Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Implement StepSecurity Secure Workflows (policy) #51

Closed
irongut opened this issue Jul 24, 2022 · 4 comments · Fixed by #62
Closed

Implement StepSecurity Secure Workflows (policy) #51

irongut opened this issue Jul 24, 2022 · 4 comments · Fixed by #62
Assignees
@irongut
Labels
DevOps enhancement New feature or request
Projects
Enhancements
Milestone
vNext

Comments

@irongut
Copy link
Owner

irongut commented Jul 24, 2022

Feature Request

Implement StepSecurity Secure Workflows Harden Runner recommendations.

Expected Behaviour

Workflows will be updated following the recommendations.

Additional Context

Actions not currently in the StepSecurity token permission database:

  • samspills/assign-pr-to-author

Linked To

#41 GITHUB_TOKEN permissions used by this action
#49 Implement StepSecurity Secure Workflows (audit)
@irongut irongut added enhancement New feature or request DevOps labels Jul 24, 2022
@irongut irongut self-assigned this Jul 24, 2022
@github-actions github-actions bot added this to To do in Enhancements Jul 24, 2022
@irongut irongut mentioned this issue Jul 24, 2022
Closed
@irongut irongut modified the milestones: vNext+1, vNext Jul 24, 2022
@irongut
Copy link
Owner Author

irongut commented Aug 5, 2022
edited

PM Workflows

  • Assign to Project
  • Assign PR
  • Mark Stale
  • PR labeller
- name: Harden Runner
  uses: step-security/harden-runner@74b568e8591fbb3115c70f3436a0c6b0909a8504
  with:
    egress-policy: block
    allowed-endpoints: >
      api.github.com:443

@irongut
Copy link
Owner Author

irongut commented Aug 5, 2022

CodeQL Scan

Step Domain
Checkout (actions/checkout) github.com:443
Initialize CodeQL (github/codeql-action/init) api.github.com:443
Setup .NET (actions/setup-dotnet) dotnetbuilds.azureedge.net:443
Setup .NET (actions/setup-dotnet) dotnetcli.azureedge.net:443
Setup .NET (actions/setup-dotnet) dotnetcli.blob.core.windows.net:443
Restore Dependencies api.nuget.org:443
Build api.nuget.org:443
Perform CodeQL Analysis (github/codeql-action/analyze) api.github.com:443
Perform CodeQL Analysis (github/codeql-action/analyze) uploads.github.com:443 
- name: Harden Runner
  uses: step-security/harden-runner@74b568e8591fbb3115c70f3436a0c6b0909a8504
  with:
    egress-policy: block
    allowed-endpoints: >
      api.github.com:443
      api.nuget.org:443
      dotnetbuilds.azureedge.net:443
      dotnetcli.azureedge.net:443
      dotnetcli.blob.core.windows.net:443
      github.com:443
      uploads.github.com:443

@irongut
Copy link
Owner Author

irongut commented Aug 5, 2022

CI Build

Step Domain
Checkout (actions/checkout) github.com:443
Setup .NET (actions/setup-dotnet) dotnetbuilds.azureedge.net:443
Setup .NET (actions/setup-dotnet) dotnetcli.azureedge.net:443
Setup .NET (actions/setup-dotnet) dotnetcli.blob.core.windows.net:443
Restore Dependencies api.nuget.org:443
Build api.nuget.org:443 
- name: Harden Runner
  uses: step-security/harden-runner@74b568e8591fbb3115c70f3436a0c6b0909a8504
  with:
    egress-policy: block
    allowed-endpoints: >
      api.nuget.org:443
      dotnetbuilds.azureedge.net:443
      dotnetcli.azureedge.net:443
      dotnetcli.blob.core.windows.net:443
      github.com:443

irongut added a commit that referenced this issue Aug 5, 2022
@irongut
implement stepsecurity policy for pm workflows #51
9702896
irongut added a commit that referenced this issue Aug 5, 2022
@irongut
implement stepsecurity policy for codeql workflow #51
59bf0ee
irongut added a commit that referenced this issue Aug 5, 2022
@irongut
implement stepsecurity policy for ci build workflow #51
3216094
irongut added a commit that referenced this issue Aug 5, 2022
@irongut
implement stepsecurity policy for release workflow #51
74295b4
@irongut
Copy link
Owner Author

irongut commented Aug 5, 2022
edited

Build & Deploy

Based on irongut/EditRelease#22

Build

Step Domain
Checkout (actions/checkout) github.com:443
Setup .NET (actions/setup-dotnet) dotnetbuilds.azureedge.net:443
Setup .NET (actions/setup-dotnet) dotnetcli.azureedge.net:443
Setup .NET (actions/setup-dotnet) dotnetcli.blob.core.windows.net:443
Restore Dependencies api.nuget.org:443
Build api.nuget.org:443 
- name: Harden Runner
  uses: step-security/harden-runner@74b568e8591fbb3115c70f3436a0c6b0909a8504
  with:
    egress-policy: block
    allowed-endpoints: >
      api.nuget.org:443
      dotnetbuilds.azureedge.net:443
      dotnetcli.azureedge.net:443
      dotnetcli.blob.core.windows.net:443
      github.com:443

Deploy

Step Domain
Checkout (actions/checkout) github.com:443
Install Cosign (sigstore/cosign-installer) storage.googleapis.com:443
Setup Docker Buildx (docker/setup-buildx-action) auth.docker.io:443
Setup Docker Buildx (docker/setup-buildx-action) registry-1.docker.io:443
Login to GitHub Container Registry (docker/login-action) ghcr.io:443
Extract Docker metadata (docker/metadata-action) api.github.com:443
Build + Push Docker image (docker/build-push-action) mcr.microsoft.com:443
Build + Push Docker image (docker/build-push-action) api.nuget.org:443
Build + Push Docker image (docker/build-push-action) ghcr.io:443
Sign the Docker image pipelines.actions.githubusercontent.com:443
Sign the Docker image fulcio.sigstore.dev:443
Sign the Docker image storage.googleapis.com:443
Sign the Docker image ghcr.io:443
Sign the Docker image pkg-containers.githubusercontent.com:443 
- name: Harden Runner
  uses: step-security/harden-runner@74b568e8591fbb3115c70f3436a0c6b0909a8504
  with:
    egress-policy: block
    allowed-endpoints: >
      api.github.com:443
      api.nuget.org:443
      auth.docker.io:443
      fulcio.sigstore.dev:443
      ghcr.io:443
      github.com:443
      mcr.microsoft.com:443
      pipelines.actions.githubusercontent.com:443
      pkg-containers.githubusercontent.com:443
      registry-1.docker.io:443
      storage.googleapis.com:443

This was referenced Aug 5, 2022
Closed
Merged
Enhancements automation moved this from To do to Awaiting Release Aug 5, 2022
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@irongut irongut

Labels
DevOps enhancement New feature or request
Projects
Enhancements
Awaiting Release
Milestone
vNext
Development

Successfully merging a pull request may close this issue.

PR: Implement StepSecurity Secure Workflows (policy) irongut/CodeCoverageSummary
1 participant
@irongut