From 417be5560447c504acb5d2233dcd11ec09764131 Mon Sep 17 00:00:00 2001 From: Pepe Fagoaga Date: Fri, 27 Mar 2026 12:08:59 +0000 Subject: [PATCH] feat(security): block mode for hardened runners (#10482) --- .github/workflows/api-code-quality.yml | 9 +++- .github/workflows/api-codeql.yml | 8 +++- .../workflows/api-container-build-push.yml | 43 ++++++++++++++----- .github/workflows/api-container-checks.yml | 28 ++++++++++-- .github/workflows/api-security.yml | 12 +++++- .github/workflows/api-tests.yml | 15 ++++++- .github/workflows/backport.yml | 6 ++- .github/workflows/ci-zizmor.yml | 9 +++- .github/workflows/find-secrets.yml | 8 +++- .../workflows/mcp-container-build-push.yml | 33 ++++++++++---- .github/workflows/mcp-container-checks.yml | 22 ++++++++-- .github/workflows/pr-check-changelog.yml | 7 ++- .github/workflows/pr-merged.yml | 6 ++- .../sdk-check-duplicate-test-names.yml | 6 ++- .github/workflows/sdk-code-quality.yml | 8 +++- .github/workflows/sdk-codeql.yml | 8 +++- .../workflows/sdk-container-build-push.yml | 41 +++++++++++++++--- .github/workflows/sdk-container-checks.yml | 27 ++++++++++-- .github/workflows/sdk-security.yml | 12 +++++- .github/workflows/sdk-tests.yml | 10 ++++- .github/workflows/test-impact-analysis.yml | 8 +++- .github/workflows/ui-codeql.yml | 8 +++- .github/workflows/ui-container-build-push.yml | 29 ++++++++++--- .github/workflows/ui-container-checks.yml | 22 ++++++++-- .github/workflows/ui-tests.yml | 11 ++++- 25 files changed, 315 insertions(+), 81 deletions(-) diff --git a/.github/workflows/api-code-quality.yml b/.github/workflows/api-code-quality.yml index 27bd65bea9..68928833a2 100644 --- a/.github/workflows/api-code-quality.yml +++ b/.github/workflows/api-code-quality.yml 
@@ -32,10 +32,15 @@ jobs: working-directory: ./api steps: - - name: Harden the runner (Audit all outbound calls) + - name: Harden Runner uses: step-security/harden-runner@fa2e9d605c4eeb9fcad4c99c224cee0c6c7f3594 # v2.16.0 with: - egress-policy: audit + egress-policy: block + allowed-endpoints: > + github.com:443 + pypi.org:443 + files.pythonhosted.org:443 + api.github.com:443 - name: Checkout repository uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 diff --git a/.github/workflows/api-codeql.yml b/.github/workflows/api-codeql.yml index 47f165cb80..6578f7d90a 100644 --- a/.github/workflows/api-codeql.yml +++ b/.github/workflows/api-codeql.yml @@ -41,10 +41,14 @@ jobs: - 'python' steps: - - name: Harden the runner (Audit all outbound calls) + - name: Harden Runner uses: step-security/harden-runner@fa2e9d605c4eeb9fcad4c99c224cee0c6c7f3594 # v2.16.0 with: - egress-policy: audit + egress-policy: block + allowed-endpoints: > + github.com:443 + api.github.com:443 + uploads.github.com:443 - name: Checkout repository uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 diff --git a/.github/workflows/api-container-build-push.yml b/.github/workflows/api-container-build-push.yml index f98dc06e46..7b97e386a9 100644 --- a/.github/workflows/api-container-build-push.yml +++ b/.github/workflows/api-container-build-push.yml @@ -43,10 +43,10 @@ jobs: permissions: contents: read steps: - - name: Harden the runner (Audit all outbound calls) + - name: Harden Runner uses: step-security/harden-runner@fa2e9d605c4eeb9fcad4c99c224cee0c6c7f3594 # v2.16.0 with: - egress-policy: audit + egress-policy: block - name: Calculate short SHA id: set-short-sha 
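Review bot: The `allowed-endpoints` list added in the api-code-quality.yml hunk has no comment saying which step needs each host, and the renamed step no longer states the policy, so a later reader cannot tell a required entry from a leftover. I would put a comment above the key (not inside the folded scalar, where `#` becomes part of the value), for example `# block mode: only the hosts below are reachable; github.com = checkout, pypi.org + files.pythonhosted.org = Python packages, api.github.com = <step that needs it>`. The same applies to every other hunk in this patch that adds an allowlist. The job's remaining steps are outside the hunk, so the host-to-step mapping should be confirmed against them.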
@@ -62,10 +62,10 @@ jobs: permissions: contents: read steps: - - name: Harden the runner (Audit all outbound calls) + - name: Harden Runner uses: step-security/harden-runner@fa2e9d605c4eeb9fcad4c99c224cee0c6c7f3594 # v2.16.0 with: - egress-policy: audit + egress-policy: block - name: Checkout repository uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 @@ -105,10 +105,24 @@ jobs: packages: write steps: - - name: Harden the runner (Audit all outbound calls) + - name: Harden Runner uses: step-security/harden-runner@fa2e9d605c4eeb9fcad4c99c224cee0c6c7f3594 # v2.16.0 with: - egress-policy: audit + egress-policy: block + allowed-endpoints: > + github.com:443 + registry-1.docker.io:443 + auth.docker.io:443 + production.cloudflare.docker.com:443 + debian.map.fastlydns.net:80 + release-assets.githubusercontent.com:443 + pypi.org:443 + files.pythonhosted.org:443 + www.powershellgallery.com:443 + aka.ms:443 + cdn.powershellgallery.com:443 + _http._tcp.deb.debian.org:443 + powershellinfraartifacts-gkhedzdeaghdezhr.z01.azurefd.net:443 - name: Checkout repository uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 @@ -152,11 +166,16 @@ jobs: contents: read steps: - - name: Harden the runner (Audit all outbound calls) + - name: Harden Runner uses: step-security/harden-runner@fa2e9d605c4eeb9fcad4c99c224cee0c6c7f3594 # v2.16.0 with: - egress-policy: audit - + egress-policy: block + allowed-endpoints: > + github.com:443 + release-assets.githubusercontent.com:443 + registry-1.docker.io:443 + auth.docker.io:443 + production.cloudflare.docker.com:443 - name: Login to DockerHub uses: docker/login-action@c94ce9fb468520275223c153574b00df6fe4bcc9 # v3.7.0 with: 
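Review bot: The job patched at `@@ -62` in api-container-build-push.yml switches to `egress-policy: block` without any `allowed-endpoints`, yet its next step is `actions/checkout`. Every other checkout job in this patch lists `github.com:443`, so unless harden-runner permits that host implicitly, the checkout here is likely to be blocked. I would add `allowed-endpoints: >` with `github.com:443`, plus whatever the later steps of this job contact; those steps are outside the hunk. The empty allowlist at `@@ -43` looks intentional, since the step that follows it only calculates a short SHA.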
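Review bot: Two entries in the build job's allowlist at `@@ -105` deserve a second look: `_http._tcp.deb.debian.org:443` is the SRV name apt looks up rather than a host a client connects to, and `debian.map.fastlydns.net:80` permits plaintext HTTP. The first was probably copied from the audit-mode DNS records and may be removable; the second relies on apt's signature verification for integrity, which is worth recording in a comment such as `# apt mirror over HTTP; integrity comes from apt's signed Release files`. `powershellinfraartifacts-gkhedzdeaghdezhr.z01.azurefd.net:443` looks like a generated CDN backend name that may change without notice, so a blocked build there should first be checked against this list. The same three entries recur in api-container-checks.yml, sdk-container-build-push.yml and sdk-container-checks.yml.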
@@ -257,10 +276,12 @@ jobs: contents: read steps: - - name: Harden the runner (Audit all outbound calls) + - name: Harden Runner uses: step-security/harden-runner@fa2e9d605c4eeb9fcad4c99c224cee0c6c7f3594 # v2.16.0 with: - egress-policy: audit + egress-policy: block + allowed-endpoints: > + api.github.com:443 - name: Trigger API deployment uses: peter-evans/repository-dispatch@28959ce8df70de7be546dd1250a005dd32156697 # v4.0.1 diff --git a/.github/workflows/api-container-checks.yml b/.github/workflows/api-container-checks.yml index 96eb06269a..ec130663d6 100644 --- a/.github/workflows/api-container-checks.yml +++ b/.github/workflows/api-container-checks.yml @@ -27,10 +27,12 @@ jobs: contents: read steps: - - name: Harden the runner (Audit all outbound calls) + - name: Harden Runner uses: step-security/harden-runner@fa2e9d605c4eeb9fcad4c99c224cee0c6c7f3594 # v2.16.0 with: - egress-policy: audit + egress-policy: block + allowed-endpoints: > + github.com:443 - name: Checkout repository uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 @@ -70,10 +72,28 @@ jobs: pull-requests: write steps: - - name: Harden the runner (Audit all outbound calls) + - name: Harden Runner uses: step-security/harden-runner@fa2e9d605c4eeb9fcad4c99c224cee0c6c7f3594 # v2.16.0 with: - egress-policy: audit + egress-policy: block + allowed-endpoints: > + api.github.com:443 + mirror.gcr.io:443 + check.trivy.dev:443 + github.com:443 + registry-1.docker.io:443 + auth.docker.io:443 + production.cloudflare.docker.com:443 + debian.map.fastlydns.net:80 + release-assets.githubusercontent.com:443 + pypi.org:443 + files.pythonhosted.org:443 + www.powershellgallery.com:443 + aka.ms:443 + cdn.powershellgallery.com:443 + _http._tcp.deb.debian.org:443 + powershellinfraartifacts-gkhedzdeaghdezhr.z01.azurefd.net:443 + - name: Checkout repository uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 
diff --git a/.github/workflows/api-security.yml b/.github/workflows/api-security.yml index e3c0a289ad..9cd6b14623 100644 --- a/.github/workflows/api-security.yml +++ b/.github/workflows/api-security.yml @@ -32,10 +32,18 @@ jobs: working-directory: ./api steps: - - name: Harden the runner (Audit all outbound calls) + - name: Harden Runner uses: step-security/harden-runner@fa2e9d605c4eeb9fcad4c99c224cee0c6c7f3594 # v2.16.0 with: - egress-policy: audit + egress-policy: block + allowed-endpoints: > + pypi.org:443 + files.pythonhosted.org:443 + github.com:443 + auth.safetycli.com:443 + pyup.io:443 + data.safetycli.com:443 + api.github.com:443 - name: Checkout repository uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 diff --git a/.github/workflows/api-tests.yml b/.github/workflows/api-tests.yml index e27c1894d2..ce00b03108 100644 --- a/.github/workflows/api-tests.yml +++ b/.github/workflows/api-tests.yml @@ -75,10 +75,21 @@ jobs: --health-retries 5 steps: - - name: Harden the runner (Audit all outbound calls) + - name: Harden Runner uses: step-security/harden-runner@fa2e9d605c4eeb9fcad4c99c224cee0c6c7f3594 # v2.16.0 with: - egress-policy: audit + egress-policy: block + allowed-endpoints: > + github.com:443 + pypi.org:443 + files.pythonhosted.org:443 + cli.codecov.io:443 + keybase.io:443 + ingest.codecov.io:443 + storage.googleapis.com:443 + o26192.ingest.us.sentry.io:443 + api.github.com:443 + - name: Checkout repository uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 diff --git a/.github/workflows/backport.yml b/.github/workflows/backport.yml index abf441e603..feb8c7c9bf 100644 --- a/.github/workflows/backport.yml +++ b/.github/workflows/backport.yml 
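Review bot: In the api-tests.yml allowlist, `storage.googleapis.com:443` is a shared multi-tenant host, so allowing it permits egress to any bucket on that service and not only the one the coverage upload uses. Host-level filtering cannot narrow this, so the entry should carry a comment above `allowed-endpoints` naming the step that needs it, e.g. `# storage.googleapis.com: coverage upload (shared host, any bucket reachable)`, and be dropped if that step works without it. `keybase.io:443` and `o26192.ingest.us.sentry.io:443` look like signature-check and telemetry endpoints of the uploader. That is inferred from the neighbouring `codecov.io` entries, since the steps themselves are outside the hunk.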
@@ -27,10 +27,12 @@ jobs: pull-requests: write steps: - - name: Harden the runner (Audit all outbound calls) + - name: Harden Runner uses: step-security/harden-runner@fa2e9d605c4eeb9fcad4c99c224cee0c6c7f3594 # v2.16.0 with: - egress-policy: audit + egress-policy: block + allowed-endpoints: > + api.github.com:443 - name: Check labels id: label_check diff --git a/.github/workflows/ci-zizmor.yml b/.github/workflows/ci-zizmor.yml index 4d8f0ceb46..5962b01efd 100644 --- a/.github/workflows/ci-zizmor.yml +++ b/.github/workflows/ci-zizmor.yml @@ -33,10 +33,15 @@ jobs: actions: read steps: - - name: Harden the runner (Audit all outbound calls) + - name: Harden Runner uses: step-security/harden-runner@fa2e9d605c4eeb9fcad4c99c224cee0c6c7f3594 # v2.16.0 with: - egress-policy: audit + egress-policy: block + allowed-endpoints: > + github.com:443 + ghcr.io:443 + pkg-containers.githubusercontent.com:443 + api.github.com:443 - name: Checkout repository uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 diff --git a/.github/workflows/find-secrets.yml b/.github/workflows/find-secrets.yml index 08937815a3..af0a9c7e78 100644 --- a/.github/workflows/find-secrets.yml +++ b/.github/workflows/find-secrets.yml @@ -22,10 +22,14 @@ jobs: contents: read steps: - - name: Harden the runner (Audit all outbound calls) + - name: Harden Runner uses: step-security/harden-runner@fa2e9d605c4eeb9fcad4c99c224cee0c6c7f3594 # v2.16.0 with: - egress-policy: audit + egress-policy: block + allowed-endpoints: > + github.com:443 + ghcr.io:443 + pkg-containers.githubusercontent.com:443 - name: Checkout repository uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 diff --git a/.github/workflows/mcp-container-build-push.yml b/.github/workflows/mcp-container-build-push.yml index fa29cf43ca..b7cf98aedb 100644 --- a/.github/workflows/mcp-container-build-push.yml +++ b/.github/workflows/mcp-container-build-push.yml 
@@ -42,10 +42,10 @@ jobs: permissions: contents: read steps: - - name: Harden the runner (Audit all outbound calls) + - name: Harden Runner uses: step-security/harden-runner@fa2e9d605c4eeb9fcad4c99c224cee0c6c7f3594 # v2.16.0 with: - egress-policy: audit + egress-policy: block - name: Calculate short SHA id: set-short-sha @@ -103,10 +103,19 @@ jobs: contents: read packages: write steps: - - name: Harden the runner (Audit all outbound calls) + - name: Harden Runner uses: step-security/harden-runner@fa2e9d605c4eeb9fcad4c99c224cee0c6c7f3594 # v2.16.0 with: - egress-policy: audit + egress-policy: block + allowed-endpoints: > + github.com:443 + registry-1.docker.io:443 + auth.docker.io:443 + production.cloudflare.docker.com:443 + ghcr.io:443 + pkg-containers.githubusercontent.com:443 + files.pythonhosted.org:443 + pypi.org:443 - name: Checkout repository uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 @@ -152,10 +161,16 @@ jobs: contents: read steps: - - name: Harden the runner (Audit all outbound calls) + - name: Harden Runner uses: step-security/harden-runner@fa2e9d605c4eeb9fcad4c99c224cee0c6c7f3594 # v2.16.0 with: - egress-policy: audit + egress-policy: block + allowed-endpoints: > + registry-1.docker.io:443 + auth.docker.io:443 + production.cloudflare.docker.com:443 + github.com:443 + release-assets.githubusercontent.com:443 - name: Login to DockerHub uses: docker/login-action@c94ce9fb468520275223c153574b00df6fe4bcc9 # v3.7.0 @@ -257,10 +272,12 @@ jobs: contents: read steps: - - name: Harden the runner (Audit all outbound calls) + - name: Harden Runner uses: step-security/harden-runner@fa2e9d605c4eeb9fcad4c99c224cee0c6c7f3594 # v2.16.0 with: - egress-policy: audit + egress-policy: block + allowed-endpoints: > + api.github.com:443 - name: Trigger MCP deployment uses: peter-evans/repository-dispatch@28959ce8df70de7be546dd1250a005dd32156697 # v4.0.1 
diff --git a/.github/workflows/mcp-container-checks.yml b/.github/workflows/mcp-container-checks.yml index 5fb6b65d4e..f8fbfca12f 100644 --- a/.github/workflows/mcp-container-checks.yml +++ b/.github/workflows/mcp-container-checks.yml @@ -27,10 +27,12 @@ jobs: contents: read steps: - - name: Harden the runner (Audit all outbound calls) + - name: Harden Runner uses: step-security/harden-runner@fa2e9d605c4eeb9fcad4c99c224cee0c6c7f3594 # v2.16.0 with: - egress-policy: audit + egress-policy: block + allowed-endpoints: > + github.com:443 - name: Checkout repository uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 @@ -69,10 +71,22 @@ jobs: pull-requests: write steps: - - name: Harden the runner (Audit all outbound calls) + - name: Harden Runner uses: step-security/harden-runner@fa2e9d605c4eeb9fcad4c99c224cee0c6c7f3594 # v2.16.0 with: - egress-policy: audit + egress-policy: block + allowed-endpoints: > + github.com:443 + registry-1.docker.io:443 + auth.docker.io:443 + production.cloudflare.docker.com:443 + ghcr.io:443 + pkg-containers.githubusercontent.com:443 + files.pythonhosted.org:443 + pypi.org:443 + api.github.com:443 + mirror.gcr.io:443 + check.trivy.dev:443 - name: Checkout repository uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 diff --git a/.github/workflows/pr-check-changelog.yml b/.github/workflows/pr-check-changelog.yml index 1439833499..c729875843 100644 --- a/.github/workflows/pr-check-changelog.yml +++ b/.github/workflows/pr-check-changelog.yml @@ -28,10 +28,13 @@ jobs: MONITORED_FOLDERS: 'api ui prowler mcp_server' steps: - - name: Harden the runner (Audit all outbound calls) + - name: Harden Runner uses: step-security/harden-runner@fa2e9d605c4eeb9fcad4c99c224cee0c6c7f3594 # v2.16.0 with: - egress-policy: audit + egress-policy: block + allowed-endpoints: > + api.github.com:443 + github.com:443 - name: Checkout repository uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 
diff --git a/.github/workflows/pr-merged.yml b/.github/workflows/pr-merged.yml index 6b18eb40c1..62eca02e58 100644 --- a/.github/workflows/pr-merged.yml +++ b/.github/workflows/pr-merged.yml @@ -23,10 +23,12 @@ jobs: permissions: contents: read steps: - - name: Harden the runner (Audit all outbound calls) + - name: Harden Runner uses: step-security/harden-runner@fa2e9d605c4eeb9fcad4c99c224cee0c6c7f3594 # v2.16.0 with: - egress-policy: audit + egress-policy: block + allowed-endpoints: > + api.github.com:443 - name: Calculate short commit SHA id: vars diff --git a/.github/workflows/sdk-check-duplicate-test-names.yml b/.github/workflows/sdk-check-duplicate-test-names.yml index c5f2ddee32..ac8a01d117 100644 --- a/.github/workflows/sdk-check-duplicate-test-names.yml +++ b/.github/workflows/sdk-check-duplicate-test-names.yml @@ -19,10 +19,12 @@ jobs: contents: read steps: - - name: Harden the runner (Audit all outbound calls) + - name: Harden Runner uses: step-security/harden-runner@fa2e9d605c4eeb9fcad4c99c224cee0c6c7f3594 # v2.16.0 with: - egress-policy: audit + egress-policy: block + allowed-endpoints: > + github.com:443 - name: Checkout repository uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 diff --git a/.github/workflows/sdk-code-quality.yml b/.github/workflows/sdk-code-quality.yml index db6eae1e0b..33f7e931e6 100644 --- a/.github/workflows/sdk-code-quality.yml +++ b/.github/workflows/sdk-code-quality.yml @@ -30,10 +30,14 @@ jobs: - '3.12' steps: - - name: Harden the runner (Audit all outbound calls) + - name: Harden Runner uses: step-security/harden-runner@fa2e9d605c4eeb9fcad4c99c224cee0c6c7f3594 # v2.16.0 with: - egress-policy: audit + egress-policy: block + allowed-endpoints: > + github.com:443 + pypi.org:443 + files.pythonhosted.org:443 - name: Checkout repository uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 
diff --git a/.github/workflows/sdk-codeql.yml b/.github/workflows/sdk-codeql.yml index 372b1f78fb..3bd6434d48 100644 --- a/.github/workflows/sdk-codeql.yml +++ b/.github/workflows/sdk-codeql.yml @@ -48,10 +48,14 @@ jobs: - 'python' steps: - - name: Harden the runner (Audit all outbound calls) + - name: Harden Runner uses: step-security/harden-runner@fa2e9d605c4eeb9fcad4c99c224cee0c6c7f3594 # v2.16.0 with: - egress-policy: audit + egress-policy: block + allowed-endpoints: > + api.github.com:443 + github.com:443 + uploads.github.com:443 - name: Checkout repository uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 diff --git a/.github/workflows/sdk-container-build-push.yml b/.github/workflows/sdk-container-build-push.yml index de45f325c9..91c7689155 100644 --- a/.github/workflows/sdk-container-build-push.yml +++ b/.github/workflows/sdk-container-build-push.yml @@ -59,10 +59,14 @@ jobs: permissions: contents: read steps: - - name: Harden the runner (Audit all outbound calls) + - name: Harden Runner uses: step-security/harden-runner@fa2e9d605c4eeb9fcad4c99c224cee0c6c7f3594 # v2.16.0 with: - egress-policy: audit + egress-policy: block + allowed-endpoints: > + github.com:443 + pypi.org:443 + files.pythonhosted.org:443 - name: Checkout repository uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 
@@ -165,10 +169,26 @@ jobs: packages: write steps: - - name: Harden the runner (Audit all outbound calls) + - name: Harden Runner uses: step-security/harden-runner@fa2e9d605c4eeb9fcad4c99c224cee0c6c7f3594 # v2.16.0 with: - egress-policy: audit + egress-policy: block + allowed-endpoints: > + api.ecr-public.us-east-1.amazonaws.com:443 + public.ecr.aws:443 + registry-1.docker.io:443 + production.cloudflare.docker.com:443 + auth.docker.io:443 + debian.map.fastlydns.net:80 + github.com:443 + release-assets.githubusercontent.com:443 + pypi.org:443 + files.pythonhosted.org:443 + www.powershellgallery.com:443 + aka.ms:443 + cdn.powershellgallery.com:443 + _http._tcp.deb.debian.org:443 + powershellinfraartifacts-gkhedzdeaghdezhr.z01.azurefd.net:443 - name: Checkout repository uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 @@ -216,10 +236,19 @@ jobs: contents: read steps: - - name: Harden the runner (Audit all outbound calls) + - name: Harden Runner uses: step-security/harden-runner@fa2e9d605c4eeb9fcad4c99c224cee0c6c7f3594 # v2.16.0 with: - egress-policy: audit + egress-policy: block + allowed-endpoints: > + registry-1.docker.io:443 + auth.docker.io:443 + public.ecr.aws:443 + production.cloudflare.docker.com:443 + github.com:443 + release-assets.githubusercontent.com:443 + api.ecr-public.us-east-1.amazonaws.com:443 + - name: Login to DockerHub uses: docker/login-action@c94ce9fb468520275223c153574b00df6fe4bcc9 # v3.7.0 diff --git a/.github/workflows/sdk-container-checks.yml b/.github/workflows/sdk-container-checks.yml index 21fd089ad7..449324cb32 100644 --- a/.github/workflows/sdk-container-checks.yml +++ b/.github/workflows/sdk-container-checks.yml 
@@ -26,10 +26,12 @@ jobs: contents: read steps: - - name: Harden the runner (Audit all outbound calls) + - name: Harden Runner uses: step-security/harden-runner@fa2e9d605c4eeb9fcad4c99c224cee0c6c7f3594 # v2.16.0 with: - egress-policy: audit + egress-policy: block + allowed-endpoints: > + github.com:443 - name: Checkout repository uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 @@ -69,10 +71,27 @@ jobs: pull-requests: write steps: - - name: Harden the runner (Audit all outbound calls) + - name: Harden Runner uses: step-security/harden-runner@fa2e9d605c4eeb9fcad4c99c224cee0c6c7f3594 # v2.16.0 with: - egress-policy: audit + egress-policy: block + allowed-endpoints: > + github.com:443 + registry-1.docker.io:443 + auth.docker.io:443 + production.cloudflare.docker.com:443 + api.github.com:443 + mirror.gcr.io:443 + check.trivy.dev:443 + debian.map.fastlydns.net:80 + release-assets.githubusercontent.com:443 + pypi.org:443 + files.pythonhosted.org:443 + www.powershellgallery.com:443 + aka.ms:443 + cdn.powershellgallery.com:443 + _http._tcp.deb.debian.org:443 + powershellinfraartifacts-gkhedzdeaghdezhr.z01.azurefd.net:443 - name: Checkout repository uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 diff --git a/.github/workflows/sdk-security.yml b/.github/workflows/sdk-security.yml index bc07101646..2229568b3f 100644 --- a/.github/workflows/sdk-security.yml +++ b/.github/workflows/sdk-security.yml @@ -23,10 +23,18 @@ jobs: contents: read steps: - - name: Harden the runner (Audit all outbound calls) + - name: Harden Runner uses: step-security/harden-runner@fa2e9d605c4eeb9fcad4c99c224cee0c6c7f3594 # v2.16.0 with: - egress-policy: audit + egress-policy: block + allowed-endpoints: > + pypi.org:443 + files.pythonhosted.org:443 + github.com:443 + auth.safetycli.com:443 + pyup.io:443 + data.safetycli.com:443 + api.github.com:443 - name: Checkout repository uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 
diff --git a/.github/workflows/sdk-tests.yml b/.github/workflows/sdk-tests.yml index 42e6b15291..9b2cce14b3 100644 --- a/.github/workflows/sdk-tests.yml +++ b/.github/workflows/sdk-tests.yml @@ -30,10 +30,16 @@ jobs: - '3.12' steps: - - name: Harden the runner (Audit all outbound calls) + - name: Harden Runner uses: step-security/harden-runner@fa2e9d605c4eeb9fcad4c99c224cee0c6c7f3594 # v2.16.0 with: - egress-policy: audit + egress-policy: block + allowed-endpoints: > + github.com:443 + pypi.org:443 + files.pythonhosted.org:443 + api.github.com:443 + release-assets.githubusercontent.com:443 - name: Checkout repository uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 diff --git a/.github/workflows/test-impact-analysis.yml b/.github/workflows/test-impact-analysis.yml index be7361a71c..f03f99d0fc 100644 --- a/.github/workflows/test-impact-analysis.yml +++ b/.github/workflows/test-impact-analysis.yml @@ -49,10 +49,14 @@ jobs: contents: read steps: - - name: Harden the runner (Audit all outbound calls) + - name: Harden Runner uses: step-security/harden-runner@fa2e9d605c4eeb9fcad4c99c224cee0c6c7f3594 # v2.16.0 with: - egress-policy: audit + egress-policy: block + allowed-endpoints: > + github.com:443 + pypi.org:443 + files.pythonhosted.org:443 - name: Checkout repository uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 diff --git a/.github/workflows/ui-codeql.yml b/.github/workflows/ui-codeql.yml index dd1c443f7c..d075872d45 100644 --- a/.github/workflows/ui-codeql.yml +++ b/.github/workflows/ui-codeql.yml 
@@ -44,10 +44,14 @@ jobs: - 'javascript-typescript' steps: - - name: Harden the runner (Audit all outbound calls) + - name: Harden Runner uses: step-security/harden-runner@fa2e9d605c4eeb9fcad4c99c224cee0c6c7f3594 # v2.16.0 with: - egress-policy: audit + egress-policy: block + allowed-endpoints: > + api.github.com:443 + github.com:443 + uploads.github.com:443 - name: Checkout repository uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 diff --git a/.github/workflows/ui-container-build-push.yml b/.github/workflows/ui-container-build-push.yml index eb2a4a7cd3..afc56369fc 100644 --- a/.github/workflows/ui-container-build-push.yml +++ b/.github/workflows/ui-container-build-push.yml @@ -107,10 +107,19 @@ jobs: packages: write steps: - - name: Harden the runner (Audit all outbound calls) + - name: Harden Runner uses: step-security/harden-runner@fa2e9d605c4eeb9fcad4c99c224cee0c6c7f3594 # v2.16.0 with: - egress-policy: audit + egress-policy: block + allowed-endpoints: > + registry-1.docker.io:443 + production.cloudflare.docker.com:443 + auth.docker.io:443 + registry.npmjs.org:443 + dl-cdn.alpinelinux.org:443 + fonts.googleapis.com:443 + fonts.gstatic.com:443 + github.com:443 - name: Checkout repository uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 @@ -151,10 +160,16 @@ jobs: contents: read steps: - - name: Harden the runner (Audit all outbound calls) + - name: Harden Runner uses: step-security/harden-runner@fa2e9d605c4eeb9fcad4c99c224cee0c6c7f3594 # v2.16.0 with: - egress-policy: audit + egress-policy: block + allowed-endpoints: > + github.com:443 + release-assets.githubusercontent.com:443 + registry-1.docker.io:443 + auth.docker.io:443 + production.cloudflare.docker.com:443 - name: Login to DockerHub uses: docker/login-action@c94ce9fb468520275223c153574b00df6fe4bcc9 # v3.7.0 
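Review bot: The image build job at `@@ -107` in ui-container-build-push.yml now allows `fonts.googleapis.com:443` and `fonts.gstatic.com:443`, which suggests the UI build downloads font files while the image is being built. That makes the published image depend on third-party content fetched at build time. If that is intended, a comment such as `# fonts.*: fetched by the UI build at image build time` above `allowed-endpoints` would record why the hosts are there. The same pair is added in ui-container-checks.yml and ui-tests.yml. The Dockerfile and build steps are outside the hunk, so the reason for these hosts is inferred.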
@@ -256,10 +271,12 @@ jobs: contents: read steps: - - name: Harden the runner (Audit all outbound calls) + - name: Harden Runner uses: step-security/harden-runner@fa2e9d605c4eeb9fcad4c99c224cee0c6c7f3594 # v2.16.0 with: - egress-policy: audit + egress-policy: block + allowed-endpoints: > + api.github.com:443 - name: Trigger UI deployment uses: peter-evans/repository-dispatch@28959ce8df70de7be546dd1250a005dd32156697 # v4.0.1 diff --git a/.github/workflows/ui-container-checks.yml b/.github/workflows/ui-container-checks.yml index 8a0f6950d8..246e15a8f9 100644 --- a/.github/workflows/ui-container-checks.yml +++ b/.github/workflows/ui-container-checks.yml @@ -27,10 +27,12 @@ jobs: contents: read steps: - - name: Harden the runner (Audit all outbound calls) + - name: Harden Runner uses: step-security/harden-runner@fa2e9d605c4eeb9fcad4c99c224cee0c6c7f3594 # v2.16.0 with: - egress-policy: audit + egress-policy: block + allowed-endpoints: > + github.com:443 - name: Checkout repository uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 @@ -70,10 +72,22 @@ jobs: pull-requests: write steps: - - name: Harden the runner (Audit all outbound calls) + - name: Harden Runner uses: step-security/harden-runner@fa2e9d605c4eeb9fcad4c99c224cee0c6c7f3594 # v2.16.0 with: - egress-policy: audit + egress-policy: block + allowed-endpoints: > + github.com:443 + registry-1.docker.io:443 + auth.docker.io:443 + production.cloudflare.docker.com:443 + registry.npmjs.org:443 + dl-cdn.alpinelinux.org:443 + fonts.googleapis.com:443 + fonts.gstatic.com:443 + api.github.com:443 + mirror.gcr.io:443 + check.trivy.dev:443 - name: Checkout repository uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 diff --git a/.github/workflows/ui-tests.yml b/.github/workflows/ui-tests.yml index 7009e67f04..d60046dcbd 100644 --- a/.github/workflows/ui-tests.yml +++ b/.github/workflows/ui-tests.yml 
@@ -29,10 +29,17 @@ jobs: working-directory: ./ui steps: - - name: Harden the runner (Audit all outbound calls) + - name: Harden Runner uses: step-security/harden-runner@fa2e9d605c4eeb9fcad4c99c224cee0c6c7f3594 # v2.16.0 with: - egress-policy: audit + egress-policy: block + allowed-endpoints: > + github.com:443 + registry.npmjs.org:443 + fonts.googleapis.com:443 + fonts.gstatic.com:443 + api.github.com:443 + release-assets.githubusercontent.com:443 - name: Checkout repository uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2