Skip to content

Commit

Permalink
[StepSecurity] ci: Harden GitHub Actions (#169)
Browse files Browse the repository at this point in the history 
## Summary

This pull request is created by
[StepSecurity](https://app.stepsecurity.io/securerepo) at the request of
@DefinetlyNotAI. Please merge the Pull Request to incorporate the
requested changes. Please tag @DefinetlyNotAI on your message if you
have any questions related to the PR.
## Security Fixes

### Pinned Dependencies

GitHub Action tags and Docker tags are mutable. This poses a security
risk. GitHub's Security Hardening guide recommends pinning actions to
full length commit.

- [GitHub Security
Guide](https://docs.github.com/en/actions/security-guides/security-hardening-for-github-actions#using-third-party-actions)
- [The Open Source Security Foundation (OpenSSF) Security
Guide](https://github.com/ossf/scorecard/blob/main/docs/checks.md#pinned-dependencies)
### Harden Runner

[Harden-Runner](https://github.com/step-security/harden-runner) is an
open-source security agent for the GitHub-hosted runner to prevent
software supply chain attacks. It prevents exfiltration of credentials,
detects tampering of source code during build, and enables running jobs
without `sudo` access.

<details>
<summary>Harden runner usage</summary>

You can find link to view insights and policy recommendation in the
build log

<img
src="https://github.com/step-security/harden-runner/blob/main/images/buildlog1.png?raw=true"
width="60%" height="60%">

Please refer to
[documentation](https://docs.stepsecurity.io/harden-runner/how-tos/enable-runtime-security)
to find more details.
</details>



## Feedback
For bug reports, feature requests, and general feedback; please email
[email protected]. To create such PRs, please visit
https://app.stepsecurity.io/securerepo.


Signed-off-by: StepSecurity Bot <[email protected]>

<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->

## Summary by CodeRabbit

- **New Features**
- Added a "Harden Runner" step to enhance security in multiple
workflows.
  
- **Updates**
- Updated action versions for building and running fuzzers to specific
commit hashes for improved stability across workflows.

<!-- end of auto-generated comment: release notes by coderabbit.ai -->
  • Loading branch information
@DefinetlyNotAI
DefinetlyNotAI authored Dec 18, 2024
2 parents fdcc634 + 5001931 commit 3e9287e
Show file tree
Hide file tree
Showing 3 changed files with 20 additions and 5 deletions.
9 changes: 7 additions & 2 deletions .github/workflows/cflite_batch.yml
View file
Original file line number Diff line number Diff line change
Expand Up @@ -15,15 +15,20 @@ jobs:
# - undefined
# - memory
steps:
- name: Harden Runner
uses: step-security/harden-runner@0080882f6c36860b6ba35c610c98ce87d4e2f26f # v2.10.2
with:
egress-policy: audit

- name: Build Fuzzers (${{ matrix.sanitizer }})
id: build
uses: google/clusterfuzzlite/actions/build_fuzzers@v1
uses: google/clusterfuzzlite/actions/build_fuzzers@884713a6c30a92e5e8544c39945cd7cb630abcd1 # v1
with:
language: python # Change this to the language you are fuzzing.
sanitizer: ${{ matrix.sanitizer }}
- name: Run Fuzzers (${{ matrix.sanitizer }})
id: run
uses: google/clusterfuzzlite/actions/run_fuzzers@v1
uses: google/clusterfuzzlite/actions/run_fuzzers@884713a6c30a92e5e8544c39945cd7cb630abcd1 # v1
with:
github-token: ${{ secrets.GITHUB_TOKEN }}
fuzz-seconds: 3600
Expand Down
7 changes: 6 additions & 1 deletion .github/workflows/cflite_build.yml
View file
Original file line number Diff line number Diff line change
Expand Up @@ -19,9 +19,14 @@ jobs:
# - undefined
# - memory
steps:
- name: Harden Runner
uses: step-security/harden-runner@0080882f6c36860b6ba35c610c98ce87d4e2f26f # v2.10.2
with:
egress-policy: audit

- name: Build Fuzzers (${{ matrix.sanitizer }})
id: build
uses: google/clusterfuzzlite/actions/build_fuzzers@v1
uses: google/clusterfuzzlite/actions/build_fuzzers@884713a6c30a92e5e8544c39945cd7cb630abcd1 # v1
with:
language: python # Change this to the language you are fuzzing.
sanitizer: ${{ matrix.sanitizer }}
Expand Down
9 changes: 7 additions & 2 deletions .github/workflows/cflite_cron.yml
View file
Original file line number Diff line number Diff line change
Expand Up @@ -7,14 +7,19 @@ jobs:
Pruning:
runs-on: ubuntu-latest
steps:
- name: Harden Runner
uses: step-security/harden-runner@0080882f6c36860b6ba35c610c98ce87d4e2f26f # v2.10.2
with:
egress-policy: audit

- name: Build Fuzzers
id: build
uses: google/clusterfuzzlite/actions/build_fuzzers@v1
uses: google/clusterfuzzlite/actions/build_fuzzers@884713a6c30a92e5e8544c39945cd7cb630abcd1 # v1
with:
language: python # Change this to the language you are fuzzing
- name: Run Fuzzers
id: run
uses: google/clusterfuzzlite/actions/run_fuzzers@v1
uses: google/clusterfuzzlite/actions/run_fuzzers@884713a6c30a92e5e8544c39945cd7cb630abcd1 # v1
with:
github-token: ${{ secrets.GITHUB_TOKEN }}
fuzz-seconds: 600
Expand Down

0 comments on commit 3e9287e

Please sign in to comment.