Support wildcard domains #236
Comments
Hi @jauderho, can you please share a link to a workflow where you observed this? Thanks!
Interesting, harden-runner does not actually capture the subdomain in the harden-runner output: https://app.stepsecurity.io/github/jauderho/dockerfiles/actions/runs/3965278228 But this can be seen in the GHA output: https://github.com/jauderho/dockerfiles/actions/runs/3965278228/jobs/6794861825#step:20:51 This is for a successful run where mcr.microsoft.com resolves to eastus.mcr.microsoft.com
This is for an unsuccessful run. I just enabled telemetry and set it to block.
As you can see from the harden-runner output, only mcr.microsoft.com shows up in the recommended policy for allowed-endpoints, but not eastus.data.mcr.microsoft.com.
Seeing the same issue after changing the egress policy to https://github.com/Azure/eraser/actions/runs/4028112467/jobs/6924673782#step:10:31
@varunsh-coder, I found that the structure of content-delivery endpoints is On executing the below command you will notice a call to curl https://mcr.microsoft.com/v2/dotnet/aspnet/blobs/sha256:ac9a37082c6dec16dd5bd45d54a08f2e479d37222f2732f5b464e9dd5d454f0a Ref:
I have updated the title to a more generic feature: Support wildcard domains.
@h0x0er is working on implementing this feature. We plan to release it in two weeks. I will share
This feature is now available on the
This has been released in v2.4.0 |
Microsoft publishes container images on mcr.microsoft.com, for example mcr.microsoft.com/dotnet/sdk:7.0.
However, when building a Docker image using GitHub Actions, it appears that mcr.microsoft.com resolves to multiple regions across different runs. Observed:
So instead of having to slowly track and whitelist individual regions, I'm hoping that you can just allowlist *.mcr.microsoft.com
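An added example (not harden-runner's code) of how an egress allowlist matcher can treat the `*.mcr.microsoft.com` entry this issue asks for: exact entries alone miss the regional hosts seen in the runs above, and a wildcard must anchor on the leading dot so that a lookalike such as `notmcr.microsoft.com` is not accepted. The `host:port` line syntax, the `*.` prefix and any-depth subdomain matching are assumptions made for illustration.

```go
package main

import (
	"fmt"
	"strings"
)

// normalize lowercases a DNS name and drops a trailing dot so that
// "EastUS.data.mcr.microsoft.com." and "eastus.data.mcr.microsoft.com" compare equal.
func normalize(h string) string {
	return strings.ToLower(strings.TrimSuffix(strings.TrimSpace(h), "."))
}

// hostMatches reports whether pattern covers host. A pattern starting with "*."
// (assumed syntax) matches subdomains at any depth but not the bare domain, so a
// policy usually lists both "mcr.microsoft.com" and "*.mcr.microsoft.com".
func hostMatches(pattern, host string) bool {
	pattern, host = normalize(pattern), normalize(host)
	if !strings.HasPrefix(pattern, "*.") {
		return pattern == host
	}
	suffix := pattern[1:] // ".mcr.microsoft.com": the dot keeps "notmcr.microsoft.com" out
	return len(host) > len(suffix) && strings.HasSuffix(host, suffix)
}

// Allowed checks an outbound host:port against a newline-separated
// allowed-endpoints block of "host:port" lines (a missing port is taken as 443).
func Allowed(policy, host, port string) bool {
	for _, line := range strings.Split(policy, "\n") {
		if strings.TrimSpace(line) == "" {
			continue
		}
		ph, pp, found := strings.Cut(strings.TrimSpace(line), ":")
		if !found {
			pp = "443"
		}
		if pp == port && hostMatches(ph, host) {
			return true
		}
	}
	return false
}

func main() {
	exact := "mcr.microsoft.com:443"
	wild := exact + "\n*.mcr.microsoft.com:443"
	for _, h := range []string{"mcr.microsoft.com", "eastus.data.mcr.microsoft.com", "notmcr.microsoft.com"} {
		fmt.Printf("%-32s exact=%-5v wildcard=%v\n", h, Allowed(exact, h, "443"), Allowed(wild, h, "443"))
	}
}
```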