Block Egress Traffic
You can configure Harden-Runner to block traffic to remote endpoints that have not been explicitly authorized. Runtime CI/CD behavior is highly predictable because CI/CD jobs tend to do the same thing every time they run, so we highly recommend that you enable Block mode on Harden-Runner.
Audit Suspicious Outgoing Network Calls
When you run Harden-Runner in Audit mode, you can observe all outgoing network calls by looking for the network call icon under Operations. You can learn more about the significance of this activity by visiting
Access Recommended Block Policy
Harden-Runner recommends a network egress block policy based on the runtime insights it captures in CI/CD. You can view the recommended policy at the bottom of the insights page.
After Harden-Runner has run a few times for a workflow, you should check out the insights page for those workflow executions. If the same policy is recommended each time, that gives high confidence that Harden-Runner won't have any unintentional side effects when deployed in
Enable Block Mode
Update the Harden-Runner section in your GitHub Actions workflow files based on the recommended policy provided on the insights page. The following image describes a sample pull request for enabling
Once the workflow file has been updated, Harden-Runner will start blocking outbound requests to unauthorized endpoints. For workflow jobs that make unauthorized outbound network calls, Harden-Runner adds error annotations on the GitHub Actions workflow run page.
You can also see details about blocked network calls on the insights page for the workflow run.
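As an added example (not taken from the Harden-Runner docs or the project's own files), the following workflow shows the same job first in Audit mode and then, after the recommended policy has been reviewed, in Block mode. It assumes the action's `egress-policy` and `allowed-endpoints` inputs; the endpoint list is constructed for illustration and is not a real recommended policy.

```yaml
# Added example: the same job before and after switching Harden-Runner
# from Audit mode to Block mode.
# Assumes the action's `egress-policy` and `allowed-endpoints` inputs; the
# endpoint list below is constructed, not copied from a real insights page.
name: build
on: [push]

jobs:
  # Before: Audit mode. Every outbound call is recorded on the insights page
  # and nothing is blocked. Run this for several executions first and confirm
  # the recommended policy stays the same.
  build-audit:
    runs-on: ubuntu-latest
    steps:
      - uses: step-security/harden-runner@v2
        with:
          egress-policy: audit
      - uses: actions/checkout@v4
      - run: npm ci && npm test

  # After: Block mode, with the allow-list taken from the recommended policy.
  # Any destination not listed here is blocked and surfaces as an error
  # annotation on the workflow run page.
  build-block:
    runs-on: ubuntu-latest
    steps:
      - uses: step-security/harden-runner@v2
        with:
          egress-policy: block
          allowed-endpoints: >
            github.com:443
            api.github.com:443
            registry.npmjs.org:443
      - uses: actions/checkout@v4
      - run: npm ci && npm test
```

Keep the allow-list as narrow as the recommended policy: adding a broad host that the job never contacted in Audit mode defeats the purpose of the block.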