Block Egress Traffic
You can configure Harden-Runner to block traffic to remote endpoints that have not been explicitly authorized. Because runtime CI/CD behavior is highly predictable (CI/CD jobs tend to do the same thing on every run), we highly recommend that you enable Block mode on Harden-Runner.
Audit Suspicious Outgoing Network Calls
When you run Harden-Runner in Audit mode, you can observe all outgoing network calls by looking for the network call icon under Operations. You can learn more about the significance of this activity by visiting Attack Simulations.
Access Recommended Block Policy
Harden-Runner recommends a network egress block policy based on the runtime insights it captures in CI/CD. You can view the recommended policy at the bottom of the insights page.
After Harden-Runner has been executed a few times for a workflow, you should check the insights page for those workflow executions. If you see the same policy being recommended each time, that provides high confidence that Harden-Runner won't have any unintended side effect when deployed in Block mode.
Enable Block Mode
Update the Harden-Runner step in your GitHub Actions workflow files based on the recommended policy provided on the insights page. The following image shows a sample pull request for enabling Block mode.
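As an added illustration (not taken from the Harden-Runner docs or the project's own examples), the workflow below shows the Harden-Runner step in Audit mode beside the same step switched to Block mode with an explicit allow list. The action version tag (@v2) and the allowed endpoints are assumed sample values; take the real endpoint list from the recommended policy on the insights page.

```yaml
# Added example: Audit mode vs. Block mode for the Harden-Runner step.
# Endpoints and the @v2 tag are assumed sample values (pin to a full commit
# SHA in practice); copy the real list from the recommended policy.
name: build
on: [push]

jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      # Before (Audit mode): every outbound call is recorded on the insights
      # page, nothing is blocked. Keep this until the recommended policy is
      # stable across several runs.
      # - name: Harden Runner
      #   uses: step-security/harden-runner@v2
      #   with:
      #     egress-policy: audit

      # After (Block mode): outbound calls to any endpoint not listed under
      # allowed-endpoints are denied and annotated as errors on the run page.
      # Harden-Runner must be the first step so later steps are covered.
      - name: Harden Runner
        uses: step-security/harden-runner@v2
        with:
          egress-policy: block
          allowed-endpoints: >
            api.github.com:443
            github.com:443
            registry.npmjs.org:443

      - uses: actions/checkout@v4
      - run: npm ci
      - run: npm test
```

If a job legitimately needs a new endpoint after this change, the blocked call shows up as an error annotation and on the insights page; add that host:port to allowed-endpoints rather than reverting to Audit mode.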
Once the workflow file has been updated, Harden-Runner will start blocking outbound requests to unauthorized endpoints. For workflow jobs that make unauthorized outbound network calls, Harden-Runner adds error annotations on the GitHub Actions workflow run page.
You can also see details about blocked network calls on the insights page for the workflow run.