diff --git a/.github/workflows/anomalous-outbound-calls.yaml b/.github/workflows/anomalous-outbound-calls.yaml
index 2e87a976c..52378f31f 100644
--- a/.github/workflows/anomalous-outbound-calls.yaml
+++ b/.github/workflows/anomalous-outbound-calls.yaml
@@ -1,6 +1,10 @@
 name: Anomalous Outbound Calls
 on:
   workflow_dispatch:
+
+permissions:
+  contents: read
+
 jobs:
   unexpected-outbound-calls:
     name: AnomalousOutboundCalls
diff --git a/.github/workflows/arc-codecov-simulation.yml b/.github/workflows/arc-codecov-simulation.yml
index dd1ab7dc9..d3a0a77b9 100644
--- a/.github/workflows/arc-codecov-simulation.yml
+++ b/.github/workflows/arc-codecov-simulation.yml
@@ -2,6 +2,9 @@ name: "ARC: Network Filtering with Harden-Runner"
 on:
   workflow_dispatch:
 
+permissions:
+  contents: read
+
 jobs:
   build:
     runs-on: self-hosted
diff --git a/.github/workflows/arc-secure-by-default.yml b/.github/workflows/arc-secure-by-default.yml
index 96a7098dc..a5fb83740 100644
--- a/.github/workflows/arc-secure-by-default.yml
+++ b/.github/workflows/arc-secure-by-default.yml
@@ -1,6 +1,9 @@
 name: "ARC: Secure-By-Default Cluster-Level Policy"
 on:
   workflow_dispatch:
+
+permissions:
+  contents: read
 
 jobs:
   direct-ip-hosted:
diff --git a/.github/workflows/arc-solarwinds-simulation.yml b/.github/workflows/arc-solarwinds-simulation.yml
index 72ce7c177..032e6ca53 100644
--- a/.github/workflows/arc-solarwinds-simulation.yml
+++ b/.github/workflows/arc-solarwinds-simulation.yml
@@ -2,6 +2,9 @@ name: "ARC: File Monitoring with Harden-Runner"
 on:
   workflow_dispatch:
 
+permissions:
+  contents: read
+
 jobs:
   arc-solarwinds-simulation:
     runs-on: self-hosted
diff --git a/.github/workflows/arc-zero-effort-observability.yml b/.github/workflows/arc-zero-effort-observability.yml
index 5cb8daacc..9d30bdfcd 100644
--- a/.github/workflows/arc-zero-effort-observability.yml
+++ b/.github/workflows/arc-zero-effort-observability.yml
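Review bot: A workflow-level `permissions` block is not additive: once it exists, every scope it does not list (`issues`, `packages`, `pull-requests`, `id-token`, ...) is set to `none` for all jobs in the workflow, so any job in these files that pushes, comments, publishes or requests an OIDC token will now fail unless it carries its own job-level `permissions`. Each hunk here shows only the top of its file, so the jobs' steps are outside the hunk; the same point applies to every workflow hunk in this diff and is worth verifying most for `publish.yml`, whose name suggests a write of some kind. The two `changed-files-vulnerability-*` hunks are unaffected since those files already had a `permissions` block and only gain `contents: read`. `contents: read` is the right default for jobs that only check out the repository; where a job needs more, scope it on that job (`build:` / `  permissions:` / `    contents: write`) rather than widening the workflow-level block.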
@@ -2,6 +2,9 @@ name: "ARC: Zero-effort Observability"
 on:
   workflow_dispatch:
 
+permissions:
+  contents: read
+
 jobs:
   build:
     runs-on: self-hosted
diff --git a/.github/workflows/baseline_checks.yml b/.github/workflows/baseline_checks.yml
index 06fc0bc75..84ef5415c 100644
--- a/.github/workflows/baseline_checks.yml
+++ b/.github/workflows/baseline_checks.yml
@@ -3,6 +3,9 @@ on:
   workflow_dispatch:
   pull_request:
 
+permissions:
+  contents: read
+
 jobs:
   build:
     runs-on: ubuntu-latest
diff --git a/.github/workflows/block-dns-exfiltration.yaml b/.github/workflows/block-dns-exfiltration.yaml
index 767d5d981..ad4d818f1 100644
--- a/.github/workflows/block-dns-exfiltration.yaml
+++ b/.github/workflows/block-dns-exfiltration.yaml
@@ -1,6 +1,10 @@
 name: Block DNS Exfiltration With Harden-Runner
 on:
   workflow_dispatch:
+
+permissions:
+  contents: read
+
 jobs:
   build:
     name: Deploy
diff --git a/.github/workflows/changed-files-vulnerability-with-hr.yml b/.github/workflows/changed-files-vulnerability-with-hr.yml
index d8ed7379f..1489f7bb8 100644
--- a/.github/workflows/changed-files-vulnerability-with-hr.yml
+++ b/.github/workflows/changed-files-vulnerability-with-hr.yml
@@ -8,6 +8,7 @@ on:
 
 permissions:
   pull-requests: read
+  contents: read
 
 jobs:
   changed_files:
diff --git a/.github/workflows/changed-files-vulnerability-without-hr.yml b/.github/workflows/changed-files-vulnerability-without-hr.yml
index 4b74464f1..731ea88e6 100644
--- a/.github/workflows/changed-files-vulnerability-without-hr.yml
+++ b/.github/workflows/changed-files-vulnerability-without-hr.yml
@@ -8,6 +8,7 @@ on:
 
 permissions:
   pull-requests: read
+  contents: read
 
 jobs:
   changed_files:
diff --git a/.github/workflows/hosted-file-monitor-with-hr.yml b/.github/workflows/hosted-file-monitor-with-hr.yml
index eeb3b63f6..79edea4ff 100644
--- a/.github/workflows/hosted-file-monitor-with-hr.yml
+++ b/.github/workflows/hosted-file-monitor-with-hr.yml
@@ -2,6 +2,9 @@ name: "Hosted: File Monitoring with Harden-Runner"
 on:
   workflow_dispatch:
 
+permissions:
+  contents: read
+
 jobs:
   build:
     runs-on: ubuntu-latest
diff --git a/.github/workflows/hosted-file-monitor-without-hr.yml b/.github/workflows/hosted-file-monitor-without-hr.yml
index a673fca8c..2a0e14f2f 100644
--- a/.github/workflows/hosted-file-monitor-without-hr.yml
+++ b/.github/workflows/hosted-file-monitor-without-hr.yml
@@ -2,6 +2,9 @@ name: "Hosted: File Monitoring without Harden-Runner"
 on:
   workflow_dispatch:
 
+permissions:
+  contents: read
+
 jobs:
   build:
     runs-on: ubuntu-latest
diff --git a/.github/workflows/hosted-https-monitoring-hr.yml b/.github/workflows/hosted-https-monitoring-hr.yml
index 379884875..03e44dad4 100644
--- a/.github/workflows/hosted-https-monitoring-hr.yml
+++ b/.github/workflows/hosted-https-monitoring-hr.yml
@@ -2,6 +2,9 @@ name: "Hosted: HTTPS Monitoring with Harden-Runner"
 on:
   workflow_dispatch:
 
+permissions:
+  contents: read
+
 jobs:
   build:
     runs-on: ubuntu-latest
diff --git a/.github/workflows/hosted-network-filtering-hr.yml b/.github/workflows/hosted-network-filtering-hr.yml
index 7dd7dcbfa..a7507d535 100644
--- a/.github/workflows/hosted-network-filtering-hr.yml
+++ b/.github/workflows/hosted-network-filtering-hr.yml
@@ -2,6 +2,9 @@ name: "Hosted: Network Filtering with Harden-Runner"
 on:
   workflow_dispatch:
 
+permissions:
+  contents: read
+
 jobs:
   build:
     runs-on: ubuntu-latest
diff --git a/.github/workflows/hosted-network-monitoring-hr.yml b/.github/workflows/hosted-network-monitoring-hr.yml
index 0aa554773..8f6875c95 100644
--- a/.github/workflows/hosted-network-monitoring-hr.yml
+++ b/.github/workflows/hosted-network-monitoring-hr.yml
@@ -1,6 +1,9 @@
 name: "Hosted: Network Monitoring with Harden-Runner"
 on:
   workflow_dispatch:
+
+permissions:
+  contents: read
 
 jobs:
   build:
diff --git a/.github/workflows/hosted-network-without-hr.yml b/.github/workflows/hosted-network-without-hr.yml
index 3533b8c72..52a03d28f 100644
--- a/.github/workflows/hosted-network-without-hr.yml
+++ b/.github/workflows/hosted-network-without-hr.yml
@@ -1,6 +1,9 @@
 name: "Hosted: Network Monitoring without Harden-Runner"
 on:
   workflow_dispatch:
+
+permissions:
+  contents: read
 
 jobs:
   build:
diff --git a/.github/workflows/publish.yml b/.github/workflows/publish.yml
index f42852631..d7ec95eab 100644
--- a/.github/workflows/publish.yml
+++ b/.github/workflows/publish.yml
@@ -2,6 +2,9 @@ name: Puzzle
 on:
   workflow_dispatch:
 
+permissions:
+  contents: read
+
 jobs:
   build:
     runs-on: ubuntu-latest
diff --git a/.github/workflows/self-hosted-file-monitor-with-hr.yml b/.github/workflows/self-hosted-file-monitor-with-hr.yml
index a53608566..40caadd8b 100644
--- a/.github/workflows/self-hosted-file-monitor-with-hr.yml
+++ b/.github/workflows/self-hosted-file-monitor-with-hr.yml
@@ -2,6 +2,9 @@ name: "Self-Hosted (VM): File Monitoring with Harden-Runner"
 on:
   workflow_dispatch:
 
+permissions:
+  contents: read
+
 jobs:
   build:
     runs-on: [self-hosted, ec2]
diff --git a/.github/workflows/self-hosted-network-filtering-hr.yml b/.github/workflows/self-hosted-network-filtering-hr.yml
index 815f293ea..b1cc1a8cd 100644
--- a/.github/workflows/self-hosted-network-filtering-hr.yml
+++ b/.github/workflows/self-hosted-network-filtering-hr.yml
@@ -1,6 +1,9 @@
 name: "Self-Hosted (VM): Network Filtering with Harden-Runner"
 on:
   workflow_dispatch:
+
+permissions:
+  contents: read
 
 jobs:
   build:
diff --git a/.github/workflows/self-hosted-network-monitoring-hr.yml b/.github/workflows/self-hosted-network-monitoring-hr.yml
index 5f0ba2320..a295fef8e 100644
--- a/.github/workflows/self-hosted-network-monitoring-hr.yml
+++ b/.github/workflows/self-hosted-network-monitoring-hr.yml
@@ -1,6 +1,9 @@
 name: "Self-Hosted (VM): Network Monitoring with Harden-Runner"
 on:
   workflow_dispatch:
+
+permissions:
+  contents: read
 
 jobs:
   build:
diff --git a/.github/workflows/unexpected-outbound-calls.yml b/.github/workflows/unexpected-outbound-calls.yml
index f53167970..fff29148b 100644
--- a/.github/workflows/unexpected-outbound-calls.yml
+++ b/.github/workflows/unexpected-outbound-calls.yml
@@ -1,6 +1,10 @@
 name: Unexpected Outbound Calls
 on:
   workflow_dispatch:
+
+permissions:
+  contents: read
+
 jobs:
   unexpected-outbound-calls:
     name: UnexpectedOutboundCalls
diff --git a/docs/Solutions/FixGITHUB_TOKENPermissions.md b/docs/Solutions/FixGITHUB_TOKENPermissions.md
index 5c42a2861..eaebdafe8 100644
--- a/docs/Solutions/FixGITHUB_TOKENPermissions.md
+++ b/docs/Solutions/FixGITHUB_TOKENPermissions.md
@@ -19,3 +19,39 @@ In this tutorial you will update the token permissions for workflows in this rep 6. Merge the pull request. Check the permissions for the jobs in the "Set up job" section of the workflow run log. You will notice that the permissions are set to the minimum needed. > https://app.stepsecurity.io/securerepo has been used by over 500 public repositories to apply GitHub Actions Security best practices. You can browse pull requests for the Top 50 repositories at https://app.stepsecurity.io/securerepo/trending + +## Using Fine-Grained Permissions for GitHub Tokens + +To enhance security, it is important to use fine-grained permissions for GitHub tokens. This follows the principle of least privilege, ensuring that each job only has access to what it absolutely needs. + +### Example + +In the `.github/workflows/hosted-network-filtering-hr.yml` file, you can add `permissions: contents: read` to limit access: + +```yaml +name: "Hosted: Network Filtering with Harden-Runner" +on: + workflow_dispatch: + +permissions: + contents: read + +jobs: + build: + runs-on: ubuntu-latest + steps: + - name: Harden Runner + uses: step-security/harden-runner@v2 + with: + disable-sudo: true + egress-policy: block + allowed-endpoints: > + github.com:443 + www.githubstatus.com:443 + - uses: crazy-max/ghaction-github-status@v4 + - uses: actions/checkout@v3 + - run: | + curl https://exfiltrationdemo.blob.core.windows.net/ +``` + +By setting the minimum required permissions for the GitHub token in your workflows, you can significantly reduce the risk of accidental or malicious misuse.