diff --git a/.github/workflows/LargeMatrixWorkflow.yml b/.github/workflows/LargeMatrixWorkflow.yml index cc35b30..e5f01ea 100644 --- a/.github/workflows/LargeMatrixWorkflow.yml +++ b/.github/workflows/LargeMatrixWorkflow.yml @@ -10,6 +10,9 @@ on: pull_request: push: +permissions: + contents: read + jobs: generate-jobs: name: Generate Jobs @@ -19,12 +22,12 @@ jobs: job_id: [1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20] steps: - name: Harden Runner - uses: step-security/harden-runner@int-sh + uses: step-security/harden-runner@668ad3cce4bd0191ec8fdd9868adcb7521a9dacd # int-sh with: egress-policy: audit - name: Checkout code - uses: actions/checkout@v3 + uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3.6.0 - name: Sleep for 3 minutes on push if: github.event_name == 'push' diff --git a/.github/workflows/LargeMatrixWorkflow2.yml b/.github/workflows/LargeMatrixWorkflow2.yml index 737193c..b0d28b2 100644 --- a/.github/workflows/LargeMatrixWorkflow2.yml +++ b/.github/workflows/LargeMatrixWorkflow2.yml @@ -9,13 +9,16 @@ on: default: '100' # Default value as a string pull_request: +permissions: + contents: read + jobs: setup-job: name: Setup Job runs-on: ubuntu-24.04-arm steps: - name: Harden Runner - uses: step-security/harden-runner@int-sh + uses: step-security/harden-runner@668ad3cce4bd0191ec8fdd9868adcb7521a9dacd # int-sh with: egress-policy: audit @@ -31,12 +34,12 @@ jobs: job_id: [1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20] steps: - name: Harden Runner - uses: step-security/harden-runner@int-sh + uses: step-security/harden-runner@668ad3cce4bd0191ec8fdd9868adcb7521a9dacd # int-sh with: egress-policy: audit - name: Checkout code - uses: actions/checkout@v3 + uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3.6.0 - name: Make a curl request run: curl https://google.com 
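Review bot: The Harden Runner pins in both LargeMatrixWorkflow files resolve to `668ad3cce4bd0191ec8fdd9868adcb7521a9dacd # int-sh`, a commit on an integration branch rather than a release, and it is a different commit from the `0634a267… # v2.12.0` pin this change uses for the released action elsewhere. A SHA pin is only as trustworthy as the review behind that commit; an unreleased branch head has not been through the release process, and the `# int-sh` comment gives pin-update tooling and readers nothing to reconcile it against. If running the pre-release build on `pull_request`/`push` is deliberate for this test repository, say so on the step, e.g. `# pinned to an int-sh (pre-release) build on purpose; do not auto-bump to a release tag`; otherwise pin to the release SHA used in the other workflows.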
diff --git a/.github/workflows/agent-tracer-block.yml b/.github/workflows/agent-tracer-block.yml index 3201733..16e284c 100644 --- a/.github/workflows/agent-tracer-block.yml +++ b/.github/workflows/agent-tracer-block.yml @@ -7,7 +7,12 @@ jobs: if: always() runs-on: ARMLinuxRunner steps: - - uses: h0x0er/harden-runner@int + - name: Harden the runner (Audit all outbound calls) + uses: step-security/harden-runner@0634a2670c59f64b4a01f0f96f84700a4088b9f0 # v2.12.0 + with: + egress-policy: audit + + - uses: h0x0er/harden-runner@0d80ddb713b0355047ffbd4af2aabdca3cdef5da # int with: egress-policy: block agent-env: int-pull diff --git a/.github/workflows/basic.yml b/.github/workflows/basic.yml index abdaf56..8990e86 100644 --- a/.github/workflows/basic.yml +++ b/.github/workflows/basic.yml @@ -6,15 +6,18 @@ on: # permissions: # contents: read +permissions: + contents: read + jobs: overwrite: if: always() runs-on: ARMLinuxRunner steps: - - uses: step-security/harden-runner@rc + - uses: step-security/harden-runner@0634a2670c59f64b4a01f0f96f84700a4088b9f0 # rc with: egress-policy: audit - - uses: actions/checkout@v3 + - uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3.6.0 - name: echo overwrite run: echo "## Overwritten" >> README.md @@ -26,14 +29,14 @@ jobs: if: always() runs-on: ARMLinuxRunner steps: - - uses: step-security/harden-runner@rc + - uses: step-security/harden-runner@0634a2670c59f64b4a01f0f96f84700a4088b9f0 # rc with: egress-policy: block disable-sudo: true allowed-endpoints: | www.google.com:443 - - uses: actions/checkout@v3 + - uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3.6.0 - run: curl https://www.google.com - run: curl https://microsoft.com @@ -42,7 +45,7 @@ jobs: if: always() runs-on: ARMLinuxRunner steps: - - uses: step-security/harden-runner@rc + - uses: step-security/harden-runner@0634a2670c59f64b4a01f0f96f84700a4088b9f0 # rc with: egress-policy: block disable-sudo: true 
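Review bot: The new `step-security/harden-runner@0634a267… # v2.12.0` audit step in agent-tracer-block.yml is inserted directly above the existing `h0x0er/harden-runner@0d80ddb7… # int` step, so the job now installs two copies of the agent on the same runner, one in `audit` mode and one in `block` mode, and it is not visible from the file which policy wins or whether the second install even succeeds. The unchanged hunk header (`-7,7 +7,12`) also shows this file did not receive the workflow-level `permissions: contents: read` the rest of the commit adds; if one already exists above line 7 that is fine, otherwise it should be added. I would drop the added upstream step here, since the fork step is evidently the one under test, and record the reason on the remaining step, e.g. `# h0x0er fork under test; upstream harden-runner intentionally omitted to avoid two agents`.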
@@ -50,7 +53,7 @@ jobs: allowed-endpoints: | www.google.com:443 - - uses: actions/checkout@v3 + - uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3.6.0 - run: curl https://www.google.com - run: curl https://microsoft.com diff --git a/.github/workflows/buildkit.yml b/.github/workflows/buildkit.yml index 29276f6..09a0e7b 100644 --- a/.github/workflows/buildkit.yml +++ b/.github/workflows/buildkit.yml @@ -7,6 +7,9 @@ env: REGISTRY: ghcr.io IMAGE_NAME: ${{ github.repository }} +permissions: + contents: read + jobs: build-and-push: runs-on: ubuntu-latest @@ -16,20 +19,20 @@ jobs: steps: - name: Harden Runner - uses: step-security/harden-runner@int-sh + uses: step-security/harden-runner@668ad3cce4bd0191ec8fdd9868adcb7521a9dacd # int-sh with: egress-policy: audit - name: Checkout repository - uses: actions/checkout@v4 + uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 - name: Set up Docker Buildx - uses: docker/setup-buildx-action@v3 + uses: docker/setup-buildx-action@b5ca514318bd6ebac0fb2aedd5d36ec1b5c232a2 # v3.10.0 with: buildkitd-flags: --debug - name: Log in to the Container registry - uses: docker/login-action@v3 + uses: docker/login-action@74a5d142397b4f367a81961eba4e8cd7edddf772 # v3.4.0 with: registry: ${{ env.REGISTRY }} username: ${{ github.actor }} @@ -37,7 +40,7 @@ jobs: - name: Extract metadata (tags, labels) for Docker id: meta - uses: docker/metadata-action@v5 + uses: docker/metadata-action@902fa8ec7d6ecbf8d84d538b9b233a880e428804 # v5.7.0 with: images: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }} @@ -50,7 +53,7 @@ jobs: EOF - name: Build and push Docker image - uses: docker/build-push-action@v5 + uses: docker/build-push-action@ca052bb54ab0790a636c9b5f226502c73d547a25 # v5.4.0 with: context: . push: true diff --git a/.github/workflows/config-change-test.yml b/.github/workflows/config-change-test.yml index 9c13614..255c74e 100644 --- a/.github/workflows/config-change-test.yml 
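Review bot: Adding a workflow-level `permissions: contents: read` to buildkit.yml restricts the default `GITHUB_TOKEN`, but the `build-and-push` job logs in to `ghcr.io` as `${{ github.actor }}` and runs `docker/build-push-action` with `push: true`, which needs `packages: write` on that token. The job's own permissions, if any, sit between original lines 13 and 18, outside this hunk, so I cannot see whether a job-level grant already exists; if it does not, this change breaks the push rather than hardening it. Add `permissions: contents: read` together with `packages: write` at the job level (a job-level `permissions:` block replaces the workflow-level one, it does not merge with it) and keep the workflow default read-only.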
+++ b/.github/workflows/config-change-test.yml @@ -2,12 +2,15 @@ name: Config change test on: workflow_dispatch: +permissions: + contents: read + jobs: test-host-outbound: runs-on: ubuntu-latest steps: - name: Harden Runner - uses: step-security/harden-runner@rc + uses: step-security/harden-runner@0634a2670c59f64b4a01f0f96f84700a4088b9f0 # rc with: egress-policy: audit allowed-endpoints: > @@ -18,7 +21,7 @@ jobs: - run: cat /etc/systemd/resolved.conf - run: cat /etc/resolv.conf - name: Checkout code - uses: actions/checkout@v3 + uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3.6.0 - name: Run outbound calls from host run: | @@ -35,7 +38,7 @@ jobs: runs-on: ubuntu-20.04 steps: - name: Harden Runner - uses: step-security/harden-runner@rc + uses: step-security/harden-runner@0634a2670c59f64b4a01f0f96f84700a4088b9f0 # rc with: egress-policy: audit allowed-endpoints: > @@ -51,7 +54,7 @@ jobs: - run: cat /run/systemd/resolve/resolv.conf - name: Checkout code - uses: actions/checkout@v3 + uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3.6.0 - name: Run outbound calls from within Docker container continue-on-error: true @@ -87,7 +90,7 @@ jobs: runs-on: ubuntu-24.04 steps: - name: Harden Runner - uses: step-security/harden-runner@rc + uses: step-security/harden-runner@0634a2670c59f64b4a01f0f96f84700a4088b9f0 # rc with: egress-policy: audit allowed-endpoints: > @@ -103,7 +106,7 @@ jobs: - run: cat /etc/resolv.conf - name: Checkout code - uses: actions/checkout@v3 + uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3.6.0 - name: Build Docker image and test outbound calls during build continue-on-error: true 
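Review bot: Every `step-security/harden-runner@0634a2670c59f64b4a01f0f96f84700a4088b9f0 # rc` pin in config-change-test.yml is the same commit this change labels `# v2.12.0` in other workflows, so the `# rc` comment no longer describes what is pinned. Pin-update tooling (Dependabot, Renovate, pin-github-action) keys on that trailing comment to decide which ref to track; leaving `rc` on a release SHA either stalls updates or moves the pin back onto the floating `rc` branch on the next bump. Normalise the comment to `# v2.12.0` here and in the other files that carry `# rc` (basic.yml, load_tests*.yml, runs-on.yml, tls-*.yml), or, if tracking the rc channel is intentional, add a comment on the step saying so.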
@@ -138,10 +141,15 @@ jobs: + - name: Harden the runner (Audit all outbound calls) + uses: step-security/harden-runner@0634a2670c59f64b4a01f0f96f84700a4088b9f0 # v2.12.0 + with: + egress-policy: audit + - run: cat /etc/resolv.conf - name: Checkout code - uses: actions/checkout@v3 + uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3.6.0 - name: Run long-running Docker container with outbound calls continue-on-error: true diff --git a/.github/workflows/container-test-job.yml b/.github/workflows/container-test-job.yml index 569de9a..e5bbbe6 100644 --- a/.github/workflows/container-test-job.yml +++ b/.github/workflows/container-test-job.yml @@ -1,6 +1,9 @@ name: CI on: workflow_dispatch: +permissions: + contents: read + jobs: container-test-job: runs-on: ubuntu-latest @@ -10,5 +13,10 @@ jobs: NODE_ENV: development options: --cpus 1 steps: + - name: Harden the runner (Audit all outbound calls) + uses: step-security/harden-runner@0634a2670c59f64b4a01f0f96f84700a4088b9f0 # v2.12.0 + with: + egress-policy: audit + - name: Check dockerenv with sudo run: sudo ls /.dockerenv || echo No dockerenv diff --git a/.github/workflows/cvdupdate.yml b/.github/workflows/cvdupdate.yml index 5a7f1e8..c0dc171 100644 --- a/.github/workflows/cvdupdate.yml +++ b/.github/workflows/cvdupdate.yml @@ -4,6 +4,9 @@ on: workflow_dispatch: +permissions: + contents: read + jobs: build: @@ -12,7 +15,7 @@ jobs: steps: - name: Harden Runner - uses: step-security/harden-runner@rc + uses: step-security/harden-runner@0634a2670c59f64b4a01f0f96f84700a4088b9f0 # rc with: egress-policy: audit allowed-endpoints: > @@ -25,7 +28,7 @@ jobs: pypi.org:443 registry-1.docker.io:443 - - uses: actions/checkout@v2 + - uses: actions/checkout@ee0669bd1cc54295c223e0bb666b733df41de1c5 # v2.7.0 - name: Build the Docker image run: docker build . --file Dockerfile diff --git a/.github/workflows/dns.yml b/.github/workflows/dns.yml index d3f7f36..2c25d00 100644 --- a/.github/workflows/dns.yml 
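Review bot: The Harden Runner step added to container-test-job.yml runs in a `container:` job (the context shows the container's `NODE_ENV: development` and `options: --cpus 1`), where steps execute inside the container rather than on the runner VM, so the agent the step installs may not be able to observe or filter the host's egress; verify in the job log that the agent actually starts before counting this job as covered, or leave the step out of container jobs with a comment such as `# harden-runner not added: steps run inside the job container`. Separately, cvdupdate.yml (and dns.yml on the next line) keep `actions/checkout@ee0669bd… # v2.7.0`: the SHA matches the tag, but v2 is an end-of-life major and pinning freezes the workflow on it, so a follow-up bump to v4 is the real hardening.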
+++ b/.github/workflows/dns.yml @@ -3,17 +3,20 @@ name: DNS Resolution Workflow on: workflow_dispatch: +permissions: + contents: read + jobs: dns-resolution: runs-on: ubuntu-latest steps: - name: Harden Runner - uses: step-security/harden-runner@int-sh + uses: step-security/harden-runner@668ad3cce4bd0191ec8fdd9868adcb7521a9dacd # int-sh with: egress-policy: audit - name: Check out code - uses: actions/checkout@v2 + uses: actions/checkout@ee0669bd1cc54295c223e0bb666b733df41de1c5 # v2.7.0 - name: Resolve A Record run: | diff --git a/.github/workflows/download.yml b/.github/workflows/download.yml index 3bcc9d3..db447c5 100644 --- a/.github/workflows/download.yml +++ b/.github/workflows/download.yml @@ -11,14 +11,19 @@ jobs: steps: - name: Harden the runner (Audit all outbound calls) - uses: h0x0er/harden-runner@int + uses: step-security/harden-runner@0634a2670c59f64b4a01f0f96f84700a4088b9f0 # v2.12.0 + with: + egress-policy: audit + + - name: Harden the runner (Audit all outbound calls) + uses: h0x0er/harden-runner@0d80ddb713b0355047ffbd4af2aabdca3cdef5da # int with: egress-policy: block allowed-endpoints: | github.com:443 - name: Checkout code - uses: actions/checkout@v4 + uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 - name: Create artifact file run: | @@ -28,7 +33,7 @@ jobs: - name: Upload artifact id: upload - uses: actions/upload-artifact@v4 + uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2 with: name: my-artifact path: output.txt 
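Review bot: In download.yml the job now runs two Harden Runner agents back to back, the new `step-security/harden-runner@0634a267… # v2.12.0` in `audit` mode followed by `h0x0er/harden-runner@0d80ddb7… # int` in `block` mode, and the second step keeps the copy-pasted name `Harden the runner (Audit all outbound calls)` although its policy is `block` with only `github.com:443` allowed. Two agents with conflicting policies in one job make the run log ambiguous about which produced a finding, and the misnamed step will mislead whoever reads it. Keep a single agent per job (the fork is evidently the one under test) and rename the remaining step, e.g. `- name: Harden the runner (block egress; fork under test)`. The unchanged hunk header (`-11,14 +11,19`) also indicates this file did not receive the workflow-level `permissions: contents: read` added elsewhere in the commit; confirm it is declared above line 11.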
@@ -39,14 +44,19 @@ jobs: steps: - name: Harden the runner (Audit all outbound calls) - uses: h0x0er/harden-runner@int + uses: step-security/harden-runner@0634a2670c59f64b4a01f0f96f84700a4088b9f0 # v2.12.0 + with: + egress-policy: audit + + - name: Harden the runner (Audit all outbound calls) + uses: h0x0er/harden-runner@0d80ddb713b0355047ffbd4af2aabdca3cdef5da # int with: egress-policy: block allowed-endpoints: | github.com:443 - name: Download artifact - uses: actions/download-artifact@v4 + uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4.3.0 with: name: my-artifact diff --git a/.github/workflows/enum.yml b/.github/workflows/enum.yml index c61da72..f5f0f3e 100644 --- a/.github/workflows/enum.yml +++ b/.github/workflows/enum.yml @@ -3,11 +3,19 @@ name: Enum on: workflow_dispatch: +permissions: + contents: read + jobs: enum: if: always() runs-on: ARMLinuxRunner steps: + - name: Harden the runner (Audit all outbound calls) + uses: step-security/harden-runner@0634a2670c59f64b4a01f0f96f84700a4088b9f0 # v2.12.0 + with: + egress-policy: audit + - name: lsm param run: cat /sys/kernel/security/lsm diff --git a/.github/workflows/k3d.yml b/.github/workflows/k3d.yml index 65aa360..730d8e7 100644 --- a/.github/workflows/k3d.yml +++ b/.github/workflows/k3d.yml @@ -3,13 +3,16 @@ name: Set up Local Kubernetes with k3d and containerd on: workflow_dispatch: +permissions: + contents: read + jobs: setup-k8s: runs-on: ubuntu-latest steps: - name: Harden Runner - uses: step-security/harden-runner@v2 + uses: step-security/harden-runner@0634a2670c59f64b4a01f0f96f84700a4088b9f0 # v2.12.0 with: egress-policy: block allowed-endpoints: > @@ -26,7 +29,7 @@ jobs: - name: Checkout repository - uses: actions/checkout@v3 + uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3.6.0 # Install k3d (lightweight wrapper to run K3s in Docker) - name: Install k3d diff --git a/.github/workflows/k3s.yml b/.github/workflows/k3s.yml index c87e4b4..c77a03e 100644 
--- a/.github/workflows/k3s.yml +++ b/.github/workflows/k3s.yml @@ -3,17 +3,20 @@ name: k3s Outbound Connectivity Test on: workflow_dispatch: +permissions: + contents: read + jobs: k3s-test: runs-on: ubuntu-latest steps: - name: Harden Runner - uses: step-security/harden-runner@int-sh + uses: step-security/harden-runner@668ad3cce4bd0191ec8fdd9868adcb7521a9dacd # int-sh with: egress-policy: audit - name: Checkout repository - uses: actions/checkout@v3 + uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3.6.0 - run: cat /etc/resolv.conf - name: Install k3d shell: bash diff --git a/.github/workflows/label.yml b/.github/workflows/label.yml index 25f77f2..39e67f7 100644 --- a/.github/workflows/label.yml +++ b/.github/workflows/label.yml @@ -8,12 +8,20 @@ on: types: - labeled +permissions: + contents: read + jobs: label-check-job: runs-on: ubuntu-latest steps: + - name: Harden the runner (Audit all outbound calls) + uses: step-security/harden-runner@0634a2670c59f64b4a01f0f96f84700a4088b9f0 # v2.12.0 + with: + egress-policy: audit + - name: Checkout code - uses: actions/checkout@v4 + uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 - name: Curl to google.com run: curl -v https://www.google.com diff --git a/.github/workflows/load_tests.yml b/.github/workflows/load_tests.yml index 7d75b37..b0f8503 100644 --- a/.github/workflows/load_tests.yml +++ b/.github/workflows/load_tests.yml @@ -3,12 +3,15 @@ name: Agent Capability Tests on: workflow_dispatch: +permissions: + contents: read + jobs: test-host-outbound: runs-on: ubuntu-latest steps: - name: Harden Runner - uses: step-security/harden-runner@rc + uses: step-security/harden-runner@0634a2670c59f64b4a01f0f96f84700a4088b9f0 # rc with: egress-policy: audit allowed-endpoints: 
> @@ -19,7 +22,7 @@ jobs: - run: cat /etc/systemd/resolved.conf - run: cat /etc/resolv.conf - name: Checkout code - uses: actions/checkout@v3 + uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3.6.0 - name: Run outbound calls from host run: | @@ -36,7 +39,7 @@ jobs: runs-on: ubuntu-22.04 steps: - name: Harden Runner - uses: step-security/harden-runner@rc + uses: step-security/harden-runner@0634a2670c59f64b4a01f0f96f84700a4088b9f0 # rc with: egress-policy: block allowed-endpoints: > @@ -52,7 +55,7 @@ jobs: - run: cat /run/systemd/resolve/resolv.conf - name: Checkout code - uses: actions/checkout@v3 + uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3.6.0 - name: Run outbound calls from within Docker container continue-on-error: true @@ -88,7 +91,7 @@ jobs: runs-on: ubuntu-24.04 steps: - name: Harden Runner - uses: step-security/harden-runner@rc + uses: step-security/harden-runner@0634a2670c59f64b4a01f0f96f84700a4088b9f0 # rc with: egress-policy: audit allowed-endpoints: > @@ -104,7 +107,7 @@ jobs: - run: cat /etc/resolv.conf - name: Checkout code - uses: actions/checkout@v3 + uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3.6.0 - name: Build Docker image and test outbound calls during build continue-on-error: true @@ -137,7 +140,7 @@ jobs: runs-on: ubuntu-latest steps: - name: Harden Runner - uses: step-security/harden-runner@rc + uses: step-security/harden-runner@0634a2670c59f64b4a01f0f96f84700a4088b9f0 # rc with: egress-policy: block allowed-endpoints: > @@ -153,7 +156,7 @@ jobs: - run: cat /etc/resolv.conf - name: Checkout code - uses: actions/checkout@v3 + uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3.6.0 - name: Run long-running Docker container with outbound calls continue-on-error: true diff --git a/.github/workflows/load_tests_arm.yml b/.github/workflows/load_tests_arm.yml index 33cb783..0dfa484 100644 --- a/.github/workflows/load_tests_arm.yml 
+++ b/.github/workflows/load_tests_arm.yml @@ -3,12 +3,15 @@ name: Agent Capability Tests - ARM on: workflow_dispatch: +permissions: + contents: read + jobs: test-host-outbound: runs-on: ARMLinuxRunner steps: - name: Harden Runner - uses: step-security/harden-runner@rc + uses: step-security/harden-runner@0634a2670c59f64b4a01f0f96f84700a4088b9f0 # rc with: egress-policy: audit allowed-endpoints: > @@ -19,7 +22,7 @@ jobs: - run: cat /etc/systemd/resolved.conf - run: cat /etc/resolv.conf - name: Checkout code - uses: actions/checkout@v3 + uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3.6.0 - name: Run outbound calls from host run: | @@ -36,7 +39,7 @@ jobs: runs-on: ARMLinuxRunner steps: - name: Harden Runner - uses: step-security/harden-runner@rc + uses: step-security/harden-runner@0634a2670c59f64b4a01f0f96f84700a4088b9f0 # rc with: egress-policy: block allowed-endpoints: > @@ -52,7 +55,7 @@ jobs: - run: cat /run/systemd/resolve/resolv.conf - name: Checkout code - uses: actions/checkout@v3 + uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3.6.0 - name: Run outbound calls from within Docker container continue-on-error: true @@ -88,7 +91,7 @@ jobs: runs-on: ARMLinuxRunner steps: - name: Harden Runner - uses: step-security/harden-runner@rc + uses: step-security/harden-runner@0634a2670c59f64b4a01f0f96f84700a4088b9f0 # rc with: egress-policy: audit allowed-endpoints: > @@ -104,7 +107,7 @@ jobs: - run: cat /etc/resolv.conf - name: Checkout code - uses: actions/checkout@v3 + uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3.6.0 - name: Build Docker image and test outbound calls during build continue-on-error: true @@ -137,7 +140,7 @@ jobs: runs-on: ARMLinuxRunner steps: - name: Harden Runner - uses: step-security/harden-runner@rc + uses: step-security/harden-runner@0634a2670c59f64b4a01f0f96f84700a4088b9f0 # rc with: egress-policy: block allowed-endpoints: 
> @@ -153,7 +156,7 @@ jobs: - run: cat /etc/resolv.conf - name: Checkout code - uses: actions/checkout@v3 + uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3.6.0 - name: Run long-running Docker container with outbound calls continue-on-error: true diff --git a/.github/workflows/load_tests_int.yml b/.github/workflows/load_tests_int.yml index b751c34..e2c7771 100644 --- a/.github/workflows/load_tests_int.yml +++ b/.github/workflows/load_tests_int.yml @@ -3,12 +3,15 @@ name: Agent Capability Tests Int on: workflow_dispatch: +permissions: + contents: read + jobs: test-host-outbound: runs-on: ubuntu-latest steps: - name: Harden Runner - uses: step-security/harden-runner@int-sh + uses: step-security/harden-runner@668ad3cce4bd0191ec8fdd9868adcb7521a9dacd # int-sh with: egress-policy: audit allowed-endpoints: > @@ -28,7 +31,7 @@ jobs: - run: cat /etc/resolv.conf - name: Checkout code - uses: actions/checkout@v3 + uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3.6.0 - run: curl https://registry.npmjs.org/ - name: Run outbound calls from host run: | @@ -45,7 +48,7 @@ jobs: runs-on: ubuntu-20.04 steps: - name: Harden Runner - uses: step-security/harden-runner@int-sh + uses: step-security/harden-runner@668ad3cce4bd0191ec8fdd9868adcb7521a9dacd # int-sh with: egress-policy: audit allowed-endpoints: > @@ -61,7 +64,7 @@ jobs: - run: cat /run/systemd/resolve/resolv.conf - name: Checkout code - uses: actions/checkout@v3 + uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3.6.0 - name: Run outbound calls from within Docker container continue-on-error: true @@ -97,7 +100,7 @@ jobs: runs-on: ubuntu-24.04 steps: - name: Harden Runner - uses: step-security/harden-runner@int-sh + uses: step-security/harden-runner@668ad3cce4bd0191ec8fdd9868adcb7521a9dacd # int-sh with: egress-policy: audit allowed-endpoints: 
> @@ -114,7 +117,7 @@ jobs: - name: Checkout code - uses: actions/checkout@v3 + uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3.6.0 - name: Build Docker image and test outbound calls during build continue-on-error: true @@ -147,7 +150,7 @@ jobs: runs-on: ubuntu-latest steps: - name: Harden Runner - uses: step-security/harden-runner@int-sh + uses: step-security/harden-runner@668ad3cce4bd0191ec8fdd9868adcb7521a9dacd # int-sh with: egress-policy: audit allowed-endpoints: > @@ -164,7 +167,7 @@ jobs: - name: Checkout code - uses: actions/checkout@v3 + uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3.6.0 - name: Run long-running Docker container with outbound calls continue-on-error: true diff --git a/.github/workflows/runs-on.yml b/.github/workflows/runs-on.yml index e68cf85..25fa708 100644 --- a/.github/workflows/runs-on.yml +++ b/.github/workflows/runs-on.yml @@ -7,6 +7,9 @@ on: description: 'AMI ID to use for the runners' required: true +permissions: + contents: read + jobs: test-host-outbound: runs-on: @@ -16,7 +19,7 @@ jobs: steps: - name: Harden Runner - uses: step-security/harden-runner@rc + uses: step-security/harden-runner@0634a2670c59f64b4a01f0f96f84700a4088b9f0 # rc with: egress-policy: audit allowed-endpoints: > @@ -47,7 +50,7 @@ jobs: - run: cat /etc/systemd/resolved.conf - run: cat /etc/resolv.conf - name: Checkout code - uses: actions/checkout@v3 + uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3.6.0 - name: Run outbound calls from host run: | @@ -67,7 +70,7 @@ jobs: steps: - name: Harden Runner - uses: step-security/harden-runner@rc + uses: step-security/harden-runner@0634a2670c59f64b4a01f0f96f84700a4088b9f0 # rc with: egress-policy: block allowed-endpoints: 
> @@ -82,7 +85,7 @@ jobs: - run: cat /etc/resolv.conf - run: cat /run/systemd/resolve/resolv.conf - name: Checkout code - uses: actions/checkout@v3 + uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3.6.0 - name: Run outbound calls from within Docker container continue-on-error: true @@ -111,7 +114,7 @@ jobs: steps: - name: Harden Runner - uses: step-security/harden-runner@rc + uses: step-security/harden-runner@0634a2670c59f64b4a01f0f96f84700a4088b9f0 # rc with: egress-policy: audit allowed-endpoints: > @@ -126,7 +129,7 @@ jobs: - run: cat /etc/resolv.conf - name: Checkout code - uses: actions/checkout@v3 + uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3.6.0 - name: Build Docker image and test outbound calls during build continue-on-error: true @@ -156,7 +159,7 @@ jobs: steps: - name: Harden Runner - uses: step-security/harden-runner@rc + uses: step-security/harden-runner@0634a2670c59f64b4a01f0f96f84700a4088b9f0 # rc with: egress-policy: block allowed-endpoints: > @@ -171,7 +174,7 @@ jobs: - run: cat /etc/resolv.conf - name: Checkout code - uses: actions/checkout@v3 + uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3.6.0 - name: Run long-running Docker container with outbound calls continue-on-error: true diff --git a/.github/workflows/tailscale.yml b/.github/workflows/tailscale.yml index 5450e7f..a5c179c 100644 --- a/.github/workflows/tailscale.yml +++ b/.github/workflows/tailscale.yml @@ -9,8 +9,13 @@ jobs: steps: + - name: Harden the runner (Audit all outbound calls) + uses: step-security/harden-runner@0634a2670c59f64b4a01f0f96f84700a4088b9f0 # v2.12.0 + with: + egress-policy: audit + - name: Tailscale - uses: tailscale/github-action@v2 + uses: tailscale/github-action@4e4c49acaa9818630ce0bd7a564372c17e33fb4d # v2 with: oauth-client-id: ${{ secrets.TS_OAUTH_CLIENT_ID }} oauth-secret: ${{ secrets.TS_OAUTH_SECRET }} 
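Review bot: tailscale.yml gains a Harden Runner `audit` step but, judging by the unchanged hunk header (`-9,8 +9,13`), no workflow-level `permissions: contents: read` like the other workflows in this commit; unless one already exists above line 9 it should be added, since this job handles `TS_OAUTH_CLIENT_ID`/`TS_OAUTH_SECRET` and a default read/write token is more than it needs. The `tailscale/github-action@4e4c49ac… # v2` pin also carries only the floating major tag as its comment, so the SHA cannot be matched to a release for audit or update purposes; replace the comment with the exact release tag that commit corresponds to. Once the tailnet is up, connections leave over the Tailscale interface, so check the Harden Runner report for this job actually lists those connections rather than assuming coverage.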
@@ -40,4 +45,4 @@ jobs: DNS_SERVERS=$(dig $DOMAIN | grep 'SERVER:' | awk '{print $3}') echo "DNS Server(s) used: $DNS_SERVERS" - name: Checkout code - uses: actions/checkout@v3 + uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3.6.0 diff --git a/.github/workflows/tls-basic-tests.yml b/.github/workflows/tls-basic-tests.yml index 4316c8e..fd2c810 100644 --- a/.github/workflows/tls-basic-tests.yml +++ b/.github/workflows/tls-basic-tests.yml @@ -6,17 +6,20 @@ on: # permissions: # contents: read +permissions: + contents: read + jobs: dynamic-node: if: always() runs-on: ARMLinuxRunner steps: - - uses: step-security/harden-runner@rc + - uses: step-security/harden-runner@0634a2670c59f64b4a01f0f96f84700a4088b9f0 # rc with: egress-policy: audit - - uses: actions/checkout@v3 + - uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3.6.0 - run: which node - - uses: actions/setup-node@v4 + - uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4.4.0 with: node-version: "16" @@ -28,7 +31,7 @@ jobs: if: always() runs-on: ARMLinuxRunner steps: - - uses: step-security/harden-runner@rc + - uses: step-security/harden-runner@0634a2670c59f64b4a01f0f96f84700a4088b9f0 # rc with: egress-policy: audit - run: curl -XPOST https://api.github.com/repos/malicious-owner/malicious-repo diff --git a/.github/workflows/tls-github-api-calls.yml b/.github/workflows/tls-github-api-calls.yml index 1d45d77..22caf31 100644 --- a/.github/workflows/tls-github-api-calls.yml +++ b/.github/workflows/tls-github-api-calls.yml @@ -6,6 +6,9 @@ on: # permissions: # contents: read +permissions: + contents: read + jobs: issue-create: permissions: 
@@ -16,11 +19,11 @@ jobs: steps: - run: free -m - - uses: step-security/harden-runner@rc + - uses: step-security/harden-runner@0634a2670c59f64b4a01f0f96f84700a4088b9f0 # rc with: egress-policy: audit - - uses: actions/checkout@v3 - - uses: JasonEtco/create-an-issue@v2 + - uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3.6.0 + - uses: JasonEtco/create-an-issue@1b14a70e4d8dc185e5cc76d3bec9eab20257b2c5 # v2.9.2 env: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} @@ -34,14 +37,14 @@ jobs: runs-on: ARMLinuxRunner steps: - run: free -m - - uses: step-security/harden-runner@rc + - uses: step-security/harden-runner@0634a2670c59f64b4a01f0f96f84700a4088b9f0 # rc with: egress-policy: audit - - uses: actions/checkout@v4 + - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 - run: "echo '// changes' >> main.js" - name: Create Pull Request - uses: peter-evans/create-pull-request@v5 + uses: peter-evans/create-pull-request@4e1beaa7521e8b457b572c090b25bd3db56bf1c5 # v5.0.3 env: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} @@ -55,14 +58,14 @@ jobs: if: always() runs-on: ubuntu-24.04 steps: - - uses: step-security/harden-runner@rc + - uses: step-security/harden-runner@0634a2670c59f64b4a01f0f96f84700a4088b9f0 # rc with: egress-policy: audit - - uses: actions/checkout@v4 + - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 - name: Comment PR - uses: thollander/actions-comment-pull-request@v2 + uses: thollander/actions-comment-pull-request@fabd468d3a1a0b97feee5f6b9e499eab0dd903f6 # v2.5.0 with: message: | Hello world ! :wave: 
@@ -76,13 +79,13 @@ jobs: runs-on: ARMLinuxRunner steps: - run: free -m - - uses: step-security/harden-runner@rc + - uses: step-security/harden-runner@0634a2670c59f64b4a01f0f96f84700a4088b9f0 # rc with: egress-policy: audit - - uses: actions/checkout@v4 + - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 - name: Invoke workflow without inputs - uses: benc-uk/workflow-dispatch@v1 + uses: benc-uk/workflow-dispatch@e2e5e9a103e331dad343f381a29e654aea3cf8fc # v1.2.4 with: workflow: enumeration.yml - run: free -m diff --git a/.github/workflows/wildcard.yml b/.github/workflows/wildcard.yml index f6fa412..aa44153 100644 --- a/.github/workflows/wildcard.yml +++ b/.github/workflows/wildcard.yml @@ -2,19 +2,22 @@ name: 2. Exfiltration Simulation on: workflow_dispatch: +permissions: + contents: read + jobs: exfiltration-simulation: runs-on: ubuntu-latest steps: - name: Harden Runner - uses: step-security/harden-runner@v2 + uses: step-security/harden-runner@0634a2670c59f64b4a01f0f96f84700a4088b9f0 # v2.12.0 with: egress-policy: block allowed-endpoints: > *:443 *:80 - - uses: actions/checkout@v3 + - uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3.6.0 - run: curl https://8.8.8.8
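Review bot: wildcard.yml pins Harden Runner to `# v2.12.0` but keeps `egress-policy: block` with `allowed-endpoints: *:443 *:80`, which, if the agent honours a bare `*` wildcard, permits any host on the two ports the test uses, so block mode here enforces nothing beyond a port restriction; the `curl https://8.8.8.8` step then targets an IP literal rather than a hostname. Since the workflow is titled `2. Exfiltration Simulation` this is presumably the intended negative test, but nothing in the file says so and a later reader may copy the wildcard list into a real workflow. Add a comment above the policy, e.g. `# deliberately permissive: this job exists to show that *:443/*:80 wildcards do NOT stop exfiltration`, and consider having the job assert on the expected outcome instead of only running curl.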