Harden GitHub Actions Workflow - hosted-network-filtering-hr.yml

Fixes #198 Add fine-grained permissions for GitHub tokens in multiple workflow files to enhance security by limiting access scope. * **Documentation Update** - Add a section on using fine-grained permissions for GitHub tokens in `docs/Solutions/FixGITHUB_TOKENPermissions.md`. - Include an example of setting `permissions: contents: read` in a workflow file. - Mention the importance of the principle of least privilege. * **Workflow Files Update** - Add `permissions: contents: read` under the `on` section in `.github/workflows/hosted-network-filtering-hr.yml`. - Add `permissions: contents: read` under the `on` section in `.github/workflows/hosted-file-monitor-with-hr.yml`. - Add `permissions: contents: read` under the `on` section in `.github/workflows/hosted-file-monitor-without-hr.yml`. - Add `permissions: contents: read` under the `on` section in `.github/workflows/hosted-https-monitoring-hr.yml`. - Add `permissions: contents: read` under the `on` section in `.github/workflows/hosted-network-monitoring-hr.yml`. - Add `permissions: contents: read` under the `on` section in `.github/workflows/hosted-network-without-hr.yml`. - Add `permissions: contents: read` under the `on` section in `.github/workflows/arc-codecov-simulation.yml`. - Add `permissions: contents: read` under the `on` section in `.github/workflows/arc-secure-by-default.yml`. - Add `permissions: contents: read` under the `on` section in `.github/workflows/arc-solarwinds-simulation.yml`. - Add `permissions: contents: read` under the `on` section in `.github/workflows/arc-zero-effort-observability.yml`. - Add `permissions: contents: read` under the `on` section in `.github/workflows/baseline_checks.yml`. - Add `permissions: contents: read` under the `on` section in `.github/workflows/block-dns-exfiltration.yaml`. - Add `permissions: contents: read` under the `on` section in `.github/workflows/changed-files-vulnerability-with-hr.yml`. - Add `permissions: contents: read` under the `on` section in `.github/workflows/changed-files-vulnerability-without-hr.yml`. - Add `permissions: contents: read` under the `on` section in `.github/workflows/publish.yml`. - Add `permissions: contents: read` under the `on` section in `.github/workflows/self-hosted-file-monitor-with-hr.yml`. - Add `permissions: contents: read` under the `on` section in `.github/workflows/self-hosted-network-filtering-hr.yml`. - Add `permissions: contents: read` under the `on` section in `.github/workflows/self-hosted-network-monitoring-hr.yml`. - Add `permissions: contents: read` under the `on` section in `.github/workflows/unexpected-outbound-calls.yml`. - Add `permissions: contents: read` under the `on` section in `.github/workflows/anomalous-outbound-calls.yaml`. --- For more details, open the [Copilot Workspace session](https://copilot-workspace.githubnext.com/step-security/github-actions-goat/issues/198?shareId=XXXX-XXXX-XXXX-XXXX).
step-security · Jan 26, 2025 · db630c6 · db630c6
1 parent 4791440
commit db630c6
Show file tree

Hide file tree

Showing 21 changed files with 95 additions and 0 deletions.
diff --git a/.github/workflows/anomalous-outbound-calls.yaml b/.github/workflows/anomalous-outbound-calls.yaml
@@ -1,6 +1,10 @@
 name: Anomalous Outbound Calls
 on:
   workflow_dispatch:
+
+permissions:
+  contents: read
+
 jobs:
   unexpected-outbound-calls:
     name: AnomalousOutboundCalls

diff --git a/.github/workflows/arc-codecov-simulation.yml b/.github/workflows/arc-codecov-simulation.yml
@@ -2,6 +2,9 @@ name: "ARC: Network Filtering with Harden-Runner"
 on:
   workflow_dispatch:
 
+permissions:
+  contents: read
+
 jobs:
   build:
     runs-on: self-hosted

diff --git a/.github/workflows/arc-secure-by-default.yml b/.github/workflows/arc-secure-by-default.yml
@@ -1,6 +1,9 @@
 name: "ARC: Secure-By-Default Cluster-Level Policy"
 on:
   workflow_dispatch:
+
+permissions:
+  contents: read
 
 jobs:
   direct-ip-hosted:

diff --git a/.github/workflows/arc-solarwinds-simulation.yml b/.github/workflows/arc-solarwinds-simulation.yml
@@ -2,6 +2,9 @@ name: "ARC: File Monitoring with Harden-Runner"
 on:
   workflow_dispatch:
 
+permissions:
+  contents: read
+
 jobs:
   arc-solarwinds-simulation:
     runs-on: self-hosted

diff --git a/.github/workflows/arc-zero-effort-observability.yml b/.github/workflows/arc-zero-effort-observability.yml
@@ -2,6 +2,9 @@ name: "ARC: Zero-effort Observability"
 on:
   workflow_dispatch:
 
+permissions:
+  contents: read
+
 jobs:
   build:
     runs-on: self-hosted

diff --git a/.github/workflows/baseline_checks.yml b/.github/workflows/baseline_checks.yml
@@ -3,6 +3,9 @@ on:
   workflow_dispatch:
   pull_request:
 
+permissions:
+  contents: read
+
 jobs:
   build:
     runs-on: ubuntu-latest

diff --git a/.github/workflows/block-dns-exfiltration.yaml b/.github/workflows/block-dns-exfiltration.yaml
@@ -1,6 +1,10 @@
 name: Block DNS Exfiltration With Harden-Runner
 on:
   workflow_dispatch:
+
+permissions:
+  contents: read
+
 jobs:
   build:
     name: Deploy

diff --git a/.github/workflows/changed-files-vulnerability-with-hr.yml b/.github/workflows/changed-files-vulnerability-with-hr.yml
@@ -8,6 +8,7 @@ on:
 
 permissions:
   pull-requests: read
+  contents: read
 
 jobs:
   changed_files:

diff --git a/.github/workflows/changed-files-vulnerability-without-hr.yml b/.github/workflows/changed-files-vulnerability-without-hr.yml
@@ -8,6 +8,7 @@ on:
 
 permissions:
   pull-requests: read
+  contents: read
 
 jobs:
   changed_files:

diff --git a/.github/workflows/hosted-file-monitor-with-hr.yml b/.github/workflows/hosted-file-monitor-with-hr.yml
@@ -2,6 +2,9 @@ name: "Hosted: File Monitoring with Harden-Runner"
 on:
   workflow_dispatch:
 
+permissions:
+  contents: read
+
 jobs:
   build:
     runs-on: ubuntu-latest

diff --git a/.github/workflows/hosted-file-monitor-without-hr.yml b/.github/workflows/hosted-file-monitor-without-hr.yml
@@ -2,6 +2,9 @@ name: "Hosted: File Monitoring without Harden-Runner"
 on:
   workflow_dispatch:
 
+permissions:
+  contents: read
+
 jobs:
   build:
     runs-on: ubuntu-latest

diff --git a/.github/workflows/hosted-https-monitoring-hr.yml b/.github/workflows/hosted-https-monitoring-hr.yml
@@ -2,6 +2,9 @@ name: "Hosted: HTTPS Monitoring with Harden-Runner"
 on:
   workflow_dispatch:
 
+permissions:
+  contents: read
+
 jobs:
   build:
     runs-on: ubuntu-latest

diff --git a/.github/workflows/hosted-network-filtering-hr.yml b/.github/workflows/hosted-network-filtering-hr.yml
@@ -2,6 +2,9 @@ name: "Hosted: Network Filtering with Harden-Runner"
 on:
   workflow_dispatch:
 
+permissions:
+  contents: read
+
 jobs:
   build:
     runs-on: ubuntu-latest

diff --git a/.github/workflows/hosted-network-monitoring-hr.yml b/.github/workflows/hosted-network-monitoring-hr.yml
@@ -1,6 +1,9 @@
 name: "Hosted: Network Monitoring with Harden-Runner"
 on:
   workflow_dispatch:
+
+permissions:
+  contents: read
 
 jobs:
   build:

diff --git a/.github/workflows/hosted-network-without-hr.yml b/.github/workflows/hosted-network-without-hr.yml
@@ -1,6 +1,9 @@
 name: "Hosted: Network Monitoring without Harden-Runner"
 on:
   workflow_dispatch:
+
+permissions:
+  contents: read
 
 jobs:
   build:

diff --git a/.github/workflows/publish.yml b/.github/workflows/publish.yml
@@ -2,6 +2,9 @@ name: Puzzle
 on:
   workflow_dispatch:
 
+permissions:
+  contents: read
+
 jobs:
   build:
     runs-on: ubuntu-latest

diff --git a/.github/workflows/self-hosted-file-monitor-with-hr.yml b/.github/workflows/self-hosted-file-monitor-with-hr.yml
@@ -2,6 +2,9 @@ name: "Self-Hosted (VM): File Monitoring with Harden-Runner"
 on:
   workflow_dispatch:
 
+permissions:
+  contents: read
+
 jobs:
   build:
     runs-on: [self-hosted, ec2]

diff --git a/.github/workflows/self-hosted-network-filtering-hr.yml b/.github/workflows/self-hosted-network-filtering-hr.yml
@@ -1,6 +1,9 @@
 name: "Self-Hosted (VM): Network Filtering with Harden-Runner"
 on:
   workflow_dispatch:
+
+permissions:
+  contents: read
 
 jobs:
   build:

diff --git a/.github/workflows/self-hosted-network-monitoring-hr.yml b/.github/workflows/self-hosted-network-monitoring-hr.yml
@@ -1,6 +1,9 @@
 name: "Self-Hosted (VM): Network Monitoring with Harden-Runner"
 on:
   workflow_dispatch:
+
+permissions:
+  contents: read
 
 jobs:
   build:

diff --git a/.github/workflows/unexpected-outbound-calls.yml b/.github/workflows/unexpected-outbound-calls.yml
@@ -1,6 +1,10 @@
 name: Unexpected Outbound Calls
 on:
   workflow_dispatch:
+
+permissions:
+  contents: read
+
 jobs:
   unexpected-outbound-calls:
     name: UnexpectedOutboundCalls

diff --git a/docs/Solutions/FixGITHUB_TOKENPermissions.md b/docs/Solutions/FixGITHUB_TOKENPermissions.md
@@ -19,3 +19,39 @@ In this tutorial you will update the token permissions for workflows in this rep
 6. Merge the pull request. Check the permissions for the jobs in the "Set up job" section of the workflow run log. You will notice that the permissions are set to the minimum needed.
 
 > https://app.stepsecurity.io/securerepo has been used by over 500 public repositories to apply GitHub Actions Security best practices. You can browse pull requests for the Top 50 repositories at https://app.stepsecurity.io/securerepo/trending
+
+## Using Fine-Grained Permissions for GitHub Tokens
+
+To enhance security, it is important to use fine-grained permissions for GitHub tokens. This follows the principle of least privilege, ensuring that each job only has access to what it absolutely needs.
+
+### Example
+
+In the `.github/workflows/hosted-network-filtering-hr.yml` file, you can add `permissions: contents: read` to limit access:
+
+```yaml
+name: "Hosted: Network Filtering with Harden-Runner"
+on:
+  workflow_dispatch:
+
+permissions:
+  contents: read
+
+jobs:
+  build:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Harden Runner
+        uses: step-security/harden-runner@v2
+        with:
+          disable-sudo: true
+          egress-policy: block
+          allowed-endpoints: >
+            github.com:443
+            www.githubstatus.com:443
+      - uses: crazy-max/ghaction-github-status@v4
+      - uses: actions/checkout@v3
+      - run: |
+          curl https://exfiltrationdemo.blob.core.windows.net/
+```
+
+By setting the minimum required permissions for the GitHub token in your workflows, you can significantly reduce the risk of accidental or malicious misuse.