Policy Store

The policy store holds a collection of customized policies for your workflows, allowing you to easily manage and update policies in a single location.

Steps To Create and Use a Policy

For GitHub-Hosted Runners

Step 1: Navigate to the Policy Store

  • Open StepSecurity, then navigate to the Harden Runner section and click on Policy Store.

StepSecurity Policy Store page

Step 2: Click "Create policy"

StepSecurity Policy Store page

Step 3: Create a New Policy

  • Enter a policy name.

  • Configure the policy settings (e.g., allowed endpoints, telemetry settings).

  • Click Add Policy to save.

StepSecurity Policy Store page showing how to create a new policy

Step 4: Apply the Policy in Your Workflow

  • Remove any existing manual policy configurations.

  • Add the policy name under the Harden Runner step.

  • Ensure the id-token: write permission is explicitly set in your workflow file. The Harden Runner step uses this OIDC token to authenticate with the StepSecurity backend API and fetch the policy; without it, the policy cannot be retrieved.

Here’s an example:

name: CI

on:
  pull_request:

permissions:
  contents: read
  id-token: write

jobs:
  build:
    runs-on: ubuntu-latest

    steps:
    - name: Harden Runner
      uses: step-security/harden-runner@446798f8213ac2e75931c1b0769676d927801858 # v2.10.0
      with:
        policy: Test-policy

Step 5: Verify the Integration

  • Run a test workflow to ensure the policy is applied correctly.

For Self-Hosted Runners

Policies are applied based on scope, following a defined precedence: the most specific scope wins. If a workflow-level policy exists, it takes priority. If not, the system checks for a repository-level policy. If that is also absent, an organization-level policy is applied. Finally, if none of the above is defined, the cluster-level policy is enforced.

To use the Policy Store with self-hosted runners, you first need to configure a pre-job hook:

Pre-Job Hook Setup

  • Go to Settings → Self-Hosted Runners → Runner Job Hooks.

  • Follow the provided script to configure the hook as a pre-job hook for your runner.

Once the hook is configured, proceed with policy creation:

Step 1: Navigate to the Policy Store

  • Go to the Harden Runner section

  • Click Policy Store

StepSecurity Policy Store page

Step 2: Create a Policy

  • Click Create Policy

  • Enter a policy name

  • Manually add allowed endpoints

StepSecurity Policy Store page

Step 3: Import Endpoints (Optional)

  • You can also automatically import endpoints from a baseline instead of entering them by hand.

StepSecurity Policy Store page

Step 4: Select a baseline source

StepSecurity Policy Store page

Step 5: Click Import Endpoints

StepSecurity Policy Store page

Step 6: Save the Policy

  • Click Add Policy

StepSecurity Policy Store page

Step 7: Attach the Policy

  • Click the three-dot menu next to the policy.

  • Select Attach Policy.

StepSecurity Policy Store page

Step 8: Choose whether to attach it to a Cluster, Organization, Repository, or Workflow.

StepSecurity Policy Store page

Step 9: Click "Attach Policy"

StepSecurity Policy Store page

Example: Policy Enforcement

  • Suppose you create a policy that only allows specific endpoints

StepSecurity Policy Store page

  • During a workflow run, if the job attempts to call a domain not on the allowlist, the request will be automatically blocked.

Job Markdown

  • On the Network Events tab of the Insights page, you can see that the policy was responsible for blocking the request and causing the run to fail.

Network Events Tab
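The two behaviours described above, scope precedence for self-hosted runners (workflow over repository over organization over cluster) and allowlist enforcement that blocks any endpoint not in the policy, can be modelled in a few lines. The following is an added illustration, not StepSecurity's or Harden Runner's code: the policies, the NetworkEvent records and the endpoint names are constructed for the example, the allowlist entries use the host:port form Harden Runner documents for allowed-endpoints, and the "*." subdomain wildcard handling is an assumption of this example rather than a statement about the product.

```python
"""Simplified model of Policy Store resolution and egress enforcement.

Added illustration only; it is not StepSecurity's or Harden Runner's code.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Scope precedence described for self-hosted runners: most specific scope wins.
SCOPE_PRECEDENCE = ("workflow", "repository", "organization", "cluster")


@dataclass(frozen=True)
class Policy:
    name: str
    # Entries in the "host:port" form used by Harden Runner's allowed-endpoints
    # input; the "*." wildcard handling below is an assumption of this example.
    allowed_endpoints: Tuple[str, ...]


@dataclass(frozen=True)
class NetworkEvent:
    """One outbound connection attempt observed during a job (constructed)."""
    step: str
    host: str
    port: int


def resolve_policy(attached: Dict[str, Policy]) -> Optional[Policy]:
    """Pick the effective policy: workflow > repository > organization > cluster."""
    for scope in SCOPE_PRECEDENCE:
        if scope in attached:
            return attached[scope]
    return None


def _host_matches(pattern: str, host: str) -> bool:
    pattern, host = pattern.lower(), host.lower()
    if pattern.startswith("*."):
        # "*.example.com" matches "a.example.com" but not "example.com" itself
        return host.endswith(pattern[1:])
    return pattern == host


def is_allowed(policy: Policy, host: str, port: int) -> bool:
    """True if host:port matches any allowlist entry of the policy."""
    for entry in policy.allowed_endpoints:
        host_pat, sep, port_pat = entry.rpartition(":")
        if not sep:  # entry without a port: accept any port on that host
            host_pat, port_pat = entry, "*"
        if _host_matches(host_pat, host) and port_pat in ("*", str(port)):
            return True
    return False


def enforce(policy: Policy, events: List[NetworkEvent]) -> List[dict]:
    """One decision per connection, in the shape of a Network Events row."""
    return [
        {
            "step": ev.step,
            "endpoint": f"{ev.host}:{ev.port}",
            "action": "allowed" if is_allowed(policy, ev.host, ev.port) else "blocked",
            "policy": policy.name,
        }
        for ev in events
    ]


def run_failed(decisions: List[dict]) -> bool:
    """A single blocked call is enough to fail the run."""
    return any(d["action"] == "blocked" for d in decisions)


# Constructed sample: a permissive cluster default and a stricter repository policy.
ATTACHED = {
    "cluster": Policy("cluster-default", ("*.github.com:443", "*.githubusercontent.com:443",
                                          "registry.npmjs.org:443")),
    "repository": Policy("Test-policy", ("api.github.com:443",
                                         "*.actions.githubusercontent.com:443")),
}

# Constructed events: two expected endpoints and one that is not on the allowlist.
EVENTS = [
    NetworkEvent("Checkout", "api.github.com", 443),
    NetworkEvent("Checkout", "pipelines.actions.githubusercontent.com", 443),
    NetworkEvent("Build", "downloads.example.net", 443),
]

if __name__ == "__main__":
    effective = resolve_policy(ATTACHED)
    decisions = enforce(effective, EVENTS)
    for row in decisions:
        print(row)
    print("run failed:", run_failed(decisions))
```

Running the script shows the repository-scoped Test-policy winning over the cluster default, the two expected endpoints allowed, and the third connection blocked with the policy name recorded against it, which is the information the Network Events tab surfaces when a run fails because of a policy. Note that the repository policy is stricter than the cluster default, so attaching a narrow policy at a more specific scope reduces, rather than widens, what a job may reach.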
