
Implement StepSecurity Secure Workflows (policy) #51

Closed
irongut opened this issue Jul 24, 2022 · 4 comments · Fixed by #62

Comments


irongut commented Jul 24, 2022

Feature Request

Implement StepSecurity Secure Workflows Harden Runner recommendations.

Expected Behaviour

Workflows will be updated following the recommendations.

Additional Context

Actions not currently in the StepSecurity token permission database:

  • samspills/assign-pr-to-author

Linked To

#41 GITHUB_TOKEN permissions used by this action
#49 Implement StepSecurity Secure Workflows (audit)

@irongut irongut added enhancement New feature or request DevOps labels Jul 24, 2022
@irongut irongut self-assigned this Jul 24, 2022
@irongut irongut modified the milestones: vNext+1, vNext Jul 24, 2022

irongut commented Aug 5, 2022

PM Workflows

  • Assign to Project
  • Assign PR
  • Mark Stale
  • PR labeller

```yaml
- name: Harden Runner
  uses: step-security/harden-runner@74b568e8591fbb3115c70f3436a0c6b0909a8504
  with:
    egress-policy: block
    allowed-endpoints: >
      api.github.com:443
```


irongut commented Aug 5, 2022

CodeQL Scan

| Step | Domain |
| --- | --- |
| Checkout (actions/checkout) | github.com:443 |
| Initialize CodeQL (github/codeql-action/init) | api.github.com:443 |
| Setup .NET (actions/setup-dotnet) | dotnetbuilds.azureedge.net:443 |
| Setup .NET (actions/setup-dotnet) | dotnetcli.azureedge.net:443 |
| Setup .NET (actions/setup-dotnet) | dotnetcli.blob.core.windows.net:443 |
| Restore Dependencies | api.nuget.org:443 |
| Build | api.nuget.org:443 |
| Perform CodeQL Analysis (github/codeql-action/analyze) | api.github.com:443 |
| Perform CodeQL Analysis (github/codeql-action/analyze) | uploads.github.com:443 |

```yaml
- name: Harden Runner
  uses: step-security/harden-runner@74b568e8591fbb3115c70f3436a0c6b0909a8504
  with:
    egress-policy: block
    allowed-endpoints: >
      api.github.com:443
      api.nuget.org:443
      dotnetbuilds.azureedge.net:443
      dotnetcli.azureedge.net:443
      dotnetcli.blob.core.windows.net:443
      github.com:443
      uploads.github.com:443
```


irongut commented Aug 5, 2022

CI Build

| Step | Domain |
| --- | --- |
| Checkout (actions/checkout) | github.com:443 |
| Setup .NET (actions/setup-dotnet) | dotnetbuilds.azureedge.net:443 |
| Setup .NET (actions/setup-dotnet) | dotnetcli.azureedge.net:443 |
| Setup .NET (actions/setup-dotnet) | dotnetcli.blob.core.windows.net:443 |
| Restore Dependencies | api.nuget.org:443 |
| Build | api.nuget.org:443 |

```yaml
- name: Harden Runner
  uses: step-security/harden-runner@74b568e8591fbb3115c70f3436a0c6b0909a8504
  with:
    egress-policy: block
    allowed-endpoints: >
      api.nuget.org:443
      dotnetbuilds.azureedge.net:443
      dotnetcli.azureedge.net:443
      dotnetcli.blob.core.windows.net:443
      github.com:443
```


irongut commented Aug 5, 2022

Build & Deploy

Based on irongut/EditRelease#22

Build

| Step | Domain |
| --- | --- |
| Checkout (actions/checkout) | github.com:443 |
| Setup .NET (actions/setup-dotnet) | dotnetbuilds.azureedge.net:443 |
| Setup .NET (actions/setup-dotnet) | dotnetcli.azureedge.net:443 |
| Setup .NET (actions/setup-dotnet) | dotnetcli.blob.core.windows.net:443 |
| Restore Dependencies | api.nuget.org:443 |
| Build | api.nuget.org:443 |

```yaml
- name: Harden Runner
  uses: step-security/harden-runner@74b568e8591fbb3115c70f3436a0c6b0909a8504
  with:
    egress-policy: block
    allowed-endpoints: >
      api.nuget.org:443
      dotnetbuilds.azureedge.net:443
      dotnetcli.azureedge.net:443
      dotnetcli.blob.core.windows.net:443
      github.com:443
```

Deploy

| Step | Domain |
| --- | --- |
| Checkout (actions/checkout) | github.com:443 |
| Install Cosign (sigstore/cosign-installer) | storage.googleapis.com:443 |
| Setup Docker Buildx (docker/setup-buildx-action) | auth.docker.io:443 |
| Setup Docker Buildx (docker/setup-buildx-action) | registry-1.docker.io:443 |
| Login to GitHub Container Registry (docker/login-action) | ghcr.io:443 |
| Extract Docker metadata (docker/metadata-action) | api.github.com:443 |
| Build + Push Docker image (docker/build-push-action) | mcr.microsoft.com:443 |
| Build + Push Docker image (docker/build-push-action) | api.nuget.org:443 |
| Build + Push Docker image (docker/build-push-action) | ghcr.io:443 |
| Sign the Docker image | pipelines.actions.githubusercontent.com:443 |
| Sign the Docker image | fulcio.sigstore.dev:443 |
| Sign the Docker image | storage.googleapis.com:443 |
| Sign the Docker image | ghcr.io:443 |
| Sign the Docker image | pkg-containers.githubusercontent.com:443 |

```yaml
- name: Harden Runner
  uses: step-security/harden-runner@74b568e8591fbb3115c70f3436a0c6b0909a8504
  with:
    egress-policy: block
    allowed-endpoints: >
      api.github.com:443
      api.nuget.org:443
      auth.docker.io:443
      fulcio.sigstore.dev:443
      ghcr.io:443
      github.com:443
      mcr.microsoft.com:443
      pipelines.actions.githubusercontent.com:443
      pkg-containers.githubusercontent.com:443
      registry-1.docker.io:443
      storage.googleapis.com:443
```

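Added example, not code from this issue or the repository: a small Python helper that performs the step the comments above do by hand, turning a pasted Step/Domain audit table into the sorted `allowed-endpoints` list and the pinned Harden Runner step, and reporting any audited endpoint that a hand-written allow-list would leave blocked. The sample table is constructed from the CI Build comment; the function names are assumptions of this example.

```python
import re
from typing import Dict, List

# Constructed sample: the Step/Domain audit table from the "CI Build" comment,
# in the flattened one-line-per-row form it appears on the page.
CI_BUILD_AUDIT = """\
Step Domain
Checkout (actions/checkout) github.com:443
Setup .NET (actions/setup-dotnet) dotnetbuilds.azureedge.net:443
Setup .NET (actions/setup-dotnet) dotnetcli.azureedge.net:443
Setup .NET (actions/setup-dotnet) dotnetcli.blob.core.windows.net:443
Restore Dependencies api.nuget.org:443
Build api.nuget.org:443
"""

# A row is "<step name> <host:port>"; the step name may contain spaces and parentheses.
ROW_RE = re.compile(r"^(?P<step>.+?)\s+(?P<endpoint>[A-Za-z0-9.-]+:\d+)$")

# Commit SHA the issue pins harden-runner to; pinning to a SHA rather than a tag
# is what keeps the action itself from being swapped out underneath the policy.
HARDEN_RUNNER_SHA = "74b568e8591fbb3115c70f3436a0c6b0909a8504"


def parse_audit(table: str) -> Dict[str, List[str]]:
    """Map each step name to the endpoints the audit saw it contact."""
    steps: Dict[str, List[str]] = {}
    for line in table.splitlines():
        line = line.strip()
        if not line or line == "Step Domain":  # skip blanks and the header row
            continue
        m = ROW_RE.match(line)
        if not m:
            raise ValueError(f"unparseable audit row: {line!r}")
        steps.setdefault(m["step"], []).append(m["endpoint"])
    return steps


def allowed_endpoints(steps: Dict[str, List[str]]) -> List[str]:
    """Deduplicated, sorted allow-list in the form used in the comments."""
    return sorted({ep for eps in steps.values() for ep in eps})


def harden_runner_step(endpoints: List[str]) -> str:
    """Render the Harden Runner step with egress-policy: block and the allow-list."""
    head = ["- name: Harden Runner",
            f"  uses: step-security/harden-runner@{HARDEN_RUNNER_SHA}",
            "  with:", "    egress-policy: block", "    allowed-endpoints: >"]
    return "\n".join(head + [f"      {ep}" for ep in endpoints])


def blocked_by(steps: Dict[str, List[str]], allowed: List[str]) -> Dict[str, List[str]]:
    """Audited endpoints missing from an allow-list, per step (these would fail under block)."""
    allow = set(allowed)
    gaps = {s: [e for e in eps if e not in allow] for s, eps in steps.items()}
    return {s: eps for s, eps in gaps.items() if eps}
```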