Update arguments for the different Step Security workflows. #486

Open
jenstroeger opened this issue Feb 26, 2023 · 3 comments
Labels: ci (Improvements or additions to CI checks), enhancement (New feature or request), github_actions (Pull requests that update Github_actions code), security (Security related features or bugs)

Comments

@jenstroeger (Owner) commented Feb 26, 2023

Looking at Step Security’s Harden Runner results (see workflow run 4222519143) it would probably make sense to incorporate their Recommended Policy feedback for the four runs we use in our workflows?

jenstroeger added the enhancement, security, ci and github_actions labels on Feb 26, 2023

@behnazh (Collaborator) commented Apr 2, 2023


Based on the recommendation, should we add the allowed list to every step or is it possible to specify it in a central policy?

@jenstroeger (Owner, Author) commented

@behnazh I didn’t find a central/shared policy documented in the Harden Runner docs.

I wonder if it would make sense, because different workflows do different things and therefore might need different policies. Having said that, it would be nice to specify a common/central/shared “base policy” which can then be overridden by specific policies using the with: ... (Would save a lot of typing in our case 🤓)

@varunsh-coder do you have thoughts on this?

@varunsh-coder commented

@jenstroeger next week, we are releasing a new feature to store policies using the insights website (tracking issue). This will allow specifying the policy in one place and referring to it from different jobs.

You can see a demo workflow here, and I can share the updated documentation once it is released.

There is a discussion about where/how to store the policy in this discussion item. Feel free to add to that. I have not seen a base policy idea listed there before.

Also, you can prioritize setting policies in specific jobs that are more security sensitive, e.g., where credentials are used, and/or release builds are created.
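As an added illustration of the per-job policy the thread discusses (not a workflow from this issue or from the repository), here is a job that runs Harden Runner in its default audit mode next to the same job with a Recommended Policy applied through `with:`. The `egress-policy` and `allowed-endpoints` inputs are the action's own; the job names, the action version tag, the install/test commands and the endpoint list are assumptions made up for the example.

```yaml
# Added example, not taken from the issue above. Job names, versions,
# commands and the endpoint list are placeholders chosen for illustration.
jobs:
  # Before: audit mode. Harden Runner records every outbound call the job
  # makes and reports it in the run's insights, but blocks nothing.
  test-audit:
    runs-on: ubuntu-latest
    steps:
      - name: Harden Runner (audit)
        uses: step-security/harden-runner@v2   # must be the first step of the job
        with:
          egress-policy: audit
      - uses: actions/checkout@v3
      - run: pip install -r requirements.txt && pytest

  # After: block mode. Only the listed host:port pairs may be reached;
  # any other outbound connection from a later step fails and is reported.
  # Copy the list from the Recommended Policy shown for your own run; the
  # entries below are constructed and will not match every project.
  test-blocked:
    runs-on: ubuntu-latest
    steps:
      - name: Harden Runner (block)
        uses: step-security/harden-runner@v2
        with:
          egress-policy: block
          allowed-endpoints: >
            api.github.com:443
            files.pythonhosted.org:443
            github.com:443
            pypi.org:443
      - uses: actions/checkout@v3
      - run: pip install -r requirements.txt && pytest
```

The policy is scoped to the job it is declared in, so each job that needs different endpoints carries its own `with:` block; switching a job from `audit` to `block` is best done after reviewing the endpoints the audit run actually recorded.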
