Harden GitHub Actions Workflow - hosted-network-filtering-hr.yml

.github/workflows/anomalous-outbound-calls.yaml

@@ -1,6 +1,10 @@
 name: Anomalous Outbound Calls
 on:
   workflow_dispatch:
+
+permissions:
+  contents: read
+
 jobs:
   unexpected-outbound-calls:
     name: AnomalousOutboundCalls

.github/workflows/arc-codecov-simulation.yml

@@ -2,6 +2,9 @@ name: "ARC: Network Filtering with Harden-Runner"
 on:
   workflow_dispatch:
 
+permissions:
+  contents: read
+
 jobs:
   build:
     runs-on: self-hosted

.github/workflows/arc-secure-by-default.yml

@@ -1,6 +1,9 @@
 name: "ARC: Secure-By-Default Cluster-Level Policy"
 on:
   workflow_dispatch:
+
+permissions:
+  contents: read
 
 jobs:
   direct-ip-hosted:

.github/workflows/arc-solarwinds-simulation.yml

@@ -2,6 +2,9 @@ name: "ARC: File Monitoring with Harden-Runner"
 on:
   workflow_dispatch:
 
+permissions:
+  contents: read
+
 jobs:
   arc-solarwinds-simulation:
     runs-on: self-hosted

.github/workflows/arc-zero-effort-observability.yml

@@ -2,6 +2,9 @@ name: "ARC: Zero-effort Observability"
 on:
   workflow_dispatch:
 
+permissions:
+  contents: read
+
 jobs:
   build:
     runs-on: self-hosted

.github/workflows/baseline_checks.yml

@@ -3,6 +3,9 @@ on:
   workflow_dispatch:
   pull_request:
 
+permissions:
+  contents: read
+
 jobs:
   build:
     runs-on: ubuntu-latest

.github/workflows/block-dns-exfiltration.yaml

@@ -1,6 +1,10 @@
 name: Block DNS Exfiltration With Harden-Runner
 on:
   workflow_dispatch:
+
+permissions:
+  contents: read
+
 jobs:
   build:
     name: Deploy

.github/workflows/changed-files-vulnerability-with-hr.yml

@@ -8,6 +8,7 @@ on:
 
 permissions:
   pull-requests: read
+  contents: read
 
 jobs:
   changed_files:

.github/workflows/changed-files-vulnerability-without-hr.yml

@@ -8,6 +8,7 @@ on:
 
 permissions:
   pull-requests: read
+  contents: read
 
 jobs:
   changed_files:

.github/workflows/hosted-file-monitor-with-hr.yml

@@ -2,6 +2,9 @@ name: "Hosted: File Monitoring with Harden-Runner"
 on:
   workflow_dispatch:
 
+permissions:
+  contents: read
+
 jobs:
   build:
     runs-on: ubuntu-latest

.github/workflows/hosted-file-monitor-without-hr.yml

@@ -2,6 +2,9 @@ name: "Hosted: File Monitoring without Harden-Runner"
 on:
   workflow_dispatch:
 
+permissions:
+  contents: read
+
 jobs:
   build:
     runs-on: ubuntu-latest

.github/workflows/hosted-https-monitoring-hr.yml

@@ -2,6 +2,9 @@ name: "Hosted: HTTPS Monitoring with Harden-Runner"
 on:
   workflow_dispatch:
 
+permissions:
+  contents: read
+
 jobs:
   build:
     runs-on: ubuntu-latest

.github/workflows/hosted-network-filtering-hr.yml

@@ -2,6 +2,9 @@ name: "Hosted: Network Filtering with Harden-Runner"
 on:
   workflow_dispatch:
 
+permissions:
+  contents: read
+
 jobs:
   build:
     runs-on: ubuntu-latest

.github/workflows/hosted-network-monitoring-hr.yml

@@ -1,6 +1,9 @@
 name: "Hosted: Network Monitoring with Harden-Runner"
 on:
   workflow_dispatch:
+
+permissions:
+  contents: read
 
 jobs:
   build:

.github/workflows/hosted-network-without-hr.yml

@@ -1,6 +1,9 @@
 name: "Hosted: Network Monitoring without Harden-Runner"
 on:
   workflow_dispatch:
+
+permissions:
+  contents: read
 
 jobs:
   build:

.github/workflows/publish.yml

@@ -2,6 +2,9 @@ name: Puzzle
 on:
   workflow_dispatch:
 
+permissions:
+  contents: read
+
 jobs:
   build:
     runs-on: ubuntu-latest

.github/workflows/self-hosted-file-monitor-with-hr.yml

@@ -2,6 +2,9 @@ name: "Self-Hosted (VM): File Monitoring with Harden-Runner"
 on:
   workflow_dispatch:
 
+permissions:
+  contents: read
+
 jobs:
   build:
     runs-on: [self-hosted, ec2]

.github/workflows/self-hosted-network-filtering-hr.yml

@@ -1,6 +1,9 @@
 name: "Self-Hosted (VM): Network Filtering with Harden-Runner"
 on:
   workflow_dispatch:
+
+permissions:
+  contents: read
 
 jobs:
   build:

.github/workflows/self-hosted-network-monitoring-hr.yml

@@ -1,6 +1,9 @@
 name: "Self-Hosted (VM): Network Monitoring with Harden-Runner"
 on:
   workflow_dispatch:
+
+permissions:
+  contents: read
 
 jobs:
   build:

.github/workflows/unexpected-outbound-calls.yml

@@ -1,6 +1,10 @@
 name: Unexpected Outbound Calls
 on:
   workflow_dispatch:
+
+permissions:
+  contents: read
+
 jobs:
   unexpected-outbound-calls:
     name: UnexpectedOutboundCalls

docs/Solutions/FixGITHUB_TOKENPermissions.md

@@ -19,3 +19,39 @@ In this tutorial you will update the token permissions for workflows in this rep
 6. Merge the pull request. Check the permissions for the jobs in the "Set up job" section of the workflow run log. You will notice that the permissions are set to the minimum needed.
 
 > https://app.stepsecurity.io/securerepo has been used by over 500 public repositories to apply GitHub Actions Security best practices. You can browse pull requests for the Top 50 repositories at https://app.stepsecurity.io/securerepo/trending
+
+## Using Fine-Grained Permissions for GitHub Tokens
+
+To enhance security, it is important to use fine-grained permissions for GitHub tokens. This follows the principle of least privilege, ensuring that each job only has access to what it absolutely needs.
+
+### Example
+
+In the `.github/workflows/hosted-network-filtering-hr.yml` file, you can add `permissions: contents: read` to limit access:
+
+```yaml
+name: "Hosted: Network Filtering with Harden-Runner"
+on:
+  workflow_dispatch:
+
+permissions:
+  contents: read
+
+jobs:
+  build:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Harden Runner
+        uses: step-security/harden-runner@v2
+        with:
+          disable-sudo: true
+          egress-policy: block
+          allowed-endpoints: >
+            github.com:443
+            www.githubstatus.com:443
+      - uses: crazy-max/ghaction-github-status@v4
+      - uses: actions/checkout@v3
+      - run: |
+          curl https://exfiltrationdemo.blob.core.windows.net/
+```
+
+By setting the minimum required permissions for the GitHub token in your workflows, you can significantly reduce the risk of accidental or malicious misuse.