harden-runner VS rfcs

Compare harden-runner vs rfcs and see what are their differences.

harden-runner

Network egress filtering and runtime security for GitHub-hosted and self-hosted runners (by step-security)
github-actions Actions supply-chain-security Hardening security-hardening runners egress-filtering network-security runtime-security
Source Code
stepsecurity.io
Suggest alternative
Edit details

rfcs

RubyGems + Bundler RFCs (by rubygems)
Suggest topics
Source Code
Suggest alternative
Edit details
SurveyJS
Our great sponsors
  • SurveyJS - Open-Source JSON Form Builder to Create Dynamic Forms Right in Your App
  • InfluxDB - Power Real-Time Data Analytics at Scale
  • WorkOS - The modern identity platform for B2B SaaS
Our great sponsors
harden-runner rfcs
15 7
491 44
6.1% -
7.5 4.6
6 days ago 5 months ago
TypeScript
Apache License 2.0 -
The number of mentions indicates the total number of mentions that we've tracked plus the number of user suggested alternatives.
Stars - the number of stars that a project has on GitHub. Growth - month over month growth in stars.
Activity is a relative number indicating how actively a project is being developed. Recent commits have higher weight than older ones.
For example, an activity of 9.0 indicates that a project is amongst the top 10% of the most actively developed projects that we are tracking.

harden-runner

Posts with mentions or reviews of harden-runner. We have used some of these posts to build our list of alternatives and similar projects. The last one was on 2023-02-19.

rfcs

Posts with mentions or reviews of rfcs. We have used some of these posts to build our list of alternatives and similar projects. The last one was on 2022-06-13.
  • Ruby Shield: Shopify donates $1M to stewards of rubygems, bundler
    1 project | news.ycombinator.com | 6 Jul 2022
    I can give a limited answer based on my own day-to-day work. I work in Ruby Dependency Security, which is the team who are most involved in helping out with rubygems.org and RubyGems work. Our biggest effort lately has been about rolling out MFA requirements for owners of top-most-downloaded gems. What I'd like to do afterwards is focus on gem signing using sigstore, which would make it a "one click" experience for authors. We did some work on it earlier this year[0] but chose to focus on MFA as our first big push. We also aim to devote a substantial fraction of our time to chopping wood and carrying water: looking at honeybadger exception reports, etc.

    In terms of the long run there's a whole bunch that can be done to continuously harden every aspect of the Ruby supply chain. One thing we've been involved in founding is the OpenSSF Securing Software Repos working group[1], which has meant that RubyGems maintainers are now talking directly with folks from PyPI, npm, Maven Central, Cargo and others. We all face shared threats (eg, dependency confusion, resurrection attacks etc), so getting together to work collectively and share ideas has been super awesome.

    [0] https://github.com/rubygems/rfcs/pull/37

    [1] https://github.com/ossf/wg-securing-software-repos

  • Making popular Ruby packages more secure
    6 projects | news.ycombinator.com | 13 Jun 2022
    That’s correct. If you’re a maintainer of a very popular gem, as of 15th August you’ll no longer be able to e.g. `gem push` if you haven’t enabled MFA on your RubyGems account. You will of course still be able to log in and enable it.

    More details in the RFC: https://github.com/rubygems/rfcs/blob/master/text/0007-mfa-r...

  • NPM Vulnerability Discussion on Twitter
    7 projects | news.ycombinator.com | 10 May 2022
    > < 10% had useful 2FA enabled.

    I expect this to change. NPM will roll out mandatory MFA for the most-downloaded packages[0] (RubyGems as well[1]). I expect this will rise to a 100% requirement at some point because Github's decision to require MFA by the end of 2023 will massively raise the waterline of folks who have the capability to MFA and experience with MFA.

    [0] https://github.blog/2021-11-15-githubs-commitment-to-npm-eco...

    [1] https://github.com/rubygems/rfcs/issues/35

  • Sigstore
    5 projects | news.ycombinator.com | 3 May 2022
    The RFC trying to introduce sigstore for RubyGems is an interesting look at this in practice: https://github.com/rubygems/rfcs/pull/37
  • RFC for Sigstore Rubygems Signing
    1 project | news.ycombinator.com | 28 Jan 2022
  • RFC: Proposal for new signing mechanism
    3 projects | /r/ruby | 28 Jan 2022
  • Require MFA for most-used gems [RubyGems RFC]
    1 project | /r/ruby | 20 Nov 2021

What are some alternatives?

When comparing harden-runner and rfcs you can also consider the following projects:

repo

sigstore-website - Codebase for sigstore.dev

actual-malware - Useful library dependency

npm

enquirer - Stylish, intuitive and user-friendly prompts, for Node.js. Used by eslint, webpack, yarn, pm2, pnpm, RedwoodJS, FactorJS, salesforce, Cypress, Google Lighthouse, Generate, tencent cloudbase, lint-staged, gluegun, hygen, hardhat, AWS Amplify, GitHub Actions Toolkit, @airbnb/nimbus, and many others! Please follow Enquirer's author: https://github.com/jonschlinkert

auth - A GitHub Action for authenticating to Google Cloud.

rubygems - Library packaging and distribution for Ruby.

scorecard - OpenSSF Scorecard - Security health metrics for Open Source

package-analysis - Open Source Package Analysis

github-actions-goat - GitHub Actions Goat: Deliberately Vulnerable GitHub Actions CI/CD Environment

wg-securing-software-repos - OpenSSF Working Group on Securing Software Repositories

harden-runner vs repo rfcs vs sigstore-website harden-runner vs actual-malware rfcs vs npm harden-runner vs sigstore-website rfcs vs enquirer harden-runner vs auth rfcs vs rubygems harden-runner vs scorecard rfcs vs package-analysis harden-runner vs github-actions-goat rfcs vs wg-securing-software-repos