CI hardening: egress traffic block mode (#195)

* Bump hardened GitHub Actions runner image version * [CI hardening] Update allowed egress endpoints for unit tests * [CI hardening] Allow-list for static analysis CI job * [CI hardening] Allow-list for docker push CI job egress traffic * [CI hardening] Allow-list for docs CI job egress traffic * [CI hardening] Allow-list for release CI job egress traffic * Removed unnecessary allowed endpoint in CI job
DataDog · Sep 30, 2022 · 8542768 · 8542768
1 parent c026705
commit 8542768
Show file tree

Hide file tree

Showing 5 changed files with 37 additions and 18 deletions.
diff --git a/.github/workflows/docker.yml b/.github/workflows/docker.yml
@@ -20,9 +20,15 @@ jobs:
       packages: write
     steps:
       - name: Harden Runner
-        uses: step-security/harden-runner@dd2c410b088af7c0dc8046f3ac9a8f4148492a95
+        uses: step-security/harden-runner@2e205a28d0e1da00c5f53b161f4067b052c61f34
         with:
-          egress-policy: audit # TODO: change to 'egress-policy: block' after couple of runs
+          egress-policy: block
+          allowed-endpoints: >
+            ghcr.io:443
+            github.com:443
+            pkg-containers.githubusercontent.com:443
+            production.cloudflare.docker.com:443
+            registry-1.docker.io:443
 
       - name: Checkout
         uses: actions/checkout@2541b1294d2704b0964813337f33b291d3f8596b

diff --git a/.github/workflows/docs.yml b/.github/workflows/docs.yml
@@ -19,9 +19,13 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Harden Runner
-        uses: step-security/harden-runner@dd2c410b088af7c0dc8046f3ac9a8f4148492a95
+        uses: step-security/harden-runner@2e205a28d0e1da00c5f53b161f4067b052c61f34
         with:
-          egress-policy: audit # TODO: change to 'egress-policy: block' after couple of runs
+          egress-policy: block
+          allowed-endpoints: >
+            files.pythonhosted.org:443
+            github.com:443
+            pypi.org:443
 
       - uses: actions/checkout@2541b1294d2704b0964813337f33b291d3f8596b
       - uses: actions/setup-python@7f80679172b057fc5e90d70d197929d454754a5a

diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
@@ -19,9 +19,17 @@ jobs:
       contents: write
     steps:
       - name: Harden Runner
-        uses: step-security/harden-runner@dd2c410b088af7c0dc8046f3ac9a8f4148492a95
+        uses: step-security/harden-runner@2e205a28d0e1da00c5f53b161f4067b052c61f34
         with:
-          egress-policy: audit # TODO: change to 'egress-policy: block' after couple of runs
+          egress-policy: block
+          allowed-endpoints: >
+            api.github.com:443
+            github.com:443
+            goreleaser.com:443
+            objects.githubusercontent.com:443
+            proxy.golang.org:443
+            storage.googleapis.com:443
+            uploads.github.com:443
 
       - name: Checkout
         uses: actions/checkout@2541b1294d2704b0964813337f33b291d3f8596b

diff --git a/.github/workflows/static-analysis.yml b/.github/workflows/static-analysis.yml
@@ -17,10 +17,14 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Harden Runner
-        uses: step-security/harden-runner@dd2c410b088af7c0dc8046f3ac9a8f4148492a95
+        uses: step-security/harden-runner@2e205a28d0e1da00c5f53b161f4067b052c61f34
         with:
-          egress-policy: audit # TODO: change to 'egress-policy: block' after couple of runs
-
+          egress-policy: block
+          allowed-endpoints: >
+            github.com:443
+            proxy.golang.org:443
+            storage.googleapis.com:443
+            sum.golang.org:443
       - uses: actions/checkout@2541b1294d2704b0964813337f33b291d3f8596b
         with:
           fetch-depth: 1

diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml
@@ -16,15 +16,13 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Harden Runner
-        uses: step-security/harden-runner@dd2c410b088af7c0dc8046f3ac9a8f4148492a95
+        uses: step-security/harden-runner@2e205a28d0e1da00c5f53b161f4067b052c61f34
         with:
           egress-policy: block
           allowed-endpoints:
-            pipelines.actions.githubusercontent.com:443
             github.com:443
             proxy.golang.org:443
             storage.googleapis.com:443
-
       - name: Checkout repository
         uses: actions/checkout@2541b1294d2704b0964813337f33b291d3f8596b
 
@@ -40,18 +38,17 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Harden Runner
-        uses: step-security/harden-runner@dd2c410b088af7c0dc8046f3ac9a8f4148492a95
+        uses: step-security/harden-runner@2e205a28d0e1da00c5f53b161f4067b052c61f34
         with:
           egress-policy: block
           allowed-endpoints:
-            github.com:443
-            registry-1.docker.io:443
             auth.docker.io:443
-            pipelines.actions.githubusercontent.com:443
-            production.cloudflare.docker.com:443
             dl-cdn.alpinelinux.org:443
+            github.com:443
+            production.cloudflare.docker.com:443
             proxy.golang.org:443
-            storage.googleapis.com
+            registry-1.docker.io:443
+            storage.googleapis.com:443
 
       - name: Checkout repository
         uses: actions/checkout@2541b1294d2704b0964813337f33b291d3f8596b