policy.

```yaml
- name: Harden Runner
  uses: step-security/harden-runner@74b568e8591fbb3115c70f3436a0c6b0909a8504
  with:
    egress-policy: block
    allowed-endpoints: >
      api.github.com:443
      api.nuget.org:443
      dc.services.visualstudio.com:443
      dotnetbuilds.azureedge.net:443
      dotnetcli.azureedge.net:443
      dotnetcli.blob.core.windows.net:443
      github.com:443
      uploads.github.com:443
```
      uploads.github.com:443

After disabling telemetry the Harden Runner step should be:

```yaml
- name: Harden Runner
  uses: step-security/harden-runner@74b568e8591fbb3115c70f3436a0c6b0909a8504
  with:
    egress-policy: block
    allowed-endpoints: >
      api.github.com:443
      api.nuget.org:443
      dotnetbuilds.azureedge.net:443
      dotnetcli.azureedge.net:443
      dotnetcli.blob.core.windows.net:443
      github.com:443
      uploads.github.com:443
```

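
An added helper, not part of EDlib or of this issue, that reconciles the observed Step/Domain rows with an allowed-endpoints policy the way the CI Build and CodeQL Scan comments above do by hand: it drops an excluded telemetry host and any endpoint seen only from Post Complete housekeeping steps, then reports what was observed but is not in the policy. The sample rows are constructed from this thread, and the pinned commit SHA is the one used above.

```python
"""Reconcile Harden Runner egress observations with an allowed-endpoints policy."""
from collections import defaultdict

# Constructed sample in the "Step Domain" format reported above (CodeQL Scan workflow).
OBSERVED = """\
Checkout (actions/checkout) github.com:443
Initialize CodeQL (github/codeql-action/init) api.github.com:443
Setup .NET (actions/setup-dotnet) dotnetbuilds.azureedge.net:443
Restore Dependencies api.nuget.org:443
Restore Dependencies dc.services.visualstudio.com:443
Perform CodeQL Analysis (github/codeql-action/analyze) uploads.github.com:443
Post Complete (Runner.Worker) pipelines.actions.githubusercontent.com:443
Post Complete (provisioner) gheus23u20scusc21diag.blob.core.windows.net:443
"""

HARDEN_RUNNER_SHA = "74b568e8591fbb3115c70f3436a0c6b0909a8504"  # commit pinned in this issue

def parse_observations(text):
    """Map each host:port endpoint to the set of step names that contacted it."""
    by_endpoint = defaultdict(set)
    for line in text.splitlines():
        if line.strip():
            step, endpoint = line.strip().rsplit(" ", 1)
            by_endpoint[endpoint].add(step)
    return dict(by_endpoint)

def build_policy(by_endpoint, exclude_hosts=(), infra_prefix="Post Complete"):
    """Allowed endpoints: drop excluded hosts (e.g. telemetry) and endpoints seen
    only from runner housekeeping steps, whose destinations vary between runs."""
    allowed = []
    for endpoint, steps in by_endpoint.items():
        host = endpoint.rsplit(":", 1)[0]
        if host in exclude_hosts or all(s.startswith(infra_prefix) for s in steps):
            continue
        allowed.append(endpoint)
    return sorted(allowed)

def diff_policy(by_endpoint, allowed):
    """Return (observed but not allowed, allowed but never observed)."""
    observed, policy = set(by_endpoint), set(allowed)
    return sorted(observed - policy), sorted(policy - observed)

def render_step(allowed):
    """Render the Harden Runner step with egress blocked except for `allowed`."""
    head = ["- name: Harden Runner",
            f"  uses: step-security/harden-runner@{HARDEN_RUNNER_SHA}",
            "  with:", "    egress-policy: block", "    allowed-endpoints: >"]
    return "\n".join(head + [f"      {e}" for e in allowed])
```

Anything `diff_policy` reports as observed-but-unlisted is a deliberate omission to record in the workflow comments, as done above for the provisioner call, rather than a silent gap.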
irongut commented 2 years ago

Assign to Project

| Step | Domain |
| --- | --- |
| Assign Issues + PRs (srggrs/assign-one-project-github-action) | api.github.com:443 |

```yaml
- name: Harden Runner
  uses: step-security/harden-runner@74b568e8591fbb3115c70f3436a0c6b0909a8504
  with:
    egress-policy: block
    allowed-endpoints: >
      api.github.com:443
```

Auto Assigner

| Step | Domain |
| --- | --- |
| Assign PR (samspills/assign-pr-to-author) | api.github.com:443 |

```yaml
- name: Harden Runner
  uses: step-security/harden-runner@74b568e8591fbb3115c70f3436a0c6b0909a8504
  with:
    egress-policy: block
    allowed-endpoints: >
      api.github.com:443
```

Mark Stale

| Step | Domain |
| --- | --- |
| Stale (actions/stale) | api.github.com:443 |

```yaml
- name: Harden Runner
  uses: step-security/harden-runner@74b568e8591fbb3115c70f3436a0c6b0909a8504
  with:
    egress-policy: block
    allowed-endpoints: >
      api.github.com:443
```

PR Labeller

| Step | Domain |
| --- | --- |
| Stale (actions/labeler) | api.github.com:443 |
| Post Complete (Runner.Worker) | pipelines.actions.githubusercontent.com:443 |

```yaml
- name: Harden Runner
  uses: step-security/harden-runner@74b568e8591fbb3115c70f3436a0c6b0909a8504
  with:
    egress-policy: block
    allowed-endpoints: >
      api.github.com:443
```

irongut commented 2 years ago

Update Docs

| Step | Domain |
| --- | --- |
| Checkout (actions/checkout) | github.com:443 |
| Deploy to GitHub Pages (peaceiris/actions-gh-pages) | github.com:443 |

```yaml
- name: Harden Runner
  uses: step-security/harden-runner@74b568e8591fbb3115c70f3436a0c6b0909a8504
  with:
    egress-policy: block
    allowed-endpoints: >
      github.com:443
```

Note: Only 1 example of running this workflow is available.

irongut commented 2 years ago

Build & Deploy

There is no example of this workflow but maybe we can predict some of the calls made using other build workflows.

Build Job

| Step | Domain |
| --- | --- |
| Checkout (actions/checkout) | github.com:443 |
| Setup .NET (actions/setup-dotnet) | dotnetbuilds.azureedge.net:443 |
| Setup .NET (actions/setup-dotnet) | dotnetcli.azureedge.net:443 |
| Setup .NET (actions/setup-dotnet) | dotnetcli.blob.core.windows.net:443 |
| Restore Dependencies | api.nuget.org:443 |
| Build EDlib | api.nuget.org:443 |
| Test EDlib | httpbin.org:443 |
| Upload Artifact (actions/upload-artifact) | pipelines.actions.githubusercontent.com:443 |

```yaml
- name: Harden Runner
  uses: step-security/harden-runner@74b568e8591fbb3115c70f3436a0c6b0909a8504
  with:
    egress-policy: block
    allowed-endpoints: >
      api.nuget.org:443
      dotnetbuilds.azureedge.net:443
      dotnetcli.azureedge.net:443
      dotnetcli.blob.core.windows.net:443
      github.com:443
      httpbin.org:443
      pipelines.actions.githubusercontent.com:443
```

Deploy Packages

| Step | Domain |
| --- | --- |
| Download Artifacts (actions/download-artifact) | pipelines.actions.githubusercontent.com:443 |
| Setup Nuget (NuGet/setup-nuget) | dist.nuget.org:443 |
| Push to GitHub Packages | nuget.pkg.github.com:443 |
| Add Report to Release (irongut/EditRelease) | api.github.com:443 |

```yaml
- name: Harden Runner
  uses: step-security/harden-runner@74b568e8591fbb3115c70f3436a0c6b0909a8504
  with:
    egress-policy: block
    allowed-endpoints: >
      api.github.com:443
      dist.nuget.org:443
      nuget.pkg.github.com:443
      pipelines.actions.githubusercontent.com:443
```

Docs

| Step | Domain |
| --- | --- |
| Checkout (actions/checkout) | github.com:443 |
| Deploy to GitHub Pages (peaceiris/actions-gh-pages) | github.com:443 |

```yaml
- name: Harden Runner
  uses: step-security/harden-runner@74b568e8591fbb3115c70f3436a0c6b0909a8504
  with:
    egress-policy: block
    allowed-endpoints: >
      github.com:443
```