
Enable Runtime Security (Actions Runner Controller)

Actions Runner Controller (ARC) is a Kubernetes operator that orchestrates and scales self-hosted runners for GitHub Actions.

  1. Rather than incorporating the Harden-Runner GitHub Action into each individual workflow, install the ARC-Harden-Runner daemonset on your Kubernetes cluster.

  2. Once deployed, the ARC-Harden-Runner daemonset continuously monitors every workflow run on the cluster's runners.

  3. Security insights and runtime detections are shown under the Runtime Security tab in your dashboard.

Info: Please email support@stepsecurity.io for instructions on installing the ARC-Harden-Runner daemonset on your Kubernetes cluster.

Demo

For a demo of a workflow running on ARC with Harden Runner integrated, refer to the following links:

Network Monitoring

  1. View this workflow file: https://github.com/step-security/github-actions-goat/blob/main/.github/workflows/arc-zero-effort-observability.yml

    Notice that the harden-runner Action is not added to this workflow, and that the workflow runs on a self-hosted runner.

  2. Check out an example run of this workflow here: https://github.com/step-security/github-actions-goat/actions/runs/6292615173

  3. Visit the workflow insights for this run here: https://app.stepsecurity.io/github/step-security/github-actions-goat/actions/runs/6292615173

    You can see the outbound traffic for each step, without having added harden-runner to the job.

Even though the Harden-Runner Action is not added to the workflow, the insights are the same as those you get with the Action on a GitHub-hosted runner.

Secure-by-default ARC Cluster Level Network Policy

You can apply a secure-by-default ARC Cluster Level Network Policy that restricts outbound traffic for any job that is run on the ARC managed runners. This ensures that all workflows have a baseline restrictive policy applied.

To see this in action, follow these steps:

  1. View this workflow file: https://github.com/step-security/github-actions-goat/blob/main/.github/workflows/arc-secure-by-default.yml

    Notice that the harden-runner Action is not added to this workflow. The workflow has two jobs: one runs on a self-hosted runner secured by ARC Harden-Runner and the other on a GitHub-hosted runner. Both jobs make an outbound call to a direct IP address.

  2. Check out an example run of this workflow here: https://github.com/step-security/github-actions-goat/actions/runs/6285441911

    The call to the direct IP address succeeds on the GitHub-hosted runner but is blocked on the self-hosted runner, because the secure-by-default policy enforced by ARC Harden-Runner does not allow calls to direct IP addresses. Legitimate workflows rarely need to connect to a raw IP address, but compromised tools or dependencies sometimes do so to evade DNS-based monitoring.

  3. Visit the workflow insights for this run here: https://app.stepsecurity.io/github/step-security/github-actions-goat/actions/runs/6285441911

    You will see that the call to the direct IP address has been blocked.

Network Filtering with Harden Runner

While the secure-by-default policy applies to every job, to restrict traffic to specific destinations in a job running on a self-hosted ARC runner you use the harden-runner GitHub Action in block mode.

  1. View the workflow file: https://github.com/step-security/github-actions-goat/blob/main/.github/workflows/arc-codecov-simulation.yml

    Notice that the harden-runner Action is added and that it carries a list of allowed endpoints.

  2. Check out an example run of this workflow here: https://github.com/step-security/github-actions-goat/actions/runs/6292614301

  3. Visit the workflow insights for this run here: https://app.stepsecurity.io/github/step-security/github-actions-goat/actions/runs/6292614301

    You will notice that the call to attacker.com was blocked in this case.
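The following workflow is an added example (it is not one of the github-actions-goat demo workflows and is not StepSecurity's own code) that puts the two cases from the sections above side by side: a job with no harden-runner step, which relies solely on the secure-by-default cluster policy, and a job that adds harden-runner in block mode with an explicit allowlist. The runner label `arc-runner-set`, the direct IP address 203.0.113.10 (an RFC 5737 documentation address), and the host `attacker.example` are placeholders chosen for this example; substitute your own ARC runner scale set label and test targets.

```yaml
name: arc-harden-runner-example

on:
  workflow_dispatch:

jobs:
  # Job 1: no harden-runner step. With the ARC-Harden-Runner daemonset installed,
  # the cluster-level secure-by-default policy still applies, so the direct-IP
  # call below is blocked on the ARC runner (it would succeed on a GitHub-hosted runner).
  cluster-policy-only:
    runs-on: arc-runner-set   # placeholder: label of your ARC runner scale set
    steps:
      - uses: actions/checkout@v4
      - name: Call a direct IP address (blocked by the secure-by-default policy)
        # 203.0.113.10 is a documentation address used here only as a placeholder target
        run: curl --max-time 10 http://203.0.113.10/
        continue-on-error: true   # keep the job running so the block shows up in insights

  # Job 2: harden-runner in block mode. Only the listed host:port destinations
  # are reachable; any other destination, including attacker.example, is blocked.
  block-mode-with-allowlist:
    runs-on: arc-runner-set   # placeholder: label of your ARC runner scale set
    steps:
      # harden-runner must be the first step so it sees every later step's traffic;
      # in production pin the action to a full commit SHA rather than a major tag
      - uses: step-security/harden-runner@v2
        with:
          egress-policy: block
          allowed-endpoints: >
            github.com:443
            api.github.com:443
      - uses: actions/checkout@v4
      - name: Allowed destination (on the allowlist)
        run: curl --max-time 10 https://api.github.com/
      - name: Disallowed destination (blocked by harden-runner)
        # attacker.example stands in for any endpoint that is not on the allowlist
        run: curl --max-time 10 https://attacker.example/
        continue-on-error: true
```

Run the workflow once with `egress-policy: audit` first; the Runtime Security insights for that run list every destination each step contacted, which is the quickest way to build an accurate `allowed-endpoints` list before switching the job to `block`.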