GitHub-Hosted Runners
Add the step-security/harden-runner GitHub Action to your GitHub Actions workflow file as the first step in each job. You can automate adding the Harden-Runner Action to your workflow file by using StepSecurity Secure Workflow.
You will see a link to security insights and recommendations in the workflow logs and the job markdown summary.
Click on the link (example link). You will see a process monitor view of network and file events correlated with each step of the job.
In the Recommended Policy tab, you'll find a recommended block policy based on outbound calls aggregated from the current and past runs of the job. You can update your workflow file with this policy or use the Policy Store to apply the policy without modifying the workflow file. From now on, any outbound calls not on the allowed list will be blocked.
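A workflow illustrating the steps above, as an added example rather than StepSecurity's own file. The workflow name, job names, build commands and the endpoint list are constructed placeholders; the real allowed list comes from the Recommended Policy tab for each job.

```yaml
name: ci            # hypothetical workflow name
on: [push]

permissions:
  contents: read

jobs:
  # Job that has just been onboarded: Harden-Runner only observes.
  test:
    runs-on: ubuntu-latest
    steps:
      # Must be the first step so that every later step is monitored.
      - uses: step-security/harden-runner@v2
        with:
          egress-policy: audit        # record outbound calls, block nothing
      - uses: actions/checkout@v4
      - run: npm ci && npm test       # placeholder commands

  # Job whose recommended policy has been copied into the workflow file.
  build:
    runs-on: ubuntu-latest
    steps:
      # Each job needs its own Harden-Runner step and its own policy.
      - uses: step-security/harden-runner@v2
        with:
          egress-policy: block        # anything not listed below is blocked
          # Constructed sample list; replace with the endpoints shown in
          # the Recommended Policy tab for this job.
          allowed-endpoints: >
            github.com:443
            api.github.com:443
            registry.npmjs.org:443
      - uses: actions/checkout@v4
      - run: npm ci && npm run build  # placeholder commands
```

Keeping a job in audit mode for several runs before switching it to block gives the recommendation more outbound calls to aggregate, which reduces the chance of blocking a legitimate endpoint.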
You can use GitHub Actions Goat to try Harden-Runner. You only need a GitHub Account and a web browser.
Hands-on Tutorials for GitHub Actions Runtime Security: