
Harden GitHub Actions Workflow - wf6.yml #92

@test-int-123

Description


GitHub Hosted Runner Should Be Hardened

Summary

The GitHub-hosted runner used in your workflow file (.github/workflows/wf6.yml) is not sufficiently hardened against potential security threats.
Hardening the runner enhances security by mitigating risks such as unauthorized network egress, credential exfiltration, and source code tampering.

Why This is Important

Using an unhardened GitHub-hosted runner exposes your CI/CD environment to significant risk.
A compromised workflow, dependency, or build tool can exfiltrate credentials and source code, because the runner has unrestricted outbound network access and any step can send data anywhere; it can also tamper with source code or build artifacts, injecting vulnerabilities or backdoors during the build.

Evidence of an Unhardened Runner

For more context, refer to the build log from your recent workflow run. The log shows no network egress filtering and no runtime security monitoring, which indicates that the runner is not protected against threats such as credential exfiltration or build tampering.

Suggested Fix

Below is the updated code, which hardens the GitHub-hosted runner using Harden-Runner.
Update your workflow file with this suggested configuration to resolve this issue:

  name: Test GitHubToken Excessive Permissions
  on:
    push:
      branches:
        - main
+ permissions:
+   contents: read
  jobs:
    test-permissions:
      runs-on: ubuntu-latest
      permissions:
        contents: write
        issues: write
        pull-requests: write
        actions: write
        checks: write
        deployments: write
        statuses: write
        packages: write
        repository-projects: write
        discussions: write
        security-events: write
      steps:
        - name: 
+ Harden Runner
+         uses: step-security/harden-runner@91182cccc01eb5e619899d80e4e971d6181294a7
+         with:
+           egress-policy: audit
+       - name: 
  Checkout code
          uses: actions/checkout@
- v
+ f43a0e5ff2bd2940956
  3
+ 8e18286ca9a3d1956744
        - name: Dummy Step
          run: echo "This is to test excessive token permissions"
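Review bot: The new top-level `permissions: contents: read` has no effect on the `test-permissions` job, because the job-level `permissions` block that follows it (contents, issues, pull-requests, actions, checks, deployments, statuses, packages, repository-projects, discussions, security-events, all `write`) overrides the workflow default for that job. The only step, `Dummy Step`, runs `echo`, so trim the job-level block to `contents: read` or delete it and let the workflow default apply; otherwise the GITHUB_TOKEN keeps near-full write scope on this runner. Two smaller points: `egress-policy: audit` only logs outbound connections and blocks nothing, so once an audit run has shown which endpoints the job actually needs, move to `egress-policy: block` with an `allowed-endpoints` list; and the checkout commit SHA that replaces the floating `v3` tag is split across three lines in the rendered hunk (`f43a0e5ff2bd2940956` / `3` / `8e18286ca9a3d1956744`), so verify the full 40-character SHA when applying and add a trailing comment naming the release it corresponds to so the pin stays readable.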

Next Steps

Please review and update the workflow file to integrate runner hardening with tools like Harden-Runner.

If you'd like us to create a pull request with the suggested changes for you, comment /secure-workflow on this issue, and we will handle the rest.

For further guidance, refer to the Harden-Runner documentation.
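For reference, here is a complete hardened version of wf6.yml that applies the steps above. It is added here as an illustration and is not taken from the issue's suggested fix or from the Harden-Runner project: it keeps the two commit pins from the suggested fix, moves Harden-Runner from audit to block mode, and drops the job-level write permissions. The `allowed-endpoints` list is an assumption for a checkout-only job; discover the endpoints your own jobs need with an audit run first.

```yaml
name: Test GitHubToken Excessive Permissions
on:
  push:
    branches:
      - main

# Workflow-wide default: read-only token. Jobs that need more must opt in
# explicitly, so least privilege is the baseline rather than the exception.
permissions:
  contents: read

jobs:
  test-permissions:
    runs-on: ubuntu-latest
    # No job-level permissions block: the job inherits the read-only default
    # above. The original block granted write on eleven scopes to a job whose
    # only step runs echo.
    steps:
      - name: Harden Runner
        # Same commit the issue's suggested fix pins; check the action's
        # releases before copying this into your own repository.
        uses: step-security/harden-runner@91182cccc01eb5e619899d80e4e971d6181294a7
        with:
          # block, not audit: connections to anything outside the allow list
          # are dropped rather than just logged.
          egress-policy: block
          # Assumed allow list for a checkout-only job (github.com is what
          # actions/checkout talks to). Run once with egress-policy: audit to
          # learn the endpoints your real build steps use, then list them here.
          allowed-endpoints: >
            github.com:443
          # Remove root from build steps so a compromised dependency cannot
          # tamper with the runner or its monitoring agent.
          disable-sudo: true

      - name: Checkout code
        # Full 40-character SHA pin instead of the floating v3 tag.
        uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744

      - name: Dummy Step
        run: echo "This is to test excessive token permissions"
```

Roll this out in two stages: first with `egress-policy: audit` to record every outbound endpoint the job contacts, then switch to `block` with exactly those endpoints listed. A job that fails after the switch is telling you about a dependency you did not know it had.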

Severity: High
