loopbackio / security

[WORK IN PROGRESS] A centralised repository for all security-related matters on the LoopBack Project.
MIT License

Adopt StepSecurity Harden Runner for GitHub Actions #26

Open achrinza opened 2 years ago

achrinza commented 2 years ago

The StepSecurity Harden Runner GitHub Action contains a Go-based client which would audit and, if configured, restrict the following:

Limitations:

Although StepSecurity's Online Tool is referenced by the OpenSSF Scorecard Guide, the "Harden Runner" GitHub Action is not actually referenced or recommended. However, "Harden Runner" is used within the OpenSSF Scorecard GitHub Repository itself.

StepSecurity Harden Runner GitHub Repository: https://github.com/step-security/harden-runner

Loosely related to https://github.com/loopbackio/security/issues/25 (Part of OpenSSF Scorecard check).
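As an added illustration (not from the issue above or the LoopBack project), a GitHub Actions workflow using Harden Runner in the two modes the issue describes: audit-only, and restricting egress to an allow list. The action version tag, the job steps and the endpoint list are assumptions for the example.

```yaml
# Added example workflow, not the LoopBack project's own configuration.
# Version tag, job contents and endpoint list are assumptions for illustration.
name: ci

on: [push, pull_request]

jobs:
  # Audit mode: records outbound connections, file writes and processes
  # without blocking anything. A safe first step for an existing workflow.
  audit-only:
    runs-on: ubuntu-latest
    steps:
      - uses: step-security/harden-runner@v2   # assumed major-version tag
        with:
          egress-policy: audit
      - uses: actions/checkout@v4
      - run: npm ci && npm test

  # Block mode: only the listed endpoints are reachable from the job; any
  # other outbound connection fails, which surfaces unexpected network
  # activity from a compromised dependency or third-party action.
  restricted:
    runs-on: ubuntu-latest
    steps:
      - uses: step-security/harden-runner@v2   # assumed major-version tag
        with:
          egress-policy: block
          allowed-endpoints: >
            github.com:443
            api.github.com:443
            registry.npmjs.org:443
      - uses: actions/checkout@v4
      - run: npm ci && npm test
```

Harden Runner has to be the first step of the job so that it observes everything that follows; the allow list is normally derived from what an audit-mode run reports, pruned to the hosts the job genuinely needs.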
