Policy Store

The policy store holds a collection of customized policies for your workflows, allowing you to easily manage and update policies in a single location.

Steps To Create and Use a Policy

For GitHub-Hosted Runners

Step 1: Navigate to the Policy Store

• Go to the Harden Runner section

• Click Policy Store

Step 2: Create a Policy

• Click Create Policy

• Enter a policy name

• Manually add allowed endpoints

Step 3: Import Endpoints (Optional)

• You can also automatically import endpoints from baseline

Step 4: Select a baseline source

Choose the source you want to use as the baseline. This can be one of the following:

• Organization

• Repository

• Arc Cluster

• Job

• Local file

Step 5: Click Import Endpoints

Step 6: Save the Policy

• Click Add Policy

Step 7: Apply the Policy in Your Workflow

• Remove any existing manual policy configurations.

• Add the policy name under the Harden Runner step.

• Ensure id-token: write permission is explicitly set in your workflow file. This permission is required to authenticate with the StepSecurity backend API and fetch the policy.

Here’s an example:

Step 8: Verify the Integration

• Run a test workflow to ensure the policy is applied correctly.

For GitHub-Hosted Custom VMs and Self-Hosted Runners

Policies are applied based on scope, following a defined precedence. If a workflow-level policy exists, it takes priority. If not, the system checks for a repository-level policy. If that's also absent, an organization-level policy will be applied. Finally, if none of the above are defined, the cluster-level policy will be enforced

To use the Policy Store with self-hosted runners or GitHub-Hosted Custom Vms, you first need to configure a pre-job hook:

Pre-Job Hook Setup

• Go to Settings → Harden-Runner Installation → Runner Job Hooks.

• Follow the provided script to configure the hook as a pre-job hook for your runner.

Once the hook is configured, proceed with policy creation:

Step 1: Navigate to the Policy Store

• Go to the Harden Runner section

• Click Policy Store

Step 2: Create a Policy

• Click Create Policy

• Enter a policy name

• Manually add allowed endpoints

Step 3: Import Endpoints (Optional)

• You can also automatically import endpoints from baseline

Step 4: Select a baseline source

Choose the source you want to use as the baseline. This can be one of the following:

• Organization

• Repository

• Arc Cluster

• Job

• Local file

Step 5: Click Import Endpoints

Step 6: Save the Policy

• Click Add Policy

Step 5: Attach the Policy

• Click the three-dot menu next to the policy.

• Select Attach Policy.

Step 6: Choose whether to attach it to a Cluster, Organization, Repository, or Workflow.

Step 7: Click "Attach Policy"

Example: Policy Enforcement

• Suppose you create a policy that only allows specific endpoints

• During a workflow run, if the job attempts to call a domain not on the allowlist, the request will be automatically blocked.

• On the Network Events tab of the Insights page, you can see that the policy was responsible for blocking the request and causing the run to fail

Alternative way of Creating Policies

You can also create policies directly from the Baseline page.

When you do this, the endpoints associated with the selected job, repository, ARC cluster, or GitHub organization are automatically used to configure the policy.

Step 1: Navigate to the Baseline page under the Harden-Runner dropdown

Step 2: Click "Create Policy"

Step 3: Click "Create Policy" again to confirm

Step 4: You will be redirected to the new policy page, with the relevant endpoints automatically populated.

Step 5(Optional): Export the endpoints to a text file by clicking Export Endpoints.

Step 6: Click "Add policy" to finalize the setup.