Skip to main content

Block Egress Traffic

You can configure Harden-Runner to block traffic to remote endpoints that have not been explicitly authorized. The runtime CI/CD behavior is highly predictable as CI/CD jobs tend to do the same thing across everyone, we highly recommend you enable Block mode on Harden-Runner.

Audit Suspicious Outgoing Network Calls

When you run Harden-Runner in Audit mode, you can observe all outgoing network calls by looking for the network call icon under Operations. You can learn more about the significance of this activity by visiting Attack Simulations Audit Network Calls

Harden-Runner recommends a network egress block policy based on the runtime insights is captures in CI/CD. You can view the recommended policy on at the bottom of the insights page. Recommended Policy

After Harden-Runner is executed a few times for a workflow, you should checkout the insight page for workflow executions. If you see the same policy being recommended, it provides high confidence that Harden-Runner won't have any unintentional side effect when deployed in Block mode.

Enable Block Mode

There are two ways to set a policy to enable block mode.

1. Add the policy to the workflow file

Update the Harden-Runner section in your GitHub Actions workflow files based on the recommended policy provided on the insights page. The following image describes a sample pull request for enabling Block mode. Block Mode Pull Request

Once the workflow file has been updated, Harden-Runner will start blocking outbound requests to unauthorized endpoints. For the workflow jobs with unauthorized outbound network calls, Harden-Runner would add error annotations on the GitHub Actions workflow run page. Block Mode Annotations

You can also see details about blocked network calls on the insights page for the workflow run. Block Mode Insights Page

2. Add the policy using the Policy Store

The Policy Store helps you manage Harden Runner policies without altering your workflow files.

To access it, visit this link: https://app.stepsecurity.io/github/your-org/actions/policies, and replace your-org with your GitHub organization's name. Make sure you have the Harden Runner App installed.

You can create a new policy using the easy-to-use interface. Copy and paste the allowed endpoints from the insights page into the policy, and set the egress-policy to block.

Policy store

Link the policy to a job by using the policy attribute.

Workflow job using the Policy store

To let Harden Runner authenticate the job with the StepSecurity API and retrieve policy details, you must set the id-token: write permission.

Now, the job will fetch the policy and apply it during the job run. If you need to modify the allowed endpoints or other policy attributes, you can do so in the Policy Store without updating the workflow file.

Support for wildcard domains

Wildcard domains are supported in block mode, e.g. you can add *.data.mcr.microsoft.com:443 to the allowed list, and egress traffic will be allowed to eastus.data.mcr.microsoft.com:443 and westus.data.mcr.microsoft.com:443.

Here is an example of how to use wildcard domains in the egress policy

name: Harden Runner
uses: step-security/harden-runner@v2
with:
  egress-policy: block
  allowed-endpoints: >
    api.github.com:443
    github.com:443
    *.data.mcr.microsoft.com:443