step-security · stepsecurity-int · Mar 24, 2025
diff --git a/.github/workflows/PRTargetWorkflow.yml b/.github/workflows/PRTargetWorkflow.yml
@@ -7,11 +7,19 @@ on:
       - synchronize
       - reopened
 
+permissions:
+  contents: read
+
 jobs:
   pr-target-check:
     runs-on: ubuntu-latest
 
     steps:
+      - name: Harden the runner (Audit all outbound calls)
+        uses: step-security/harden-runner@4d991eb9b905ef189e4c376166672c3f2f230481 # v2.11.0
+        with:
+          egress-policy: audit
+
       - name: Check out code
         uses: actions/checkout@v4
 

diff --git a/.github/workflows/anomalous-outbound-calls.yaml b/.github/workflows/anomalous-outbound-calls.yaml
@@ -1,13 +1,16 @@
 name: Anomalous Outbound Calls
 on:
   workflow_dispatch:
+permissions:
+  contents: read
+
 jobs:
   unexpected-outbound-calls:
     name: AnomalousOutboundCalls
     runs-on: ubuntu-latest
     steps:
       - name: Harden Runner
-        uses: step-security/harden-runner@v2
+        uses: step-security/harden-runner@4d991eb9b905ef189e4c376166672c3f2f230481 # v2.11.0
         with:
           egress-policy: audit
       - run: "curl https://pastebin.com -L  || true"

diff --git a/.github/workflows/arc-codecov-simulation.yml b/.github/workflows/arc-codecov-simulation.yml
@@ -7,7 +7,7 @@ jobs:
     runs-on: self-hosted
     steps:
       - name: Harden Runner
-        uses: step-security/harden-runner@v2
+        uses: step-security/harden-runner@4d991eb9b905ef189e4c376166672c3f2f230481 # v2.11.0
         with:
           egress-policy: block
           allowed-endpoints: >
@@ -28,7 +28,7 @@ jobs:
           cd ./src/exfiltration-demo
           npm install
       - name: Publish to Registry
-        uses: elgohr/Publish-Docker-Github-Action@v5
+        uses: elgohr/Publish-Docker-Github-Action@eb53b3ec07136a6ebaed78d8135806da64f7c7e2 # v5
         with:
           name: ${{ github.repository }}/prod:latest
           username: ${{ github.actor }}

diff --git a/.github/workflows/arc-secure-by-default.yml b/.github/workflows/arc-secure-by-default.yml
@@ -2,10 +2,18 @@ name: "ARC: Secure-By-Default Cluster-Level Policy"
 on:
   workflow_dispatch:
 
+permissions:
+  contents: read
+
 jobs:
   direct-ip-hosted:
     runs-on: ubuntu-latest
     steps:
+      - name: Harden the runner (Audit all outbound calls)
+        uses: step-security/harden-runner@4d991eb9b905ef189e4c376166672c3f2f230481 # v2.11.0
+        with:
+          egress-policy: audit
+
       - uses: actions/checkout@v3
 
       # Codecov Scenario: Exfiltrate data to attacker's IP address
@@ -14,6 +22,11 @@ jobs:
   direct-ip-arc:
     runs-on: self-hosted
     steps:
+      - name: Harden the runner (Audit all outbound calls)
+        uses: step-security/harden-runner@4d991eb9b905ef189e4c376166672c3f2f230481 # v2.11.0
+        with:
+          egress-policy: audit
+
       - uses: actions/checkout@v3
 
       # Codecov Scenario: Exfiltrate data to attacker's IP address

diff --git a/.github/workflows/arc-solarwinds-simulation.yml b/.github/workflows/arc-solarwinds-simulation.yml
@@ -6,6 +6,11 @@ jobs:
   arc-solarwinds-simulation:
     runs-on: self-hosted
     steps:
+      - name: Harden the runner (Audit all outbound calls)
+        uses: step-security/harden-runner@4d991eb9b905ef189e4c376166672c3f2f230481 # v2.11.0
+        with:
+          egress-policy: audit
+
       - uses: actions/checkout@v3
       - uses: actions/setup-node@v3
         with:
@@ -15,7 +20,7 @@ jobs:
           cd ./src/backdoor-demo
           npm install
       - name: Publish to Registry
-        uses: elgohr/Publish-Docker-Github-Action@v5
+        uses: elgohr/Publish-Docker-Github-Action@eb53b3ec07136a6ebaed78d8135806da64f7c7e2 # v5
         with:
           name: ${{ github.repository }}/prod:latest
           username: ${{ github.actor }}

diff --git a/.github/workflows/arc-zero-effort-observability.yml b/.github/workflows/arc-zero-effort-observability.yml
@@ -6,6 +6,11 @@ jobs:
   build:
     runs-on: self-hosted
     steps:
+      - name: Harden the runner (Audit all outbound calls)
+        uses: step-security/harden-runner@4d991eb9b905ef189e4c376166672c3f2f230481 # v2.11.0
+        with:
+          egress-policy: audit
+
       - uses: actions/checkout@v3
       - uses: actions/setup-node@v3
         with:
@@ -15,7 +20,7 @@ jobs:
           cd ./src/exfiltration-demo
           npm install
       - name: Publish to Registry
-        uses: elgohr/Publish-Docker-Github-Action@v5
+        uses: elgohr/Publish-Docker-Github-Action@eb53b3ec07136a6ebaed78d8135806da64f7c7e2 # v5
         with:
           name: ${{ github.repository }}/prod:latest
           username: ${{ github.actor }}

diff --git a/.github/workflows/baseline_checks.yml b/.github/workflows/baseline_checks.yml
@@ -7,11 +7,11 @@ jobs:
   build:
     runs-on: ubuntu-latest
     steps:
-      - uses: step-security/harden-runner@int-sh
+      - uses: step-security/harden-runner@668ad3cce4bd0191ec8fdd9868adcb7521a9dacd # int-sh
         with:
           egress-policy: audit
 
-      - uses: crazy-max/ghaction-github-status@v4
+      - uses: crazy-max/ghaction-github-status@6aadd1a8de5ca43c8e17a0633ef90e2178da5228 # v4.1.0
 
       - uses: actions/checkout@v3
 
@@ -22,12 +22,12 @@ jobs:
 
       - name: get-npm-version
         id: package-version
-        uses: martinbeentjes/[email protected]
+        uses: martinbeentjes/npm-get-version-action@3cf273023a0dda27efcd3164bdfb51908dd46a5b # v1.3.1
         with:
           path: src/exfiltration-demo
 
       - name: Publish to Registry
-        uses: elgohr/Publish-Docker-Github-Action@v5
+        uses: elgohr/Publish-Docker-Github-Action@eb53b3ec07136a6ebaed78d8135806da64f7c7e2 # v5
         with:
           name: ${{ github.repository }}/prod:latest
           username: ${{ github.actor }}

diff --git a/.github/workflows/block-dns-exfiltration.yaml b/.github/workflows/block-dns-exfiltration.yaml
@@ -1,13 +1,16 @@
 name: Block DNS Exfiltration With Harden-Runner
 on:
   workflow_dispatch:
+permissions:
+  contents: read
+
 jobs:
   build:
     name: Deploy
     runs-on: ubuntu-latest
     steps:
       - name: Harden Runner
-        uses: step-security/harden-runner@v2
+        uses: step-security/harden-runner@4d991eb9b905ef189e4c376166672c3f2f230481 # v2.11.0
         with:
           egress-policy: block
           allowed-endpoints: |

diff --git a/.github/workflows/changed-files-vulnerability-with-hr.yml b/.github/workflows/changed-files-vulnerability-with-hr.yml
@@ -15,7 +15,7 @@ jobs:
     name: Test changed-files
     steps:
       - name: Harden Runner
-        uses: step-security/harden-runner@v2
+        uses: step-security/harden-runner@4d991eb9b905ef189e4c376166672c3f2f230481 # v2.11.0
         with:
           disable-sudo: true
           egress-policy: block
@@ -29,7 +29,7 @@ jobs:
       # Example 1
       - name: Get changed files
         id: changed-files
-        uses: tj-actions/changed-files@v40
+        uses: tj-actions/changed-files@af292f1e845a0377b596972698a8598734eb2796 # v40.0.0
 
       - name: List all changed files
         run: |

diff --git a/.github/workflows/changed-files-vulnerability-without-hr.yml b/.github/workflows/changed-files-vulnerability-without-hr.yml
@@ -14,14 +14,19 @@ jobs:
     runs-on: ubuntu-latest
     name: Test changed-files
     steps:
+      - name: Harden the runner (Audit all outbound calls)
+        uses: step-security/harden-runner@4d991eb9b905ef189e4c376166672c3f2f230481 # v2.11.0
+        with:
+          egress-policy: audit
+
       - uses: actions/checkout@v4
         with:
           fetch-depth: 0
 
       # Example 1
       - name: Get changed files
         id: changed-files
-        uses: tj-actions/changed-files@v40
+        uses: tj-actions/changed-files@af292f1e845a0377b596972698a8598734eb2796 # v40.0.0
 
       - name: List all changed files
         run: |

diff --git a/.github/workflows/hosted-file-monitor-with-hr.yml b/.github/workflows/hosted-file-monitor-with-hr.yml
@@ -6,7 +6,7 @@ jobs:
   build:
     runs-on: ubuntu-latest
     steps:
-      - uses: step-security/harden-runner@v2
+      - uses: step-security/harden-runner@4d991eb9b905ef189e4c376166672c3f2f230481 # v2.11.0
         with:
           egress-policy: audit
 
@@ -17,13 +17,13 @@ jobs:
           cd ./src/backdoor-demo
           npm install
 
-      - uses: madhead/semver-utils@latest
+      - uses: madhead/semver-utils@36d1e0ed361bd7b4b77665de8093092eaeabe6ba # latest
         id: version
         with:
           version: 1.2.3
 
       - name: Publish to Registry
-        uses: elgohr/Publish-Docker-Github-Action@v5
+        uses: elgohr/Publish-Docker-Github-Action@eb53b3ec07136a6ebaed78d8135806da64f7c7e2 # v5
         with:
           name: ${{ github.repository }}/prod:latest
           username: ${{ github.actor }}

diff --git a/.github/workflows/hosted-file-monitor-without-hr.yml b/.github/workflows/hosted-file-monitor-without-hr.yml
@@ -6,20 +6,25 @@ jobs:
   build:
     runs-on: ubuntu-latest
     steps:
+      - name: Harden the runner (Audit all outbound calls)
+        uses: step-security/harden-runner@4d991eb9b905ef189e4c376166672c3f2f230481 # v2.11.0
+        with:
+          egress-policy: audit
+
       - uses: actions/checkout@v3
 
       - name: npm install
         run: |
           cd ./src/backdoor-demo
           npm install
 
-      - uses: madhead/semver-utils@latest
+      - uses: madhead/semver-utils@36d1e0ed361bd7b4b77665de8093092eaeabe6ba # latest
         id: version
         with:
           version: 1.2.3
 
       - name: Publish to Registry
-        uses: elgohr/Publish-Docker-Github-Action@v5
+        uses: elgohr/Publish-Docker-Github-Action@eb53b3ec07136a6ebaed78d8135806da64f7c7e2 # v5
         with:
           name: ${{ github.repository }}/prod:latest
           username: ${{ github.actor }}

diff --git a/.github/workflows/hosted-https-monitoring-hr.yml b/.github/workflows/hosted-https-monitoring-hr.yml
@@ -2,17 +2,23 @@ name: "Hosted: HTTPS Monitoring with Harden-Runner"
 on:
   workflow_dispatch:
 
+permissions:
+  contents: read
+
 jobs:
   build:
+    permissions:
+      contents: read  # for JasonEtco/create-an-issue to read template files
+      issues: write  # for JasonEtco/create-an-issue to create new issues
     runs-on: ubuntu-latest
     steps:
-      - uses: step-security/harden-runner@v2
+      - uses: step-security/harden-runner@4d991eb9b905ef189e4c376166672c3f2f230481 # v2.11.0
         with:
           egress-policy: audit
 
       - uses: actions/checkout@v3
 
-      - uses: JasonEtco/create-an-issue@v2
+      - uses: JasonEtco/create-an-issue@1b14a70e4d8dc185e5cc76d3bec9eab20257b2c5 # v2.9.2
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
 

diff --git a/.github/workflows/hosted-network-filtering-hr.yml b/.github/workflows/hosted-network-filtering-hr.yml
@@ -7,7 +7,7 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Harden Runner
-        uses: step-security/harden-runner@v2
+        uses: step-security/harden-runner@4d991eb9b905ef189e4c376166672c3f2f230481 # v2.11.0
         with:
           disable-sudo: true
           egress-policy: block
@@ -17,7 +17,7 @@ jobs:
             registry.npmjs.org:443
             www.githubstatus.com:443
 
-      - uses: crazy-max/ghaction-github-status@v4
+      - uses: crazy-max/ghaction-github-status@6aadd1a8de5ca43c8e17a0633ef90e2178da5228 # v4.1.0
 
       - uses: actions/checkout@v3
 
@@ -28,17 +28,17 @@ jobs:
 
       - name: get-npm-version
         id: package-version
-        uses: martinbeentjes/[email protected]
+        uses: martinbeentjes/npm-get-version-action@3cf273023a0dda27efcd3164bdfb51908dd46a5b # v1.3.1
         with:
           path: src/exfiltration-demo
 
-      - uses: madhead/semver-utils@latest
+      - uses: madhead/semver-utils@36d1e0ed361bd7b4b77665de8093092eaeabe6ba # latest
         id: version
         with:
           version: 1.2.3
 
       - name: Publish to Registry
-        uses: elgohr/Publish-Docker-Github-Action@v5
+        uses: elgohr/Publish-Docker-Github-Action@eb53b3ec07136a6ebaed78d8135806da64f7c7e2 # v5
         with:
           name: ${{ github.repository }}/prod:latest
           username: ${{ github.actor }}

diff --git a/.github/workflows/hosted-network-monitoring-hr.yml b/.github/workflows/hosted-network-monitoring-hr.yml
@@ -10,7 +10,7 @@ jobs:
         with:
           egress-policy: audit
 
-      - uses: crazy-max/ghaction-github-status@v4
+      - uses: crazy-max/ghaction-github-status@6aadd1a8de5ca43c8e17a0633ef90e2178da5228 # v4.1.0
 
       - uses: actions/checkout@v3
 
@@ -21,12 +21,12 @@ jobs:
 
       - name: get-npm-version
         id: package-version
-        uses: martinbeentjes/[email protected]
+        uses: martinbeentjes/npm-get-version-action@3cf273023a0dda27efcd3164bdfb51908dd46a5b # v1.3.1
         with:
           path: src/exfiltration-demo
 
       - name: Publish to Registry
-        uses: elgohr/Publish-Docker-Github-Action@v5
+        uses: elgohr/Publish-Docker-Github-Action@eb53b3ec07136a6ebaed78d8135806da64f7c7e2 # v5
         with:
           name: ${{ github.repository }}/prod:latest
           username: ${{ github.actor }}

diff --git a/.github/workflows/hosted-network-without-hr.yml b/.github/workflows/hosted-network-without-hr.yml
@@ -6,7 +6,12 @@ jobs:
   build:
     runs-on: ubuntu-latest
     steps:
-      - uses: crazy-max/ghaction-github-status@v4
+      - name: Harden the runner (Audit all outbound calls)
+        uses: step-security/harden-runner@4d991eb9b905ef189e4c376166672c3f2f230481 # v2.11.0
+        with:
+          egress-policy: audit
+
+      - uses: crazy-max/ghaction-github-status@6aadd1a8de5ca43c8e17a0633ef90e2178da5228 # v4.1.0
 
       - uses: actions/checkout@v3
 
@@ -17,12 +22,12 @@ jobs:
 
       - name: get-npm-version
         id: package-version
-        uses: martinbeentjes/[email protected]
+        uses: martinbeentjes/npm-get-version-action@3cf273023a0dda27efcd3164bdfb51908dd46a5b # v1.3.1
         with:
           path: src/exfiltration-demo
 
       - name: Publish to Registry
-        uses: elgohr/Publish-Docker-Github-Action@v5
+        uses: elgohr/Publish-Docker-Github-Action@eb53b3ec07136a6ebaed78d8135806da64f7c7e2 # v5
         with:
           name: ${{ github.repository }}/prod:latest
           username: ${{ github.actor }}