
Block Egress Traffic

You can configure Harden-Runner to block traffic to remote endpoints that have not been explicitly authorized. Because CI/CD jobs tend to do the same thing on every run, their runtime network behavior is highly predictable, so we strongly recommend enabling Block mode on Harden-Runner.

Audit Suspicious Outgoing Network Calls

When you run Harden-Runner in Audit mode, you can observe all outgoing network calls by looking for the network call icon under Operations. You can learn more about the significance of this activity on the Attack Simulations page. (Image: audit-mode view of outgoing network calls)

Harden-Runner recommends a network egress block policy based on the runtime insights it captures in CI/CD. You can view the recommended policy at the bottom of the insights page. (Image: recommended policy)

After Harden-Runner has been executed a few times for a workflow, check the insights page for those workflow runs. If the same policy is recommended each time, you can be highly confident that Harden-Runner will not have any unintended side effect when deployed in Block mode.

Enable Block Mode

Update the Harden-Runner step in your GitHub Actions workflow files based on the recommended policy provided on the insights page. (Image: sample pull request enabling Block mode)
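As an added example (not code from the Harden-Runner documentation), the following workflow fragment shows the Audit-mode step described in the Audit section beside the Block-mode step that a pull request like the one above would introduce. The action inputs egress-policy and allowed-endpoints are real Harden-Runner inputs; the version tag, the workflow name and the specific allowed endpoints are assumptions for illustration. In a real change, copy the endpoint list from the recommended policy on the insights page rather than from this example.

```yaml
# Added example: before/after of a Harden-Runner step in a GitHub Actions job.
# Workflow name, version tag and endpoint list are illustrative assumptions.
name: build

on: [push, pull_request]

jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      # BEFORE: Audit mode. Outbound calls are observed and reported on the
      # insights page but nothing is blocked. Run the workflow this way a few
      # times until the recommended policy stops changing.
      - name: Harden Runner (audit)
        uses: step-security/harden-runner@v2   # assumption: pin to a commit SHA in practice
        with:
          egress-policy: audit

      # AFTER: Block mode. Only the listed host:port pairs are reachable; any
      # other outbound call fails and produces an error annotation on the run.
      # The list below is a placeholder; take the real one from the insights page.
      - name: Harden Runner (block)
        uses: step-security/harden-runner@v2   # assumption: pin to a commit SHA in practice
        with:
          egress-policy: block
          allowed-endpoints: >
            api.github.com:443
            github.com:443
            registry.npmjs.org:443

      - uses: actions/checkout@v4
      - run: npm ci && npm test
```

Keep only one Harden-Runner step per job; both are shown here side by side to make the change visible. The step must be the first step in the job so that every later step, including checkout, runs under the egress policy.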

Once the workflow file has been updated, Harden-Runner starts blocking outbound requests to unauthorized endpoints. For workflow jobs that make unauthorized outbound network calls, Harden-Runner adds error annotations to the GitHub Actions workflow run page. (Image: Block-mode annotations on a workflow run)

You can also see details about blocked network calls on the insights page for the workflow run. (Image: Block-mode insights page)