harden-runner
rfcs
Our great sponsors
harden-runner | rfcs | |
---|---|---|
15 | 7 | |
491 | 44 | |
6.1% | - | |
7.5 | 4.6 | |
7 days ago | 5 months ago | |
TypeScript | ||
Apache License 2.0 | - |
Stars - the number of stars that a project has on GitHub. Growth - month over month growth in stars.
Activity is a relative number indicating how actively a project is being developed. Recent commits have higher weight than older ones.
For example, an activity of 9.0 indicates that a project is amongst the top 10% of the most actively developed projects that we are tracking.
harden-runner
-
Securizing your GitHub org
Fortunately there is a great free online tool that help you by doing all the hard work (it will open a pull-request and automatically fix issues).
- harden-runner: Protect your CI/CD pipeline from SolarWinds and Codecov-Type Attacks with the Harden-Runner Security Agent
- Show HN: Protect Your CI/CD from SolarWinds-Type Attacks with This Agent
-
Compromised PyTorch-nightly dependency chain December 30th, 2022
If using GitHub Actions for CI/ CD, Harden Runner (https://github.com/step-security/harden-runner) can be used to audit and block DNS exfiltration. Outbound calls from CI are predictable (to source repo, artifact registry, etc.) and don't change often.
-
Attack Simulator for SolarWinds, Codecov, and ua-parser-js breaches
As part of writing tests for Harden Runner GitHub Action, which prevents such attacks, there was a need to write attack simulator for these attacks.
-
py-template: one-click extensive GitHub Actions pipelines for your Python projects!
I am not too familiar with GitLab, to be honest, but: - Commit/PR linting (to be in tandem with semantic versioning) is implemented via third-party GitHub Actions (https://github.com/amannn/action-semantic-pull-request and https://github.com/wagoid/commitlint-github-action), these might be hard to transfer - Blocking egress to mitigate supply chain attacks is performed by step security’s Harden Runner (https://github.com/step-security/harden-runner), you may raise a question there about GitLab support - CodeQL support is GitHub only AFAIK (but you would have to verify it)
-
Securing a GitHub repo is a ton of work
I've found StepSecurity's tooling helpful in getting my repos secured.
* https://app.stepsecurity.io/securerepo
-
Sigstore
I agree. There are projects such as https://github.com/ossf/package-analysis and https://github.com/step-security/harden-runner that do behavior analysis. Disclaimer: I’m maintainer of the second one.
-
Best practices to keep your projects secure on GitHub
So if you are concerned about this, I'd suggest looking at the following:
* OpenSSF Scorecard Action - https://github.com/ossf/scorecard#scorecards-github-action
* Step Security Harden Action - https://github.com/step-security/harden-runner
I realize that this means trusting these providers but they seem at least tacitly blessed by GitHub. https://docs.github.com/en/actions/security-guides/security-...
-
Video of malware node packages trying to phone home
Few hours back several malicious packages were released on npm registry. This video shows how some of these packages are making outbound calls as part of the preinstall step when executed in a GitHub Actions workflow. DNS Exfiltration and network calls detected by Harden-Runner GitHub Action https://github.com/step-security/harden-runner
rfcs
-
Ruby Shield: Shopify donates $1M to stewards of rubygems, bundler
I can give a limited answer based on my own day-to-day work. I work in Ruby Dependency Security, which is the team who are most involved in helping out with rubygems.org and RubyGems work. Our biggest effort lately has been about rolling out MFA requirements for owners of top-most-downloaded gems. What I'd like to do afterwards is focus on gem signing using sigstore, which would make it a "one click" experience for authors. We did some work on it earlier this year[0] but chose to focus on MFA as our first big push. We also aim to devote a substantial fraction of our time to chopping wood and carrying water: looking at honeybadger exception reports, etc.
In terms of the long run there's a whole bunch that can be done to continuously harden every aspect of the Ruby supply chain. One thing we've been involved in founding is the OpenSSF Securing Software Repos working group[1], which has meant that RubyGems maintainers are now talking directly with folks from PyPI, npm, Maven Central, Cargo and others. We all face shared threats (eg, dependency confusion, resurrection attacks etc), so getting together to work collectively and share ideas has been super awesome.
[0] https://github.com/rubygems/rfcs/pull/37
[1] https://github.com/ossf/wg-securing-software-repos
-
Making popular Ruby packages more secure
That’s correct. If you’re a maintainer of a very popular gem, as of 15th August you’ll no longer be able to e.g. `gem push` if you haven’t enabled MFA on your RubyGems account. You will of course still be able to log in and enable it.
More details in the RFC: https://github.com/rubygems/rfcs/blob/master/text/0007-mfa-r...
-
NPM Vulnerability Discussion on Twitter
> < 10% had useful 2FA enabled.
I expect this to change. NPM will roll out mandatory MFA for the most-downloaded packages[0] (RubyGems as well[1]). I expect this will rise to a 100% requirement at some point because Github's decision to require MFA by the end of 2023 will massively raise the waterline of folks who have the capability to MFA and experience with MFA.
[0] https://github.blog/2021-11-15-githubs-commitment-to-npm-eco...
[1] https://github.com/rubygems/rfcs/issues/35
-
Sigstore
The RFC trying to introduce sigstore for RubyGems is an interesting look at this in practice: https://github.com/rubygems/rfcs/pull/37
- RFC for Sigstore Rubygems Signing
- RFC: Proposal for new signing mechanism
- Require MFA for most-used gems [RubyGems RFC]
What are some alternatives?
repo
sigstore-website - Codebase for sigstore.dev
actual-malware - Useful library dependency
npm
enquirer - Stylish, intuitive and user-friendly prompts, for Node.js. Used by eslint, webpack, yarn, pm2, pnpm, RedwoodJS, FactorJS, salesforce, Cypress, Google Lighthouse, Generate, tencent cloudbase, lint-staged, gluegun, hygen, hardhat, AWS Amplify, GitHub Actions Toolkit, @airbnb/nimbus, and many others! Please follow Enquirer's author: https://github.com/jonschlinkert
auth - A GitHub Action for authenticating to Google Cloud.
rubygems - Library packaging and distribution for Ruby.
scorecard - OpenSSF Scorecard - Security health metrics for Open Source
package-analysis - Open Source Package Analysis
github-actions-goat - GitHub Actions Goat: Deliberately Vulnerable GitHub Actions CI/CD Environment
wg-securing-software-repos - OpenSSF Working Group on Securing Software Repositories